How do you strengthen a fundamental human right without diluting the basic principle and understanding of that right? How do you reinforce the right to privacy through a constant process of evolution and self-evaluation which does not threaten to undermine the right but yet enables the legal framework to keep up with developments in society and especially changes wrought by technology? This is not an unusual problem. This is a problem which every single policy expert and advisor faces in the privacy sector and it is one which I have lived with constantly since I first ventured onto the international arena and especially the intergovernmental sector in 1984.

When I was first appointed UN Special Rapporteur for Privacy in July 2015, I sat down and asked myself what I could learn from more than 30 years of experience in the field. Which are the special problems, what works and what does not work when it comes to protecting privacy? What should I pick as being a successful strategy in order to unite people behind common measures which could promote and protect privacy world-wide? This period of reflection led me to identify at least two possible complementary paths which I propose to explore in two separate blogs:

  1. Learning and defining by doing: getting around the problems of definition by agreeing on concrete measures which somehow address a particular privacy issue in a particular sector;
  2. Discussing the fundamentals of why privacy is important to us can, paradoxically enough, help us discover what is common, what unites us when we discuss privacy across cultures.

Ultimately, the conclusion is always the same: while some principles remain intact and useful, one cannot protect privacy in constantly changing circumstances by relying on old laws designed to handle old situations. Instead one must develop an on-going structured process which develops safeguards and remedies for a good many specific situations while remaining faithful to and inspired by a set of fundamental principles capable of continuous refinement.

A blended methodology explained in an anecdotal interlude

Over the past several months several people have asked me how and why I have come to formulate my thinking about privacy. It seems to be important to them to understand what may have been the formative moments which led me to now propose certain approaches and solutions. Now, it should be known that I hate talking about myself, much less writing about myself but given this interest I will make an exception and try, over a two-part blog, to share some experiences which have influenced me over the past quarter-century and more.

There are many reasons why I often count myself to be both lucky and privileged. I have sometimes been lucky enough, through an accident of history, to be the right person with the right idea at the right time. The merit for the timing then would certainly not be mine however good the idea may have been. I hope to be able to share some of what I learned in those circumstances later on in my writings. Moreover, I guess that I was often also the right person with the right idea at the wrong time i.e. when most other people were just not ready for that idea. That also taught me a lot about the importance of timing. More about that anon too. Finally, I am certain that some people would say that I was the wrong person with the right idea at the right time or indeed all the other permutations using the adjective “wrong”. Those cases taught me a lot about human nature and eventually even more about myself, both in those cases (a minority I trust) where others were right about my being wrong and especially those when others were wrong about my being wrong. In all of these cases I hope that I have learned from experience and I would like to share some of these experiences believing that others may draw the same lessons that I have.

Five accidents of history threw me into the work of the Council of Europe in five separate areas of activity between 1984 and 1996: legal data processing, data protection law, media law and freedom of expression, bio-ethics and cybercrime. I do not wish to be overly anecdotal but I should explain the context a bit further in order to understand the blended methodology that I developed during those formative years of my career. For most of the decade 1984-1994 I was only a part-time academic. Instead, and especially after defending my doctoral thesis in November 1986, I was a full-time practitioner in applied computing projects in the commercial sector while at the same time practising IT Law and also devoting substantial amounts of my time (sometimes between 30-40%) to inter-governmental policy making in the five areas mentioned above. The latter implied a total of several months a year for the best part of 15 years devoted to meetings in Strasbourg, Brussels and elsewhere working very closely with governmental and corporate legal, IT and sectoral experts from around the world in an effort to prepare legal instruments of various sorts which could help achieve harmonisation amongst the laws of up to 47 different European states in a given problem area. In the case of cybercrime the countries additionally included many from outside Europe including the USA, Canada, Japan, Australia and other members of the G20. I would like to think that this period of time was a baptism of fire in pragmatism tempered by the rigour that I could bring to the process from academic life while yet retaining the idealism inherent when working in a human rights context like that intrinsic to the Council of Europe.

In the end I discovered that, in many respects, governments were very much like my clients in the private and commercial sectors in the sense that what they were after is a remedy if they were grieved or a safeguard if they wished to avoid grief. I would have been useless to private and corporate clients alike in the same way that I would have been useless to governments if I were not capable of coming up with solutions which actually work in practice. If you have no idea as to what this type of inter-governmental work entails try to think of it in its simplest form: trying to work out safeguards and remedies which can be effective within and across borders and which would be the basis of solutions to issues which are acceptable to all countries around the table. With the benefit of hindsight, I can better realise today why I developed what is now more fashionably called a blended methodology, one which is neither purely academic nor purely heuristic-based, one which is not purely legal science-based nor purely IT science-based, one which partakes of many disciplines coming together rather than one which is based on one discipline alone blind to the perspectives and value of other disciplines. So, I suspect that it could be said that, in my constant search for practical but principled solutions I threw all my training and my experience into the blender of life and ended up with an approach which constantly quizzed realities with simple questions like: Does this make sense? Is this sensible? (which is a different question to the previous one). What is the range of solutions that can be proposed? How much does it cost? Can we have technical and procedural safeguards as well as legal ones? Where is and what is the evidence on which the proposed solution is based?

Learning and defining by doing: lessons from Europe

Europe may not always set a good example in some things but anybody examining European history in the 45 years since 1970 would find a very interesting case study of how Europeans caught the privacy bug from the United States and then set about trying to achieve something concrete by creating multiple sets of safeguards and remedies yet always deriving inspiration from and acting in the best interests to promote the fundamental right to privacy. The right to private and family life enshrined in Art 8 of the European Convention of Human Rights of 1950 is very close to Art 12 of the UN’s Declaration of Fundamental Rights and Art 17 of the ICCPR. Art 8 shares with Art 12 and Art 17 the common problem of not containing any binding definition of “privacy” or “private and family life” but then it benefits from a number of subsidiary initiatives which I shall here call “learning and defining by doing”. For the Europeans did not content themselves with Art 8 of the European Convention of Human Rights (ECHR). Nor did they content themselves with the protection afforded by the most successful supra-national mechanism of all time aimed at protecting the fundamental rights of individual citizens i.e. recourse to the European Court of Human Rights in Strasbourg (ECtHR). It is well worth noting that this mechanism extends its benefits to 47 European countries or approximately 25% of the nation states which are members of the United Nations, a total of 800 million citizens out of a global population of 7.3 billion and has seen over 100,000 individual cases being considered over the 60 years of the functioning of the ECtHR.

The European nations within the “Europe of the 47” – as distinct from the “Europe of the 28” i.e. the sub-set of the 47 which are also grouped in a separate club, the EU – are all signatories of the ECHR and were not satisfied with the level of the protection to privacy afforded by the basic wording of Art. 8 of the ECHR. Instead they sought to reinforce the protection of private and family life – as opposed to undermining it – by creating a new international treaty, the 1981 Data Protection Convention which is designed to protect the fundamental right to privacy through the enforcement of ten basic data protection principles. The process of creating the Data Protection Convention (also known as Convention 108) influenced and cross-fertilised with the process which led to the creation of the OECD 1980 Guidelines and would eventually hugely influence the creation and substance of EU legislation on the matter, the EU’s Data protection Directive 46/95. Did the Europeans stop there? Were they content with the creation of an international treaty – open to all countries of the world and not just European member states of the Council of Europe? No, they did not stop there. They then asked themselves the question “How best can we protect privacy through concrete safeguards and remedies in each particular sector where privacy may be at risk?”. At the Council of Europe, the Committee of Experts designated the CJ-PD, the inter-governmental Committee of Experts on Data Protection – the same committee that drafted Convention 108 as of 1976 – spent the next 25 years devising pieces of soft law called Recommendations dealing with different sectors since each sector presented its own particular issues. The CJ-PD also collaborated with other Committees to contribute to other work being undertaken by the Council of Europe in fields as diverse as Cybercrime and bio-ethics.

In order to understand why I may have been influenced by the efficacy of certain measures or to understand how I gained an insight into the processes that resulted in a mass of European initiatives in privacy protection it may be helpful to mention that it was in this way that, either as Vice-Chair or Chair of the CJ-PD between 1992 and 1998 or in the years before and after that period as Chair of the CJ-PD’s Working Party on Data protection in Insurance and Chair of the Working Party on Data Protection in New Technologies, or as a member of the Bureau of the CJ-PD or as Rapporteur to the CJ-PD, that I had the privilege to co-author, negotiate, review or otherwise participate in the drawing up or review of several legal instruments, many of which I am pleased to see having an effect around the world and not only in Europe. These include:

Recommendation No.R(2002) 9 on the protection of personal data collected and processed for insurance purposes (18 September 2002); Explanatory memorandum
Recommendation No.R(99) 5 for the protection of privacy on the Internet (23 February 1999)
Recommendation No.R(97) 18 on the protection of personal data collected and processed for statistical purposes (30 September 1997); Explanatory memorandum
Recommendation No.R(97) 5 on the protection of medical data (13 February 1997); Explanatory memorandum
Recommendation No.R(95) 4 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services (7 February 1995); Explanatory memorandum
Recommendation No.R(91) 10 on the communication to third parties of personal data held by public bodies (9 September 1991); Explanatory memorandum
Recommendation No.R(90) 19 on the protection of personal data used for payment and other operations (13 September 1990)
Recommendation No.R(87) 15 regulating the use of personal data in the police sector (17 September 1987); Report (2013); Evaluation reports: First report (1994), Second report (1998), Third report (2002); Explanatory memorandum
Recommendation No.R(86) 1 on the protection of personal data for social security purposes (23 January 1986); Explanatory memorandum
Recommendation No.R(85) 20 on the protection of personal data used for the purposes of direct marketing (25 October 1985)

Some of these Recommendations have aged better than others but the principles contained therein found their way into many European laws thus translating them from soft law into hard law. Perhaps the most dramatic example of this was Recommendation R(87) 15 about protecting personal data used for police purposes which quickly became the data protection standard for the Schengen Treaty and then became part of the acquis communautaire [1] of the EU by 1997 to the extent that any new countries becoming part of the EU after that date had to have those principles transposed into their national laws prior to accession (e.g. all the ten countries which became members of the EU in 2004).

I have called this approach “Learning and defining by doing” because it side-stepped many problems caused by the lack of an agreed definition of what privacy is. Instead it challenged member states and individuals to think about what behaviour and personal information they may value in a given sector whether we were dealing with medical data or insurance data or any other type of personal data indicated in the lists above and below. Through a process of intensive and continuous consultation with stakeholders be they from the insurance industry or the international community of statisticians etc., we would then identify how personal data would be put at risk and which are the safeguards we could devise and the remedies which would be sensible in such a situation. By discovering what is acceptable to all member states as a safeguard or a remedy we were often implicitly defining the boundaries to the right of privacy in a given situation in a specific sector. We were thus learning by doing. We would do a lot to devise a safeguard or a remedy and through that process, an intense international discussion, we would learn what we valued about private life in a given sector of activity. While doing so, we also naturally paid close attention to the continuously developing jurisprudence of the ECtHR which has really enabled us to put the intellectual meat on the bare skeleton that is offered by most instruments of international and European law. The Recommendations that we produced were therefore also in compliance with the jurisdiction of the ECtHR.

I did not personally participate in the drafting of the following more recent legal instruments but the strategy followed is the same one of sectoral protection which implements in further detail the principles of Convention 108 which in turn exists to further protect the basic principle spelled out in Art 8 of the ECHR.

Recommendation CM/Rec(2016)1 of the Committee of Ministers to member States on protecting and promoting the right to freedom of expression and the right to private life with regard to network neutrality
Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment; Explanatory memorandum
Recommendation CM/Rec(2014)6 of the Committee of Ministers to member States on a Guide to human rights for Internet users (Adopted by the Committee of Ministers on 16 April 2014 at the 1197th meeting of the Ministers’ Deputies)
Recommendation CM/Rec(2012)4 of the Committee of Ministers to member states on the protection of human rights with regard to social networking services
Recommendation CM/Rec(2012)3 of the Committee of Ministers to member states on the protection of human rights with regard to search engines
Recommendation CM/Rec(2010)13 of the Committee of Ministers to member states on the protection of individuals with regard to automatic processing of personal data in the context of profiling (23 November 2010)

Most of these legal instruments were used and continue to be used as points of reference by many countries when they come to introduce safeguards and remedies into their own legislation. They offer an example of how a consensus was arrived at after experts from 47 countries sat around a table, debated a subject over a period of many years, referring back constantly to stakeholders in their home countries and coming back to the European table to represent concerns from their colleagues back home. This is not an academic process but one from the real life world of international diplomacy and law making. It is a process which is to be admired for the extent to which it blends compromise with effective safeguards and common remedies. The results are often imperfect but remain extremely useful nevertheless. Since so many of the technologies are the same and the issues remain the same the natural question is “How many of the solutions devised in Europe could also be useful to other countries around the world?”. I learned a great deal from being able to participate in and contribute to these processes but, as will be seen in later sections, I was never satisfied with the European approach alone so I also adopted the rule of going round the world in order to try and find other approaches to privacy which could be useful globally and from which Europeans could also learn a thing or two. For a good idea is a good idea is a good idea, wherever it comes from.

Some of the lessons and many good ideas that I suggest that we take away from the European process of the last 45 years include:

  1. International legal instruments, both soft law and hard, are an effective mid and long-term strategy to improve privacy protection. They work relatively well and European experience proves that point. European standards of privacy and data protection are generally recognised to be amongst the highest in the world. They have been achieved largely due to the three-tier approach described above i.e. 1. Generic recognition of right; 2. Detailed enunciation of principles designed to give effect to right contained within a multilateral treaty and 3. Even more detailed sectoral legal instruments designed to give effect to the privacy protection principles in an ad hoc sector as diverse as medical data, police data, insurance data, statistical data, social security data etc. etc.
  2. You don’t need a universally agreed definition of privacy to have a useful legal instrument. What you need is a structured discussion that focuses on safeguards and remedies which then converts itself into a legal document which spells out the same safeguards and remedies. This approach gets people to focus on what’s important for them to protect without hang-ups about what type of privacy is already traditionally protected in their jurisdiction;
  3. International legal instruments can start off small scale at the regional level with only five countries or so around which others can coalesce. That’s the way Convention 108 started off and now close to 50 countries have ratified it and are therefore putting it into practice. If similar regional legal instruments are drawn up around analogous principles these could provide a ground-swell of harmonisation world-wide.
  4. For those regions of the world where a regional equivalent is unlikely for the time being, aspiring countries can also join Convention 108. For example, membership of Convention 108 would not be incompatible for APAC member states. Indeed, not only European countries have acceded to Convention 108. At the last count, out of 48 ratifications one is from Uruguay and another four non-European states are already being considered for ratification. It is too early to tell whether this is a trend but the EU’s latest legal instrument, the GDPR may actually make Convention 108 more attractive to those countries with ambitions to trade extensively with and within Europe. If and when a regional or indeed global legal instrument becomes available there is nothing which would stop them from being a party to that too. The 28 EU member states have all proved that they are capable of being fully paid-up members to two different Privacy clubs: the EU one and the CoE Convention 108 one. All other countries can do that too if it suits them…and I have not seen any convincing arguments which persuade me that it does not suit them. A good idea is a good idea is a good idea wherever it comes from…even if occasionally it comes from Europe.

[1] This is the body of the law of the EU as built up through accumulated legislation, legal acts, and court decisions.