Policy Matters: Europe deadlocked over data protection reform

• John Burn-Murdoch
• theguardian.com, Monday 12 August 2013 16.48 BST

Viviane Reding, European commissioner for justice, fundamental rights and citizenship, has called for a swift conclusion to data protection negotiations. Photograph: Szilard Koszticsak/EPA

An EU parliament vote on amendments to data protection law has been postponed for the third successive time, with the impasse leaving citizens' rights inadequately protected.

MEPs had been set to decide whether to ratify the latest set of proposals in early July but the vote is now scheduled to take place in October, with a view to publishing the amended legislation before the European elections in May 2014.

The legislation in its current form is 18 years old and as a result has increasingly been found wanting in a number of areas, including the protection of personally identifiable information in light of recent industry developments.

The process was kicked off in January 2012 when the European Commission published its initial proposal. Since then, no significant agreements have been reached, fueling fears that the legal system simply cannot keep pace with technological change where data collection, analysis and storage is concerned.

"Over the past few months, there has been widespread discussion of a risk-based approach to data protection regulation, and some detailed exploration of the key elements of such an approach under the Irish presidency", said Bridget Treacy, partner and head of the UK privacyand cybersecurity practice at Hunton & Williams.

Foremost in recent discussions has been the need to consolidate definitions of differing levels of privacy risk; from personally identifiable records through to truly anonymous information.

One sticking point has been where information falls somewhere between these two extremes. The latest proposal includes an attempt to establish a third, intermediate classification, but this step is easier said than done.

A third way: pseudonymous data

"The Irish presidency's compromise text includes a definition of 'pseudonymous data', being personal data processed in such a way that the data cannot be attributed to a specific individual, without the use of additional information, provided the additional information is kept separately.

"Pseudonymous data would still be personal data, and subject to data protection law, but controllers might be exempted from certain obligations. The practical challenge, however, is to find an appropriate definition of 'pseudonymous data', which is an extremely complex task. It may not be possible", said Treacy.

Perhaps more problematic than the protracted process itself is the apparent lack of desire to define anonymous data.

In one recent example, a Harvard professor was able to re-identify almost half of participants in a genetics study by cross-referencing records from its results database with publicly available information. The whole re-identification process was done without individuals' names, and using only three pieces of data - gender, age and postal code.

"On the subject of anonymisation, there appears to be no real appetite to define this as a concept. That said, if data are anonymous, they cannot be 'personal data' and will therefore fall outside the scope of data protection law. True anonymisation is, however, difficult to achieve and it is often only temporary", said Treacy.

With algorithms getting better and better at matching data from one database to another using common or similar fields, some data sets may gradually migrate from anonymous, through pseudonymous, to personally identifiable.

This risk is exacerbated by the fact that experts believe many companies simply do not currently have the means to delete all copies of an individual record when duplicates are stored off-site, risking such data being left waiting to be discovered at a time when analytical capabilities are such that its subjects can be re-identified.

UK firms selling customer data

Earlier this year Barclays was revealed to be combining its customers' data with that of third parties, including - in theory - government departments, in order to yield more valuable information than could be extracted from their own databases alone.

Even when such data is anonymised, the creation of these super-databases brings with it its own inherent dangers. The more data feeds used for analytics, the richer the data that could fall into the wrong hands in the event of a breach.

Techniques such as topological data analysis are already providing data scientists with methods of grouping data based on inherent mathematical patterns, taking the bulk of the work out of human hands altogether.

The threat from non-EU governments and corporations

Another concern - that of whether EU courts will be able to hold non-European bodies to account - has been brought into the spotlight by theongoing revelations regarding government surveillance.

Angela Merkel and Viviane Reding, Europe's most senior justice officialhave both in recent weeks cited government and corporate collection of personal data in calls for a swift conclusion to data protection negotiations.

"I would find it helpful if the European council in October could speed up the work on this important matter," said Reding.

During an election debate last month on internet privacy Merkel named Google and Facebook as examples of companies that should provide information to European authorities on third parties where their customers' data is being sent.

Worries over extra-EU attacks on EU privacy have escalated to the extent that one security expert has stated his belief that the only way for European citizens to be free from fear of surveillance would be for European entrepreneurs to create an EU dot.com industry rivalling that of the US.

The revelations that several of the US' counterparts in the EU are engaging in the same or similar practices have perhaps shown such concerns to be misplaced, but the argument that a more self-sufficient online Europe would offer its citizens better protection than the current model will remain appealing until non-EU governments and corporations have a reason to fear EU data protection law.

Are cries for an EU dot.com industry to rival that of the US alarmist, or is this the only watertight solution to concerns over the online privacy of EU citizens? Join in the debate by commenting below or contacting me directly on Twitter @jburnmurdoch or @GuardianData

Source:

http://www.theguardian.com/news/datablog/2013/aug/12/europe-data-protection-directive-eu

Pirate Bay's 10th birthday is a milestone for internet freedom

• 
• • Loz Kaye
  • theguardian.com, Monday 12 August 2013 11.30 BST
  • Ten years on, the groundbreaking filesharing site is still an emblem of the debate over censorship and digital policy

Pirate Bay's first server is on display at the Technical Museum in Stockholm. Photograph: Scanpix Sweden/Reuters

An internet milestone has just been reached: Pirate Bay has passed its 10th anniversary. The iconic/notorious site (pick your adjective)celebrated with a party just outside Stockholm. Who knows, perhaps entertainment bosses were simultaneously weeping into their champagne and plotting new action against their favourite enemy. The filesharing hub is arguably the most famous of all sites providing access to torrent files and magnet links to allow peer-to-peer sharing. If that means nothing to you, it's like being able to swap those tapes you made of Radio 1 chart shows with anyone in the world.

While the dilemmas posed by filesharing are of course not new, the site has become emblematic of the two sides of the 21st-century data-sharing debate. In simple terms, there are two conflicting ideologies. For advocates of intellectual property, revenue and cultural value is created by restricting access to information. For internet freedom advocates, revenue and cultural value is created by opening up access to information. Obviously these two approaches are bound to clash with each other.

Given the last decade's copyright wars, it's amazing that Pirate Bay survived at all, not just because 10 is antediluvian in internet years. In the fight to retain control of the information flow, Pirate Bay has been the subject of site blocks, court cases, dramatic intercontinental manhunts and media controversy. Here in the UK, major ISPs were forced by an injunction in April 2012 to block access to the site.

It was the 2006 police raid on the Pirate Bay servers that was the "Stonewall moment" for digital-rights activists – when the state overstepped the mark and it was vital to fight back. The key realisation was that the internet isn't separate from society, and political action is necessary if key freedoms are to be defended.

The site itself can't be divorced from its cultural context, the hacktivist digital dissidence scene. Pirate Bay represents the punk music of the 21st century: while popular music is reduced to sugary talent-show fodder, online counterculture is noisy, rebellious and disruptive. The cool kids aren't writing lyrics, they are writing code. This is the heart of Pirate Bay's tenacity. It's no longer just about the service it provides, it's because Pirate Bay has come to symbolise web liberty for many.

This is well understood by the entertainment industry, and I've experienced it personally. Last year Music Week knew the BPI wanted to shut down the Pirate Bay proxy site that the Pirate party was running even before I received the BPI's letter.

This, to me, shows how empty the fight against Pirate Bay has become. The UK block only dented P2P for a matter of days. Politically, it's become evident governments are less willing to have digital policy hijacked by narrow corporate interests. In France the expensive Hadopi "three strikes" regime is being abandoned. Here, the Digital Economy Act's site-blocking provisions are to be dropped.

That's not to say there aren't significant challenges to digital rights. Activists warned that snooping on what people download would lend legitimacy to mass surveillance, that allowing site-blocking was a dangerous tool to give governments and that removing pirate-related search terms would lead to wider filtering. A suitable 10th-anniversary souvenir might be a "we told you so" T-shirt.

Those of us who were galvanised by the Pirate Bay crackdowns have moved on, focusing on the broader picture of internet surveillance, censorship and bridging the digital divide. Co-founder Peter Sunde called for the site to close, to allow something new to develop. If we can move on, so can others. It's time for the entertainment lobby to ditch attempts to clamp down on technological advances and abandon the tired pirate narrative.

Like it or not, Pirate Bay is a key part of internet history. So, let's join a rousing chorus of Happy Birthday. Oh wait, it's under copyright and the subject of a court case...