From Himmler to Theresa May to Trump to Microsoft + LinkedIn: why we need data protection

The condemnation in Godwin’s Law, the “Reductio ad Hitlerum”, does not apply to an article which legitimately begins with a record of Nazi atrocities in Berlin. The implied comparison between Heinrich Himmler and Chris Grayling is justified by their parallel rises from obscure nobodies (chicken farmer in one case, media management in the other) to positions where they had / might have their hands round the throat of human rights.

A few yards behind the Brandenburg Gate in Berlin stands a row of glass screens recording, in English and German, the fate of gypsies, Jews and others at the hands of Himmler’s Research Office for Racial Hygiene.

When you hear Americans complain about how EU data protection laws stand in the way of honest lawyers trying to collect documents for US litigation, take them to this place and show them why we in Europe are so concerned about records of personally identifiable information. Efficient record-keeping allowed easy targeting of those whose race, religion, politics and other personal characteristics classified them as different in a regime where difference became a crime.

This kind of record-keeping did not end with the annihilation of the Third Reich. In post-war East Germany, neighbour spied on neighbour, recording and reporting every conversation and every move to the Stasi, who collected it all in vast repositories and used it for discipline and control. The discovery needs of US courts and regulators suddenly seem very insignificant.

The memorials all around Berlin made it an appropriate venue for the Eighth Annual Sedona Conference International Programme on Cross-Border Discovery and Data Protection Laws. I was there last week, and sat down yesterday to write about it. What began as a diversion into the context – the reasons why data protection matters – has become an article of its own, and I will write separately about Sedona WG6.

Our data in the hands of government

If we in the UK don’t presently fear being dragged off to camps and killed for our religion or beliefs, we have other reasons to worry about the security of our data. It has emerged that the UK’s GCHQ has been “logging the browsing habits of internet users worldwide since 2009, including visits to websites, posts on social media and news sites, search engine queries and posts on chat forums and blogs” (the quotation comes from this now firewalled article).

The UK government’s Investigatory Powers Bill, popularly (or not) known as “the Snoopers’ Charter”, will give similar surveillance powers to other authorities. While we may accept that information is critical for combatting terrorism and serious crime, there is a legitimate fear that these powers will be passed to low-level policemen and the unthinking little nobodies who scuttle behind the skirting boards in local authorities and obscure quangos. The theory is that their access to our data is rigorously limited and controlled, but even as I was dictating this paragraph, I came across an article about a policeman misusing his existing search powers; “the system” is supposed to prevent that.

Cartoon by Moreland in the Times

Our data in the hands of commercial operators

Beyond the state, we have good reason to fear those who accumulate data about us from multiple sources for commercial reasons, and use ever more powerful analytical tools to build a picture of us and to fill in the gaps. Some of this information we surrender willingly in exchange for the benefits which we get, for example, from store cards and Google Maps. Yet other data is taken from us covertly by our computer use or by our transactions with supermarkets and other big corporations. Our government sells health data and other personal information to private companies whose ambitions are both boundless and unclear.

What if the accumulated data should fall into the hands of an extremist government from right or left or a megalomaniac tycoon? It is quite clear, for example, that UK Home Secretary Theresa May and her advisers have little or no understanding of the implications of all this data collection. “It’s only metadata”, they say, cheerfully and wilfully ignorant of the power of modern analytical tools to build pictures from scraps of metadata from multiple sources.

Put in this context, the efforts made by the EU to protect data seem entirely reasonable and, wearing my citizen’s hat, I am pleased to be protected by the existing data protection laws and the pending General Data Protection Regulation.

The changing US Perspective

The US has been spared the occasional incursion of hostile powers across its borders and is culturally at ease with the idea that openness and transparency are more valuable than the right to privacy and data protection.

Both the US and the EU are mighty economic powers, dependent on trade between each other as well as with others. Trade depends upon and creates data flows, both for the everyday conduct of business and for the resolution of disputes and the demands of regulators. Conflict is inevitable as the EU turns the screw on data protection.

There have been changes since I first started talking about the subject in the US in 2008. Back then, the US reaction would vary with the person I was speaking to: some would attack me, as if I was personally responsible for the difficulties caused to honest Americans just trying to do their job; some would express amazement at discovery regimes which did not collect every last scrap of information; some seemed appalled at the idea that the order of an American court did not carry much weight east of Ellis Island.

Over the years I came across more people who had had experience of collecting data in Europe and who, if they did not accept the differences, at least did not disbelieve me when I spoke of them; the Sedona Conference published its International Principles, with novel ideas like respecting the laws of other countries, learning how to prepare for and articulate arguments in the US courts, or (gasp) narrowing the demands to documents which were actually necessary for the conduct of the case.

Some even began to wonder if minimising the volume of retained data would reduce the problems caused by having to search it for PII (Personally Identifiable Information) with every discovery exercise.

Keep less crap

Someone made a note of my off-the-cuff comment on a Legaltech panel

Privacy began to intrude in US domestic circles with, for example, the restrictions imposed by HIPAA (the Health Insurance Portability and Accountability Act) and arguments about the proper scope of email demands by various authorities; Snowden blew the lid off the scale of state intrusions into privacy, and some were quick to see through the NSA’s protestations that it was only “foreigners” whose data they investigated (how do you know they are foreign until you have searched through their data?).

Recent developments

A big change came with the EUCJ’s Schrems decision, invalidating the cosy umbrella of Safe Harbour which had given the fig leaf of compliance to so many transmissions of data; Schrems brought the subject to the front page of the newspapers, where a federal judge might read it and begin to understand that there was a problem to be solved.

The US claims to grab documents held by Microsoft in Dublin raised interesting questions about “jurisdictionality” and control, but also made some wonder what Americans would think if the Chinese purported to exercise the same rights against them (here, as elsewhere, “interesting questions” means that one can see both sides of the argument, both legally and morally).

Not least was the promulgation of the EU’s General Data Protection Regulation with its headline-grabbing fines and international reach.

Who might get your data next?

[I held back this article yesterday as the murder of MP Jo Cox inspired comment that it is destructive to condemn all politicians by default. So it is, but Chris Grayling is a nasty piece of work, as his time at the Ministry of Justice shows. At a point when next week’s EU Referendum may yet bring us a far right government which includes him, he illustrates perfectly my point about how democracy can bring us abuses of power.]

All this seems a long way from Himmler and his Research Office for Racial Purity. Is it though? We might confidently say that the time has gone when far right demagogues can seize power, but then we look at Trump, at the very narrow margin by which the right was defeated in Austria, at the rise of Marine Le Pen’s party in France, and at the apparent success (so far) of the Brexit immigration arguments in the UK, and we begin to wonder.

Standing in front of the Reichstag last week, I recalled that Hitler did not seize power in a coup but worked his way up through the democratic system. What if the next turn of the UK’s political wheel brings the former Justice Secretary Chris Grayling back into a position of authority? He has already once been sacked for incompetence, and he has form when it comes to his personal expenses; that is the least of it. He is nasty, arrogant, dishonest, abusive of power and keen to have more; he is devoted to selling government functions to the highest bidder; and he has made it clear that a UK led by him and his Brexit pals would speedily trample on human rights and break EU treaties (see Guardian article here). What would be the fate of your private data in the hands of a man like this?

Himmler had to build his own lists of undesirables; a modern equivalent will find everything he or she wants to know in the data which we create and collect every day, often without knowing we are doing so.

Making compromises

We have to find a balance, and balances are almost always unsatisfactory. At a government level, democratic controls slowed down Theresa May’s efforts to know all about us, but she got there in the end with some token compromises; the security services still feel that they have one arm tied behind their back, while we citizens feel spied upon. The EU legislators have to strike a balance between the protection of individuals’ data and the business imperatives of those who bring the trade which the EU needs; again, both sides feel short-changed, with Max Schrems as the over-excited standard-bearer for protection, and Microsoft, Google and Facebook objecting to yet further restraints on their commercial freedom to offer what most people seem to want.

Individuals have similar balances to strike. Since we must put up with advertising, it is probably better to have targeted advertising than that which is completely random; if we want government to target resources against needs, we must surrender a certain amount of information (for example in the census) to give government a statistical basis for the allocation of resources; if we accept the frankly amazing tools which Google gives us for “free” then we must expect to pay for it by surrendering something, and that something is information about us.

Microsoft, the world’s most skilled creator of nagware, has just bought spamming expert LinkedIn, paying $26bn for LinkedIn’s data hoard. Some of that data we gave voluntarily to LinkedIn; some of it LinkedIn acquired by surreptitiously reading our address books. Their combined power to ram garbage down your throat will be tiresome; that is only part of what they can do together – the part we can see.

The borders between government and business are easily crossed. Something induced the British government to give healthcare contracts and healthcare data to Virgin. We don’t know what the inducement was, but it won’t be long before the Virgin empire is offering you flights and holidays because it knows you had an operation recently. Now, imagine what happens if Microsoft next buys Virgin and starts spamming your LinkedIn contacts with the news that you have been ill. And so on, ad infinitum.

Not all of this is ipso facto evil, but someone needs to ensure that a balance is struck between the benefits and burdens in this trade between information on the one hand and security, proper commercial purposes and user convenience on the other. Compromises inevitably involve difficult decisions. Decisions should be based on understanding, and understanding is derived from knowledge. The Sedona WG6 meeting gave us ample opportunity to acquire some of the knowledge and understanding which we need to play our part in navigating the compromises, whether for US discovery purposes or for things closer to home.

I will write separately about the Sedona WG6 programme itself.

Pictures: Chris Dale, Mortensen in the Times, kCura, The Guardian

About Chris Dale

I have been an English solicitor since 1980. I run the e-Disclosure Information Project which collects and comments on information about electronic disclosure / eDiscovery and related subjects in the UK, the US, AsiaPac and elsewhere
This entry was posted in Cross-border eDiscovery, Data privacy, Data Protection, eDiscovery.
