November 4th, 2007 | Published in Google Public Policy
How does the EU privacy regime fit with the idea of developing global privacy standards? How should the EU’s laws for data protection evolve to continue safeguarding privacy in the digital age? And what is the right balance between privacy and security in today’s society?
These were some of the central themes of a discussion that the Centre for European Policy Studies and Google hosted recently in Brussels, which was attended by some 100 EU policymakers and advocates. Our new Google Privacy channel on YouTube has a video of the entire event; here's a recap of some of the highlights.
Global privacy standards
EU data protection supervisor Peter Hustinx expressed support for Google's call for global privacy standards, and said there was a surprising overlap between different legal frameworks such as the EU rules and the 1980 OECD principles. However, with three out of every four countries not having any privacy rules in place, he considered the APEC framework as a “pragmatic approach to allow some late-starters to step in.” Peter Fleischer, Google's Global Privacy Counsel, said that global privacy standards are intended to raise standards where they don’t exist, not to lower standards where they do exist, like in Europe. Operating a global IT architecture, Google will identify and abide by the highest common denominator of privacy protection, even though in practice it’s not always easy to know what that standard is. Fleischer said that for Google’s business to thrive, consumers need to trust the internet, not just Google.
Adapting the EU data protection regime
Fleischer acknowledged that since 1995, the EU principles of data protection have been adopted by many countries. However, while the administrative application of the principles might have been appropriate before the age of the internet, this no longer works today. In addition, the EU data protection directive has become akin to an export control regime. The list of countries that have been found to be “adequate” under EU law is rather short. Fleischer said that the mechanism of establishing adequacy should be based on universally valid principles, and not on their administrative application that will vary from country to country.
Hustinx agreed that the adequacy test is too cumbersome. "We can do better, and should build in more global privacy into the EU framework as well," he said. There was a larger number of formally "non-adequate" countries that can be considered as adequate for practical purposes. That was not the only change we’ll need in the next five years or so, he said. The administration of the principles should be simpler and more flexible; other actors beyond data protection authorities and affected persons should get the right to take legal action; and companies should embrace quality controls by third parties of their privacy policies and architecture. Rather than paying expensive auditors, Fleischer favoured technology solutions such as Google web history, to increase transparency for users on how a company deals with privacy.
Privacy and security
Alexander Alvaro, who sits on the Civil Liberties Committee of the European Parliament, focused on the implications of new technologies for individual freedom. There is an urgent need for extending data protection to the EU’s security policies to restrain governments’ excessive requests for data, he said. Alvaro also spoke against filtering web searches or generally blocking content on web sites for security purposes.
Alvaro expressed concern about storage of web search queries but acknowledged Google’s initiative to limit storage to 18 months, even though he’d personally prefer deletion of the data after that, rather than anonymisation. With respect to possible obligations to notify users of security breaches in the upcoming review of the EU’s telecom laws, Alvaro wants to limit notifications to risky breaches that potentially damage users. Encrypting data should also be regarded as a way of securing personal data.
It's clear that there is a need in public policy circles to better understand the rapidly innovating online world and to reflect on how data protection legislation can be adapted to it.