MALE SPEAKER: But I just wanted to raise three very
The first one is that I don't want to say that there is a
conflict between security and data protection.
Because usually what most of our members do is actually to
ensure the security of the user's software computer
system and at least indirectly--
and many members actually provide software solutions for
direct protection of the data.
But we should actually rethink-- and this is actually
what we speak today about--
It shouldn't be the case that when a company's protecting
its user, and is actually checking an IP address to
reduce spam to protect the periphery of a bank, to
prevent financial fraud, that this is considered to be
Like the example you, Peter Fleischer, mentioned with a
lady with a red coat that you can recognize.
Because this data actually, before going to an ISP and
doing some checks for which usually you need at least some
sort of law enforcement support, is impossible
actually to make any use of it.
And we have actually today the conflict that IP addresses,
when security companies process them, are considered
to be data protection.
So actually in theory I have to go to the spammer, say I
will actually process your IP address, do you agree?
Oh, you don't agree?
I delete the spam.
And I deliver the spam actually to the recipient.
Second point is we have heard--
of course nobody has seen the draft--
that the e-privacy directive proposal from the European
Commission may include a breach notification provision.
We fully agree as well--
I disagree, Alexander, that has to be only encryption to
create sort of a safe harbor.
We should think about more openly to say, if a company
actually makes the data it has unusable to a perpetrator that
they shouldn't actually have to notify the data subject.
Because then we lose either trust in the internet or we
lose interest, as Peter Fleischer mentioned.
And the last point is I really would like to emphasize--
I don't know how many lawyers are here.
Could you please just raise your hand to show to the
people that Brussels is full of lawyers.
I am a lawyer.
So actually it's pretty full of lawyers.
MALE SPEAKER: That's pretty scary.
MALE SPEAKER: Please raise again your hand all of you
that always read any contract.
Always when you go shopping, you ask for the general terms
and conditions of the shops.
OK, no one.
So you see even lawyers don't even read the small text.
And we should actually not think we can force people to
read things and to be aware.
It's an option.
It's convenience, a quick easy convenience thing.
So don't be paternalistic.
This is just my call as a consumer, and not as a trade
association to make it [INAUDIBLE].
Thank you very much.
MALE SPEAKER: We collected a number
of comments or questions.
So there was a question there?
SIMON HAMPTON: Simon Hampton.
I work for Time Warner.
I was interested by Mr. Hustings' remarks about the
importance of bringing third parties into helping enforce
data protection rules.
And I'm really optimistic that we'll see something along
those lines perhaps in the forthcoming changes to the
And I think that would be very valuable.
But my real question was perhaps
more to Peter Fleischer.
You mentioned they need to rethink
the adequacy framework.
And you could argue that actually this is an area where
the data protection agencies have been pretty forthcoming,
starting from a fairly simple set of rules in the directive.
We have model contracts.
We have the safe harbor.
We have binding corporate rules perhaps not yet totally
willingly implemented by all of the regulators.
But there's certainly been some good
momentum in that side.
So you seem to be talking about an even
more radical change.
I wonder if you could say a bit more about that.
PETER FLEISCHER: Well, I'm happy to.
When you look at the list of countries that have been
formally declared to be adequate, it's a rather small
list. Argentina, Guernsey, and such other mega
powers around the globe.
As I think about that issue, structurally other very
important countries, that in my opinion have very
meaningful data protection regimes that look very
different from Europe, such as--
take the example of Japan--
would never be able to achieve adequacy
under this set of rules.
And I think the cause more broadly of
privacy is not well served.
Because if the idea is that a country has to meet this very
complex set of rules in order to be declared to be adequate,
and any country that takes a different approach cannot be,
I think we've made the mistake of confusing the principles
with the administrative application.
And I think the ambition is to have a much more inclusive set
of privacy standards for a much broader number of
countries around the world.
The idea that India would adopt something that would be
adequate under this set of rules is
in my opinion unlikely.
So we shouldn't use adequacy with-- the best shouldn't be
the enemy of the good--
as simple as that.
MALE SPEAKER: Can I jump in here and make a point of
adequacy is certainly not equivalence.
It doesn't mean do you look like me?
Do you have something which resembles the European
It's a functional test. We've been always very clear on this
that there should be a number of principles in substance.
And they should be put into effect.
There should be means of redress.
And they could be different.
It could be self-regulatory entirely.
So although the present list of adequacy findings is rather
limited, it doesn't mean that there is not a larger number
of laws around and arrangements around the world
which are in fact adequate for practical purposes.
So let's not beat around the bush.
I would agree with revisiting that framework.
Because we simply need more global privacy.
In the arrangements, we need to think in larger units.
Decisions on a national basis, and then adding up 27
decisions do not make sense in that new world.
There was also a question about IP addresses.
And it was related to spam.
And I wasn't quite sure whether you were
on the right light.
IP addresses simply as a fact are in many
cases personal data.
Because they relate to personal behavior.
In other cases, they're not.
But for practical purposes, this is the rule of thumb.
But what's the consequence?
You seem to suggest that is a disaster if
it is personal data.
But that's not the problem.
If you deal with something legitimate--
you were describing a situation which
was close to it--
then I would say go ahead.
But make sure that you do what is necessary.
And it may not be possible under these circumstances to
inform a spammer if it doesn't make sense.
So what's the problem really?
What was the point you were making?
I don't think there is a problem.
MALE SPEAKER: But there is a problem.
MALE SPEAKER: Well only if you argue on my new [? browns ?]
and enlarge the problems of the exception.
But there is not a problem.
Just go ahead.
And be realistic and no nonsense about this.
MALE SPEAKER: There is a problem.
Yeah, I think I can just clarify.
We have had actually the problem where member companies
have had actual data protection units knocking on
the door and saying what are you doing?
It's [? legitimate. ?]
And the case is--
spammers is just one case.
And actually this is a gray zone in many cases.
What we have is the case where you need to check IP addresses
at the periphery of a bank.
And that may be a perpetrator, but some cases maybe not.
That doesn't mean that you're actually targeting down the
But the processing alone of that IP address, checking it
against a blacklist, could actually be and is regarded to
be in some countries as a breach of
data protection laws.
MALE SPEAKER: Well the rules may apply.
But if your activity is legal and is legitimate, I don't see
really a problem.
We should discuss that in more detail.
But I don't think it's a major problem.
And I want to set this straight.
MALE SPEAKER: Any other question from the floor?
The microphone's coming.
MALE SPEAKER: [INAUDIBLE PHRASE]
be well understood by the people on YouTube.
My name is [? Aoka ?]
[? Hafsma ?], former commission official.
I was actually very interested, Mr. Hurstings, in several of
your ideas, suggestions.
I don't know whether they are already very concrete.
And particularly the one which the gentleman from Time Warner
the third party certification or auditing.
If I may take an example mentioned by Peter Fleischer,
if we listened to Peter today.
Your practices were amongst the best on the internet.
If I see cookies deleted--
I don't know whether you said deleted after two years or--
I always understood that you altered them and that others
actually delete them.
But that you didn't go quite as far.
So it would indeed I think be very good to have someone, a
third party, say OK, well what's happening here is good.
If I may be a little provocative--
I mean a couple of months ago there was a third party which
looked at search engines.
And I think Privacy International ranked Google
last. How formal do you want to be on those third parties,
I mean would you like to have criteria?
Is this the sort of third party you're thinking of?
Could you explain a little bit further?
MALE SPEAKER: The idea is mentioned in an opinion I
issued in July.
It's on my website.
You check it.
It's a reaction to the commission's policy paper on
better implementation of the current directive.
It is only a short text.
But what it refers to is that it would be a good idea-- in
fact, it is already happening in a number of member states--
that responsible companies ask ADP auditors, privacy
auditors, according to principles of that profession,
to check what they have, whether they are compliant and
produce third party evidence.
That would be very good.
Because if they demonstrate this and would dare to mention
in their annual accounts, in many cases these companies are
on the stock exchange, that this is their track record for
I think that would be an extremely powerful mechanism.
And DPAs would love to rely on that and of course check
whether it's correct.
So we don't believe this no matter what.
But it is an example of just increasing the stakes in this
online privacy world.
And I know that many companies would like to do it.
I don't think that the European community would want
to regulate this in detail.
This is just a good idea.
We need to open up the system so that this can happen and
then competition will certainly take its role.
Because the leading privacy compliant companies would like
to show this.
That's the idea.
PETER FLEISCHER: We have hundreds of
millions of third parties.
They're called our users who look at what we do.
And I think we believe strongly in a technology
solution rather than a very expensive cadre of lawyers or
accountants to look into this.
So we're building a technology solution, one example of which
we've launched that's called web history that allows any
user to open an account and to see every single piece of data
that we hold about them, every search they've conducted,
every website that they've browsed as long as they've
been logged in through Google.
They can see every single element.
They can delete any element from the system that they want
piece by piece or the entire thing.
To me it's a technology enabling a level of
transparency such as we've never been able to see before.
We've already got it.
It's called web history.
Take a look at it yourself.
I think it's fabulous from a privacy perspective.
MALE SPEAKER: I agree with that.
That's a good approach.
But the link between the two is the architecture.
We need to have mechanisms to verify whether the
architecture is OK.
It's fine, of course, that clients can have access.
But you need to be able to find in the information
infrastructures that this is what it should be.
And companies like yours would like to be able to demonstrate
that-- just not in a letter-- but
present third party evidence.
And that's the idea.
You can in addition to that increase transparency.
That's what you do, an open door policy.
But the two need to be in combination.
Otherwise, there is insufficient trust.
MALE SPEAKER: Any questions or further comments?
There is one here.
Yes, this girl.
FEMALE SPEAKER: I'm [INAUDIBLE] from the
Interactive Advertising Group.
Last month it was reported that Peter Fleischer was
calling for a new global convention on privacy.
And I'm just wondering what the reaction has
been to that so far.
PETER FLEISCHER: Yeah.
Well thank you for that question.
I'm glad you noticed.
The reaction has really been quite positive.
Because what I was doing was pointing out a series of
technological tectonic shifts that I think have occurred and
that do present some fundamental challenges to the
regimes of privacy that are in place and the ones that are
lacking and need to be in place for
these broader issues.
From my point of view, what we're trying to do is help
contribute to a policy reflection that will help to
set the foundation for this five years
from now for the future.
These things tend to work slowly.
But they're urgent.
So it's not just what do we do today in terms of compliance,
but what do we collectively do in terms of building the
foundation for a successful internet in the future?
And I think the reactions have been extraordinarily positive.
I would say that we're just one learning from all of this.
Multinational companies like Google, we already operate
everywhere in the world.
This is not about US or Europe.
It's about operating around the world.
We're not not European.
We're not just American.
We really are global actors.
Because we have to be.
Because we have users around the world.
And because that's the nature of the global internet
architecture in particular.
And I think people are starting to see that we need
to rethink concepts.
Let me just give you one example.
The internet, I think, is the most fundamental revolution in
data collection and data transfer since the development
of the printing press.
Now if the most fundamental revolution in the last 500
years is not going to present some challenges to traditional
notices of data protection, then I don't think we're
challenging ourselves to think things through again.
And I think that's been the reaction, far be it from one
company to suggest how exactly things should happen and
through what bodies, whether it should be via a convention
or via other mechanisms, just an extension of the OECD
principles and recommendations.
We're not getting into that.
That's not appropriate for Google.
What we're talking about is technology revolutions and the
challenges on the internet.
And I think that's the way it's been heard.
And I've been absolutely delighted.