The meeting of the International Data Protection Commissioners is the major event on the privacy circuit.
The 20th annual meeting, held last month in Santiago de Compostela, Spain, even had its own postage stamp issued by the Spanish government to mark the conference. The conference itself was held in the Hostal de los Reyes Catolicos, billed as the oldest hotel in the world, dating back to the 16th century when it was a hospital for pilgrims.
This year's meeting had extra significance because it was the last before the European Union's data protection directive takes effect Oct. 24. Ulf Bruhann, the head of the Data Protection Unit of Directorate-General XV of the European Commission, spoke about the directive and its effects. Of course, other traditional data protection issues, like direct marketing and public records, also received some attention.
To those concerned that the flow of personal data to the United States and to other countries might cease on Oct. 25, Bruhann offered reassurance. He said that it will take time for EU Member States to pass the necessary legislation, for new advice to be issued to data controllers, and for data subjects to learn about new rights. Bruhann said that the full impact of the directive will be felt gradually throughout the world.
Bruhann also reported on discussions between the United States and the European Commission. High-level dialogues between commerce undersecretary David Aaron and John Mogg, the director general of DG XV (roughly the equivalent of a cabinet secretary) are ongoing. Bruhann took special note of the change in attitudes toward privacy in the United States, observing that public opinion polls, the Congress and Vice President Al Gore seem to agree that better privacy protection is needed.
Bruhann disclosed little of substance about the US-EC discussions, except to say that they include a search for a benchmark set of enforceable data protection principles. Companies that meet the standards would benefit from a presumption that they are a “safe destination” for personal data exports.
Bruhann is aware of the Federal Trade Commission's action against GeoCities for deceptive privacy practices on the Internet. Yet he cautioned against reading too much into this decision, noting that generalizations are difficult in a country characterized by a diverse patchwork of data protection mechanisms. This judgement is evidence of the EU's careful and knowledgeable assessment of privacy in America.
The United States was not seated at the conference table with the commissioners. A Japanese delegation had a place at the table even though Japan, like the United States, does not have a data protection office. No one I asked was able to explain why Japan had a seat and the United States did not. Despite its absence from the table, the United States made its presence known.
The United States has a tradition of embarrassing itself at meetings of the data protection commissioners. In the past, it sometimes accomplished that by not showing up at all. At one meeting, the U.S. delegation staged an apparent walk-out while an American law professor gave a speech criticizing privacy protections in the United
This year, the main U.S. representative maintained the tradition. Barbara Wellbery from the Department of Commerce was not on the agenda, but she made a last minute effort to obtain a spot on the program. Intervention by the U.S. embassy was reportedly unsuccessful in convincing the Spanish hosts to change the agenda, but others managed to wangle 10 minutes for her to speak.
Wellbery began with the familiar refrain that the United States does data protection differently than other countries. That is a fair point, but her explanation was painful. The first reason for the difference, Wellbery said, was “government excess.” The implication that data protection officials are “government excess” was lost on no one. What an undiplomatic comment to make in a room filled with government data protection officials!
Wellbery's second reason was the conflict between privacy and First Amendment values of free speech. This is certainly a reasonable point, but it was too late to recover from the initial gaffe.
Wellbery also managed to annoy some American corporate representatives who attended the conference. She mentioned Gore's plan to hold a dialogue with the states on the “problem” of public records. The use of the word “problem” was the problem. It was not a word used in the vice president's press release on public records. American companies that rely on public record information were unhappy to hear the issue described in that fashion. Foreign data protection authorities, however, later said that they were pleased at the recognition by the U.S. government of a public records “problem.”
The United States was only a minor distraction at the conference. If there was an overall theme, it was technology and the Internet. Most of the panels touched on these issues in some way. However, traditional issues like direct marketing and the use of public records were also discussed. A representative from the French data protection agency made the interesting argument that the absence of regulations restricting use of personal data would result in less information being available to the public and, presumably, to marketers. He cited the increasing number of people who have unlisted telephone numbers as an example.
The conference ended with a series of sessions closed to the public. One of those sessions was held in a hotel conference room known as the Room for the Terminally Ill, but anyone who takes that location as a metaphor for data protection is sadly mistaken. Data protection is alive and well in Europe and around the globe. The Room for the Terminally Ill is now located in a five-star luxury hotel, and that may be more symbolic of the ongoing success of the data protection movement.
Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation, and agriculture. His e-mail address is [email protected]