Peter Swire and Yianni Lagos recently released a nice paper demonstrating the high risk that Europe’s privacy regulation will turn all of us into privacy victims. The new right, they say with admirable restraint, “raises serious risks for another principle of data protection law, which is protecting the security of an individual’s personal data – in our world of weak authentication and rampant identity theft, moving all of a person’s data to another system “without hindrance” creates security risks that can outweigh the portability benefits.”
I don’t always agree with Peter, but in this case I do. Swire and Lagos rely heavily on the work of an FTC advisory committee on data access and security. I served on that committee, which explored this very problem. Here’s an excerpt from my now-twelve-year-old concurring statement:
That’s bad for all of us, but it is especially bad for the companies forced to set up some sort of access system. If they demand clear and convincing proof of identity before releasing personal data, they will be accused of offering access in theory while denying it in practice. But if they relax the rules, they will surely be sued every time a con man exploits the relaxed rules to steal a consumer’s identity.
The European Commission has now had more than a decade to study the US work on the topic, a decade in which hacking and bad Internet authentication have only grown into more serious security threats.
How does the data portability provision ease the threat to the security of our data? “Unfortunately,” Swire and Lagos note, the provision “makes no mention of the right to data security.”
That’s privacy law in a nutshell: Rights first. Regrets later.