It’s time for Europe”s data protection authorities to engage with the real world


 By Simon Davies

I won’t name names, but there are some data protection authorities (DPA’s) in Europe who need a swift kicking over their general attitude. Some of them are becoming increasingly timid, isolated and invisible to the public.

This can’t go on. If there was any moment for tenacity and strategic engagement, it’s now. But if the track record of some DPA’s was any guide, all is well on the data protection front and there’s no cause for concern. I wish this were so, but it clearly isn’t the case. Privacy is under sustained attack on all fronts, while the incoming Data Protection Regulation – the Great Protector of rights – is becoming an endangered species.

This trend has been evident for some years, but a recent unsettling experience prompted me to raise the issue now. I’d certainly be interested in hearing from anyone with other views.

Some of the DPA’s are becoming increasingly timid, isolated and invisible to the public.

I recently worked in a mid-sized EU country that’s currently facing tremendous privacy challenges. Government authorities there are lining up to brutalise protections, while the general population appears increasingly chilled about the collapse of their privacy rights. The spectre of terrorist attacks is never far from the PR channels of industry and government.

But where is this country’s national DPA in this dangerous conundrum? In terms of police and security powers, its profile is opaque at best. I looked at a summary of the office’s activities over the past six months and there are only one or two elements that offer any hope whatever. Yes, this DPA has engaged police and some authorities over intrusive technologies, but the language and process they use is sterile and uninspiring to anyone outside the legal realm.

This dynamic will not come as a surprise to any observer of this field. I’ve certainly become accustomed to hearing and reading DPA material that gives off the odour of a diplomatic communiqué rather than a call to action.

A key element of a DPA’s function is education and awareness-building – and you can’t achieve those ends just by hiring a PR firm to write a catchy slogan every two years. Being an educator involves every strand of what you do.

Anyway, back to the anecdote. As with other countries across the world, I started working extensively with local NGO’s and professional bodies. I presented public lectures and workshops, and worked toward practical projects that would help strengthen local privacy. 

Privacy is under sustained attack on all fronts, while the incoming Data Protection Regulation – the Great Protector of rights – is becoming an endangered species.

Now you might have imagined that the DPA of this (decreasingly anonymised) country would have been interested in such activities.  It seems not. From what I can tell, it never appeared once at any public event. Worryingly, no-one from civil society or professional associations ever proposed its involvement at any level or at any event. This indicates to me that this particular DPA has become remote to the extent that its relevance is now cripplingly limited.

This is not a good situation, so I reached out in an effort to meet the DPA. After a few days someone responded saying that no-one would be available at any time to see me. In other words, there was no interest in a meeting.

I must stress that this attitude is not universal among DPA’s. I recall visiting the federal privacy regulator in Canada a while back. More than forty of its officials crammed into a conference room to hear me talk about international developments and the work of civil society and privacy technologists in other countries. The Federal Trade Commission in Washington DC usually falls over itself in an effort to engage with international experts (though not as rigorously as in previous years). Ditto for Mexico.

I’ve never visited France, Germany, the Netherlands, Italy or numerous other countries without the local DPA’s making every effort to meet. Gosh, at one point the entire office of the Norwegian DPA travelled to London where it had arranged for me to lecture to them on the dynamics of global privacy.

So, to reiterate, this isn’t a slap aimed at the entire regulatory community. What I’m doing here is to warn that the DPA’s of some countries are letting down their citizens. If regulators become arrogant and isolated, they lose touch with the real world and end up feeding almost exclusively off their own decreasing circles of elite dialogue.

I haven’t had the opportunity to visit every EU country in recent times, but of the 23 I have had the pleasure of working with, the DPA’s of fourteen have been eager to engage. That ratio corresponds with the experience of some of my better travelled colleagues.

It’s not even a question of size and resources. I recently had tremendously valuable roundtables with both Slovenia (population two million and Estonia (population 1.3 million).

The warning shot here is that in an age of escalating public threat, the authorities responsible for data protection need to become privacy ambassadors and not merely legal technocrats. Many have focused too much on the importance of their quasi-judicial functions at the expense of their responsibility as advocates.