'Privacy – the question of who has the right to obtain, retain, and perhaps even sell personal information in digital form – is becoming one of the hottest points of contention between the US and the European Union. "
I wrote that sentence. And not in the last few weeks, as you might think, but in 1998.
In that piece, I noted that, in contrast to the United States's market-dominated approach to data protection, then Irish data protection commissioner Fergus Glavey had stated in his annual report that Europe had "a philosophical view that privacy is a fundamental human right".
Just because it's possible to do something with new technologies doesn't mean any nation or company should be able to do it
He also made an observation that, in 1998, was prescient and which, 20 years on, fuels our anger with the opaque power of technology companies. Their products offer enticements, and many benefits but their potential encroachments and real costs go unrecognised (at best) or more despicably, are hidden (NB Google and Facebook). Glavey wrote: “There is an imbalance between the consideration given to what can be done through the application of the latest technology and what should be done having regard to the cultural, ethical and legal assumptions which underpin our society.”
How little has changed in regard to data privacy and data protection.
The EU and US remain profoundly split on the subject, ideologically and ethically, even though attempts have been made to bridge the gulf with, for example, a rewritten transatlantic data transfer agreement (albeit of dubious real effectiveness).
The European Court of Justice (ECJ) has articulated the (pro-)privacy view in a number of groundbreaking cases. This was an important shift for a powerful court that, in the past, had focused more on interpreting business issues while leaving those that touch upon civil and human rights to the European Court of Human Rights (which has little power to enforce decisions).
The ECJ grasped the point made two decades ago by Glavey: just because it’s possible to do something with new technologies doesn’t mean any nation or company or government organisation should be able to do it. The court realised data and privacy were critical business issues too. And took on privacy cases, laying down important case law.
For that 1998 piece, I had interviewed Marc Rotenberg, the director of the pioneering Washington DC-based privacy organisation the Electronic Privacy Information Centre (Epic). Epic was taking on – as it continues to do – the difficult task of articulating, and litigating against, the invasive threats posed by digital technologies often presented as benign by governments and industry – hence, the constant introduction of shiny new product and service features, for free, and that deliberately deceptive lie: "If you've nothing to hide, you've nothing to fear."
Over the years, I would email and talk to him many times on central privacy issues that are so much better understood now (thanks to Epic and Rotenberg).
Back in 1998, he was arguing for the need for the US to bring in proper, federal privacy legislation. The EU was about to issue a privacy directive – which would eventually be seen as inadequate to the increasing threats to personal privacy and would morph into the General Data Protection Regulation and ancillary EU regulations on e-privacy and e-commerce.
The US then, as now, was still primarily focused on industry self-regulation. “We think the government’s been pursuing the wrong goal,” he told me then. “They want to make self-regulation work. We want to make privacy work.”
He said Americans should have a legal right to access all data held on themselves; a legal framework for enforcement and redress of privacy rights; and a privacy agency within the federal government. Sound familiar? That’s today’s GDPR in a nutshell.
Last week, Rotenberg was in Dublin to deliver the 12th annual Dave Ellis Memorial Lecture, organised by Irish human rights organisation Flac (Free Legal Advice Centres). These days, Epic has solid ties to Ireland, having become an amicus (friendly adviser to the court) for cases such as Microsoft's Dublin data centre email dispute that went to the US supreme court, and Austrian Max Schrems's data-handling complaint with the Irish Data Protection Commissioner, against Facebook.
In a wide-ranging, incisive lecture, he spoke persuasively to the same issues we discussed all those years ago – the ways in which governments and corporations continue to gather data, often indiscriminately, flout the privacy of citizens, secretly surveil (whether in the name of security, or profit) and dodge laws. Add in deceptive social media ads, potential election manipulation, and threats to global democracy.
At the lecture, I asked him about the likelihood of a GDPR-ish law for the US. His answer echoed all the same points he’d made in 1998: the US needs national policy, not industry regulation, and it shouldn’t just be a law to conform to the EU’s GDPR but a home-grown US law that gives fundamental privacy rights and protections to US citizens.
He thinks this may happen at last, not least because, in the wake of so many corporate and government privacy scandals worldwide, we all understand so much better why citizens need such a law.
Let’s just hope it doesn’t take another 20 years for US lawmakers to act on the compelling, hard evidence Epic has done so much to reveal since 1998.