The lobby-tomy 7: not all roads lead to privacy

Within the privacy world, different schools of thought exist. Connecting different viewpoints to a seemingly positive ideology is also a persuasion strategy.

The new European data protection regulation is the most lobbied piece of legislation thus far because the subject is very important and touches upon almost every aspect of our daily lives. Therefore Bits of Freedom used the Dutch freedom of information act to ask the government to publicise all of the lobby documents they received on this new law. We published these documents with our analysis in English in a series of blogs for EDRi. This series of blogs has also been combined in one report. What parties lobby? What do they want? What does that mean for you?

If one school of thought has been successfully put in the limelight, it is the “risk-based approach.” It means that when policy makers formulate obligations for industry, they should take the risks of data processing into account. Strict obligations should only accompany large risks. But that too can’t be an excuse to create a lower level of protection for people.

If we read the lobby letters correctly, one of the most important offices behind this approach is the ‘Centre for Information Policy Leadership’ of Hunton en Williams “LLP”. Although the term is older, they launch a ‘risk based approach framework’ in January 2014, after which the subject resurfaces repeatedly.

The new privacy law creates new obligations for organizations that plan to process a certain quantity of data. An organization is for example required to do a ‘privacy impact assessment’ before processing data, in which the organization will have to evaluate the consequences of the processing for the privacy of people. In some cases, the processing should be notified to the authority. Apart from that organizations should have a data protection officer, who handles supervision of all privacy topics internally. Furthermore, organizations are required to notify data breaches to anyone connected to the data.

Companies are not happy about this. We already mentioned in a previous blog that these are the themes that have been lobbied on the most. They say, briefly: allow us to only fulfill those obligations if it’s to prevent large risks.

It doesn’t surprise that many of the usual suspects support this risk based approach. TechAmerica Europe, an organization that represents the interests of European technology companies “with American parentage,” strongly supports this. Banks also want such an approach, they email in their position paper to the permanent representation. The hospitality industry and many other industries as well. (a Dutch e-commerce representative) says in an email to the ministry of justice: “The current reforms are not adequate enough in the eyes of, in particular because the proposals lack a “risk-based” approach.” Even the royal academy for sciences seems to be a proponent of this approach.

To strengthen their arguments, different parties use ‘commitment and consistency’. The trick with this is that people like to present one unambiguous image of themselves. So people will want to act in ways that are congruent with their statements. Therefore, the Centre for Policy Leadership uses statements of influential politicians from the group of people they are trying to influence, who have been positive about the risk based approach.

In a letter by the Centre for Information Policy Leadership to the ministry of justice, European commissioner Reding is quoted as a proponent of this approach, just like the council of ministers that the letter aims to convince. You were in favor of a risk based approach right? Then you should also agree to our demands. The former European Data Protection Supervisor (the highest privacy officer at the EU) Peter Hustinx once made positive statements about this approach, and these are quoted quite happily in a letter by the Industry Coalition for Data Protection to the ministry of justice:

“ICDP strongly agrees with the European Data Protection Supervisor, Peter Hustinx that data protection legislation is most effective when it follows a risk-based approach.”

A risk based approach is not a crazy idea. But it can’t be an excuse to evade important obligations, the collective of privacy watchdogs in Europe said. A well described liability based on agreed criteria can assure that companies keep privacy protection in mind at an early stage. Those criteria should obviously be proportional, so a sole proprietorship that serves only fifty customers per year shouldn’t be required to send a privacy impact assessment to the data protection authority every week or to hire a data protection officer. But we should also be weary of abuse. Digital Europe (a lobby organization for digital businesses) for example wants to make sure that companies can decide for themselves what constitutes risky. That would make evading supervision very easy.

Privacy schools of thought
Connecting your viewpoints to clear schools of thought can aide your cause. That’s why more schools of though than the ‘risk based approach’ are mentioned in the lobby documents. Vodafone wants a more ‘principle based’ approach (which means they want more flexibility). Yet other companies mention the ‘harm based approach’, the ‘use based approach’, the ‘precautionary based approach’ and others.
Whatever school of thought one prefers, no one can currently predict the risks well. What we do know is that more data will be collected and will be increasingly used. This makes every choice we make now only more important for privacy protection in the future.

To be continued
Want to continue reading about this? On the Bits of Freedom website, you can find all the lobby documents and the analysis. The next part will be about the anti-fraud argument.

Help mee en steun ons

Door mijn bijdrage ondersteun ik Bits of Freedom, dat kan maandelijks of eenmalig.