When vendors cozy up to regulators

The European Union (EU) is revising its legal framework relating to the protection of private data, and the private sector has had a big say in its proceedings.

According to the EU, the aim of the revision is to:

• modernise the EU legal system for the protection of personal data;

• strengthen individuals’ rights, and at the same time reduce administration;

• improve the clarity, coherence and consistency of the EU rules for personal data protection.

Any company that collects, maintains or interacts in any way with individuals’ or companies’ private data will be watching to see what the EU eventually enacts, as they will be required to comply with the new regulations.

But some organisations do more than sit and watch. Many are actively involved in the process, seeking to influence the EU, with the goal of shaping the legal framework itself.

But should the organisations that will eventually be bound by the revised rules be allowed to wield such influence?

To answer this question, the best place to start is with the process itself. The EU launched a series of public consultations in 2009, the last of which ended in January this year.

It allows anyone to participate in these consultations, including individuals, consumer groups, member state organisations or governments themselves. Also, companies of any size can comment, as Matthew Newman, spokesman for Viviane Reding, vice president of the European Commission (EC) and Commissioner for Justice, Fundamental Rights and Citizenship, explained to Computing: “We take into account all sizes of technology companies. It could be a one-person company, or Microsoft with a team of lawyers going through legislation and making very precise recommendations. We can’t discriminate against those who submit recommendations, we take everything on board.”

This can result in hundreds of opinions to be considered, and the EC insists that it takes all submissions “very seriously”. Is there a risk then that the sheer volume of opinions makes for a diluted argument? After all, how many clear and progressive decisions are made by committee?

Carsten Casper, research director at analyst firm Gartner, believes that the need to take so much into account does not always result in the best output.

“There is a danger that too many opinions are in the mix. Then rather than having a clear, strategic and visionary law, it’s overly precise and not very applicable,” he said. “You can have too many rules and too many exceptions to those rules.”

But Newman said that any risk of an overly diluted law comes later in the process. “There’s more of a risk of dilution in the whole legislative process, not at the commission level,” he said. “The EC’s proposals go to [the European] Parliament and the Council. It’s the responsibility of the two legislators to make sure the law properly reflects the balance of interests between private businesses and public interest in protecting data.”

The ideal outcome for most companies is a broad law that lays out general rules. There is a danger that any law that attempts to govern technology will be obsolete weeks after its enactment if it tries to relate too specifically to the existing market.

“Whenever you get technology prescriptive in legislation, it gets out of date very quickly,” said Brendon Lynch, chief privacy officer at Microsoft. “It needs to be broader and comprehensive, backed up by self-regulation in industry.”

Microsoft has been heavily involved in the privacy debate, as you might expect for a company with such a large user base across Europe.

Newman said that the software giant’s input has been well received within the EU. “Microsoft’s argument is that they need legal certainty. That means they want a single set of rules to follow. That’s exactly our way of thinking too,” he said.

So this is not a case of a company forcing its own agenda on lawmakers, but rather finding common ground with those legislators.

If that agenda did not accord with the EU’s own view, or that of the wider community, it could ignore it. Gartner’s Casper explained that the EU solicits public advice, but it does not have to follow it.

He added that the private sector is obviously out to protect its own interests, but in the case of privacy law, that is often also the interests of the public and by association, governments.

“Industry is out for profit, but where does that profit come from? It comes from citizens, and they have to trust industry,” Casper said.

“If you have weak privacy laws, then consumers don’t trust the offering of someone like Microsoft, so it doesn’t make any money. So industry has an interest in sound privacy law.”

The EU will put its proposals for the new privacy framework to the European Parliament in the autumn.