I spent much of last week in Brussels, Belgium, speaking with people about the European Union’s proposed Data Protection Regulation, including presenting at the 3rd Annual European Data Protection & Privacy Conference. The Regulation is a once in a generation opportunity to examine privacy and data protection, as one of the landmark pieces of privacy legislation (the 95/46 EU Data Protection Directive) is updated. Having spent a number of years managing Intel’s privacy organization while living in Europe, I saw the impact the EU member state authorities can have in protecting individuals’ privacy. However, I could also see the many places where the current EU model falls short (e.g. lack of harmonization, lack of predictable enforcement, too many non value add administrative burdens). The current draft regulation is an ambitious document, which follows the technology neutral, high level principles model recommended by many (including Intel). It also tries to address the difficulties experienced with the non-harmonized implementing legislation of the current Data Protection Directive which has been challenging for many organizations doing business in various EU Member States and at a global level. The binding nature of the proposed Regulation and the “main establishment” provisions (which would largely mean a company would work with one regulator as the lead responsible authority) could be tremendous advances. However, there has been considerable concern over some provisions in the document, and I myself was wondering on the plane to Brussels whether there would be political will to fix some of the flaws in the draft. I came away from the week feeling there exists a real opportunity for discussion and change to the proposal in the coming months.
Intel has multiple goals for privacy laws. We believe privacy is an important individual interest, and one needing robust legal protections. It is also critical for our business for individuals to trust their use of technology. We need individuals to have confidence in their use of the many features and services in which we invest significant capital to develop. In addition, Intel is a company founded on the concept of the social benefits of innovation. Privacy is a necessary pre-requisite for innovation.
Innovation can be the tide lifting all boats. The economic benefit of an innovation economy is not a zero sum game between countries. However, the tide will only lift those boats without holes. Each country must look at its policy environment and determine whether it has put in place the right laws and regulations to encourage innovation. This includes robust intellectual property laws, investment in education, tax benefits for research and development, immigration policies rewarding higher education and technology skills, and also robust privacy laws. Innovation happens when individuals have protected environments in which they can collaborate and take risks. A lack of privacy has a natural result of encouraging conformity, as individuals have concerns that any failure or controversial opinion will be placed in a profile about them, remembered forever, and used to discriminate against them. The technology sector has created a global digital infrastructure providing an unprecedented ability for individuals to engage with each other across generations, countries and cultures. We need to make certain we provide adequate protections so individuals will fully use the free exchange of ideas enabled by this infrastructure. This exchange of ideas will create increased innovation, economic growth and jobs for the floating boats.
With these goals in mind, we can evaluate the current state of both the US privacy environment and the Draft EU Data Protection Regulation, and see many commendable features. Both the EU and the US have recently published defenses of these privacy models in “myth-busting” pieces. Each document includes important points to clear up confusion about the existing privacy environment in the US and the proposed regulation in the EU. However, it is important to note there are still holes in both of these boats. I have spent considerable time on this blog discussing the need for comprehensive US privacy legislation. The current US administration released a Consumer Privacy Bill of Rights earlier this year. In this document they noted the US framework lacks the following two elements: “a clear statement of basic privacy principles that apply to the commercial world, and a sustained commitment of all stakeholders to address consumer data privacy issues as they arise from advances in technologies and business models.” The administration then called upon the US Congress to pass legislation to patch these holes in the US boat. Intel echoes that call.
Similarly, the EU Commission recognizes there are issues with the current Regulation draft, but they are issues which can be fixed. Commission Vice President Vivienne Reding delivered a key note address at the conference mentioned above. In her speech, Ms. Reding noted changes will be made to the draft. She defended privacy as good for innovation and economic growth. She also made clear the Commission’s interest in modifying current provisions which create undue administrative burdens or uncertainty for the private sector.
Intel’s analysis of the current draft notes several areas for focus in making changes. In follow up conversations with stakeholders we understand there are robust discussions taking place on all of these issues. Here are a few of the priority holes, which can and should be repaired:
• The importance of cyber security. The EU recognizes the Right to Privacy. This is different than the Right to Steal, the Right to Hack, or the Right to Attack. We all need to recognize some of the greatest risks to privacy come from malicious attacks on legitimate and responsible stewards of personal data. Processing personal data to provide reasonable cyber security is a legitimate interest of both Controllers and Processors and should be a lawful basis for such processing. Inclusion of Recital 39 is helpful, but this issue needs language in the Regulation text.
• Moving from file clerks to privacy professionals. The current Directive requires both company privacy staff and supervisory authority employees to spend too much time processing paper, and not enough time counseling the business or taking enforcement action against bad actors (respectively). Doing away with notification and registration is a good step. However, replacing registration with an obligation in Article 28 Section 1 to document “all processing operations” will create an unreasonable burden on companies and do little to protect the privacy of individuals. Further, given the resource constraints of the supervisory authorities, it is likely 99% of these documents will never be reviewed by a regulator. The Commission needs to change these provisions to focus more on documenting the controls processes, and requiring companies to stand ready to work with supervisory authority investigators.
• Allowing the Privacy Impact Assessment to be effective. Intel has been doing Privacy by Design for over twelve years. We have integrated our privacy assessment documents into our Secure Development Lifecycle, which is the process we use to develop our products. These assessment documents need to be flexible and enable discussion between the privacy staff and the business. However, Articles 33 an 34 of the Regulation potentially place a huge burden on these assessments, both by creating prescriptive detailed requirements for a Data Protection Impact Assessment, and by requiring in Article 34 Section 6 the company to produce the document to the Supervisory Authority. If the Commission feels a document must be produced for this purpose (of which I am highly skeptical of the utility), then the scope should be substantially reduced and the requirements decreased to make clear, 1. These documents should only be produced in rare circumstances, and 2. These documents are different than those assessment documents used by the privacy staff to integrate privacy into the product and business processes.
• Avoiding Over Regulating. The Commission should be commended for proposing a principles based, technology neutral framework. However, there is concern about the many mentions in the text of Implementing and Delegated Acts. Detailed regulation is not an appropriate way to increase data protection, as providing reasonable privacy is highly contextual. Many of the references to Implementing and Delegated Acts should be removed from the text. A better method for contextual interpretation is already provided in the draft in the creation of the European Data Protection Board and its responsibilities under Chapter VII’s co-operation and consistency goals. If the Commission can make certain this Board will operate in a transparent manner, with input from all stakeholders, then the Board will provide a better mechanism for the interpretation of the principles to individual contextual situations and new technologies.
• Sanctions should be fair and not decrease investment in Europe. The current proposal in Article 79, which authorizes sanctions up to 2% of annual worldwide turnover, is excessive and will create a disincentive for large organizations to launch new products and services in the EU. In Section 3 of that Article, the text includes a carve out for situations of a first and non-intentional non-compliance. This carve out provides that no sanction will be imposed and it will instead result in a written warning. However, companies with more than 250 employees are not eligible for that exemption, when they are processing the data for a commercial interest. Even with the exemption, 2% of worldwide turnover is excessive. In addition to doing away with the concept of worldwide turnover, the exemption should be available to all organizations.
After the excellent set of presentations at the conference, and the exchange of ideas during the week, I am hopeful the Commission will patch these and other holes. We owe it to the people who want to trust their use of technology to get this right. Let’s continue the substantive discussion, as I welcome your thoughts and comments.