Privacy Shield is no solution for data protection - EU should put personal data in citizens' hands

Many US and European businesses no doubt breathed a sigh of relief when the European Commission announced it had agreed a basis for replacing the defunct Safe Harbour data protection agreement with the US government.

Now we have a Privacy Shield in place to ensure that European citizens’ personal data is subject to comparable data protection principles when transferred into a US-located database. At least, that’s the theory.

However, as privacy campaigners point out, there seems little more to the new arrangement than a letter from America promising that EU residents’ data will not be subject to mass surveillance. “Honest it won’t,” said a draft of the letter. “We really promise, pinky swear, that we won’t use it for mass surveillance. Because hey, we don’t do mass surveillance anyway! (Hey Chuck, do you think they’ll notice we had our fingers crossed?)”

OK, maybe that’s not what the letter said after all. But given the US government’s attitude to data privacy, a nicely worded note might not prove to be the basis for a lasting and secure agreement.

“A couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance,” wrote campaigner Max Schrems, whose legal case brought about the demise of Safe Harbour.

But the underlying problem has not been addressed – that current approaches to data protection remain a 20th century attempt to solve a very 21st century problem; analogue solutions in a digital world.

Data protection laws are entirely predicated on the assumption that corporations and governments hold all our personal data, and are thereby granted conditional rights to use that data as they wish. It’s based on the concept that all the data that matters is held in big databases, somewhere apart from the person whose data has been collected.

The UK Data Protection Act, for example, says that we have the right to see a copy of the information that an organisation holds about us and how it is being used – but only if we ask nicely in writing and pay a fee.

How quaint. Surely the digital solution is the right to log in to an organisation’s website and see all our data and how it is being used – and moreover, to be able to edit or remove it if we wish?

Data protection remains a database-centric approach to regulation, when the “digital way” is data-centric – a very important distinction. Data-centric means that laws and IT systems start from the data itself, not from a centralised place in which that data is aggregated with everyone else’s.

There has been a lot of discussion about personal data stores – still an emerging technology that allows us to hold all our relevant information in a location controlled by us, from which we set the rules and permissions about who can access our data and for what purpose. It’s the data equivalent of an online bank account, which is where we control who can take our money and for what purpose.

This data-centric approach puts control in the hands of the individual and negates the need for international data protection agreements because if you’re happy for your data to be accessed or stored by a US company, that’s your decision. You might trust Google, but not Facebook – the choice should be yours.

If all you want is to allow access for the purpose of a single transaction, you could say that too – so the company uses a copy of the data to complete the transaction, then deletes it. Maybe if they offer you a good discount, you might be willing to let them keep a copy for a while? After all, why should a company’s desire for data analytics to better target its marketing at you be a reason for them to keep all your data as they see fit? The choice should be yours.

The Safe Harbour / Privacy Shield row only serves to show that legislators are a very long way from understanding the potential to put control of our data back into our own hands. A truly digital solution would be to legislate for the introduction of technology – whether personal data stores or something else – to make that happen. The choice should be yours.