EU privacy rights derided in land of the free access

After sitting through days of presentations, discussion panels and keynotes last week at the world's largest security industry gathering, I came away startled by the obvious disjunct between mainstream American and European views on privacy.

In Europe, privacy goes hand in hand with data protection. An entitlement to data protection is seen as a human and civil right. To Americans, or those attending the RSA conference, data protection seemed a roadblock to enterprise and innovation. A silly, time-and-money wasting, European notion, like national health services, publicly-funded transport or state-subsidised art galleries and ballet.

Data protection, in the corporate and government view, basically meant whatever (minimal) structures were needed to allow for the mass intake and processing of people's data, towards an improved bottom line, or in the name of achieving efficiencies and insights.

Battered concept
"Privacy" professionals representing US companies seemed to have reinvented the meaning of a word that has already taken a considerable battering in a post-Snowden world. I found it hard to understand what privacy meant to them.

Or to the International Association of Privacy Professionals, a US-based group that came across ( as represented by its chief executive Trevor Hughes) as anti-data protection. “More data protection emerging” in Europe was “a knee-jerk response” to NSA disclosures, he said.

Existing European data protection laws were seen as an irritation. Current EU proposals to toughen them up further, and give citizens more ownership of their own data, require more corporate responsibility, and allow for significant penalties, were the subject of regular speaker derision.

That’s what truly jarred. And seemed surreal, when the week was dominated by discussions about national and international mass surveillance programmes.

Even more so, on the final day of the conference, as I read about further filings in California last Thursday in a lawsuit Google is fighting against claims that it intercepted, read and mined the contents of Gmail users' emails, in order to profile users and target them with advertising.

Similar suits have been brought against LinkedIn, Hulu, Facebook and Yahoo.

Plaintiffs are trying to have a judge designate the lawsuit a class action suit and force Google to pay all Gmail users $100 for each day it processed user email in this way over a five-year period.

As I read about this, I thought of the words of Keith Enright, Google's senior privacy counsel, who was on an RSA panel discussion about privacy. Users of Google's services, he said, understood that user data were gathered and used to provide the services received for free.

The judge in the current case rejected that general argument last September, when Google had tried to get the lawsuit dismissed on the basis that Gmail users realised they had agreed to have their emails scanned when they signed up. It’s in the user agreement, said Google.

That would be the same user agreement the privacy panellists last week laughingly agreed nobody reads. Their perspective seemed to be that people didn't read them because they didn't really care.

Who cares?
Unlike the "privacy" professionals, I do think people care about all these things. I also think – contrary to what many at the conference said – that the generation growing up with the internet, electronic devices and mobiles as a norm, also cares.

Studies certainly show that they do – at least, when they can actually see and understand what happens to their data. But there are two impediments to people taking action to protect their privacy.

The first is lack of awareness. It’s true that people don’t read user agreements. Figuring out what you have consented to in 50 pages of legalese? Much less reading it to begin with? Yeah, right.

The second is a sense of futility. If you want to use certain services, and everyone you know also uses them, then what choice do you really have? It takes a lot of effort to find more privacy protecting alternatives.

On the plus side, if Europe raises the data protection bar for its market of 400 million citizens, the rest of the world will have little choice but to meet it.