Last week, Dutch think tank ECP hosted an interesting seminar on the future of data in the Netherlands. The seminar was aimed at discussing a legislative proposal for a 'general data law' presented by social democrats (PvdA) Jeroen Recourt and Astrid Oosenbrug. The idea behind the proposal for a general data law is the growing inconsistency and uncertainty in the current legal framework for governing data related issues. I had the pleasure of reflecting on the proposal from a cyberlaw angle. Below is a summary of my presentation (the full presentation can be found online > Dutch).
According to my interpretation of the proposal, it basically falls apart into two distinctive elements: 1) a vision on the necessity of a legal framework for the digital world and, 2) a concrete proposal for a 'data law'.
1. Vision on a legal framework for the digital world
The first part of the proposal sets the stage for the data law. The parliamentarians signal that there is a growing discrepancy between the current law in the books and the real world of the Internet. This observation is accurate and the debate is timely and important. The parliamentarians are to be commended for their vision and bravery in putting this complex subject on the table. The current EU legal framework, which has grown over time to incorporate new technological and societal developments, is a hodgepodge of telecoms, privacy and e-commerce law. Throw in incompatible national laws for intelligence and law enforcement, and you have a recipe for disaster (and a lawyer's paradise).
2. The data law
Unfortunately, the proposed solution to this problem, a general data law, is fundamentally flawed. The parliamentarians want to regulate data much the same way as utilities (e.g. electricity, gas, water). What this approach fails to take into account is that legislation for utilities is only concerned with production and transport, not with actual use. But in the context of data precisely this is highly relevant. Another issue is that the data law is to be a Dutch law. This disregards the fact that in today's connected world data flows across borders almost by definition. It also disregards the fact that all the rules that really matter are made in Brussels, not The Hague. Finally, the parliamentarians have made a wish list of things the data law should regulate (right to be forgotten, data breaches, net neutrality). Most of the points on the wish list however, are actually already part of Dutch law, or are about to be implemented in new legislation such as the European Data Protection Regulation.
So, having concluded that the idea and vision behind the initiative is sound, but the practical solution is not, what should we do? First of all let's get rid of the idea of a general data law as a solution. What we need to do first is create a good overview of existing legislation, determine relations and dependencies, find inconsistencies, and assess where improvement is actually necessary. The next step is to formulate -at the national level- what we want to change and how a new legal framework can take shape. The final step is to bring these ideas to the international level. As a 'digital superpower' the Netherlands is the ideal country to come up with new ideas and solutions.