
Hospitals Without Patients, and Data Protection Without Data Subjects: My Address to CPDP2015


One of my favorite episodes of the BBC series, Yes Minister, is called The Compassionate Society. The story revolves around a hospital in north London that has 500 administrative staff, but no medical personnel and no patients. When Sir Humphrey Appleby, the Permanent Secretary, is confronted by Minister Jim Hacker about this perplexing state of affairs, he defends the situation by listing all the essential functions that the administrative staff is performing: data analysis and research; finance; purchasing; technical services; building maintenance; personnel administration; liaison; cleaning and catering; contingency planning; and so on. It is one of the best run hospitals in the country, he insists. But there are no patients, Humphrey, Hacker pleads. That is what hospitals are for — patients, ill people, healing the sick. “First of all, Minister,” Humphrey replies, “you have to sort out the smooth running of the hospital. Having patients around would be no help at all. They would just be in the way.”

I have a similar reaction when I contemplate the 40-year debate on how to regulate the international transfers of personal data. We have guidelines, conventions and directives. We have binding corporate rules, cross-border privacy rules, and analyses of adequacy. We have model contracts. We have comparisons of transparency, consent, notification, security, access and correction principles. We have lengthy debates about the relative merits of country-to-country, versus organization-to-organization models. We have technical and management standards. We have accountability mechanisms, and complex models to ensure the interoperability of accountability mechanisms. There is now a plethora of domestic and international instruments, developed by many international regimes, all of which comprise the international governance of privacy.

But, with few exceptions, at least in cross-national contexts, there are few data subjects: few individuals actually participating in these processes; few complaints; and few real examples of the cross-national assertion and enforcement of privacy rights. We have brand new edifices of data protection, and few actually using them: data protection without data subjects; hospitals without patients.

The problem of “transborder data flow” was recognized as early as the 1960s in reports to the OECD, as was the interdependence of data protection law. And yet, in nearly 50 years you really have to look very hard to find instances where individual data subjects have successfully pursued their privacy rights against an organization that is based in a different jurisdiction. Certainly those rights exist in the abstract; rights to individual participation (access and correction, complaints, dispute resolution) exist in every set of principles (the OECD guidelines, the EU Directive and Regulation, Convention 108 from the Council of Europe, and the APEC privacy principles). And while individual rights may be used extensively, though variably, under domestic data protection laws against domestic organizations, it is rare to find data subjects exerting their rights against organizations that reside offshore. Where do we find the successful resolution of privacy grievances by a citizen residing in one country, against an organization based in another, and using the complaints investigation and resolution instruments of that second country? There are a few examples; but very few.

And yet the essence of the international personal data flow problem is that individuals should not lose their privacy rights just because their data is processed overseas. Despite the strong insistence from the EU Commission that redress mechanisms are a necessary condition of an adequacy ruling so that European citizens possess the same rights in other countries as they do in Europe, these rights seem very hypothetical.   I do not know of any research on the subject, but it seems very rare for data subjects to be able to assert their rights in international contexts, notwithstanding the recent flurry of “take-down” requests as a result of the Google Spain (right to be forgotten) ruling from the European Court of Justice.

In The Governance of Privacy (MIT Press, 2006), Charles Raab and I made a distinction between the privacy principles that confer obligations on the organization, and those that grant rights to the data subject. Considerable progress has been made in ensuring the former in a cross-border context; very little progress has been made on the latter.

If this premise is correct, then that begs the question: why? I want to offer four hypotheses:

  • The redundancy hypothesis — If the laws are solid, if the corporate compliance is secure, then individual participation is almost unnecessary.   This seems to be the assumption behind the use of the word protection or “safe harbour.”   The companies are trying to become compliant and accountable, and so no action is needed by the data subject. The individual is there, but ancillary.   If the law is adequate, then the individual is protected.
  • The globalization hypothesis — Several years ago, it was recognized that the assumptions about the simple bilateral transfers of data (data controller A in country A, transferring data to data controller B in country B) were a thing of the past, or at least rare. Transfers are global and multi-directional, between controllers and controllers and between controllers and processors, requiring commensurate responses. In this environment, it is impossible for any individual to track the source of risk or harm, and the organization(s) responsible. In this context, what is important is to build a string of rules that apply to every organization in the chain. This is the logic behind the Binding Corporate Rules (BCR) and Cross Border Privacy Rules (CBPR) systems.
  • The surrogate hypothesis — This idea would suggest that individuals are not out of the picture, they just now have surrogate advocacy groups that can increasingly be assertive and act on their behalf.   Unlike in the 1970s and 1980s, when data protection law emerged, there is now a network of privacy advocates and activists, which I documented in my book, The Privacy Advocates (MIT Press, 2008), who can step in. There are some important examples: Max Schrems’ cases on behalf of Europe v. Facebook;   CIPPIC’s complaints against Facebook in Canada; and EPIC’s cases against Google and Facebook.
  • The conspiracy hypothesis — These rules were never actually intended to help data subjects, but to help business. These instruments, therefore, legitimate surveillance, and are replete with so many complex and obscure exemptions that most individuals would give up (see the recent critique by Greenleaf, Waters and Connolly of the CBPR system and TRUSTe in the December 2014 issue of Privacy Law and Business International). The entire shaky edifice of international personal data protection has been constructed to advance the free flow of personal data, as much as to protect the privacy of individuals, and to mitigate corporate risk rather than to promote personal rights.

I think each of these ideas has some validity, and some inspire more optimism than others. And of course there may be other explanations. But what should be clear from this analysis is that the problem of the “invisible data subject” is present regardless of whether one is talking about regulatory, self-regulatory or co-regulatory mechanisms. So this is not an indictment of self-regulatory mechanisms like BCRs and CBPRs. I think the problem can stem as much from an emphasis on abstract legal rights, such as the formalistic analysis of the black letter of foreign data protection law that has characterized the “adequacy regime” of the 1995 EU Data Protection Directive.

It has been obvious for many years that we need adequate laws and accountable organizations; regulation and self-regulation.   There exists a complex package of international/domestic, regulatory/self-regulatory, technical/non-technical instruments all of which are necessary, and none sufficient.  Thankfully, our debates have advanced considerably beyond the sterile disputes about voluntary versus mandatory compliance that characterized the issue 15-20 years ago.  But, in conclusion,  I think the overall state of the international regulation of personal data is confronted by two paradoxes.

First, the country-to-country model is plagued by the false assumption that an assessment of law guarantees compliance; you can have unaccountable organizations in adequate countries. The “organization-to-organization model” (the accountability approach) is plagued by the dilemma that you can have accountable organizations in inadequate jurisdictions; and as much as companies might try to ensure good privacy management and corporate compliance, that cannot compensate for the weakness of legal enforcement and redress mechanisms that we see in many parts of the world.

Secondly, the more international data protection becomes tied with broader issues of international trade and larger global arrangements like the “Trans-Pacific Partnership”, the further it becomes removed from the rights of real individuals who are seriously at risk from the international transmission of their personal data: the victim of human trafficking; the person whose bank account is wiped out by identity thieves somewhere in the cloud; the victim of “revenge porn”; the individual whose faulty consumer credit file plagues his life; and so on.

Somehow the international conversation about the “smooth running” of the international personal data flow system needs to be reoriented so that the individual, rather than the corporation or the government, is at the center of the debate, and is not treated as a messy nuisance that would just get in the way. And it typically takes active involvement from consumer and privacy advocates (which is not always the case) to remind us that data protection rules are for data subjects, just as hospitals are for patients.

Going back to Yes Minister, at another point in this episode, Jim Hacker visits the hospital in question, and the  administrator boasts of all the fancy, shiny operating equipment in the hospital.   Doesn’t it appall you that it is not being used, asks the Minister. Oh no, very good thing in a way, comes the response.   It prolongs its life and cuts down running costs.

Panel: “Cross-Border Data Flows: Where do we Stand?”