As the European elite has for centuries, I love summertime in Ravello. Civilization has flourished on these ravishing hills for millennia. Democracy has ruled here for only very brief interludes. Indeed, modern Italy has given up on having an elected Prime Minister, and instead appointed a (well-respected) technocrat as their leader. The "democracy deficit" in Europe is well-documented. When things get tough in Europe, well, do we turn our backs on democracy? Virtually all European-level legislation is drafted by un-elected Brussels-based European Commission technocrats. (I have the greatest respect for the intelligence and professionalism of the Commission staff, so my comments are institutional, rather than individual.) What's true for virtually all EU legislation is also true for data protection. The current EU proposal for revising EU Data Protection is a technocratic tour-de-force.
The Commission has chosen the approach of a Regulation (directly applicable law), rather than the approach of a Directive (prior law was a Directive, which included scope for national parliaments to make adjustments). There are pros and cons to the Regulation approach. The biggest advantage is that it would result in fully harmonized, consistent privacy laws across Europe. That's why businesses love it: it's easier to comply with one set of rules, rather than with dozens of (slightly) different rules. The biggest disadvantage is that a Regulation leaves no scope for national parliaments to bring their own democratic choices and legitimacy to privacy laws in Europe.
Privacy is the product of culture and history, and naturally, attitudes to privacy vary widely across Europe, given the wildly different cultural and historical experiences. Even neighboring countries, like Germany and Denmark, have very different views on privacy, given their different histories and cultures. Given Germany's history, we expect Germans to be particularly sensitive to privacy issues. But should German views on privacy, based on Germany's traumatic history, or French views on State-dirigisme, based on centuries of an all-powerful centralized State, dictate privacy laws in a country like Britain that has been a stable parliamentary democracy for centuries? Half of European Member States are first-generation democracies. Does one size fit all?
The toughest choices in privacy laws are deeply political. For example, how much cost are we willing to impose on businesses to improve privacy compliance? This is a clear political trade-off: how much bureaucracy, like privacy impact assessments, mandatory appointments of Data Protection Officers, etc., is enough, before the costs become too burdensome for European businesses, in particular, SMEs? Where do you draw the line between freedom of expression and the "right to be forgotten"? Where do you draw the line between citizens' privacy and government surveillance? How much flexibility should the laws include to reflect the cultural and regulatory differences amongst countries in Europe? Is a Regulation the right instrument in the interest of harmonization, or is the flexibility of a Directive more democratic? How high should fines be set for data handling compliance mistakes (high enough to punish/deter, but not so high as to freeze European innovation and risk-taking)? All these are deeply political issues. I have my views, and the unelected Commission has its views, and unelected data protection authorities have their views, but what do European elected officials think?
There has been very little political debate in Europe about how privacy laws should be updated for the modern world. The European Commission technocrats have had their say, and they are naturally wary of seeing their careful package of privacy-compromises re-opened in a messy democratic debate in the European Parliament, and elsewhere. Democracy is indeed messy, but, as the saying goes... the alternative is worse.
"Privacy" is a deeply political and democratic issue. It is too precious to leave all difficult privacy law decisions to technocrats. Privacy needs and deserves a political and democratic debate. Perhaps this is all part of a much bigger democracy deficit in Europe. We're on a path to "solve" the Euro crisis by transferring even more power from elected national leaders to unelected Brussels technocrats. Nonetheless, I hope we see a vibrant debate in the European Parliament on data protection. Privacy laws need democratic legitimacy. Anyway, that's what we, the European elite, are debating, sipping Campari over the Amalfi coast.