A week is a long time in the world of data protection

Data protection: why does it matter?

For a start: can’t we think of a better word than ‘data’? In other words, a more apt term for all of those ones and zeros that countless computers, peppered around the globe, cobble together to create a picture of each of us?

‘Data’ sounds so cold and impersonal. I am not fond of it:

What data relating to me do they process?

Yuk!

This hoity-toity Latin word really makes it seem as though this sort of question has absolutely nothing to do with any of us.

Now, I am not suggesting that we invent a new word, but perhaps we all ought to be thinking less in terms of ‘data’ and more along the lines of ‘what is known about me’ or, even more philosophically, ‘who do people think I am’?

That’s more like it. 

In a sense, data protection is increasingly about reputation management: your reputation with companies; your reputation with the government.

So far so good.

However, problems start to flourish with data processing when businesses or the government start to think that you are someone different to who you really are or when they know more about you than is reasonable. What rights do you have to manage your digital reputation?

Many people say, for example, that we should not be afraid to give up all of our personal data to whoever needs it. After all, if we have nothing to hide, we have nothing to fear—to which my response is: we all have something to hide. Well, I do. I don’t particularly fancy somebody coming around to my place and installing a camera in my bathroom. I’m not ready for an Orwellian telescreen just yet.

Indeed, to what extent can we trust businesses and governments to get it right? Increasingly, they are outsourcing a lot of dull tasks to computers. Computers aren’t sentient—yet. Mistakes will be made.

One social media site, for example, thought that I was Guatemalan for weeks after I visited the country a few years ago. This is a company that, in the last financial year, spent over a billion dollars on buying servers and network infrastructure and building unfeasibly large data centres across the globe. And yet, it struggled to understand me: no, I don’t really need to know about a 2 for 1 burger deal in a fast food restaurant in Chichicastenango. I really don't.

That is why data protection matters. Our reputations exist in bytes on innumerable computers and mainframes around the world. Most of us want to make sure that the information on us is correct and that we know when it is collected and what people do with it. Increasingly, we want some of this information to be deleted, although this is surprisingly difficult given that the Internet seems to have a permanent memory nowadays.

The key, as with so many things in life, is to find where the balance lies: protecting our private reputations v protecting society as a whole. 

So it came as a surprise to many legal commentators yesterday when the European Court of Justice, in the case Digital Rights Ireland and Seitlinger and Others, unexpectedly declared that one of the most important laws in this area, the Data Retention Directive, was invalid.

How so? You may be vaguely aware that the purpose of the Data Retention Directive was to harmonise Member States’ provisions on the retention of certain personal data by companies such as telecommunications providers. 

The court decided the current collection practices, taken as a whole, can provide very precise information on people’s private lives, such as:

the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented

It decided that collecting such information interfered in a serious way with the fundamental rights to respect for private life and to the protection of personal data.

Furthermore, the Court also decided that there were insufficient safeguards against the risk of abuse and against any unlawful access and use of data, including from outside of the EU. The retention of data should genuinely be for reasons such as the fight against serious crime and terrorism.

In other words, the EU had failed to find the proper balance between safeguarding our security (ie fighting serious crime and terrorism) and protecting our private lives.

On the same day as this judgment, the UK’s Commissioner for Interception said that UK police had been overusing their power to gather information on people, although he also added:

I am quite clear that any member of the public who does not associate with potential terrorists or serious criminals or individuals who are potentially involved in actions which could raise national security issues for the UK can be assured that none of the interception agencies which I inspect has the slightest interest in examining their emails, their phone or postal communications or their use of the internet, and they do not do so to any extent which could reasonably be regarded as significant

You may believe this or you may not. It is always difficult to say when the intelligence services operate, as they must, in the shadows.

So what does all of this mean?

It certainly looks as though the line is being redrawn. People are starting to take a greater interest in understanding and protecting their electronic reputations, ie their data.

To what extent should I give out information in the first place? How much should companies and the government know about me? What can I do if things go wrong?

In the meantime, the EU and the UK government have plenty to be thinking about in terms of what will replace the Data Retention Directive. Whilst the Directive is now invalid, it is unclear what is going to happen to the UK regulations that implemented it. This is currently the subject of much legal debate.

Will the police and the security services lobby to keep such powers (as tweaked slightly)? In the light of the Edward Snowden allegations, will they have much political capital to do so? What democratic oversight should be put in place?

The European Commission is due to meet on Friday (11 April 2014) to discuss where to go from here. The UK government is also taking an interest. A spokesman told the BBC yesterday that the retention of communications data was absolutely fundamental to allowing law enforcement authorities to investigate crime and ensure national security, 'we cannot be in a position where service providers are unable to retain this data.'

In any event, it is abundantly clear that the future path for data protection is looking very different indeed from just one week ago...

PS If you want to know more about the data retention law, click here for the European Commission's webpage on it (which at the time of writing makes no reference to the recent court case).
