Dr Strangelove lays siege to Fortress Europe

Analysis Calls for auction of EU rights
Friday, 15 May 2009, 13:46

Europe should relax its data protection rules for the sake of multinational firms and globalisation, said a report published by the UK's Information Commissioner this week.

Written by infamous US military advisers The RAND Corporation, and published as the UK's submission to an ongoing debate about data protection reform, it applauds Europe for building the gold standard of data protection regimes, before recommending that it is alloyed to make it affordable for the rest of the world.

RAND proposes "recasting" European data protection law so it doesn't act as so much of a regulatory weir in global flows of personal data and so to make it easier for multinational companies and governments to exchange data about customers and citizens. It would do this by weakening the rights on which the law is based and then using the corporate mantra of risk to reclassify some personal data as less worthy of regulation than others.

Being firmly founded on human rights law, European data protection does not make quick compromise with corporate whim. But it has been implemented with instruments designed to allow international business to operate. RAND repeats the corporate complaint that European law has nevertheless in its implementation placed an unnecessarily bureaucratic burden on multinational corporations. But rather than merely reform Europe's operational instruments, RAND proposes more radical reform.

Along with risk it proposes that another corporate fad, that of outcomes-based management, can be employed to snap European officials out of their bureaucratic obstinacy. It would wean Europe off its adherence to rights and use risk and outcomes to create a liberal data regime to accord with the liberal economic regime preferred by big business.

RAND proposes that data protection outcomes are placed above the fundamental rights that had previously been both the basis and the inspiration of law. It would then redefine the data protection principles to make their application more efficient, and redesign the operational regime within which the law is enforced.

Its proposed outcomes - that individuals are protected, that organisations are held accountable under the law and that authorities enforce it - do indeed provide a rough sketch of the existing regime. They are in fact similar to, though more muddled than, the high-level protections already enshrined in the European Charter of Fundamental Rights, but pay no regard to the crucial Article 8 of the European Convention on Human Rights, which lends unassailable strength to Europe's data protection regime.

If a right is like a solemn oath, or an architectural drawing, an outcome is like a handshake, or an artist's sketch. Outcomes-based management is criticised for using ends to justify the means. It is therefore fitting that the principles RAND proposes to operate under its outcomes would weaken European law, neglecting in particular its concern with proportionality, which is arguably the most crucial of principles in an age of burgeoning data stores and processes.

What we obtain too cheap, we esteem too lightly

RAND's proposals exclude the European principle that data should be "adequate, relevant and not excessive in relation to the purposes for which they are collected". It suggests instead that another principle, that data only be processed for the purpose for which it was collected, implies proportionality enough. But it does not. It jettisons the data minimisation principle, which ensures that only as much data as is needed to achieve the purpose is collected, not merely that it only be collected for the purpose. Moreover, RAND neglects the principles of retention (that data only be kept for as long as necessary) and rectification (that people can challenge incorrect data about them), and the principle that adequate data must be collected to avoid it leading to erroneous conclusions.

RAND also criticises the adequacy principle for causing Europe to isolate itself in rights-based data protectionism. Adequacy forbids transmission of personal data to countries with a poorer standard of protection than that of Europe. Once someone's data has been passed to a lax regime, there's no telling who it might be passed to and for what purpose. Other countries can be to data protection what offshore havens are to finance.

RAND argues that since "After 13 years, only 5 non-EU countries have been found to have adequate legal frameworks" and that China, India, Brazil, Japan and Russia are not among them, and the US only in a limited sense, then "The rules on data export and transfer to external third countries are outmoded".

Yet this adequacy rule is the basis on which the EU has fought its most important battles to protect its citizens' data abroad, such as its efforts to prevent the US snooping liberally through financial transactions stored in a States-based data centre belonging to Swift, the Belgium-based processor of international financial transfers.

Furthermore, the state of a country's data protection law is a function of economic development, totalitarian and libertarian leanings and national political priorities. There is therefore little cause for surprise that it should take a long time for a global framework to evolve. The kinds of behavioural, geographical and biographical processing that European data protection laws rightfully restrain have also only in recent years begun to challenge the authorities. Neither is it a surprise that the corporate challenge to Europe's authority in data protection should happen now.

Lowest common denominator

RAND is firing ineffectual arrows over Fortress Europe's ramparts in the belief that European obstinacy impedes international data flows undesirably and that this might be overcome if only Europe and the rest of the world were to accept its revised data rules as the basis on which they do business.

If only there were international consensus on data protection. It is being sought. Some countries would prefer there were no protections at all. RAND's proposal is similar to the data protection framework adopted by Asia-Pacific Economic Co-operation countries in 2005. This weak regime was a vast improvement on the widespread absence of protections in the region. But it is seen in Europe as a first step up for APEC, not an acceptable step down for the EU.

Dr Chris Pounder, a privacy lawyer who has advised European institutions, does not believe the APEC framework can form the basis of an agreement for the whole world.

"The argument is, let every country have a baseline of rights," he says. "[But] the baseline might be too high for some countries, or too low for some countries. You have a floor as the basic minimum standard, but of course everyone works to the minimum. So what is a floor becomes a ceiling."

Rather than be obstructive, Europe has circumvented the rest of the world's inadequate data protection with official instruments that allow multinationals to export data to lax regimes under strict conditions. These instruments (such as Binding Corporate Rules) are so unwieldy, says RAND, that multinationals run flows of personal data internationally without bothering to seek approval. The benefits of communication far outweigh the costs of being caught.

The instruments could be made less burdensome without enfeebling the principles that have served Europe - and the world - so well. Some of RAND's other practical suggestions might also be implemented without weakening European law. For instance, companies might be excused the need to notify authorities of their data processing if instead they implemented a transparent system of autonomous privacy policies, reports, audits and officers in line with the albeit imperfect Usonian model.

If the international dataways were thus cleared for corporations, the only reason for a global agreement to be sought with any urgency would be the cross-border exchange of personal data between governments, the majority of which is related to sensitive matters of crime and immigration. The US has sought to form an international club of allies with which to share immigration data and even borders. Police agencies have sought to exchange more intelligence about criminals, suspects and potential criminals with other countries. The loudest call for data protection rules to be relaxed in recent years has come from the security lobby. RAND is unfortunately quiet on this particular area of its expertise.

Corporate interests

So back to its argument for more permissive rules for multinational corporations. RAND's idea is that risk assessments will determine that some data processing need not be governed by rights-based rules, even as we live through the economic crisis that proved how unreliable corporate risk models can be. This idea of data risk assessments was rejected during the UK's deliberations on data protection in the 1970s and, says Pounder, is still unworkable today.

It works on the assumption that data controllers and processors can assess the likelihood that the data they have collected could be used for harm. "The problem with that approach is that it's only the data subject that can know harm," says Pounder, "Whereas [RAND] is assuming the data controller can identify a harm."

We might readily assess the risk that criminal or health data might be used to cause harm. But what about someone's address? Only the person at that address can know how important it is that their address be private. Some people prefer to be ex-directory. Some people prefer not to appear on Google Streetview.

Sweden implemented a data risk model, says RAND. But it didn't consult Sweden in writing the report and gives the idea scant attention. Instead RAND complains that Europe's rights model, in treating all personal data as "inherently worthy of protection" makes life difficult for ventures such as Google's Streetview, which controversially published pictures of people going about their private daily business; and anonymised healthcare statistics, which might be processed in ways that identify patients.

To European ears, however, these sound like reasons to leave the rules as they are: the knowledge economy is thriving and in no obvious need of unencumbrance unless your research sample is weighted in favour of US corporations, as RAND's advisers on this project were. They also included a preponderance of APEC countries, and Google, which backed the APEC framework as a global model, and has long been made to dance reluctantly to Brussels' tune.

One has to wonder then how soundly the UK Information Commissioner's Office believes RAND's report to be, as it stated this week, its contribution to the debate and not that of corporate Usonia (the United States of North America, that is). The ICO said it had not endorsed the proposal. And it is anyway either so muddled, compromised or disingenuous as to require more time than it is worth to do anything more than put it in its place: it being concerned less with curtailing excessive data collection and processing than excessive regulation; because it seeks to reset the balance between privacy and expediency in favour of the latter, advancing the interests of multinational corporations over those of people, and the cause of profitable efficiency over that of gracious discretion.

Comments
Outcomes?

In other words shutting the stable door after the horse has bolted.

I think there is already ample evidence of where that will lead us in my deleted emails folder.

If RAND wanted to do something useful they could cook up a plan to catch email spammers and bring them to book.

posted by : O'Brien, 15 May 2009
Dr. StrangeLove's SSD Debacle....

You Might Get Used To Bomb, Yet SSD Are Pig of Different Pen.
Shrimpi at annand has long story from beginning 18 months ago till now here:

http://www.anandtech.com/storage/showdoc.aspx?i=3531

Good is that Intel has made refurbished SSD into 55Mb/s read/write. that's ?fall on read from 200, yet write step half step up. here's overall write problem now:

Intel X25-E 31.7 MB/s
Intel X25-M 23.1 MB/s
JMicron JMF602B MLC 0.02 MB/s
JMicron JMF602Bx2 MLC 0.03 MB/s
OCZ Summit 0.77 MB/s
OCZ Vertex 2.41 MB/s
Samsung SLC 0.53 MB/s
Seagate Momentus 5400.6 0.81 MB/s
Western Digital Caviar SE16 1.26 MB/s
Western Digital VelociRaptor 1.63 MB/s

BAD? NO Worse.
Yet there's reason. turns out Flash only writes at 20-30 Mb/s normally. Improvement of intel is adding extra channels to multiply number of flash cells used on write, each with 20 Mb/s.
Article Stated that 10 Channels is now maximum. So it is possible with 20 Mb/s write to one flash, that entire SSD could get ?200 Mb.s, write.

However, when annand tried to return one ssd, replacement was broken. with note pasted on box, "you'll love this". Sickos everywhere.
On first test back when with macbook, it worked once, First Time, then became clunker ever after..

At first thought to be problem with flash filling up & slowing down. However, if you erase & start with Empty SSD, it stays same. So Ultee' Believes there's Fundamental Voltage Disparity between Laptop HDD/Sata system at 3.v & SSD mere ~1.46 volts operating range. The Only Reason those SSD Work At ALL, Is Mfg are using SSD Made to WithStand A-Bomb test. Plus HDD/Sata has -1.25 V. Leakage designed in it. yet some HDD are 5 v., its NO BRAINER. Literally.

Micron tried two controllers, to NO avail. Entire article makes one wonder how stupid people are to pay $12 Gb for equipment that underperforms MOST laptop HDD..

StrangeLove With Data. I Guess.

posted by : vondrashek, 15 May 2009
@vondrashek

In the blame sights now is the basic write speed of flash ram (very slow) which can cause the O/S to require buffering of large writes or streaming writes, leading to "stuttering" once the drive and O/S buffer queue is full.

So, the current thinking is that the solution is implementing a large cache module onto the drive, to buffer even the most extreme of these conditions, and allow the drive to achieve its full potential.

I see that Corsair have just released a new series of SSDs with a 128MB cache module and a Samsung controller, and are claiming this to be the Jesus drive... certainly they are charging enough to make you wonder if it's the second coming.

We will see...

posted by : Ted, 16 May 2009
Great stuff - but

Really, really good stuff this article. I guess I'm missing something but here goes: I feel the big question in all this is missing! In the end it has to be WHY? Why would RAND even try selling this crap? What is their aim or purpose? I'm trying to imagine some business needs but guess what, I'm not coming up with any! Why would BigCo1 want to sell personalized data to BigCo2 in a different country? Is the plot here to get all the focus on international data trading while everybody forgets about the local trade? Heck, we all should be asking us the same question: WHY?

posted by : sr, 17 May 2009