Many of the ideas promoted by Viviane Reding and the EU are going to look prescient 10 or 20 years from now. The EU's focus on individual privacy is the world's most convincing legislative attempt to answer the question of our generation: whether, in a world of interconnected data and global surveillance, our children or grandchildren will even know what privacy is. We should all be grateful for that effort, and it may even prove to be one of the EU's most lasting achievements. However, yesterday's decision is a case of one bold step forward, ten big steps back.
There is a lot of evidence that monetary penalties have driven compliance with privacy legislation over the last decade, but we need to keep this in context. There is a fine line between incentivising organisations to behave responsibly and imposing a penal regime that will simply discourage businesses from investing in Europe. A fine of up to two per cent of global turnover was already excessive; five per cent is wholly unreasonable. In many jurisdictions the penalty for a data breach would exceed the penalty for corporate manslaughter or major environmental damage. It is reasonable to question whether that is the right balance.
Harmonisation is also not all it is cracked up to be: EU privacy law is already very consistent. The issue is not differences in implementation between European nations, but the gulf between Europe and other jurisdictions.
It is great that Europe is leading on the privacy agenda, but there is a very real risk that new legislation simply serves to increase the risk of operating in Europe and encourages companies to operate out of other jurisdictions.
The EU has changed the game for personal privacy, and most people would consider that a good thing. However, the EU also introduced the so-called 'cookie law', which has done little or nothing to benefit consumers whilst imposing a significant amount of additional red tape on organisations and businesses. Even parts of the EU itself have been unable to comply with it.
A global privacy war?
There is already a conflict between European data protection legislation and the US Patriot Act. One requires data not to be disclosed; the other requires it to be disclosed secretly. It is already questionable whether data on EU citizens can lawfully be processed in the United States, even with 'safe harbor' agreements in place. This is not a good place to be when companies need to operate to a global model. What we really need is some clarity here, but not of the kind we got today.
If EU law applies exclusively to all EU data subjects regardless of where the data is held, and US law has primacy over all data in the US regardless of the nationality of the data subject, the outcome will be a global privacy war. Citizens will not understand what legislation applies to their data, and company directors will be forced to accept an unmanageable legal risk. It will only be a matter of time before a major global company is prosecuted in one jurisdiction for actions it was required to take in another.
We need a global consensus on how personal privacy will be regulated: should requirements follow the domicile of the data subject, or the location of the data? It cannot be both.
Right to be forgotten
A right to erasure is a nice idea and a good sound bite, but impossible for many companies to deliver. Most large global companies have a multitude of information stores, many built in an era before privacy legislation. Things that sound simple, such as deleting every reference to an individual, are in practice incredibly hard and incredibly costly to implement.
Not the only issue
Whilst the data is not being forgotten, the risks are. People are at greater risk of identity fraud than ever before. Home PCs are often insecure, exposing users to considerable threats that will not be reduced by any privacy controls operated by the companies they use. Cybercrime is increasing, and cyber-security is wrongly seen primarily as a defence matter rather than as a civil policing issue. Even with additional investment in many countries, police forces are simply not equipped to deal with cybercrime. There is a wider issue at stake.
Matt Palmer is a member of the ISACA UK Security Advisory Group