Privacy kills. Fish, this time.
The main difference between US and European data protection law is this: in the United States, laws are usually written to solve a particular privacy problem, whereas in Europe all personal data is broadly protected by a set of grand principles. Both privacy regimes produce plenty of unanticipated consequences and lots of what I’ve called privacy victims. But at least the American approach confines the privacy victims and the unhappy surprises to a few identifiable areas, like hospitals under HIPAA.
The European system casts its net far wider and thus drags in victims from every part of the sea.
Literally. The latest victims of Europe’s privacy laws are fish.
Here’s how it happened. To reduce overfishing in its waters, Europe has an elaborate regulatory regime that uses GPS and electronic signals to keep track of each fishing boat’s activities on the water. That data helps save fish in other ways; researchers trying to gauge the impact of fishing practices can now conduct detailed and fine-grained studies, down to how many boats spent how much time pursuing a particular school of fish.
Well, they could. Until the privacy police showed up, in the form of the European Data Protection Supervisor, Europe's head data protector. He pronounced himself shocked to discover that the fisheries records included the names of some of the crew members on the boats being tracked. That made the records personally identifiable information, and the whole creaking machinery of European data protection had to lurch into action to protect the rights of man.
Without ever asking what possible privacy harm the crews might suffer, Europe's chief privacy officer invoked the grand principles, demanding that the data be held for no more than three years and that it be used only for the purpose of regulating fisheries. This means among other things that it probably can’t be used to find “fishing” boats that are actually smuggling drugs or people – that’s not the reason the data was originally gathered, you see.
Academics took the limits on law enforcement in stride, but now they’ve discovered that the hook was baited for them as well. As the fisheries regulators flounder about, trying to implement pointless grand principles, they’ve begun anonymizing their data, so that instead of knowing which boats went where, researchers are simply told how many boats could be found in a particular patch of ocean at a particular time. Oh, and American researchers can probably forget getting even that much, since exports of this data to third countries will presumably depend on whether our fishing-crew-data-protection laws are adequate in European eyes. (And that won't be easy, since we never had a reason to adopt such laws.)
Fisheries researchers say that these limits will cripple the studies needed to achieve sustainable stocks of fish. They’ve begun a campaign of wailing, gnashing of teeth, and harsh articles in Nature. They’re appalled to find that they, and the fish, have fallen victim to an ill-considered data protection regime. But the head of European data protection is unmoved. The rights of man, after all, are at stake.
What lessons can we learn from Europe’s foolishness? I think the answer is simple: More privacy law means more victims of privacy law.
But in this case, there’s a second: The United States needs European-style data protection law like a fish needs a bicycle.
Photo credit: Wikipedia
UPDATE: Corrected link to EDPS opinion.
"More privacy law means more victims of privacy law"?
I'd rather say: "More poor understanding of privacy law means more unnecessary privacy-bashing".
Yes, Europe has "grand principles" regarding privacy and data protection.
That's because, unlike the US, we consider them fundamental human rights.
And rightly so, I might add.
But anyway, without having read the EDPS's opinion (your link is not to the correct document), in general:
- If you can demonstrate that it is really necessary to process the personal data, then this is often possible under current data protection rules, especially for research purposes. But are the data really necessary? Can't they be pseudonymized, for instance? Don't blame privacy laws for your own unwillingness to walk the extra mile required!
- If current data protection do actually prevent processing that is deemed necessary, a legal basis can usually be created.
In other words, you're cyring wolf.
Posted by: Koen Versmissen | Jun 12, 2012 at 05:16 AM
I've corrected the link so it goes to the proper EDPS opinion. You're correct that some Europeans consider data protection to be a fundamental human right. Simply calling something a fundamental human right, though, can't be the end of debate; it should be the beginning. I am pointing out the costs of treating something as malleable as privacy expectations as a fundamental right. You're also right that, in theory, there is a way to solve many of the problems created by the "rights of man" approach; all it takes is more time, more money, more hassle, and more lawyers. Of course, in the real world, anything that takes all those things to get done, doesn't get done. That seems to be what's happened here, where the solution chosen for anonymizing the data doesn't allow researchers to do the kind of detailed research they think is necessary.
Posted by: Stewart Baker | Jun 12, 2012 at 05:33 AM