Dear America, you can't steal a personality: GDPR godfather talks privacy with El Reg
Jan Philipp Albrecht on transatlantic data flows, anonymity and AI
Interview "Now I've heard that one before. Let me think, where was it... Ah yes. It was Google!"
Jan Philipp Albrecht is the biggest thorn in the side of US data slurpers, and fortunately he has a good memory. The German Green MEP is the architect of Europe's new privacy regulations, GDPR, and we were discussing a rhetorical question posed to me this week in Parliament.
This is the question. It's 1923 and a householder demands property rights on the airspace over their house – so they can stop aeroplanes flying over it. The purpose of the question is presumably to illustrate why giving strong personal rights can thwart progress. Why should you have property rights over the personal data that you submit to Google or Facebook?
Albrecht doesn't buy the analogy, though.
"The aeroplane has no interest in what it's flying over. Google has every interest in your personal data, as processing that data is its business," he points out.
I caught up with Albrecht this week for a wide-ranging discussion on privacy – data portability, transatlantic data flows, anonymity and AI, and Dave Eggers' The Circle. And I quickly realised how much of a culture war it is between European and the US. Is there one bigger?
I'd remarked how different the common law foundation expressed in Britain and the USA is to the European approach of fundamental rights.
"Yes, the GDPR is written in a continental way. The Fundamental Rights are written into European Law. And they [the USA] have to live with it," he acknowledges.
"It's part of US law now in a way – they have opened up to continental understanding of personal rights, and self-determination continental style. It's a move to each other. The Germans are the starting point for talking and they have forbidden themselves from trading it away by treaty law."
Has the decision to refer transatlantic flows back to the Court of Justice of the European Union (CJEU) put a spanner in the works, I wondered?
Schrems busts Privacy Shield wide openREAD MORE
"It's important what's a sufficient standard beside the adequacy ratings. [The litigation begun by privacy activist and student Max] Schrems is going into more detail about what you need to make data secure when it's transferred. There will be possibilities to make data transfers secure, and therefore lawful."
... Green MEP Jan Philipp Albrecht
Europe's shock Google privacy ruling: The end of history? Don't be daftREAD MORE
Americans claim that they've reached a sufficient level of oversight now.
"Of course they have – but they can do more: particularly Section 702 [of the Foreign Intelligence Surveillance Act (FISA)] which governs the use of data for non-US citizens for security purposes. They could make it better. That covers a vast amount of non-US citizens on non-US territory. They can do it if want.
"On the contractual clauses the fear is to renegotiate anything. They want to just continue as they are, because it's a cost to them. But hey, that's life! If circumstances change, my views change, is the saying."
This was true of the so-called "right to be forgotten", which completely baffled US observers. Albrecht points out that it has been three years since the earthquake of Gonzalez vs Google, which confirmed that privacy encompassed US search engines. It gave a qualified right of deletion. Wikipedia's Jimmy Wales, a paid Google advisor, used his high media profile to warn of the sky falling.
But it hasn't, notes Albrecht.
"The debate was completely exaggerated. It was not on the subject. I understand people who were critical of it. Putting into the hands of Google decisions about delisting would mean maybe we have no checks and balances. But it was the courts who were ultimately doing that. There's no right to erasure for [a complaint against] a media publication.
"If you look to the real situation, there's no massive censorship today and there's no unjustified takedowns any more. I think it's a very solid provision. And it's very good that we should have such a provision – really good working takedown provisions – rather than automatic filtering."
He did have such semantic problems with the phrase "right to be forgotten" that he and his group purposefully omitted it from discussions as the GDPR took shape.
"We took out the whole term. We didn't talk about 'right to be forgotten' anymore. The term was confusing. It was, if anything, the right to delist."
Yet the sky-is-falling message continues to resound from across the Atlantic.
"Again, they said the world would go down after Schrems, but we're still here! The American Chamber of Commerce to the EU (AmChamEU) after the right to be forgotten judgement estimated there will be a loss of economic value €3,000 per household. That would be greater than any financial crisis a state has suffered in the EU! That didn't happen. We'll have it after May 25, 2018, (GDPR day) and after a new judgement from Luxembourg that takes down contractual clauses. This is about the integrity of our systems and protecting our personality rights."
On to data portability. Locking personal data in a proprietary silo is a huge competitive weapon, and the GDPR makes some attempt to give users rights over that data.
"You shouldn't be hindered to switch from one product to another by the fact the data – your personal data, which you have given into a certain system – can't be reused in another system. Today it's about so much. Think about a business card app, what you put it in. Perhaps you'd like to put it in another service that's better protected, say. This provision introduces the dynamic that at least I can request something like that. How it's applied in certain details is something we have yet to see. There are many people who would like to do that – especially simple applications like communications apps. They'd like to transfer information from one interface to another."
(I enjoyed Albrecht's characterisation of an app as simply "an interface" and I suspect many Reg readers will too. And that a WhatsApp is "simple" rather than a "platform".)
How about AI? Last year I suggested that machine autonomy provided the ultimate cat-ate-my-homework excuse for companies, if anything ever went wrong. GDPR introduces stiff fines – 4 per cent of global turnover – for offenders.
"People realise more and more that the only checks and balances we have with the information society is a clear, enforceable standard. For artificial intelligence and machine learning, and so on, it pushes for anonymisation at the end at least. As soon as you produce identifiable data there's backend regulation that kicks in. If you have too much trouble anonymising data, well, that's good."
Isn't reassembling anonymised data so that individuals can be identified again fairly easy, though?
"Yes, de-anonymizing is easy. It's easy to construct just as it's easy to collect: you just join the dots. The GDPR doesn't talk about that. What it says is that as soon as you are personally identifiable again, the laws apply. And that's quite a broad term. As soon as people are identifiable you are in the rules.The rule itself is very clear."
Albrecht isn't impressed by claims that machine learning is, by its nature, beyond the control of privacy laws. This supposes lawmakers don't figure out how much labelling and training is in reality required.
"They says it's not possible, that the machine can't document itself. That's not true. If you can program machine learning, you can put in clear tracing and clear documentation. To follow up what my machine has learned now. And the liability schemes should be clear. My impression is that it's possible, but it also needs to be done."
I wondered if he had read Dave Eggers' The Circle, which more than any journalism gives an insight into the totalitarianism of data collection.
"I've read it twice, but I haven't seen the movie. It can't be as good as the book," he said.
"It's getting the feelings more, yes, where those people are coming from, and how they feel. We're all part of the machinery, and we need to be aware of that, and society can take decisions."
Sadly the movie was panned and went straight to Netflix here in the UK.
Albrecht envisages some big battles ahead as Europe asserts that the individual owns their own data.
"With regard to data ownership, it's quite clear. Personal data is a personality right – you can't own another person. With regard to non-personal data the debate is still open. If I have my connected car, Mercedes objects to Google sucking that data out earning the money from it. We need ownership of data from our machines. It's not just Google who'd like to get in your car, others could and you could benefit." He acknowledges there are lobbies too who want the right to access a car system as an open platform.
I remind him that the auto industry is adamant that there's no internet access to the CAN bus, the vital system that controls a car's operation. Ominously, he points out: "If a car is connected, there is a good reason to have at least equal access to the same platforms."
Perhaps personal safety will ultimately trump data rights – but it's slightly alarming to find the debate is still open.
Albrecht doesn't sound impressed by threats – such as the one expressed by Alphabet's Eric Schmidt – that US companies should pack up shop in Europe and go somewhere more business-friendly, like er... China.
"There will be so many people here happy to use the market opportunity if Facebook went out of Europe. But I don't think they will do that – it would be the beginning of the end for Facebook. They only live [because of] their consumers, and the fact they are everywhere. If they want to go with it here then they should respect some rules." ®