Global data privacy rules would be awesome (but good luck getting there)

With federal elections just 10 weeks away, German chancellor Angela Merkel finds her path to a third term obscured by the NSA scandal. Opposition parties are calling for a parliamentary inquiry into how much the country’s security services – and Merkel, their ultimate chief – knew about the Americans spying on German citizens.
Merkel is not one for snap judgements and, before the weekend, her response to the increasing pressure was to defend the NSA’s activities. However, at the end of last week interior minister Hans-Peter Friedrich visited senior U.S. officials and came back saying there was no problem. Germany’s opposition parties exploded and Merkel now appears to have sprung into action.
In an interview with broadcaster ARD, Europe’s most powerful politician called for two things in particular: unified European data protection rules that force companies such as Google and Facebook to be open about who gets access to EU citizens’ data through their systems; and a global agreement on data privacy. Here’s the key quote:

“We must work together in the fight against terror, but on the other hand, also guarantee the privacy of citizens. Not everything that is technically feasible in the future must be put to use. In our view, the ends do not justify the means.”

Quite so. However, what precisely is Merkel proposing?

Whose rules?

Europe is already trying to firm up its data protection rules, and the process has not been a happy one — lobbyists, generally representing the interests of U.S. web firms, have already been responsible for significantly watering down the new rules.
Renewed involvement by the Germans, however, could bolster the proposed rules. Bear in mind that the EU already has a unified data protection law, albeit one that’s out of date. Member states have transposed that EU-level law into national law in different ways – the Germans follow the wording of the EU law to the letter, while the UK and Ireland, for example, are a little more flexible.
Google and Facebook’s international operations, of course, are headquartered in Ireland. So Merkel suggested she wanted German-strength laws to apply in Ireland – and that means being super-clear about who gets access to users’ data. “We [in Germany] have a great data protection law,” she said. “But if Facebook is registered in Ireland, then Irish law is valid, and therefore we need unified European rules.”
To complicate matters further, EU member states have full control over their national security activities – this is one department where national law trumps European law. So Google and Facebook may find themselves with conflicted obligations when it comes to Europe: to intelligence agencies back home in the U.S.; to the national laws of the countries in which they’re operating; and to overall European privacy law.

International law

Of course, the complexity of that situation pales in comparison to that of the global privacy scene.
Merkel suggested in Sunday’s interview that a new protocol on data protection could be added to the International Covenant on Civil and Political Rights (ICCPR), a multilateral treaty that dates back to 1966 and that has been ratified by 74 signatories.
As it stands, the key bit of the ICCPR is Article 17, which states that “no-one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence”. Does this wording mean much in the era of big data? I would argue not. Blanket interception and storage of data isn’t “arbitrary”, even though once the data has been captured it can be interrogated at some point down the line in arbitrary ways.
Because of the power of big data (and the falling costs of storage and processing), good data protection law should regulate the way in which data is collected in the first place, rather than simply concentrating on specific abuses. For that reason, it would make sense to introduce to the ICCPR a modern data protection protocol that explicitly protects people from abuses of both the real-time and potential varieties.
However, good luck trying to get the countries of the world to agree on that protocol’s wording, or indeed getting them to stick to what it says. The interpretation of the ICCPR into national law has already been far from uniform – the U.S., for example, has signed and ratified the treaty but has refused to actually change its domestic law to reflect it. Now take into account the differing conceptions of privacy around the world.
What Merkel is proposing is sensible – essential, even, given the rapidly evolving nature of modern technology and its utility for excessive surveillance. However, none of it is a matter of easy or speedy solutions, so there’s no way of knowing if the German chancellor is serious or just desperate to stop the NSA scandal from extinguishing her re-election hopes.