January 31, 2012

"Europe is considering a sweeping new [...] data protection regulation", writes Somini Sengupta (*). Indeed dear readers, I urge you to peruse the text released last week by the European Commission (1). But I would fail you if I declined to voice my own opinion. These fillips may make sweeping statements on our Information Age and our Western societies. Their legitimacy remains centered on eprivacy.

As it is, I never shied away from criticizing the European Commission. Where our data rights are concerned, it has repeatedly shown itself to be all bark and no bite. While not all commissionners have ignored the issues, decisions which mattered have visibly ignored the few who cared.

I may well have to revise my judgment. Hasn't the European Commission's Vice President for Justice, Viviane Reding, made sure her proposal has real teeth, namely "a fine up to 1,000,000 EUR or, in the case of an enterprise up to 2% of its annual worlwide turnover"?

One must not rejoice ahead of the facts. The recent SOPA soap opera has proven last minute lobbying can derail the most carefully planned initiative. And even if the European Union adopts this regulation as is, it already kowtows to business "legitimate interests" (2) and its words remain to be translated in each European state law and further interpreted by the courts. Only time will tell.

Still the fight has been joined and on critical issues to boot. Here are three points to help you, dear readers, better appreciate the coming struggle.

User consent about personal data has always been a bone of contention. Given users' natural laziness, data aggregators prefer opt out while privacy advocates push for opt in. The former prevail in the United States, the latter in Europe. I have maintained that this is a distinction without a difference. When compelled by law to let users opt in, most online organizations simply bundle an opt in with the transaction sought by the user.

I had written to the European Commission on this very issue as part of its consultation (3). So it is highly satisfactory to see the EU proposal devote the whole of Article 7 to define the type of consent what it calls a "data controller" must obtain from users. Apart a huge loophole (4), it is still an opt in. "The data controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes".

Let Microsoft whine about "the potential difficulty of obtaining explicit consent". For years, the SNCF has had no problem with bundling such explicit consent with online reservations. But look again at Article 7. Doesn't it end with a Parthian shot? "Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller".

I have argued that bundling must be eliminated precisely because a data controller normally holds the user over a barrel. If I want to take a train in France, do I have a choice? Not when there is a quasi monopoly on the bundled offer, nor when all the suppliers of a specific offer tacitly agree not to compete through unbundling. Make such cases illegal in view of the "significant imbalance" involved and bundling is no longer a problem.

In its comments (5), the Commission mentions the employer-employee relationship as an example of a "significant imbalance". But it does not explicitly target the use of bundling for data extortion. It may not want to alert the lobbyists more than necessary. Politically expedient but dangerous, as it implicitly relies on the courts to agree with my interpretation. What will prevent honest judges from taking diverging views and recreate the very lack of consistency the Commission claims to eliminate with its proposal, a major potential benefit?

For Somini Sengupta, "one of the most contested provisions of the European law is the so-called right to be forgotten". Far from raising the expectations of notorious criminals, Ms. Reding reasonably focuses on ordinary consumers' wishes. "When an individual no longer wants its data to be processed, it will be deleted [by the controller]. The individual should also be able to transfer it to another controller as the case may be.

If the proposal does not grant us formal ownership of our personal data, it surely comes close. "A Green Party politician from Germany and an advocate for strict data protection laws", Malte Spitz says, "[it] will change the work of companies that are doing profiling and targeted advertising".

This is almost a British understatement. "Critics warn that it is not so simple" to comply with a data erasure request. They are right (6). Assuming the Commission means business and once again put the burden of proof on the controller, I know of only one efficient way of ensuring data disposal. Do not take possession of the data in the first place. Ironical? Not at all. Profiling and targeted advertising can still be done. Let me show you how.

But "there is a risk [to] the development of innovative services that can bring real benefits to European citizens". In straight English, this means that Facebook is afraid that its corporate piracy may not survive real innovation outside of its control. Big Data rests on pronaocracy and corruption.

My last point however is a friendly warning to the Commission. For the writing of good rules is a difficult exercise which "might not keep up with the pace of change on the Internet". And indeed the current proposal suffers from a lack of conceptual foresight in its definition of a data controller, as a legal subject which "determines the purposes, conditions and means of processing of personal data" (7).

If we hew to the letter of the law, a tax software publisher is a data controller. This obviously is not what was meant. But on what criterion? One only. After data subjects install Microsoft Money on their computers (8), they keep control over whatever personal data their personal software may collect and process. In particular no other legal subject, not even Microsoft, can access such data at will, yet their copies of Money still work.

A pointless remark this is not. Nobody will think for instance of subjecting Microsoft Office software division to this law. But what about ePrio's invention? It determines the means for users to collect and process their personal data during online interactions without ceding control, much like Microsoft Money. What is missing from the law is the explicit requirement a data controller controls the data concerned, access included.

Who controls data will characterize our Information Age, based on data, its economy and its political system. Will what some call crony capitalism be entrenched instead of true democracy?

Europe is making serious progress about our data rights. By taking real innovation into account, it can free innovation further to strenghten eprivacy.

Philippe Coueignoux

• (*) . Europe Weighs Tough Law on Online Privacy, by Somini Sengupta (New York Times) - Jan 24, 2012
• (1) see EU Proposal for a Regulation on the protection of individuals with regards to the processing of personal data, Jan 25, 2012
• (2) see Article 6, which states "processing of personal data shall be lawful [if it is] necessary to the legitimate interests pursued by a controller".
  .....As marketing and advertising can hardly be considered less than legitimate, this opens a giant loophole (see note 4 below)
• (3) see my submission in response to its consultation on Privacy in cooperation with Marc Leprat.
• (4) Article 19 explicitly recognizes "direct marketing purposes" as a legitimate business interest, covered by the fig leaf of an opt out provision.
• (5) see the impact assessment, accessible from the Communication on Data Protection page by the European Commission
• (6) see my lecture on Disposing of digital information
• (7) from Article 4
• (8) This fillip is not an advertisement. Microsoft Money has been discontinued.