Speaking at
a European think tank debate on privacy and featured in technology
law podcast OUT-LAW Radio, Hustinx
sparred with Google head of privacy Peter Fleischer, but agreed
with him that European privacy laws overall will need re-examining
in five years' time.
"I would expect that some five years down the road, we need to
see some changes in the existing framework," said Hustinx, the
European Data Protection Supervisor (EDPS). "Where? Not in the
principles, although some parts perhaps need to be revisited, my
emphasis would be we need more flexible arrangements to make it
work better, to make it more effective."
Hustinx went on to say that he would consider recommending the
adoption of some principles from the framework published by the
Asia Pacific Economic Co-operation body into European rules.
Fleischer went further in outlining why he thought European
privacy rules were outdated. "Data is flowing around the world all
the time in ways that were simply unimaginable back in, lets just
take 1980 as an example, when the OECD principles were first being
promulgated," said Flesicher. "The amount of data that is flowing
across borders today, a quarter century later, is millions,
millions of times greater than it was then."
"The internet, I think, is the most fundamental revolution in
data collection and data transfer since the development of the
printing press. If the most fundamental revolution in the last 500
years is not going to present some challenges to traditional
notions of data protection I do not think we are challenging
ourselves to think things through," said Fleischer.
Both men agreed that the rules governing the transfer of data
out of the EU needed work. They say that data can only be
transferred to countries with as thorough privacy protections as
the EU, in which case that country is deemed 'adequate'.
Fleischer pointed out that a simple credit card transaction
passed through six or seven countries and that the standards set by
Europe were extremely unlikely to be met by most of the world's
countries.
Hustinx, who is charged with overseeing European agencies'
transfers of data outside the EU, agreed that there were some
problems with the adequacy regime.
"We need to revisit the general legal framework," said Hustinx.
" I agree with Peter Fleischer when he says that the mechanism of
adequacy findings is probably too cumbersome, but this is what we
have now."
"We probably can do better. We need to make sure that we build
in more global privacy into these European frameworks," said
Hustinx.
Fleischer and Hustinx have been locked in a battle this year
over the retention of identifying information linking people to
their Google search engine queries. Google reduced the time for
which it keeps this data from an indefinite period to 18 months,
claiming that it is required to by the EU's Data Retention
Directive, which orders telecoms firms to keep call log data.
"That Data Retention Directive does not apply to content like
searching behaviour on the net," said Hustinx. "It does apply, to
some traffic data in e-mail but in terms of internet browsing
behaviour it is minimal indeed, so let us not be confused about
this."
Fleischer said that companies had to balance competing concerns.
"Data retention obligations for companies are not just about the
directives that we call data retention," he said. "Companies have
to keep things for all kinds of other reasons, tax reasons,
accounting reasons, because your customers like your advertisers
might come back to you and say, "Gee you just charged me €10,000
show me why". You have to have records."
Fleischer did express confusion, though, about exactly what a
company was supposed to do amidst the uncertainty. "Going
forward, data retention: who knows?" he said. "Who knows how
that is all supposed to work? And I do not mean to be flippant, I
am actually trying to figure it out, being one of the people it is
directed at."
