Ah, Amsterdam. You can ride a bike, you can travel the canals by boat, you can walk around happily by yourself (ideally scoffing from a paper cone of hot frites doused in mayonnaise) or you can catch a tram with the locals, but you cannot escape one thing – the bridges. So many, many bridges. 1,539 of them, apparently.
Just like this year’s Eurovision song contest (but sadly without the glitter, outrageous outfits or Guy Sebastian), the theme for this year’s Data Protection Commissioners’ conference in Amsterdam was “Building Bridges”. I discovered this ‘bridges’ metaphor is extremely malleable. Every speaker somehow managed to make their topic related to bridges. It would have made a fun drinking game to down a shot every time you heard a speaker use the B word, but the fun might have worn off by the 57th vodka in the first panel session alone.
People then starting talking about “functional bridges”. (Really? Would anyone build a non-functioning kind? My Year 6 teacher would have been all over that tautological nonsense.) By the end of the first day I felt an itching desire for some metaphorical dynamite to blow up all the metaphorical bridges.
But leaving aside the tortured use of language, more frustrating was the exclusionary, EU/US-centric discussion.
These conferences have often tended to focus on analysing – to death, sometimes with heated debate from people holding entrenched positions – the differences between and relative merits of the EU and the US approaches to privacy regulation. The EU approach is similar to Australia’s approach: generalist privacy principles built into omnibus (aka cross-sectoral) privacy laws with specialist privacy regulators. The US approach is to have only sector-specific privacy laws (e.g. a video rental privacy law, financial privacy regulations, a health insurance privacy Act …), but also a powerful consumer protection regulator with a broad remit, in the form of the US Federal Trade Commission.
Occasionally at these conferences someone like me from TROTW (the rest of the world) will raise their hand and point out (a) that TROTW indeed exists, and (b) we tend to not argue about whose system is better, we just want to get on with it, and can we please now talk about concrete examples instead of theories?
2015 was supposed to be different. The ‘building bridges’ theme was intended to put aside all debates about the relative merits of legal approaches, let bygones be bygones, and instead focus on practical solutions to privacy problems.
“Hooray!” I thought. I was hoping for some enlightening discussion – nay, even actual examples! – of how to turn abstract legal principles into concrete operational decisions and systems design. But no such luck.
We were back to discussion of EU/US data transfers, to the exclusion of almost everything else. Each topic was seen through the lens of the recent unravelling of the Safe Harbor scheme, leading to much hand-wringing about what American companies and EU regulators are supposed to do now about their transborder disclosures. Back to square one: “my legal system is better than yours, nah nah nah nah nah”, and the more positive, but naïve, “hey, maybe we should instead design a universal set of privacy principles to cover both of us!” It was left to representatives from TROTW, like Colombia and Canada, to point out that the creation of a ‘universal’ set of privacy rules, as proposed in the 2009 ‘Madrid Resolution’, is not the task of the EU and US alone.
While the Privacy Bridges project itself was understandably written to meet its terms of reference, which were confined to non-legislative ways to “increase the transatlantic level of protection of personal data” – i.e. manage privacy issues arising from transborder disclosures between companies in the EU and the US – making the Privacy Bridges report the primary focus of this “international” conference was a disappointing waste of the time and expertise of the individuals assembled there.
The narrow focus on multinational companies sidelined voices from civil society, as well as our client base: small-to-medium businesses, NGOs and public sector agencies facing privacy challenges which have nothing or little to do with multinational transborder data flows. The topic of discussion offered nothing new or pragmatic to take away on privacy hot topics like Big Data, drones, the Internet of Things, re-identification or geolocation data.
And the arrogance was taken to squirm-inducing new heights when those of us from TROTW were repeatedly asked to identify ourselves in the audience; we were then told that the ten ‘bridges’ described in the report “may also be useful for those of you in the rest of the world”. Oh please. That is as patronising and offensive as a former Australian Prime Minister coming to Europe and telling you how to deal with the Syrian refugee crisis.
It was almost embarrassing to see how an “international” conference managed to sideline both the privacy concerns of, and the privacy expertise from, the 164 countries that are not either America or in the EU; that’s 85% of the 193 members of the UN. There are billions – yes, billions – of people who live nowhere near the Atlantic Ocean. China and India, anyone?
In my view, the ‘ten bridges’ report presented only a nice list of things to talk about, for a closed circle talkfest of European regulators and American businesses, while Rome burns.
I hope that next year’s conference organisers, including the hosting data protection authority of Morocco, are willing to take a more inclusive view of our world, and thus allow an array of truly international voices to be heard, and wider expertise to be shared amongst the privacy community.
Photograph © Anna Johnston