In the background to the current discussions, of course, we have lurking the behemoth of the draft Regulation that is very likely to replace the current Directive that governs privacy in the EU. The Regulation itself is currently subject to a "trilog" – a three-way negotiation among the European Commission, Parliament and Council of Ministers. (The Parliament's plenary vote on March 12, 2014, ensured that the Parliament cannot change its position on the Regulation even after the round of Parliamentary elections this June.) Speakers at the IAPP conference projected that the Regulation will be finalized and passed as law sometime towards the end of 2014, or possibly 2015.
In the meantime, privacy advocates and commentators from academia, industry and government focused on the following themes, many of which outstrip the thinking in the draft Regulation:
Anonymization: Is robust anonymization ever possible? (See the comments of a leading international data security expert, Ross Anderson, casting doubt on that.) Can any data set lead us to a given individual if the data queries are structured cleverly enough? Should we instead think of data as only ever "de-identified" and focus on educating data generators and users on the most effective means of de-identification and security, with penalties for intentional re-identification? Or should we stop distinguishing altogether between personal data (which is always within the scope of European privacy laws) and anonymized data (which is outside of the scope of European privacy laws)? The answers to these questions could have huge implications across a range of industries, from marketing research organizations (whose bread-and-butter work involves analyzing massive consumer data sets) to drug development companies (clinical trial data aren't immune to the current debate).
Notice and Consent: Is...