In defence of principles-based regulation | Fieldfisher

In defence of principles-based regulation

25/10/2013
When the European Commission published its proposal for a new regulation aimed at rejuvenating the 1995 Data Protection Directive in 2012, there was one major feature that stuck out above everything else. Beyond the obvious objective of tackling the data privacy challenges of the 21st century, all of the novelties proposed by the Commission had one thing in common: the principles, rights and obligations were far more prescriptive in nature than under the Directive. This was perhaps a natural consequence of having to draft a directly applicable regulation, but it represented a fundamental change from the way European data protection had operated until now.

The bulk of the proposed regulation was meant to introduce a whole new set of obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers. Plus, of course, nearly immediate data breach notification. These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but they are also a new way of demanding practical compliance in the black letter of the law. If one is looking for legal certainty, there is nothing like a law which says do A, B and C, and do not do X, Y and Z. It almost makes lawyers redundant, which may well be a good thing! But aside from the risk of distorting the technological neutrality principle, it makes that law much more dissimilar from any other law in the world regulating the same thing.

The balance between principle-based regulation and laws with clear instructions is a fragile one. Go for high level principles with woolly words such as 'fair', 'reasonable', 'relevant' or 'adequate' and you are risking inconsistency of interpretation and a lack of understanding of what the law requires. Tilt the scale towards prescriptive instructions and what you gain in legal certainty you lose in much needed flexibility. Here is the thing: clear and prescriptive obligations are helpful in the sense that they do not leave room for ambiguity. But let us not forget that privacy protection is linked to the evolution of technology, an unpredictable world requiring flexibility and quick thinking. A prescriptive law will always be constraining, not because it is strict, but because it is rigid.

Now, shift this balancing exercise to a global stage and the risk of rigid laws becoming practically ineffective is exponentially multiplied. Instructions and checklists are immune to cultural and political differences, but those who need to follow those instructions and go through those checklists are not. People and organisations are revealing and accessing the same information at a global scale. The protections and norms that affect that relationship must, therefore, be geared to cope with the situation in a way that specific legal instructions cannot be. Some data privacy and security principles may be imprecise, but they have proven to pass the test of time and distance. Prescriptive norms are bound to fail that test because they lack the elasticity needed to make global privacy protection workable. Relying on principles to safeguard something so important may not be the perfect solution, but we should be looking for effectiveness, not perfection.

This article was first published in Data Protection Law & Policy in October 2013 and is an extract from Eduardo Ustaran's forthcoming book The Future of Privacy, which is due to be published in November 2013.