The Latest Victim of European Privacy Law? Privacy Itself

Transcending parody, the European Union has proposed a privacy regulation that will inevitably deprive many people of their privacy. The regulation, now working its way through the tortuous Brussels process, includes a “right to data portability.” This is typically oversexed Commission-speak for a regulatory requirement that information services must hand over all of a subscriber’s historical data upon request, and “without hindrance.”

Peter Swire and Yianni Lagos recently released a nice paper demonstrating the high risk that Europe’s privacy regulation will turn all of us into privacy victims. The new right, they say with admirable restraint, “raises serious risks for another principle of data protection law, which is protecting the security of an individual’s personal data – in our world of weak authentication and rampant identity theft, moving all of a person’s data to another system ‘without hindrance’ creates security risks that can outweigh the portability benefits.”

I don’t always agree with Peter, but in this case I do. He and Lagos rely heavily on the work of an FTC advisory committee on data access and security. I served on that committee, which explored exactly this problem. Here’s an excerpt from my now-twelve-year-old concurring statement:

[A]s the Report says, “Giving access to the wrong person could turn a privacy policy into an anti-privacy policy.” If access to personal data is turned into a legislative right, Americans’ personal data will be at risk of exposure to con men, private investigators, suspicious spouses – anyone who has the chutzpah and the scraps of information needed to plausibly impersonate their target.

That’s bad for all of us, but it is especially bad for the companies forced to set up some sort of access system. If they demand clear and convincing proof of identity before releasing personal data, they will be accused of offering access in theory while denying it in practice. But if they relax the rules, they will surely be sued every time a con man exploits the relaxed rules to steal a consumer’s identity.

The European Commission has now had more than a decade to study the US work on the topic, a decade in which hacking and bad Internet authentication have only grown into more serious security threats.

How does the data portability provision ease the threat to the security of our data? “Unfortunately,” Swire and Lagos note, the provision “makes no mention of the right to data security.”

That’s privacy law in a nutshell: Rights first. Regrets later.