Eurocrats Need A Reality Check

The Society for Computers and Law was recently entertained on the topic of trust in Big Data and the Cloud, by Paul Nemitz, European Commission Director of Fundamental Rights and Union Citizenship (in the Directorate-General for Justice). Both immigration and data protection feature among the main responsibilities of his Directorate, so you can imagine Paul is a very busy man right now, and it was very kind of him to take the time to speak.

Right, so that's the polite bit out of the way ;-)

Paul was keen to challenge the Brits in the audience to be more pragmatic in their attitude to the European Union. He believes the UK is among those who engage with the EU irresponsibly on the basis that "everything that comes out of Brussels is shite". Instead, he says British officials, lawyers and academics should be focused pragmatically on how to engage positively to achieve better European policy and regulation.

Of course, it's an old rhetorical trick to characterise your opponent's views as overly simplistic, boorish and stupid. Paul knows that the UK's opposition to red tape is based on more serious and fundamental differences than simply declaring everthing from Brussels as 'shite', as discussed below. But as a Commission official, he's not able to enter into debates over the fundamental principles of the EU. It's his job to be a 'Believer' and get on with building the vision. He must take it on faith that the European Union is a single market, rather than a loose collection of disparate nations held together by red tape and political ambition. 

It suits some EU member states to accept that same article of faith, but not all, and the people in the streets certainly don't think that way - consumers have been worryingly slow to purchase across borders, for example. And the recent election results revealed that a huge proportion of the electorate remain to be convinced that EU governance is wholly worthwhile. 

In these circumstances, the UK's rather sceptical view of what comes out of Brussels is quite broadly representative, and the attempt to draw a line in the sand over the imposition of a fervent unionist as head of the Commission was completely understandable. It's also pragmatic. If the EUrophiles were humble enough to accept that the single market is still an ambition, they too would realise it's unwise to be seen to force the issue. People have to be brought along on the journey, and maybe the UK is a good indicator of how far they are being left behind.

To back his claim that the UK's attitude is simply boorish, Paul points to a 'typical' lack of empirical evidence for resisting provisions in the General Data Protection Regulation requring large firms to appoint a data protection officer and to facilitate fee-free 'data subject access requests'. He says these things work well in other EU member states already, and haven't driven anyone out of business. And against the UK's charge that the European Commission is needlessly committed to ever-increasing levels of privacy regulation, Paul points to surveys that show ever-increasing levels of concern amongst EU citizens about commercial and governmental intrusion into their private lives; as well as recent judgments from the European Court of Justice and the US Supreme Court curbing commercial and governmental intrusion into these areas (ironic, given that one of the ECJ's decisions was to declare Europe's own Data Retention Directive invalid).

Again, he's missing a sensible, pragmatic point. The UK's reaction is telling him is that when huge swathes of the population questionn the very existence of the EU, it's wiser to stick to the essential foundations and building blocks, rather than snowing people with confetti about day-to-day compliance issues.

However, I'm glad to say that Paul was able to explain how the European Commission is working on some important foundations, such as getting standing for foreigners to take action to protect themselves in the US courts; and preventing indiscriminate mass collection of the personal data of EU citizens by any government or corporation, inside or outside the EU. Those two things are very important to building trust in governments, as well as Big Data, and are the sort of fundamental constitutional changes that citizens would find extremely difficult to achieve solely through the democratic process - though the European Commission has climbed on the bandwagon of public opinion (or Merkel's personal outrage), rather than initiated pressure to achieve these outcomes in its own right.

I also think Paul is right to point out that businesses are wrong in the view that personal data is 'the currency of the future' or 'oil in the wheels of commerce'.  Money is fungible - we view one note as the same as another - and, similarly, oil is just a commodity. So the data related to money and oil are hardly very sensitive and can be dealt with through economic regulation. But people, and the data about them and their personal affairs, come with more fundamental rights that can't simply be dealt with in economic terms. It's important that citizens have a right of action against governments and corporations to protect their interests (though I think the Google Spain decision was wrong).

But Paul overstates the 'synergies' between EU regulation, trust and innovation. He is stretching too far when he says that vigorous regulatory protection is essential to the creation of trust between people and their governments and the corporations they deal with. As evidence for this, he claims that the UK's Financial Conduct Authority as doling out the largest fines in the EU for the abuse of people's personal data, and asserts that this has built trust in the UK financial services market. From there, Paul leaps to the conclusion that similarly vigorous regulatory attention is somehow one of the necessary pre-conditions to the creation of commercial trust generally. He then leaps again to the notion that commercial trust driven by regulation is a pre-condition for innovation because, "There is no trust in start-ups," he says.

This is all nonsense.

Here Paul seems to be looking at the world through the lens of his own area of responsibility rather than from a consumer standpoint. Very few of the FCA's fines have anything to do with abuse of customer data, and its fines are puny compared to US regulators in any event. And in survey after survey, we've also seen that the providers of retail financial services are generally among the least trusted retail organisations in the UK and Europe. Enforcement processes also tend to be slow, resulting in fines for activity that ceased years before, and depriving consumers of the opportunity to cease dealing with firms at the time of wrongdoing. So, relative to consumers' perception of other industries, complex financial regulation and allegedly vigorous enforcement action has been no help at all.

It's also strange for Paul to suggest that "there is no trust in start-ups" without the backing of regulation, given the vast number of start-ups that have achieved mass consumer adoption absent effective regulation - certainly across borders. Unless, of course, Paul still considers Google, Facebook, Twitter etc to be 'start-ups', which would be weird. This ignores the fact that, love 'em or hate 'em, such businesses have been far more responsive to consumer/citizen pressure in changing their terms and policies than the European Commission or national legislators have been in altering their own laws etc. Indeed such businesses have even been relied upon by governments to enforce their consumer agreements to shutdown activities that national governments have been powerless to stop.

Paul's view of start-ups appears to reflect the continental civil law notion that citizens cannot undertake an activity unless the law permits it; while in the common law world 'the law follows commerce' - in the UK and Ireland (and the US, Canada, Australia etc) we can act unless the law prevents it. The havoc that arises from these opposing viewpoints - and the differing approaches to interpreting legislation - cannot be underestimated. In fairness, the UK needlessly creates a rod for its own citizens by 'gold-plating' EU laws (transposing them more or less verbatim). The national version is then interpreted literally. We would be far better off adopting the purposive interpretation of EU laws and implementing them according to their intended effect. This may mean a bit more friction with the Commission on the detail of implementation, but the French don't seem to mind frequent trips to the European Court where the Commission objects, and meanwhile their citizens don't labour under unduly restrictive interpretation of EU laws.

None of this is to say that I disagree with Paul's claim that strong individual rights and regulation to protect them are not inconsistent with making money and healthy innovation. But I reach this conclusion by a different route, starting from the premise that retail goods and services must ultimately solve consumers' problems, rather than be designed to solve suppliers' problems at consumers' expense. Strong individual rights are only one feature of a consumer's legitimate day-to-day requirements, not all of which can be legislated for. Co-regulation, self-regulation and responsible, adaptable terms of service are all part of the mix.

Of course, regulation can be helpful in preserving or boosting trust where it is already present - as can be seen in the development of privacy law amidst the rise of social media services (and in the context of peer-to-peer lending and crowd-investment, for example). But regulation can't create trust from scratch, any more than Parliament can start businesses.

If only the Eurocrats would recognise these realities and limit their attention to areas where government action is essential, I'm sure they would find more favour with pragmatists everywhere.

Will This Book Stop The Dogmatists Waving Their Fallacies Around?

As one who loathes the use of party-political dogma to muddy the waters of sensible debate, I was delighted to read Tim Worstall's list of the top "20 Economics Fallacies" that political types wave around to justify some of their weirder ideas, and exactly why they're false. Maybe this book will help focus debate on the real issues.

At any rate, with the next general election less than a year away, you'd do well to keep a copy by the armchair to guide you through the evening's political interviews. So long as you can resist the urge to throw it at the screen.

The Hideous Cost Of Banking 'Standards'

I'm a great fan of trade bodies that introduce necessary self-regulation and create an efficient bridge between industry and officials. But news that UK banks will add to their enormous lobbying efforts by spending an extra £7-10m on a new "Banking Standards Review Board" definitely strikes me as overkill. 

I mean, what's the British Bankers' Association for, if not to ensure decent industry standards? Does the need for a new 'standards' board mean that the BBA has failed? If so, shouldn't it be dismantled? What about the Lending Standards Board? It's role is "to monitor and enforce the Lending Code and to ensure subscribers provide a fair deal to their personal and micro-enterprise borrowing customers." Surely it failed in that aim long ago?  Or is it that such bodies are really just lobbying outfits that merely pay lip service to effective self-regulation? In 2011 alone, The Bureau of Investigative Journalism found that the City spent £92m on lobbying regulators and politicians, which it described as an "economic war of attrition." Even the Confederation of British Industry has been captured by the banks.

Lord knows how much it really costs to run these lobbying outfits and face savers. But you can bet that customers and/or taxpayers end up paying for them in the end - not to mention the 2000 extra staff that the Financial Ombudsman Service has had to hire since 2012 to deal with the million complaints about payment protection insurance, or the endless Parliamentary time, or the £20bn in PPI compensation that the banks must fund. In fact, the London School of Economics found that poor conduct among the world's top 10 banks, including 5 UK outfits, had cost nearly £150bn by the end of 2012, and there have been vast fines and compensation payments since. 

Isn't it time for the banks to stop talking their way through everyone's money and just get on with the job of supplying decent financial services?

Google Spain Case Raises More Questions Than It Answers

I'm an enthusiastic supporter of greater control over your data. But I'm really struggling with the European Court of Justice ruling that you can stop a search engine linking to something lawfully published about you in your local newspaper's online archive.

The case in question concerned the appearance of someone's name in a local Spanish newspaper announcement for a real-estate auction connected with proceedings to recover social security debts 16 years ago. The individual concerned (openly named in the judgment, ironically) claimed that the proceedings had been "fully resolved for a number of years and that reference to them was now entirely irrelevant." He failed to obtain an order banning the newspaper from carrying the item in its online archive, but succeeded in getting Google Spain to remove any links to it.

But surely if it was lawful for the local newspaper to have published the item of data - and it remains okay for it to publish the data via its website - then it should be okay to allow someone to find it?

I mean, why stop at gagging Google's local site? Why not make local libraries cut tiny holes in their microfiche records?

On this point, the ECJ cited problems where multiple jurisdictions were involved, even though this was purely Spanish scenario:

"Given the ease with which information published on a website can be replicated on other sites and the fact that the persons responsible for its publication are not always subject to European Union legislation, effective and complete protection of data users [subjects?] could not be achieved if the latter had to obtain first or in parallel the erasure of the information relating to them from the publishers of websites."

But how could removing links to an item from a national search engine achieve "effective and complete protection" of the data subject when the same items are lawfully available via a national newspaper's online archive anyway? Surely a national problem such as this has to be dealt with at source, or not at all?

Another key issue is that the ECJ didn't seem to weigh up all the possible public interests against the particular individual's rights to 'respect for private life' and 'protection of personal data'. 

Surely, for example, there was some public interest in the publication of the notices of auction complained about, such as achieving a fair price for property being sold to pay a debt to the state? Perhaps if that requirement had been abolished you could make a case for requiring the deletion of public notices relating to them. But, absent their abolition, I'm not sure you can say it's "entirely irrelevant" that someone was mentioned in such a notice, even if that were years ago.

And is there not a public interest in being able to more readily find published material via search engines? Consider the huge variety of research processes that must now rely on search engines, from journalistic research, to employment checks, to official background checks. What holes will now emerge in such research processes? Will records be kept of all the links that search engines were told to remove? If so, where will those records be kept? Who will be allowed to access them? Aren't researchers now on notice that they should check individual newspaper archives for data that search engines aren't allowed to let you find? How many won't bother when they really should?

The problems with the judgment don't end there, as is demonstrated by the tortuous path the ECJ took to reach its result (explained here). 

All of this underlines the need for careful policy thought and regulatory clarity around these issues, rather than the celebratory gunfire heard in some quarters. This judgment raises more questions than it answers.

 

Has The Initial Term Of Your #Mobile Contract Expired?

Are you a cash cow?

Today I contacted Vodafone to cancel the 3G contract I took out as part of an iPad offer a few years back. It's included as an extra number on my mobile bill, so it was easy to kind of forget it in the total. Turns out I'd diarised the wrong cancellation date, and could've cancelled last October, when I was first 'out of contract'. Okay, so I'm a bit of a mug (worse, I'd long ago switched the iPad to 'airplane' mode, so wasn't even using the 3G option), but I do tend to have a lot more important things on my mind. The decent thing would have been to remind me at the time the intial term expired to give me a chance to consider if I wanted to extend, switch or cancel. But that's not part of the service...

The first customer service person I spoke to wasn't allowed to process my cancellation request. She had to put me through to another person who could. I protested, but to no avail. Needless to say, the next person began putting me through the whole process again, presumably so I'd lose the will to cancel and consider an upgrade.

I toughed it out and insisted on cancellation. The representative agreed to put that through, but said it would only take effect in 30 days' time. Hang on, I said. If it was true that I was "out of contract", as they kept saying I was, then how could Vodafone still be entitled to 30 days of my money - not to mention the extra 6 months they'd already enjoyed through my diary error? I knew the answer, but I wanted to hear the explanation.

You see, they didn't really mean that I was 'out of contract' in the sense that the contract had somehow expired. That would be misleading. If the contract had really ended, Vodafone wouldn't have been entitled to be paid for the extra 6 months, never mind the 30 days. Instead, they only meant that the minimum term of the contract had expired. That meant the contract had actually continued subject to termination on 30 days' notice - so it could have gone on for 30 years if I hadn't called to cancel it. 

When I asked if Vodafone has a process for notifying customers when they are 'out of contract' (i.e. when their initial term has expired), the representative said they did not.

Of course, Vodafone does have a process of calling you about upgrade opportunities a long time in advance of when the initial term expires. But that's just marketing. They then go quiet around the time the initial term expires, so you bear the risk of beoming a rolling 30-day cash cow.

I wonder how many customers paid for an iPad or other device through a 3G contract and forget it's still appearing in their bill even though the initial term had ended? And how many get a new mobile and don't realise they're still paying for an old one they thought was 'out of contract'? Are they to be treated as stupid people, or people with a hell of a lot of other stuff on their mind who could do with a reminder? Would they be prepared to pay a small admin charge for a reminder at the right time, or should such a reminder be a part of any decent service?

It's worth noting that Ofcom banned "automatic rollover contracts" for consumers and businesses with no more than 10 employees in September 2011. But the ban only applied to landline voice and broadband services, and it only means the customer can't be automatically renewed into another extended 'minimum contract period'. The new rule is that the maximum duration of initial contracts can only be 2 years; and at that point users must be offered an option to contract for a further maximum duration of 12 months. That means they are prompted to extend, switch or cancel.

Should a similar rule be brought in for mobile services?