International: The culture wars of data protection
Polarisation is a defining word for our times. Opinions seem no longer informed by reasoned arguments but by a self-imposed blindness to see and understand other points of view. Politics are no longer about ideas, they are about tribalism. Amplifying the angry noise around us, social media has become the perfect channel for everyone to vent their rants, rally like-minded members of the tribe and seek to quash those on the other side. This phenomenon covers all aspects of our lives and is now visibly affecting the way we approach privacy and data protection. All laws are subject to interpretation and data protection law is not an exception. But more than ever, this area of law is being weaponised to support positions on issues that, as respectable as they may be, are having a disruptive effect on the very purpose of the law.
International data transfers are an obvious target in this conflict. State surveillance generates strong emotions and rightly so. When our freedom to communicate and interact with others is at risk, it is right to question the controls on the power of the state to access our data. However, the scrutiny of the lawfulness of global dataflows is currently adopting an absolutist approach that appears unaware of the fact that democracy is always a work in progress exercise. Fuelled by a distrust of the open economy, the rules that govern the way in which data can lawfully flow beyond Europe's borders are being interpreted in such extreme ways, that any efforts to protect such data are swiftly disregarded irrespective of the actual risk for our privacy.
Some of the strongest opinions on the use of data and privacy are also being voiced in the context of online targeted advertising. The recent decision by the Belgian data protection authority stating that IAB Europe acts as a data controller with respect to the individual's consent signals, objections and preferences captured by the Transparency and Consent Framework ('TCF') was carefully argued. This is an ingenious ruling that has hit the whole online advertising ecosystem with a single shot, and the repercussions need to be collectively addressed by all involved in it. But the way in which it was cheered by so many seeking the demise of the advertising that makes so much of the content available on the internet possible was aggressive to the extreme.
Speaking of extreme views, few issues are as divisive as Brexit. So when the UK Government announced its plans to reform the current data protection framework, many reactions followed the views on Brexit. At one end of the spectrum, a radical diversion from a law of such a marked EU pedigree as the GDPR cannot happen quickly enough. At the other, diverging for the sake of diverging is seen as another self-inflicted catastrophe. These stances are obviously incapable of seeing any merits in each other's arguments, but even more worryingly, they appear unwilling to think rationally about the pros and cons of any such reforms. Not necessarily because they are incapable of undertaking a rational assessment, but because the stance is already predetermined by the tribe to which one belongs.
Given these examples, is there any room left for rational discourse and debate in an area like data protection? Or have all relevant parties already taken a side in this culture war? Surely, this is too important a topic to be left unresolved. Perhaps, if we look at it properly, there is enough room to find a tempered middle ground where the right answers (and peace!) can be found. As far as the purpose of data protection law is concerned, the intention was never to stop the world, close the Internet and restrict progress. European data protection law has always been about enabling personal data to flow while protecting our rights and freedoms, particularly our privacy. There is plenty of room for manoeuvre within that premise to function in a globally connected way. International data transfers are not the enemy of freedom. Internet advertising is compatible with responsible data uses. And the GDPR itself can and should be interpreted in ways that are not in conflict with the information economy. Privacy and data protection are too precious to succumb to culture wars. We just need to see them as a responsibility and not a battlefield.
Eduardo Ustaran Partner
Hogan Lovells, London