The story of Data Protection & the emperor’s new cloak.

After a Twitter chat with the one and only Tim Turner, he gave me some inspiration to turn fairy tales into information-related tales. Up first, not quite true to the original (allow me some poetic licence), is the story of the emperor's new cloak.

There was a kingdom, not so far away, where there lived a king who ruled over 28 local villages. This king often traded with passing traders from other villages and encouraged them to visit his villages, as he was a wise king who saw the wealth and opportunity that trade could bring. However, he was a cautious king and, while interested in trade, he still wanted to protect himself and his kingdom.

One of the biggest traders came to him one day and offered him a very special trade. In return for gold and the opportunity to sell more of his wares in the king's villages, he would give the king an amazing cloak that would offer him protection and wonder, and be a good omen for all of his people.

So the deal was done: the king proclaimed the trader a new shop owner and the king's preferred trader, and in return the trader presented the king with his brand new cloak. But when the king came to look upon the cloak he saw nothing but an empty hanger. The trader assured the king that it could only be seen by the wisest and noblest of people. And so, in order not to embarrass himself, the king marvelled at the cloak and thanked the trader for his efforts.

However, when the king greeted his subjects and councilmen wearing this cloak (and not much underneath it) he was laughed at and ridiculed, as no one could see it. But no matter, he thought: surely they were not noble or wise, and therefore they were not important.

But as time went on more and more people commented on the king's lack of a cloak and general state of undress. Until one day the king spoke with one of his oldest and wisest councilmen, the keeper of the coin, who said quite plainly to the king, "there is no such cloak, your majesty". The king immediately challenged the trader, who said there must be a problem with the cloak's magic; he would take it away and fix it, and then the king would see what a marvellous splendour it was.

Now if you imagine that the king in that story is the EU, his subjects are EU citizens and his councilmen from the villages are the member states of the EU (including their judiciaries), it sounds a little like the situation we find ourselves in with Safe Harbour.

If you have ever worked with European data protection (for example in Germany or Spain) you'll know that there has for some time been a growing level of scepticism about the US Safe Harbour framework. This has been for a number of reasons, not just the obvious mass surveillance point.

One of the leading arguments has always been that because Safe Harbour is a certification there is a risk, however unlikely, that the certification can become invalid. So what happens to the processing of that personal data once the certification is removed (assuming the certification was the main legitimate ground for the transfer)? Which is a fair point. An essential part of any resilient system is that you always have a contingency plan, so why not with a legal system? That's why many (not all) transfers of German personal data (excluding sensitive data) would have signed standard model contractual clauses (SMCCs) in place as a backup, just in case.

Then when you add in all the recent revelations around spying, the ineffective monitoring of compliance with Safe Harbour, etc., the German (and others') argument against the scheme becomes even stronger. So when I heard about the Max Schrems case I predicted that he would succeed, and indeed, while working with a German DPO a few years ago, we predicted (over a beer or two) that Safe Harbour would fall one day. If I could see it (someone who always thinks less of what he knows), and so could my German DPO friend while sitting in a beer hall in Cologne, then why couldn't the rest of the world? Or did they?

Is this a case, as the fairy tale above suggests, where taking on Safe Harbour would actually expose an error on the EU's part and cause embarrassment? So rather than admit there is some trickery here, let's pretend that the cloak is still there and everyone simply isn't worthy enough to see it.

But putting all that to one side for a moment: do we run the danger of throwing stones in our own glass house? Safe Harbour has been "debunked" (to use a better word) because of the level of spying that the US government undertakes, which means the protections that the European Directive and subsequent legislation provide for European personal data cannot be guaranteed. But aren't member states currently introducing various "privacy risky" pieces of legislation based on the EU's own Data Retention Directive (a directive the CJEU itself struck down in 2014, though the national laws built on it have largely stayed in place), as well as for their own purposes? In the UK today there is an announcement about a so-called "watered down" snooper's charter (the draft Investigatory Powers Bill).

Similar laws now exist throughout the EU member states, each offering a different level of data protection. So are we being a little "do as we say, not as we do" on this issue? Don't get me wrong: as outlined above, I tend to agree with the conclusions reached in the Schrems case. Mass surveillance, and legal powers that override European legal protections, make for a dodgy place to be storing personal data. But this isn't shocking news, is it? The Patriot Act alone has been around since 2001, with the "moral justification" it gives for intercepting any suspected terrorist activity. So did we really believe that the US would use such powers on everything except EU data?

Some of the reactions by certain DP authorities (mainly Germany) have been less than constructive. Yes, Safe Harbour is offline right now, but that does not mean that each and every data controller that was relying on Safe Harbour, and now can't, is an evil entity that should be pursued for breaking the law. That's many things, but above all impractical. None of the DP authorities have the resources to do that, and it sends completely the wrong message to the world: the aim should be to get controllers to engage with this proactively, not because they've been "told off".

At the opposite end of the scale, the ICO has said "don't panic", but as Jon Baines pointed out in his recent blog post, the ICO has a Safe Harbour compliance issue of its own and has so far been less than forthcoming about how it will resolve it.
