Month: March 2012

In my name?

I don’t usually write personal blogs – but something’s about to happen that makes me feel I really want to write about.

My grandfather was JD Bernal – he was quite a famous figure in his day, a scientist of great reputation, one of the pioneers of X-ray crystallography and the mentor of amongst other Nobel Prize winners Max Perutz and Dorothy Hodgkin – his wikipedia page (here) is a reasonably accurate reflection of his life and significance. He was ‘one of Britain’s best known and most controversial scientists’ to quote that page. He was controversial primarily because of his politics – he was an unashamed communist, right until he died in 1971.

His political activism shaped his life – and his work. Some of his best writing was as much political as scientific – The Social Function of Science and Science in History give you a flavour of what he was interested in.

He spent the latter part of his career as a professor at Birkbeck – and after he died, there has been an annual ‘Bernal Lecture’ in his name. The speakers are generally either scientists or people with some connection with the kind of radicalism and progressiveness that my grandfather was associated with. Two years ago we had another Nobel Prize winner, Harry Kroto, last year Professor Jim Al-Khalili on the hidden history of Islamic Science.

This year, we had a surprise: a ‘hush-hush’ email arrived, telling us that the speaker was going to be a government minister, but that we weren’t allowed to know who, and shouldn’t tell anyone for ‘security’ reasons. At the best of times the idea of a government minister as speaker would be highly suspect – but this government? A government that has presided over some of the worst decisions for universities in living memory – and one that seems to regard education and science as only tools for generating cash and supporting business.

The speaker, it turns out, is David Willetts – ‘Two brains’ – and relative to others in the cabinet he’s probably one of the most open and the most interesting. It might at least be an interesting debate, a chance for the more radical people who still remember my grandfather to question government priorities – but no. We’re not allowed to know the title to his talk, he won’t be available for questions before or after or take questions during the talk. He won’t even have a chair or anyone to respond to his speech – just a tiny introduction. We’ll be expected to listen, applaud, and let him walk away doubtless surrounded by his ‘security’ people.

…and all this in my grandfather’s name. In my name. Frankly, I’m very disappointed by Birkbeck for allowing this to happen – and I’m not prepared to keep it confidential. The lecture is on April 17th, at 6pm, at Birkbeck. Tickets can be booked by eventbrite, here

I’d be delighted if people came – I’m not sure exactly how I’m going to ‘protest’, but I’m going to do something.

Truth and lies, policy and practice…

Last week it struck me that we were entering a new phase in the way that privacy is dealt with on the net. Two of the biggest players, Google and Facebook, have made significant shifts in their ‘privacy policy’ – shifts that have got some people up in arms.

I’m not going to go through the new policies in detail – lots of people have already done that, and in Google’s case in particular close legal investigation by the French data protection authority CNIL is underway. No, what interests me is something different. Is the biggest change in both Google and Facebook’s case actually something that we should be greeting with a little more positivity? Is it just that now they’re both telling a bit more of the truth? Showing a bit more of that transparency that we privacy advocates are always talking about?

Brutal Honesty

Taking Google first, the key change in their policy, it seems to me, is that they’re admitting to data aggregation. That is, they’re openly acknowledging – indeed in some ways trumpeting – the fact that they’re now bringing together the data they gather from all the various different google services, and using it together. Google has a vast array of different services, from search to gmail, their various ‘location’ services (Google Earth, Google Streetview, Google Maps etc), YouTube, picassa, and of course Google +, so from their own perspective this makes perfect sense. Many of us in the privacy field have suspected (or even assumed) that they’ve always been doing this, or something like it – and their previous privacy policies have been vague enough or ambiguous enough that they could be read to make this sort of thing possible. Now, it seems to me, they’re being more open about it – more honest, more transparent.

That, of course, doesn’t make it any more ‘legal’ or ‘acceptable’ as a policy. Indeed, I wouldn’t be at all surprised if the CNIL investigation concludes that the new policy breaches EU data protection law – but, in reality, I wouldn’t have been at all surprised if the old policies, if investigated properly, had been in breach of EU data protection law. Even more pertinently, as I shall suggest below, I wouldn’t be at all surprised if Google’s practices, rather than they policies, were in breach of data protection law. They may well still be….

Moving on to Facebook, there is a bit of a hoo-haa about their changing the name of their ‘privacy policy’ to a ‘data use policy’. Again, it seems to me, this is actually a bit more honest, a bit more transparent. Facebook’s policy was always to use your data. Indeed, that’s the whole basis of their business model – and why we get to use Facebook for free. They give us the service, we let them use our data. For Facebook to admit that is a good thing, surely? If they’re more honest about what they do, we can make better informed decisions about whether to use them or not. If there is anyone out there who uses Facebook and doesn’t realise that Facebook are using their data – then they should be picked up and shaken, and told!

Facebook’s policy is to use your data, not to protect your privacy – isn’t it better to be open and say that?

Google’s policy is to aggregate all of your data – isn’t it better for them to be open and say that?

Policy and Practice

Finally, it should be remembered that policies are just words – what really matters isn’t what companies like Google and Facebook say they’re doing, but what they actually do. Very few people read privacy (or data use!) policies anyway. We don’t want companies to think changing privacy policies is a matter of good legal drafting – but a reflection of changing the way they actually operate, how they actually gather, hold and use our data, how they monitor us, profile us, target us and so forth.  I hope that the investigation by the CNIL looks properly at that – and that the regular FTC privacy audits of both Facebook and Google do the same. I wouldn’t say I’m exactly optimistic that they will…

….at least not this time. However, I do suspect that the increase in awareness about privacy issues by both individuals and authorities is one of the reasons that policy and practice may be getting closer. Facebook and Google seem to be being more honest and open about how they deal with privacy – because they are realising that they may have to be. We’re starting to at least try to hold them to account. That must be a good thing.

Once upon a time in Mexico…

A new and disturbing law has almost made its way through the system in Mexico, awaiting only Presidential assent. Under this law, the police would be able to use a mobile phone’s geolocation system immediately, and without a warrant, in order to find that phone (see http://humanrightsgeek.blogspot.co.uk/2012/02/la-inconstitucionalidad-de-la.html – in Spanish, but translatable, and the excellent EFF’s blog https://www.eff.org/deeplinks/2012/03/mexico-adopts-surveillance-legislation ).

The law has been brought in, as I understand, to combat kidnappings, primarily of the children of prominent and influential people – and in many ways it is a classical response to a threat, echoing the various laws that justify intrusion and surveillance to combat the threat of terrorism, from the USA PATRIOT Act downwards.  The law, so far, seems to have passed through the parliamentary system without much resistance, and with huge majorities in votes. In that sense, in the eyes of the powerful at least, it seems to be very popular. And yet it sends shivers down my spine, for a number of reasons.

The first is a theoretical concern: any additional surveillance, any additional privacy-intrusive technology or law should be considered very carefully before bring brought in. When I first heard this story, it brought to mind the words of cybersecurity expert Bruce Schneier, writing in 2010: “It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers say, these systems cost too much and put us all at greater risk.”

What Scheier said about technology (which is excellent advice, though it seems to be consistently ignored) is equally – and perhaps even more perniciously – true about laws. It is very, very bad civic hygiene to enact laws that could be used to facilitate a police state. In the case of this Mexican law, the ‘police state’ analogy is much closer than in many situations. This doesn’t just make a police state a possibility – on the surface at least it provides the police with an exceptionally powerful tool, with almost no checks and balances.

The second is much more immediately and practically dangerous. As someone who works in the field of privacy and the net, I am all too aware of another story that has been coming out of Mexico over the last year or two: the way that at least four Mexican bloggers have been brutally murdered – decapitated – apparently by the drugs cartels. The bloggers try to work anonymously, but somehow the cartels locate them and kill them. Geolocation might have been used – it is hard to know – but providing another tool to the cartels would seem to put the crucial blogging community at even more risk. By putting a tool in the hands of the police, there is a more than theoretical risk that this tool will be able to be used by the cartels.

These two thoughts – one more theoretical, the other highly practical – are intrinsically linked. The practical risk is a prime example of why the theoretical consideration is important. If we build these systems, and set in place these laws, we need to consider the implications no just insofar as the technologies and laws are ‘intended’ to be used, by the ‘good guys’, but look at what might happen, how they might be used by the ‘bad guys’. Those ‘bad guys’ might be as obviously ‘bad’ as the drugs cartels in Mexico, but they might equally be governments wishing to suppress what they think of as ‘disorder’ but the participants think of as their right to free assembly, to free expression. In the UK, for example, a protest against the government plans for our health service is being planned and the police are concerned about potential disorder, wouldn’t it be nice for the police to be able to track the key organisers? The possibilities and implications are huge…

This is a key moment. If they do this in Mexico, where will it happen next? Law-makers and police forces worldwide may be watching events in Mexico with a great deal of interest.

Free expression needs privacy!

The Nightjack saga – and particularly its most recent dramatic episode, Lord Leveson’s scorching interrogation of veteran Times legal manager Alastair Brett – has been compelling stuff. I am looking forward with great interest to the forthcoming article from David Allen Green (blogger Jack of Kent), due in the New Statesman on Monday, possibly including quotes from Nightjack himself.

I’m not going to rehash the saga – not least because David Allen Green will be producing something far, far better than anything I could. What I am interested in, however, is one of the underlying issues: the relationship between free expression and privacy. It is often thought that privacy is an enemy of free expression – blogger Guido Fawkes, for example, told the Parliamentary Joint Committee on Privacy and Injunctions that ‘privacy is a euphemism for censorship’. From his point of view it is easy to see that argument: celebrities (and in particular a number of Premier League footballers) have invoked privacy law to attempt to get injunctions to prevent publication of stories concerning their private lives. You don’t have to be a gossip columnist to consider that such actions might be seen as censorship.

That, however, is just part of the story. Privacy, like so many things, is a double-edged sword: the Nightjack saga shows that all too clearly. Nightjack was a blogger, a police ‘insider’ – and in order to get his stories out into the world, he needed to be able to protect his identity. He needed to be able to control who knew what about him – and that, ultimately, is what privacy is about. Having some control – albeit inherently limited – over what information about you is made public, and what remains private.

For Nightjack, losing that privacy meant losing his online identity: ‘Nightjack’ effectively ceased to exist. Anonymity (or perhaps more accurately pseudonymity) was crucial to his functioning as a blogger. For other bloggers, losing anonymity means losing much more – at least four Mexican bloggers have been brutally killed by the drug cartels about whom they have been writing.

In all kinds of situations this kind of privacy is crucial, from those combatting oppression to those threatened by abusive spouses, whistleblowers – and for others though the need isn’t so obviously crucial, anonymity or privacy allows them the freedom to talk about things that matter, not just to them but to us all. I’ve ‘met’ a number of people like this on Twitter, and have learned a huge amount from them both from their tweets and their blogs, things that they wouldn’t have felt so free to say if they had feared that they might be identified.

That’s the key. If we want to encourage people to speak freely, if we want to learn about what’s really happening in a whole range of situations, we need to give people not just the space and the opportunity to express themselves, but the protection that will give them the confidence to do so. We need to give them privacy… that way we’ll get more free expression.

Twitter/DataSift – an early ICO response

I’ve just received a response from the ICO to my initial question about whether or not they were investigating the Twitter/DataSift issue (about which I’ve just blogged here)

This is the full response (set down here with the permission of Dr Simon Rice of the ICO)

————————————————

Paul,

David Smith passed on your email regarding Twitter/DataSift.

The ICO is aware of an arrangement between Twitter and some third-parties which permits access to a greater volume of Tweets than would normally be accessible through the website or API. Insofar as they are required to comply with UK law both Twitter and these third-parties would need to ensure that they remain compliant with the DPA and PECR for the processing undertaken with such data.

The report linked to from your blog suggests that the data is used for purposes of thematic analysis and not for direct marketing or otherwise attempting to identify the users of the Twitter accounts. This is important because clearly a third party learning that I might be interested in their products and marketing me on that basis still needs to comply with the rules on marketing and still needs to justify why they are holding personal data relating to me; on the other hand, a third party which analyses the mass of tweets to infer that their efforts are best focussed on a particular demographic or geographical area might not face the same compliance problems. Then, of course, there are the mass of third parties whose activities lie somewhere in the middle.

The privacy policy at http://twitter.com/privacy does state that the sharing of non-personal data may take place and we would expect Twitter to comply with this. However, if you are aware of evidence that is contrary to this understanding then of course please do not hesitate to let us know.

I you have any further questions please feel free to get in contact.

Regards,

Simon Rice

Dr Simon Rice Principal Policy Adviser (Technology)

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

————————————————

I would welcome any responses – but it seems to me that we would need to see the details of the agreement between Twitter and DataSift (and any other subsequent agreements) to see whether they meet the requirements of the ICO as set out in the letter. There’s more to investigate here – I will be interested to see how DataSift might be able to guarantee that they will only be using the data for thematic analysis rather than direct marketing, and have written to DataSift to ask that question.

Dr Rice has asked that anyone contacting the ICO directly should use the usual ICO website or helpline (see https://www.ico.gov.uk/Global/contact_us.aspx)

In praise of the ephemeral!

Like many people who spend a lot of time (perhaps far too much time) using Twitter, the recent revelation that Twitter was ‘partnering’ with data-mining company DataSift to ‘unlock’ their tweet archive made me distinctly uneasy. The idea was presented as something essentially beneficial – unlocking an archive sounds like a ‘good’ thing, getting benefits from what is ‘public’ information (because Twitter’s terms and conditions say quite clearly that the default position for a tweet is that it is ‘public’).

Why, then, do I feel nervous about it? Privacy campaigners reacted badly to the idea. Privacy International said: “Twitter has turned a social network that was meant to promote real-time global conversation into a vast market-research enterprise with unwilling, unpaid participants,” while the Electronic Frontier Foundation described the idea as ‘creepy’.

To my mind, both are right. Yes, the information is public, but for me the nature of twitter – the joy of twitter – is that it is spontaneous, instinctive, current and instantaneous. When I tweet, I tweet in the moment – and almost all the best tweeters work mostly like that. Pre-prepared, marketing, political tweets are generally as dull as dishwater – which is why such excellent hashtags as #tweetlikeanMP are so effective, showing up the lack of honesty, spontaneity and creativity in the tweeting of most of our politicians.

I may be unusual – after all, I don’t follow the likes of Lady Gaga or Justin Bieber as many millions do, and only follow a handful of MPs – but I don’t think I’m that unusual. I like the ephemeral nature of Twitter, the fact that something I tweet one day will be all but forgotten the next day – indeed, something I tweet one hour will be mostly forgotten even an hour later. Setting up a twitter ‘archive’ puts that spontaneity at risk.

Anyone who works in the privacy field must be familiar with the idea of the Panopticon. Bentham’s concept was of a prison, set out in a circular form, in which at any moment the occupant of a cell could be observed. The key point was that the possibility of being observed was intended to alter the behaviour of the prisoner. If they know they might be seen at any time, they would control their own behaviour – they would be naturally constrained, and not behave badly. The logic of the Panopticon lies behind many of the most privacy-invasive policies both online and in the ‘real’ world – ever-present CCTV cameras, constant monitoring of web-traffic and so forth. It makes sense, however, only when you want to restrict the behaviour of people. It curtails freedom, stifles creativity, crushes spontaneity. That might be necessary to control potentially violent and dangerous prisoners – but in a ‘free society’ it is disastrous.

For real freedom of action, for real freedom of expression, you need the reverse of the panopticon. You need people to feel free to speak, to write, to express themselves without the feeling that anything and everything you might say or do might be written down, quoted back at you (often out of context), manipulated and misused. You need to know that making mistakes won’t be fatal – that you can correct yourself and clarify your comments and not be treated as some kind of hypocrite.

Right now, on the internet, Twitter is one of the few places where that kind of freedom feels possible. Digital memory is all too eternal – Viktor Mayer-Schönberger’s excellent ‘Delete’ talks eloquently of the benefits of forgetting in the digital era. Mayer-Schönberger’s concept of data with expiry dates may be difficult to bring into reality – but Twitter has, to date, been one of the places where in a practical sense it almost happens. That is something worth celebrating, something worth preserving. The Twitter/DataSift deal, and others like it, put it at risk. For me, it puts the whole benefit of Twitter at risk.

If I want something to be archived, to be used as a reference, I’ll put it in a blog like this one – there are plenty of places where the eternal nature of internet data storage is possible. There are very few where the benefits of the opposite, the joys of the ephemeral shine through. Twitter is one. I hope Twitter itself realises this – and changes its direction.

Time for a change?

I attended the Westminster eForum this morning. The subject was the new Data Protection Framework, and there was a stellar cast of speakers and panellists, from the estimable Peter Hustinx (the European Data Protection Supervisor), the MoJ’s Lord McNally and the ICO’s David Smith to representatives of Facebook, Google, the online advertising industry, computer security experts Symantec, Which, and top lawyers Allen and Overy..

Most of the forum was fairly predictable – strong and excellent stuff from Hustinx defending the new framework, even suggesting it might not go far enough in some places, to the expected (if carefully worded) attempts to undermine it from the politicians and most of the business people. The latter were generally disappointing in one particular way: very few of them seemed to grasp the ultimate purpose of the regulation, or the real reasons for its existences. They didn’t seem to have asked themselves two key questions: why has this regulation come about in the first place, and what is its underlying purpose?

Why has this regulation come about?

The two are of course linked – and missing the point of both is similarly linked. So why has this regulation come about? Well, we heard a lot of history this morning, all about how much had changed since the original data protection regime came into existence in 1995. All of it was undoubtedly true – the internet as it now exists was close to inconceivable back in 1995, and what we do now both as individuals and as businesses has completely changed. Is that why the regulation needed to change? In a way, of course it is – but thinking along those lines is missing the bigger point. Why was data protection regulation needed in the first place, back in 1995, and what was its intention then?

Ultimately, there were (and still are) two purposes. As Hustinx and other (including an excellent intervention from Douwe Korff) stressed, it is about what we (in Europe at least) consider to be fundamental rights. Ilias Chantzos of Symantec made the point that the original intention was to enable better cross-border data flow – and indeed it is clear that both are the case. Fundamental rights need protecting, and data needs to be allowed (or even encouraged) to flow, but in accordance with those rights.

All that is well and good – but still begs the underlying question: why was data protection needed? Regulation generally comes about because there is a problem – and that is the case here.

The problem was twofold: that data was not flowing as freely as it should had been, and that fundamental rights were not being protected. In particular, privacy was not being respected.

What has changed in the intervening period? Well, there doesn’t seem to be as much of a problem of data flowing as there used to be – but there’s still a problem of privacy not being respected. That, more than anything else, is what lies behind the need for the new regulation. That’s why the regulation is tough. If there aren’t big problems, there’s no need for tough regulation.

We have a tough regulation here – because there ARE big problems.

How do you comply with regulation?

This is where the real problem seemed to come for me. All the businesses want to know how to comply with regulations – but they don’t seem to understand the real point. These kinds of regulations aren’t really supposed to be about ticking boxes, or finding the right words to describe your activities in order to comply with the technical details of the relevant laws. Nigel Parker from Allen and Overy gave a very revealing and detailed picture of how he had to navigate some of his multi-national clients through the complexities of the different international regulations concerning data protection – but he seemed not to want to offer one particular piece of advice. He didn’t seem to want to tell his clients that they might well have to change what they do – or perhaps even decide not to do it.

The purpose of the very existence of these regulations are to make businesses (and governments) change what they do, or at least how they do it.

Changes!

Protecting fundamental rights when those rights are being infringed does not mean filling boxes or writing reports. It means changing what you do. Let me repeat that. It means changing what you do.

The approach to regulations seems generally to be more like ‘we’re going to do this, now help us comply with the regulations’ than ‘what do the regulations suggest is inappropriate – let’s not do them’. That’s not the real point – the point is that compliance should come by doing the right thing, not by trying to shape your ‘wrong’ thing into a form that ticks the boxes. Only the impressive Anthony House from Google seemed to grasp that – and suggest that Google wants to do the ‘right’ thing about privacy not because the law says it should, but because it’s a good thing to do, and because its users want these kinds of things. Whether Google are actually doing this is a slightly moot point – but he did seem to understand.

Change is hard, everyone knows that – but the first stage is recognition that change is necessary. If you find that your business, or your government department, can’t seem to comply with the regulations, don’t complain about the regulations – ask yourself why your activities don’t seem to comply. Could it be that you need to change? It could, you know, it could….

Infamy, Infamy, they’ve all got it in for me!

“Beware the Ides of March!”

These are strange times for a company who does no evil. The top people at Google must feel at times as though everyone’s got it in for them. Google already faces 20 years of privacy audits from the FTC in the US and is under fairly continuous attack by regulators in Europe – as I blogged last week, Commissioner Reding in particular seems ready to rumble. More that that, it is facing almost unprecedented and aggressive advertising and lobbying from its competitors – Microsoft in particular seems to be trying to ‘smear’ Google, as one noted blogger has put it. Google’s new privacy policy, officially in place since 1st March, has come under attack from almost everyone – not just the various regulators and their competitors but a whole range of privacy advocacy groups. Google are under attack from the top to the bottom – in the UK, privacy campaigner Alexander Hanff has launched a small claim against Google, effectively asking for his money back for the Android phone he bought before the privacy policy came in. On top of all this, the latest revelations that apps on the Android platform can access your calls and texts has sent waves of dissent and anger around the web.

Why does it look as though everyone has got it in for Google? Jealous competitors trying to bring down them down for purely selfish reasons? Sniping privacy advocates missing the point? Overzealous regulators trying to catch the biggest fish? After all, Google are the good guys! As they see it, they’ve been open and honest about their privacy policy, giving people plenty of warnings that it was coming in – far too many for some. I’ve lost count how many times they’ve tried to tell me all about it in various ways. Also from their perspective, the problems with Android are just a side effect of their ‘openness’ – compared to the ultra-controlling Apple, they give app developers plenty of freedom. As for the European regulators, well we all know they’re crazy, and their right to be forgotten is just an excuse for censorship – all Google are doing in opposing them is fighting for freedom. Excessive regulation could “stifle innovation and stall foreword progress” as Google Executive Chairman Eric Schmidt warned last week.

Are Google right and everyone else wrong? I can see their perspective – and have some sympathy with them in some ways. The glee with which their competitors have leapt upon the privacy policy furore isn’t exactly edifying, and I can’t say that I would trust Microsoft or Facebook any more than I would Google – and even the previously relatively ‘clean’ Twitter has seriously blotted its privacy copybook by selling its tweet archive to data-miners Datasift. It’s also true that European regulators can seem to have a tendency to use a sledgehammer to crack even a small nut….

….but from my perspective, at least, there’s something in each of the complaints, and the way that Google seems to be dealing with them doesn’t exactly seem positive or productive. They’ve come out fighting, complaining about regulation without seeming to ask why that regulation has happened. Regulation doesn’t come from a vacuum – if it did, it wouldn’t get support, even from the most zealous of bureaucrats. Regulation arises in reaction to a problem – sometimes it causes problems of its own, sometimes it is over the top, sometimes it misses the point, but it unless there’s a problem there to start with the regulation won’t get even close to becoming reality. Here, there IS a problem, and if Google wants to stop everyone having it in for them they need to start by recognising the problem and starting to address it. If Larry Page wants to stop excessive regulation from stifling innovation and stopping forward progress, he should know what to do.

Why did Caeser meet his doom on the Ides of March? Was it the jealousy of all those around him, each wanting to stick the knife in? That certainly seemed to contribute – but it probably wasn’t the main reason. Everyone had it in for Caesar because he’d become a tyrant. He’d stopped listening. If Google wants things to change, it has to start by changing itself. It has to understand why people are bothered by all the things it has done – and do something about them.

From a privacy perspective, Google stands at a crossroads. There have been signs that it had started to ‘get’ privacy – Alma Whitten in particular seems to have a real understanding of the issues – but at the same time there is still a sense that they want to ride roughshod over everyone’s objections. If Google choose the ‘privacy direction’, they could play a key part in shaping a more ‘privacy-friendly’ internet. They seem at times as though they’re floundering – privacy could be a chance for them to find a new role, one which would get the support, rather than the opposition, of a great many people.

P.S. For anyone that doesn’t recognise either the title of this post or the picture, it’s from that prime example of fine British film-making, Carry On Cleo. If you haven’t seen it – do!

Ready to Rumble?

This morning I attended a lecture given by European Commissioner Viviane Reding – and I have to say I was impressed. The lecture was at my old Alma Mater, the LSE, with the estimable Professor Andrew Murray in the chair, and was officially about the importance of data protection in keeping businesses competitive – but in practice it turned about to be a vigorous defence of the new Data Protection Regulation. Commissioner Reding was robust, forthright – and remarkably straightforward for someone in her position.

Her speech started off by looking at the changes that have taken place since the original Data Protection Directive – which was brought in in 1995. She didn’t waste much time – most of the changes are pretty much self-evident to anyone who’s paid much attention, and she knew that her audience wasn’t the kind that would need to be told. The key, though, was that she was looking from the perspective of business. The needs of businesses have changed – and as she put it, the new regulation was designed to meet those needs.

The key points from this perspective will be familiar to most who have studied the planned regulation. First and foremost, because it is a regulation rather than a directive, it applies uniformly throughout the EU, creating both an even playing field and a degree of certainty. Secondly, it is intended to remove ‘red tape’ – multinational companies will only have to deal with the data protection authorities in the country that is their primary base, rather than having to deal with a separate authority for each country they operate in. Taken together, she said that the administrative burden for companies would go down by 2.3 billion Euro a year. It was very direct and clear – she certainly seems to believe what she’s saying.

She also made the point (which she’s made before) that the right to be forgotten, which has received a lot of press, and which I’ve written about before (ad nauseam I suspect), is NOT a threat to free expression, and not a tool for censorship, regardless of how that point seems to be misunderstood or misrepresented. The key, as she described, is to understand that no rights are absolute, and that they have to compete with other rights – and they certainly don’t override them. As I’ve also noted before, this is something that isn’t really understood in the US as well as it is in Europe – the American ‘take’ on rights is much more absolutists, which is one of the reason they accept as ‘rights’ a much narrower range of things that most of the rest of the world.

I doubt her words on the right to be forgotten will cut much mustard with the critics of the right on either side of the Atlantic – but I’m not sure that will matter that much to Commissioner Reding. She’s ready for a fight on this, it seems to me, and for quite a lot else besides. Those who might be expecting her to back down, to compromise, I think are in for a surprise. She’s ready to rumble…

The first and biggest opponent she’s ready to take on looks like being Google. She name-checked them several times both in the speech and in her answers to questions. She talked specifically about the new Google privacy policy – coming into force today – and in answer to a question I asked about the apparent resistance of US companies to data protection she freely admitted that part of the reason for the form and content of the regulation is to give the Commission teeth in its dealings with companies like Google. Now, she said, there was little that Europe could do to Google. Each of the individual countries in the EU could challenge Google, and each could potentially fine Google. ‘Peanuts’ was the word that she used about these fines, freely acknowledging that she didn’t have the weapons with which to fight. With the new regulations, however, they could fine Google 2% of their worldwide revenue. 560 million euro was the figure she quoted: enough to get even Google to stand up and take notice.

She showed no sign of backing down on cookies either – reiterating the need for explicit, informed consent whenever data is gathered, including details of the purposes to which the data is to be put. She seemed ready for a fight on that as well.

Overall, it was a combative Commissioner that took to the lectern this morning – and I was impressed. She’s ready for the fight, whether businesses and governments want it or not. As I’ve blogged elsewhere, the UK government doesn’t share her enthusiasm for a strengthening of data protection, and the reaction from the US has been far from entirely positive either. Commissioner Reding had a few words for the US too, applauding Obama’s moves for online privacy (about which I’ve blogged here) but suggesting that the US is a good way behind the EU in dealing with privacy. They’re still playing catch-up, talking about it and suggesting ideas, but not ready to take the bull by the horns yet. We may yet lead them to the promised land, seemed to be the message…. and only with her tongue half in her cheek.

She’s not going to give up – and neither should she, in my opinion. This is important stuff, and it needs fighting for. She’s one of the ‘Crazy Europeans‘ about which I’ve written before – but we need them. As @spinzo tweeted to me there’s ‘nothing more frightening than a self-righteous regulator backed by federal fiat and federal coffers’ – but I’d LIKE some of the companies involved in privacy invasive practices around the net to be frightened. If they behaved in a bit more of a privacy friendly way we wouldn’t need the likes of Commissioner Reding to be ready to rumble. They don’t – and we do!