Privacy law rots from the head

Privacy kills.  Fish, this time.

The main difference between US and European data protection law is this: in the United States, laws are usually written to solve a particular privacy problem, whereas in Europe all personal data is broadly protected by a set of grand principles.

Both privacy regimes produce plenty of unanticipated consequences and lots of what I’ve called privacy victims. But at least the American approach confines the privacy victims and the unhappy surprises to a few identifiable areas, like hospitals under HIPAA. The European system casts its net far wider and thus drags in victims from every part of the sea.

Literally.  The latest victims of Europe’s privacy laws are fish.

Here’s how it happened. To reduce overfishing in its waters, Europe has an elaborate regulatory regime that uses GPS and electronic signals to keep track of each fishing boat’s activities on the water. That data helps save fish in other ways; researchers trying to gauge the impact of fishing practices can now conduct detailed and fine-grained studies, down to how many boats spent how much time pursuing a particular school of fish.

Well, they could.  Until the privacy police showed up, in the form of the European Data Protection Supervisor, Europe’s head data protector. He pronounced himself shocked to discover that the fisheries records included the names of some of the crew members on the boats being tracked. That made the records personally identifiable information, and the whole creaking machinery of European data protection had to lurch into action to protect the rights of man.

Without ever asking what possible privacy harm the crews might suffer, Europe’s chief privacy officer invoked the grand principles, demanding that the data be held for no more than three years and that it be used only for the purpose of regulating fisheries.  This means among other things that it probably can’t be used to find “fishing” boats that are actually smuggling drugs or people – that’s not the reason the data was originally gathered, you see.

Academics took the limits on law enforcement in stride, but now they’ve discovered that the hook was baited for them as well.  As the fisheries regulators flounder about, trying to implement pointless grand principles, they’ve begun anonymizing their data, so that instead of knowing which boats went where, . Oh, and American researchers can probably forget getting even that much, since exports of this data to third countries will presumably depend on whether our fishing-crew-data-protection laws are adequate in European eyes. (And that won’t be easy, since we never had a reason to adopt such laws.)

Fisheries researchers say that these limits will cripple the studies needed to achieve sustainable stocks of fish. They’ve begun a campaign of wailing, gnashing of teeth, and harsh articles in Nature. They’re appalled to find that they, and the fish, have fallen victim to an ill-considered data protection regime. But the head of European data protection is unmoved.  The rights of man, after all, are at stake.

What lessons can we learn from Europe’s foolishness?

I think the answer is simple:  More privacy law means more victims of privacy law.

But in this case, there’s a second:  The United States needs European-style data protection law like a fish needs a bicycle.

UPDATE: Link to EDPS opinion now points to proper document.  Thanks, Katja.