Privacy and Data Protection In Europe
Ilias Chantzos, director, Europe and Asia government relations, Symantec: Tuesday, December 8th, 2008 | 10:00 am
When I was a lot younger, like many other Greeks of my generation, I had the benefit, according to some, of a "classic" public school education, focusing a lot on arts, literature, history, philosophy and languages (most of them dead languages).
Among the things we did learn at school at an early age were concepts and even quotes that originated from famous philosophers, such as the teachings of Socrates on Gnothi seauton» (Know thyself). There was one quote of Cleobulus however that particularly puzzled me: Métron áriston» (Moderation is the best thing).
I used to argue with my teachers on that particular point because I could not accept easily what I thought was an oversimplification... There are many things in life that one should not accept moderation that easily or absolutely. For example, one cannot be moderately in love. He or she is either in love or is not. There is no real middle ground. Even in ancient Athens in case of a dispute within the direct-democracy institutions of the city moderation was not allowed. Citizens who were directly participating in the institutions needed to chose sides. Whoever was claiming to be "in the middle" would lose his civil rights.
Of course the time went by and as I grew older I came to understand that life is often shades of gray and not black or white. Coming back to the present and my day to day job however I cannot help but noticing how much we miss "moderation", how much we miss "measure" in some of the debates we are having in Europe on issues like privacy and data protection.
This is a sensitive issue that ultimately needs a cool-headed, educated and balanced approach and I cannot help but feeling that what we sometimes seem to have is cries in the middle of the night, conspiracy theories or big brother scenarios as to what Governments, Eurocrats, intelligence services, evil industry, pirates, cybercriminals, pedophiles and data protection ayatollahs are trying to achieve. I honestly sometimes feel sorry for some of the Commission officials, MEPs and PERM REPs that have to penetrate through this fog, distill the different messages and make sense of the proposals and options on the table.
The fact of the matter is that data protection is important even if the data subject (that is us all) does not usually understand or appreciate how important it is. It is also a fact that the more we are becoming an information-driven society the more important will information about the individual and the associated data protection rules become. I am sometimes astonished by how few industry colleagues seem to have a full appreciation of that, especially when it comes to the on-line components of privacy as Internet will be the delivery medium for a variety of products and services.
What does this really mean? It means that the problem is just a question of moderation and striking the right balance between all the different competing, and legitimate interests. It means that most of us (the stakeholders) when debating about privacy and access to data, which can be technical or about individuals, or both, are probably somewhat right in having some legitimate interest in asking for it (or some of it anyhow), needing it and also wanting to restrict it. There is no right or wrong, good or evil, no violator of human rights, or protector of criminals. Just think for a moment some of the purposes that we now know of needing technical or personal data (or both)……provision of services, marketing, copyright, sales, security, quality of service, customer satisfaction, law enforcement, protection of minors to name a few. For the same reason that in order for information to be private it needs to be protected and therefore restricted, I cannot agree to oversimplifications like "we cannot be sure what IP addresses are so treat them always as personal data" or that "car plate numbers are personal data" but I do not have the power to restrict this information and its circulation because by law I have to put them somewhere visible (at the back of my car). Such simplifications are unbecoming of the sophisticated system of regulation that we have in Europe.
In Europe we are leading data protection and that is a good thing. We are also emotional about it and we are correct in being so because it is a human right and an important one. However as we are looking at revising the frameworks (2002/58/EC is under review and soon will be the turn of 95/46/EC) we need to make sure that we have a proper and mature debate about it. We cannot live in denial that nothing has changed and the framework is perfect. The framework directive is pre-internet era. That tells everything. It does not address adequately issues like digitization of information or the borderless information society or the plethora of data that may be personal, may be not-personal or may be personal in some circumstances.
Unless we strike the right balance in the rules we will put in place and focus on what needs to be protected, data protection might become increasingly unworkable, irrelevant and over-bureaucratic. We need flexible rules, not weak rules, but rules which can withstand the test of time, because one thing is certain in the information society era… πάντα [χω]ρεῖ καὶ οὐδὲν μένει» (Everything flows, nothing stands still), Heraclitus.