From: Gigaom
By David Meyer
Summary: Dr Alexander Dix is Berlin’s privacy chief. With Germany being pretty hardcore about data protection law, you might think he’s Silicon Valley’s worst enemy — but he has compromise in mind.
If you’re in the tech industry, particularly the U.S. tech industry, then you’re probably not a big fan of European privacy officials. And German data protection regulators may well feature in your nightmares.
After all, Germany is literally the birthplace of data protection law, and the country applies European privacy law more strictly than any other EU state — just ask Google, Facebook and Microsoft about their experiences.
So meet Dr Alexander Dix, Berlin’s data protection watchdog. With the NSA scandal still raging and big data technologies raising fresh privacy worries in the commercial sector, we had plenty to talk about — and while his stance is unsurprisingly tough, it’s not uncompromising.
The rise of big data seems to be fundamentally in conflict with user privacy. Can we have both? If we are not to stop or roll back progress, how can we nonetheless maintain privacy?
Bearing in mind that there is no such thing as absolute anonymity or absolute security, there are more privacy-friendly solutions and less privacy-friendly solutions. I am not a perfectionist in that respect, but I do think there are possible ways of regulating for privacy protection in the future.
Take anonymization. It is true that anonymized data can with a certain technical expertise and costs being incurred, can possibly be — if not now then sometime in the future — linked to individual persons. That does not make anonymization a useless process. It is still better than having outright personal data on the internet or pseudonymized data, which is something being discussed in Brussels.
While acknowledging that maybe intelligence services will always find a way to monitor individual behavior, we should not make their task too easy. And, talking about the intelligence services and monitoring individual behavior, the basic problem is that agencies such as the NSA no longer use targeted espionage; they are collecting everything at random.
They have stopped monitoring in a targeted fashion. If they did that, it would be much more acceptable. They are trying to “master the internet” by registering almost every move. That exceeds every legal limit we — at least in Europe and Germany in particular — would think is necessary in a democratic society.
So, what’s the solution – is it mainly the job of policy, or should people protect their privacy through technological means?
We need a mix. There is no silver bullet now.
We need, on the one hand, increased international agreement on what should be the limits on monitoring internet traffic and people’s behavior. There should be an agreement on what kind of data processing should not be allowed at any rate. I know it’s difficult, but that’s the first thing we need. The former president of the German secret service has in fact called for a code of practice between intelligence services on what is allowed and what should be forbidden.
On a secondary regulatory level, one should work for international guarantees of privacy, such as in the UN Covenant on Civil and Political rights. It’s broad but it would be an important step. Then there are some steps on the national level. Secondly, we need technical solutions. We need to empower the individual user to do what he can to protect his own communications. So there’s no one ideal solution; we need to have both.
That is also something for the governments to support and finance — business models or research, for instance, to improve the tools for self-protection for the internet user, and possibly to develop a kind of European cloud model which is less [vulnerable] to detection by the intelligence services. There could also be a competitive advantage for European businesses.
A lot of people, particularly in the tech industry, say privacy is essentially dead in this age, so forget about it. They’re pretty much on the opposite end of this spectrum to you – what’s your response?
There will be no innovation feasible without sensible privacy protection. Innovation requires privacy protection because a considerable number of people — at least, a critical market share — will refuse to accept and adopt innovative technologies if they don’t take into account privacy protection from the start.
Data protection regulation — in Europe, at least — places a lot of weight on the collection of personal data, not just what happens to it afterwards. How do you see the balance in the context of big data technologies, which scoop data up en masse?
The collection is crucial. Any collection of personal data will attract interest both legitimate and illegitimate. It needs to be protected against attacks from the outside. It is even in the economic interest of organizations to limit the collection of personal data, because it entails costs at least, and invades to a certain extent the personal privacy of the data subjects.
And I would dispute whether big data needs to be big personal data. In the research field, very often personal data are not necessary. Basically I take the view that you need to regulate the collection of data because, if you don’t do that, you start building fences around your data pools and try to defend them, and this is often too late. These fences will get holes and will be overcome by technology. It’s always necessary to first put to yourself the question: to what extent do you need personal data at all?
Leave a Reply