Robin Wilton

A member of the Gartner Blog Network

Research Director
26 years IT industry

Robin Wilton is a research director with a particular interest in digital identity and privacy (and their relationship to public policy), access control and single sign-on, and the productive use of public key infrastructures.

EU DP Directive revision slips – but is that good or bad?

by Robin Wilton  |  January 13, 2012

Neelie Kroes is Vice-President of the European Commission, and also the Digital Agenda portfolio-holder (in which role she is also responsible for the Commission’s policy direction on cloud computing). Ms Kroes took up these posts in the so-called “Barroso 2” Commission; prior to that re-shuffle, she was the Competition Commissioner. In that role she oversaw the competition case against Microsoft, which resulted in a €497m fine for the company and the enforced release of interoperability documentation relating to Windows.

I mention this background to establish that this is someone well versed in the disciplines of policy formation, strategy-setting, and the practicalities of regulating technology industries.

Ms Kroes has been blogging today about the forthcoming review of the EU Data Protection Directive… She also blogged last June about the review of the ePrivacy Directive, and rightly sees the two as being intimately connected. In terms of policy formulation and direction, I think that’s a great thing. In terms of execution, it concerns me, and here’s why; today’s blog post ends with the following up-beat assessment:

“And I am confident that the Commission will propose “technology savvy” protection for all of us – rules which protect our rights, while taking full account of both the risks and opportunities of the digital age.”

That’s a worthy goal, but the previous experience of the ePrivacy Directive and its measures on cookie regulation gives us legitimate grounds to wonder whether the Commission has the skills to achieve it. Let’s not forget that the cookie directive sought to distinguish between “spy” cookies (which are bad, and should not be allowed without the user’s prior and informed consent) and “technical” cookies (which are OK). This, among other things, led one UK IT law specialist to describe the legislation as “breathtakingly stupid”. In the interests of impartiality I, of course, couldn’t possibly comment... but if you know of a browser that allows you to set separate preferences for “spy” and “technical” cookies, please do point me at it.

As well as establishing one exemption for “technical” cookies (whatever they might eventually turn out to be) the Directive also qualified the need to seek informed consent by saying that this should be done “Where it is technically possible and effective…” – a loophole through which a competent corporate lawyer could probably back a bus while sipping a skinny latte.

I should make clear that the “spy” vs “technical” distinction came from one of the other Commissioners, not Ms Kroes. I’m just rather worried that, with the best of intentions, she may be writing “technical savvy-ness” cheques her colleagues can’t cash.

Specifically in terms of data protection and privacy, here are some of the challenges which face the Commission’s legislators. I think it’s safe to say that current laws are:

  • mediocre at successfully handling privacy detriment arising out of well-defined lists of PII;
  • poor at providing protection against abuse of data which is ‘about’ you but not personally identifiable (see the mess over Google Streetview, wireless MAC addresses and geo-location);
  • clueless about how to address the privacy detriments arising out of third party aggregation and data mining;
  • ineffective at providing redress in cross-border cases;
  • equally clueless about how to factor “potential harm” into regulation that encourages better privacy behaviour.

If those sound vaguely familiar… well, it’s because I’ve just recycled some bullet points from an August 2010 blog post, and the legislation doesn’t really seem to have moved on. The proposed review of the Data Protection Directive has just been further postponed because of “negative feedback” about the leaked draft version which surfaced in December. It’s good that feedback has had a visible effect on the policy-making process, but if the concerns aren’t acted on and new, realistic proposals brought forth pretty soon, another 18 months will go by without effective legislation. That would be bad for commerce, bad for privacy, and bad for the credibility of the legislative process.
