Thursday, 15 November 2018

Data protection in the EU-UK Withdrawal Agreement - Are we being framed?

A few weeks ago, TJ McIntyre of University College Dublin and Digital Rights Ireland alerted us to a little-noticed section in the UK Information Commissioner’s guidance on international data transfers under the GDPR that advises controllers that they "are only making a transfer that is restricted under Chapter V of the GDPR (Transfer of Personal Data to Third Countries or International Organisations), if they are sending personal data, or making it accessible, to a non-EEA receiver to which the GDPR does not apply".

The ICO’s General Counsel, Ms. Emma Bate, has then apparently explained this guidance to mean that “a transfer of personal data outside the EEA is not restricted by Chapter V of the GDPR, if the data, when held by the non-EEA recipient, is still protected by the extra-territorial scope of the GDPR. The rationale being that no additional protection is needed as the GDPR still applies, so this is not a transfer outside the protection of the GDPR.”

Now, this was an odd thing to say, even then, given that it would effectively authorise data transfers from inside the EU to any big non-EEA internet provider qua the extra-territorial provisions of Article 3 of the GDPR without any need for those providers to either be established in a country that provides adequate protection, or use one of the appropriate safeguards, or rely on one of the derogations in Article 49.

Which sounds like absolute nonsense if you take into account the wording of Article 3 of the GDPR, which quite clearly states that its territorial application only extends in this way where the processing activities themselves are related to either the offering of goods or services or the monitoring of data subjects' behaviour. The territorial scope provisions do not therefore create a "mini-safe harbour" for those controllers for all manner of other processing and it is unlikely that this was what the legislator had in mind when adopting that provision.

TJ duly made an FOI request to the ICO to find out more and was recently bequeathed a reply that explained…absolutely nothing.

As oddities go in these turbulent times, this was maybe not the oddest we have come across, and Matron put it out of her mind until this morning when she had a look at the data protection provisions of the draft EU-UK Withdrawal Agreement. 

Which provides in Article 71(1) that:

“Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of personal data of data subjects outside the United Kingdom, provided that the personal data

(a) were processed in accordance with Union law in the United Kingdom before the end of the transition period; or

(b) are processed in the United Kingdom after the end of the transition period on the basis of this Agreement.”

And all of a sudden, everything seems to make so much more sense!

Because, if we take those two things together, the implications for the UK (and EU data subjects) could be highly interesting.

Let's say the ICO’s guidance is accepted by the Commission, the EDPB and/or the DPAs of other member states.

And let's further assume that - at least for the duration of the transition period - the GDPR still applies in the UK to the processing of EU data subjects' personal data. Which it arguably does under Sections 2 and 4 of the Data Protection Act 2018 (with a few exceptions here and there).

So, would this be a way to ensure that, in practice, the UK does not acquire full “third country” status under Article 44 of the GDPR on leaving the EU on 29 March 2019 but that, instead, 

  1. its controllers can continue to receive personal data from inside the EU, at least during the transition period, without a need to put in place one of the Chapter V routes (adequacy, appropriate safeguards or one of the derogations);
  2. those data transfers would be outside the jurisdiction, at least with regard to Chapter V compliance, of the CJEU, which might otherwise want to take a look at the UK's dubious electronic surveillance laws as part of a Schrems-like challenge?

If so, this would be an extraordinary fudge of the EU legislative framework that deserves detailed attention by civil society and the regulators, given that it would not only give the UK and the EU ample time to negotiate an adequacy agreement as part of the final trade deal, but that the repercussions of this fudge would likely be felt way beyond UK borders and well into the future.

Should we be worried?

Monday, 23 July 2018

A fool and their data are easily parted: Is "data portability" really all it's cracked up to be?

Last week, Microsoft, Facebook, Google and Twitter announced plans to introduce a new open source initiative for consumer data portability, called the Data Transfer Product. A noble endeavour, many will argue, which obeys both the letter and the spirit of the new data portability requirement in Article 20 of the GDPR. That Article requires data controllers to transmit, under certain circumstances and on the request of a user, that user's personal data to another controller "in a structured, commonly used and machine-readable format" and "without hindrance from the controller to which the data have been provided". Data portability is generally seen as A Good Thing and the industry has long been lambasted for dragging its feet on this on the assumption, made by many, that individual providers don't want to share their users' personal data because they see them as their own business's commercial assets. But, true as that may have been all the way back in the 90s, is that really still the case in today's data-driven society?

Let Matron play Cassandra once again and say that, first of all, a joint project for data portability set up by the likes of Microsoft, Facebook, Google and Twitter is unlikely to be done solely for the benefit of users. A sane and rational part of us knows this, even if that is often the part that we choose not to listen to. But even if you have not yet joined the tribe of the "Incurably Suspicious" of which Matron is a card-carrying member, there are some points to consider here that should be clear to everyone.

You can check out any time you like...

As most of us know, even if given the option, most users will likely decide to share their data with a new provider while continuing to keep that same data on the old provider’s service “just in case”. The online environment is our Hotel California. We don’t “leave” services, we multi-home.

This has been a fact for the majority of people ever since before Viktor Mayer-Schönberger declared, in his book "Delete: The Virtue of Forgetting in the Digital Age", that the (time) cost of deleting [data/online content/communications] has become more expensive at roughly the same time that the (financial) cost of storing that data forever has gone down. And as long as that storage doesn't cost us a penny, most people will ask themselves, what's the harm in also keeping it on the old service, even if we no longer use it? We do it for safekeeping, or because we still use the old service for some purposes (news gathering but not photo sharing) or to communicate with some people but not others (our mothers v our friends, acquaintances or work colleagues). The point is, we mostly don't delete. And they know that.

Which is why any data portability project that focuses on “share and remain” rather than “share and delete” type user behaviour is not only an instrument that empowers users to have control over their data, but also one that facilitates the widest possible distribution - by users themselves - of their personal data between different providers. We’re not “porting” our data in the sense that we take them away from one provider and give them to another. We just duplicate them. It's all about convenience but without necessarily affecting either provider's bottom line.

Interestingly, this was one of the few things that the late Caspar Bowden and I ever disagreed on. I remember a long and heated discussion over bad coffee in some University cafeteria during some conference around 2012 when he told me about his campaign to make data portability a legal requirement. He got ever more enthusiastic, I became increasingly horrified. Because he saw portability as an instrument of user control, I saw it chiefly as a way of conning users into handing out their data to ever more different providers. And quite honestly, what’s not to like from the providers’ POV?

We are programmed to receive

Because one of the best kept secrets of the data economy now is that, contrary to popular belief, personal data is not necessarily a competitive asset. One provider doesn’t necessarily lose out, just because another provider has access to the same data too.

In fact, if the GDPR just allowed this, unfettered ubiquitous sharing of internet users' data between providers could probably be to the commercial benefit of all of them, particularly if it then also allowed for the seamless tracking of all of a user’s online activity by everyone. This is, after all,  just the raw data, which they can share. These days, the competitive element increasingly lies in what each of those providers does with those data - and this means their profiling algorithms, their means to combine those data with other data and the subsequent sale of the data product.

Open access proponents already know this. And once commercial providers "got it" too, we saw industry resistance to data portability slowly fade away.

We are all just prisoners here, of our own device

But data portability does much to assist providers in eroding principles like data minimisation, purpose limitation and storage limitation and in getting around the much more annoying conditions of those other legal grounds.

Because user consent is still a binary concept. You have it or you don't. And (depending on how good you are at writing privacy policies) once you have it, it will often allow you to do things with data that you would not otherwise be allowed to do because of restrictions put in place in the context of those pesky other legal grounds - restrictions that were imposed for good reasons that we would do well to remember occasionally.

But a fool and their data are easily parted and “share and remain” data portability is just another way to facilitate the spread of personal data across the internet with minimum fuss and effort - all with the individual user's full knowledge and consent. And therein lies the problem that the GDPR has - as yet - not solved sufficiently.

This could be Heaven or this could be Hell

So is Matron categorically against data portability? No. How can she be? It’s a question of user autonomy after all. But it’s also just another example of why we need restrictions on consent. Because individual users are often not the best judge of what kind of data uses serve them and others well. So if we can’t (or don’t want to) limit users in who they share their data with, we must make sure that we limit what providers can do with those data. 

If we don’t, people will inevitably use this new instrument in the way they always do: for short-term benefit (usually accruing only to them) and against their own and (increasingly) collective or societal long-term interests.

Not for the first time, the fact that Caspar left us so early bugs the hell out of Matron. Just once she would have loved to hear him say, “you were right”.

Wednesday, 21 December 2016

Squaring the data protection circle just got harder for the UK

So, the CJEU decision in the Joined cases of Tele2 Sverige AB and Tom Watson et al. (Cases C-203/15 and C-698/15) came out today and maybe unsurprisingly - after the fairly decisive Advocate General Opinion in July - it is not good news for the UK government.

Admittedly, the judgment does, in theory, concern an Act (the Data Retention and Investigatory Powers Act 2014 (DRIPA)) that is only going to be on the UK statute book for ten more days when it expires under a sunset clause. However, that Act was, to all intents and purposes, replaced by something even worse and far more serious. Despite the inclusion of certain procedural safeguards, it is probably safe to say that, for example, the provision on bulk data collection contained in the Investigatory Powers Act 2016, Britain’s latest version of the “snoopers’ charter”, which now includes a requirement to retain internet connection data, makes it a significant advance on anything the country has seen before. In many respects, the IP Act is DRIPA on steroids. And that will be significant.

Incoming data flows post-Brexit

It will be significant not just because we can now surely expect a judicial challenge to the IP Act just as soon as the ink is dry on the CJEU decision (for a detailed analysis of the decision's implications for the IP Act, see Angela Patrick's excellent blog post). It will also be significant because of the long-term effect of the judgment not just on the UK’s ability to monitor the online activities of its population, but on the UK’s economy – particularly its information economy – after Brexit.

It’s a funny thing, this Brexit lark. Intended to free the UK from the shackles of EU regulation and an attempt to relocate “sovereignty” (whatever that means these days) back to the Westminster Parliament (Matron will bite her tongue for now on any comment arising from the points so beautifully made before the Supreme Court in the Miller case), it is in fact likely to cause the UK no end of trouble when it comes to its data protection laws. A point that, to date, the UK government has only seemed to have grasped slowly and incompletely, if recent legislative activity is anything to go by, and that much of the UK public will find difficult to follow given current rhetoric on the benefits of a red, white and blue Brexit.

Although the UK government has now confirmed that it will opt in to the GDPR in May 2018, its failure to commit to the continued application of the framework post-Brexit already creates legal uncertainty for UK data controllers and processors. But in the face of today’s judgment, it is now seriously putting at risk the ability of any UK company to receive personal data from inside the EEA after the UK’s departure from the EU club. And that is something that UK businesses should view with some concern.

To quickly sum up the current situation: the EU data protection law framework has always been, and will continue to be, in the service of two seemingly conflicting objectives: it seeks to protect personal data and hence the individual citizen’s right to privacy and data protection (now guaranteed to them under the EU Charter of Fundamental Rights), and to facilitate the free flow of personal data, which is a basic requirement for the functioning of the digital economy that we are all now operating in.

The way in which this has been achieved since the adoption of the Data Protection Directive in 1995 was by creating some sort of “protective bubble” around the EU (and later the EEA) member states within which everyone applied roughly the same rules with regard to the processing of personal data. This made it possible to allow for free data flows from one  member state to another, safe in the knowledge that no country would be able to either:
  • create “data havens” with a low standard of data protection as a means to entice data heavy businesses to settle and invest there, or
  • use high standards of data protection as a protectionist measure to guard its own businesses from outside competition.

Now, we can all agree that, EU-internally, this hasn’t worked out quite as well as it should. Most of us suspect that there is a reason why some of the more interesting judicial challenges in this area of law originate from Ireland. But where this approach has arguably been quite effective is in the relationship this has created between the EU/EEA and so-called “third countries”.

Because one of the main tenets of EU data protection law is that EU data controllers may only transfer personal data to a country outside the EU if that country provides adequate protection of personal data, the relatively high standard of the EU data protection framework has already spread, missionary style, to other, non-EEA countries that wish to trade with the EU.

And this, dear Watson, is of course the circle the UK will have to square post-Brexit when it takes on the noble mantle of “third country” status.

Debunking the “We’re out of here” myth

A quick perusal of today’s press shows that commentators were quick to assume that today’s CJEU ruling will not affect the UK much given its impending exit from the EU and the fact that it will no longer be subject to the CJEU’s jurisdiction.

This is the same attitude that allows some people to believe that the UK actually has a choice when it comes to the kind of data protection law that it will adopt after Brexit. Already, there have been a number of suggestions on how to skin this particular cat, ranging from, yes, the continued wholesale application of the GDPR to the adoption of a significantly “less burdensome” data protection standard aimed to make the UK an attractive destination for inward investment by data-heavy industries. What the latter camp fail to acknowledge, however (as with so many other Brexit-related questions), is the UK’s current importance as port-of-entry to the EU markets – which is likely to be much diminished after its departure from the EU - as well as the significant level of data-heavy services that UK businesses themselves provide to other EU member states, all of which require a continued ability of those UK businesses to be able to receive inward transfers of personal data from the EU.

That continued ability relies heavily on the UK being viewed as a jurisdiction that provides an adequate level of protection for personal data in a way that would enable the European Commission either to make a finding of adequacy with respect to the UK or to negotiate some other mechanism, for example, in the form of an EU-UK Privacy Shield, that would authorize those inward transfers.

Reading only reports from inside the UK, it is easy to believe that, because much of these negotiations are generally highly politicized, the UK’s proven skills in getting concessions out of the EU that no other member state would ever even dare ask for will ensure that a deal that favours the UK could be struck. And maybe they are right.

But today’s judgment might nonetheless have dealt a blow to the long-term viability of that strategy.

Because, although as a judgment it is important in its own right, it becomes even more important when read in conjunction with last year’s CJEU decision in Schrems v Data Protection Commissioner (Case C-362/14).

Advantage EU?

By way of a reminder, the Schrems decision answered the question whether national data protection authorities should have the right to conduct their own investigation into transfers of personal data to a third country (in this case the US) despite the fact that that transfer was, on the face of it, authorized by a decision of the European Commission (in this case the decision that put in place the EU-US Safe Harbour arrangement). The CJEU answered this question in the positive and in the process the court took a number of significant steps that are bound to haunt EU and non-EU data controllers and processors for years to come.

Yes, it invalidated the Safe Harbour decision. But, more importantly, it asserted for itself the right to judicially review all Commission decisions (and possibly  other executive and legislative measures adopted by the Commission and other EU institutions as well) for their compliance with the EU Charter of Fundamental Rights.

It also made it clear that:
  • in the context of data protection, national authorities have the right and indeed the obligation to bring matters that, in their opinion, might necessitate such a judicial review before their national courts with a view to having them referred to the CJEU.
  • when determining whether a third country does provide an adequate level of protection and therefore should be allowed to receive personal data from inside the EU, the court itself would take into account the entire legal framework of that country including the laws permitting the mass surveillance of electronic communications to the extent that those laws might arguably authorise the third country’s law enforcement and security services to access EU citizens’ personal data transferred to that country under the instrument in question.

Although the decision in Schrems was limited to the EU-US Safe Harbour arrangement, it does therefore not require much of a stretch of the imagination to see how the same reasoning could be (and most likely would be) applied to any other type of legal instrument authorising cross-border data transfers from the EU to a third country. And indeed, cases brought by the Irish DPO (with regard to the validity of the standard contractual clauses) and by Digital Rights Ireland and La Quadrature du Net (with regard to the Privacy Shield that has now replaced the Safe Harbour) seem to suggest that this is a valid concern.

Game, set and match?

Which brings us back to today’s decision and the way in which the CJEU has reiterated, once again, just how it feels about national legislation that “prescribes the general and indiscriminate retention of data”. Such activity, according to the court, is not in compliance with the rights and freedoms guaranteed to EU citizens under the Charter. Specifically, EU member states are not allowed to make laws that mandate the retention of traffic and location data unless they limit retention to that which is strictly necessary and make access to the retained data subject to substantive and procedural conditions. This includes objective criteria in order to define the circumstances and conditions under which the competent national authorities are granted such access. Access must also, except in cases of urgency, be subject to prior review by a court or an independent body.

In the case at hand, this is likely to mean that DRIPA is unlikely to comply with the CJEU’s conditions (although the final determination of this is of course left to the referring court in the UK). Moving forward, this is also likely to mean that the IP Act will face difficulty in passing muster on that score.

And although, of course, the UK has the option to say “Why should we care? We’re off” and thus refuse to change its laws to accommodate today’s ruling, the existence of a surveillance framework that so obviously and disproportionately interferes with the rights and freedoms of EU citizens will make it difficult, if not impossible, for the UK in the future to provide evidence that it does in fact ensure an adequate level of protection of personal data.

Because the way the CJEU has phrased its conditions for a data retention framework that meets the requirements of the Charter sounds remarkably similar to the way it talked about the requirements that the US would have had to meet (and, in practice, failed to meet) to justify the validity of the Safe Harbour framework.

I am sovereign, you are protectionist?

In fact, in an outstanding show of asserting the EU’s own sovereignty vis a vis third countries, the court, in Schrems, gave a dressing down to the EU Commission for the fact that it had issued a decision that authorised data exports from the EU without a proper examination of whether or not the receiving country ensures an adequate level of protection "by reason of its domestic law and international commitments".

Specifically, the court ruled that the Commission should have taken into account whether the authorization of personal data transfers from the EU to the US under the Safe Harbour framework did, in practice, facilitate the interference by US public authorities with fundamental rights of the persons whose data is transferred to the US. The Commission’s decision should have included therefore (and didn’t) findings regarding the existence of US rules to limit any interference with the fundamental rights of those persons, as well as the existence of effective legal protection against interference of that kind.

The fact that, by its own assessment, the court felt that US law was found wanting on either of those points, directly contributed to its decision to invalidate the Safe Harbour.

Implications of Schrems and Watson for a post-Brexit UK

So what does this mean for the UK post-Brexit, when it takes on the noble mantle of “third country” status?

It means that regardless of the type of legal instrument it may come to agree with the EU to secure its continued ability to receive personal data from other EU member states, its approach to the surveillance of electronic communications as well as its "international commitments" in this area is now likely to be part of the issues that will be assessed if a challenge to that instrument ever finds its way to the CJEU. And it would probably be naïve to assume that no such challenge would be made.

Meaning that even though the CJEU may no longer be able directly to influence UK surveillance laws in a post-Brexit world, it would very much still be in a position to put a stop to EU-UK data transfers if it finds that the legal instrument that authorizes those transfers facilitates the interference by UK public authorities with the fundamental rights of EU citizens. For as long as UK laws like DRIPA or the IP Act exist or in the event that the UK indiscriminately allows bulk access to EU citizens' personal information as part of its "international commitments" (like the "Five Eyes" arrangement?) to countries that might not be considered "safe" themselves, today’s judgment in combination with the court's ruling in Schrems is likely to present a clear and present danger for the economic outlook of UK data controllers and processors.

Where do we go from here?

So here is Matron’s take on how UK privacy advocates should take today’s judgment forward. Not just by celebrating the fact that “we won” (although a certain amount of celebratory glee must surely be allowed at least for today). And certainly not by getting into fights with the right-wing press on whether or not this is just another sign of how the EU affects UK sovereignty and national security and just another reason for severing ties with the lot of them as soon as possible.

But by pointing out - calmly but relentlessly - that, like a post-Brexit UK, a post-Brexit EU is sovereign and competent to decide which countries it allows its businesses to trade with. And that a post-Brexit EU, being bound, as it is, by the Charter, is unlikely to allow its businesses to transfer EU citizens'  personal data to countries where their protection from what would be considered, under the Charter, unlawful access by law enforcement and security agencies cannot be guaranteed.

Which means that, like the US before it (in the Microsoft case), the UK now faces a choice: it can either moderate its ever more intrusive surveillance laws to make them compliant with the EU Charter or it can exercise its “sovereignty” in the area of national security at the long-term expense of its digital and cloud industries. But until that choice is made, the economic position of any UK business that relies for its viability on the ability to receive inward transfers of any kind of personal data from inside the EU has just become a lot more difficult.

Time to get popcorn!

Saturday, 11 July 2015


I admired Caspar Bowden’s mind before I met him in person. That may have been a good thing because - as others have already testified – in person he was a handful. And to deal with that handful properly it was maybe advisable to have a drink in your other hand. Or a blunt object. Or maybe just be the sharpest, wittiest, most intelligent, most probing, most suspicious, most cynical, most V for Vendetta version of yourself that you could possibly manage to be. Because he expected a lot from you and he didn’t suffer fools gladly.

We first meet at a workshop in the autumn of 2005. I have written an extremely detailed, rambling legal account of the fight against the Data Retention Directive, a fight we were about to lose, outlining the procedural intricacies of an EU legislative system that leaves little room for individual advocacy and a lot of room for political gerrymandering. The workshop is only my second foray into academic life after six years spent in legal practice. I expect much of the detail in my paper to go over people’s heads, but it is a cause I am passionate about so I decide to stick with it. I start my presentation with a quote from Caspar’s Duke article on “CCTV of the mind”. I have seen his name on the speakers list, so on the off chance, I mention that the author of the quote may be somewhere in the audience. “That’s me”, pipes up the guy sitting directly in front of me. “Great!”, I think, “No pressure there then!”.

He corners me over coffee. He’s not normally a fan of lawyers, he says, but my obsessive eye for the detail of the EU legislative process and the political behind-the-scenes machinations has caught his attention. We chat. I have worked on this paper for months, doing desktop research, finding and reading all the boring background papers, connecting the dots, drawing conclusions. There is nothing new I can tell him, but he looks at me like he is impressed by my forensic abilities. We spend time over dinner, chat. I am a little bit in awe.

We meet again a year later at a conference in Hamburg. I’m surprised he remembers me, but he comes to see what will later be known as “my crazy paper”, says he likes it. We go for drinks. I ask him how he’s been and he tells me that he’s just accepted a position with Microsoft. I nearly choke on my wine and ask him why. “They offered it to me and I was intrigued”, he says. “Maybe I can do something from the inside. Also, I needed a job.”

It becomes a joke between us in the coming years. The fact that the most absolutist, uncompromising privacy fundamentalist I have ever met had gone over to the Dark Side. I tell him I worry that it will grind him down, affect his mental health. Over the years, his denials of that possibility become weaker. But when he finally gets out, he is angry. He rages against the machine even more than before, throws everything he has at it. Everything he has is a lot. He isn’t fond of compromise or restraint. He comes to a workshop I organize and aggressively attacks some of my more esteemed panelists. We have it out on the phone afterwards. “Sometimes you catch more flies with honey than with vinegar”, I tell him. He disputes that but is sorry if he has embarrassed me. We agree he’s almost German. Our kind value the truth more than other people’s feelings.

Two years later, autumn 2012. We are asked to work together on organizing a panel for yet another conference. The choice of topic is up to us. The CJEU decision on the Data Retention Directive is imminent and I want it to be about that. To my surprise he disagrees. He wants it to be about mass surveillance in the cloud. It’s more important, he says. We argue. I am busy at the time, he is better prepared. He wins. As it turns out later, he was right.

We start discussing the panel, the speakers, the way we want things to go, whether either of us should speak ourselves. I can sense that he wants to, but it’s not the done thing and I wonder if it is wise. I know him by now and I also know why I was asked to do this with him. I’m to be the moderating influence, the good cop to his bad cop, so that he can go out there and do what needs to be done, what he does best. We lose a panelist at short notice and decide that, yes, he should speak.

A planned brief introduction turns into a 45 minute slide show full of small print text and intricate analysis of complicated FISA provisions, holes in human rights protection, US exceptionalism and the dangers for EU citizens if the EU does nothing.

The picture he paints is scary, borderline crazy. A spy movie, where James Bond is the villain. The audience is rattled. Probably half of them think he’s insane. A tin hatter that doesn’t have to be, can’t be, taken seriously. Because what kind of a world would we be living in, if he was right?

On our panel are representatives from the Commission, the EDPS and the European Parliament. The Commission rep denies that any of the scenarios Caspar paints are ever likely to happen. The others are less certain. Cats and pigeons debate the topic over lunch and Caspar is on his laptop, sending out his slides to everyone who wants them for the rest of the day. The conference ends and we wonder what to do with this now.

We decide to present separate papers at a US conference. Try and raise awareness in the US privacy community at least. He doubts they will follow our call to arms, I am more hopeful. I know he thinks I am naive.

As before, we argue about content, distribution, presentation, method, everything. One Saturday afternoon after shouting at each other for hours on e-mail and Skype I decide I’ve had enough. I mail him setting out my position one more time and tell him, “This is a compromise but these are my red lines. Call me if you want to discuss this further. If not, have a nice life.” I don’t get a response and we don’t speak for three months.

Until the next conference we’re both at when he once again corners me during the break.

“Are you still talking to me?”, he asks, somewhat sheepishly.

“I will always be talking to you.” In all honesty, I’m surprised HE’s talking to ME.

“You told me ‘Have a nice life’”, he says.

“I told you ‘Call me if you want to discuss further’”, I respond. “YOU didn’t get back to ME”.

We get coffee, sit down, miss the next two sessions chewing the fat and I realize that this person, who has wandered in and out of my life for the last seven years, has actually become a friend.

In the end only I end up going to the US conference. At the last minute he tells me he’s decided to boycott it because he isn’t happy with the sponsors. I groan but I don’t say anything. I have reservations myself but I make a judgment call. And I want this article out there.

The paper is scheduled for the morning of 7 June 2013. Jet lag wakes me early and a quick perusal of the Guardian website tells me that a black hole in the form of the PRISM revelations has just opened up in the known universe. They publish detailed descriptions of US mass surveillance and it is clear that almost everything Caspar has talked about for the past two years, everything he warned might happen and was dismissed as a crank for, is actually happening already. I send him an e-mail and wish him “Happy ‘I Told You So’ Day”.

They are nine hours ahead and he has already spent them giving interviews and explaining background to a suddenly interested, rabid press. He is exhausted and still somewhat shell-shocked by the extent to which he may have been right all along. He says, “...but sweet Jesus Christ, sort of feels like Columbus stumbling ashore and finding strip malls, McDonalds, and Coca Cola billboards already there...”.

I am borderline hopeful that this might change things, he is already worried that it might blow over. The coming years show that we are both right in our own way. Stuff happens but the Empire re-groups quickly.

I wish him “Happy ‘I Told You So’ Anniversary” in either of the following years but when I do it this year we both already know that it might be the last time. There are plans for a visit in August but nothing firm yet. He is still his usual self and fears are repressed and replaced by the hope that his stubbornness might help him to fight this one too. Then his name flashes up in the subject line of several e-mail alerts and I know. As my various tech lists and social media accounts explode in tributes I feel numb. We have lost a friend but, more than that, a very noticeable gap in our ranks has just opened up that we will now somehow have to close. How are we going to do that?

How important can one person be to the world, to a cause? Except to our loved ones, we are all of us replaceable, we have to be. But if one person with his knowledge, his experience, his analytical skills, his tenacity and his pure natural born ability to piss off the powers-that-be and hold them to task, if this one person is no longer around, will that make a difference in the fights we have yet to fight? 

It will make a difference to me, for sure. There are very few people I know, who will always be on the other end of an e-mail, a tweet or a skype call whenever I need a question answered, an idea critiqued, a project have its tires kicked. He was one of those people and I will miss him terribly for that.

But more importantly, I know that his job isn’t finished and that there are fights coming up where his absence will be felt. He was keenly aware of that himself and I know it must have killed him, the idea that he would not be around for that.

In the days after his death I read a few obituaries and am reassured by the overwhelming outpouring of love and respect for him and his work, both from his friends and from the tech community. All of a sudden I have this image in my head where he has been mischievous one last time and where he has staged his exit a month or two early just to be able to see all this for himself. Where he still is around somewhere, bending over his laptop, smirking in amusement at the memories we share and the things we say about him that maybe we wouldn’t have told him to his face.

It is wishful thinking, of course, but it is also evidence of that tin hatting quality we both shared. Never believe the obvious, always consider the alternative. Why is this lying bastard lying to me now? If he was still out there and read this, I know it would make him laugh. He’d probably be proud of me for suspecting.

There is a big part of me that wants that picture to be real because I would want him to know how well respected he was by everyone, even those who argued back. Maybe especially those who argued back. I’m not sure he always did know that.

He was a friend, a fellow traveller and a goddamn nuisance. He was that guy who would argue with you until they throw both of you out of the restaurant. That guy who just wouldn’t shut up even when you wanted him to. And he would encourage you to continue and fight long after you would normally have given up from exhaustion. He didn’t expect anything less of you.

Neither of us believed in a supreme power or any kind of heaven or hell, I think. But it is difficult to accept that an energy like that can simply just vanish. If there is an afterlife of any kind, I hope that those who rule it are ready for him. Because if they're not, they won't know what hit them.

Tuesday, 16 December 2014

The “Born This Way Fallacy” or Why we shouldn’t feel the need to resort to biological determinism to invoke our human rights

It’s December, it’s been grey outside for weeks and Matron has far too much work to do. What better time to procrastinate on something completely unrelated to the day job?*

In this case, the plan is to vent on another one of those “gay rights” arguments that periodically come up between Matron’s generation and the next (and the one after, and the one after that) and it’s about the best way to frame the call for recognition of LGBT (QIP… and any other letter in the alphabet that anyone cares to add) rights. It’s about biological determinism and whether we should use our bodies and the alleged immutability of our sexual preferences and desires in the context of legal and policy discussions. It’s been something of a bug bear of Matron’s for a while, so the emergency exits are here, here and here.

For the last few years, and particularly in the context of the equal marriage debate, the case for equality has often been based on the argument that people are “born this way”, that they can’t help who they love and that discrimination on the basis of something that is innate and that they have no control over is inherently unfair. 

Of course, Lady Gaga hasn’t helped matters, although in actual fact, Matron has (almost) no beef with Gaga’s particular take on the statement (beautifully embraced in one of Matron’s favorite Glee numbers ever), which is much more about self acceptance than about what other people think of you in response to whatever deviation from the norm you represent. So, she’s fully on board with the Gaga sentiment:

"Don't hide yourself in regret,  
Just love yourself and you're set, 
I'm on the right track, baby 
I was born this way"

But as Suzanna Danuta Walters explains in some detail in her article "An Incomplete Rainbow", there is a bright red line between self acceptance and asking for acceptance from others, between demanding rights regardless of who you are and asking for tolerance because of who you are. Because rights and equality are things that I should have by virtue of the fact that I am a human being among other human beings. Tolerance is something that is handed out to me by someone who feels that there is something (wrong? abnormal?) about me that they are willing to overlook because they are nice. In that way, the “born this way” argument is a deeply flawed, apologist approach by a community that is begging for crumbs from the table rather than stamping its authority on the rights discussion we are all involved in.

It is an argument that relies in no small way on a certain kind of biological determinism. As Walters highlights:

“[T]he idea that sexual desire and identity are hard-wired (through lavender DNA, or an endocrine system that washes the infant in homo fantasies, or a kinky hypothalamus) reaches into legal arguments, familial conversations, political speeches, Broadway musicals, teen television, movement websites, and, of course, pop songs.”

It is nevertheless a fallacy, for several reasons.

For one, if biology can be used to demand tolerance, it can be used to justify discrimination. As @nigelwUK pointed out to her on Twitter, the old UK headline about the benefits of identifying the “gay gene” was “abortion hope after ‘gay genes’ findings”. As a serving Kraut, this speaks deeply to Matron given the way in which her home country has previously used biological characteristics to “cleanse” the population from all undesirable genetic elements.

But it is also a fallacy because it isn’t true, at least not for all the people all the time, and it is the rights of those people for whom it isn’t true that are sold down the river when queer activists base their campaigns on a “born this way” argument.

Before Matron came out at the tender age of 21, she had had three serious and meaningful relationships and a small number of hook ups with men. There is no regret about those relationships and encounters, including their sexual aspects, and some of those men are still her friends. There was no epiphany at the time about how she was always supposed to be with women and how those previous relationships were a mistake or a failure and there is no general - biologically determined - bar on her possibly hooking up with a man again, should she and the current Mrs Matron ever decide to call it quits.

Nevertheless, Matron calls herself a lesbian, rather than bi- or pansexual, because the right to define her own identity is up to her and because on a day-to-day basis she prefers to be with a woman rather than a man for a host of reasons too complex (and too private for a privacy lawyer) to go into in a blog post. Her lesbian identity is therefore as much a (political) choice as a physical reality. But because she hasn’t been with a man in more than two decades, this truth, which is clear in her own mind, is in constant danger of being subsumed into a “won’t do men, because she can’t do men” narrative in the mind of others. And in the context of a born-this-way based argument that leaves her vulnerable.

Because if her lesbianism is a choice, she cannot use an immutable biological state of affairs as a reason to call for, say, marriage equality. If she really wanted to, she could get married in every country on the planet – to a man! She could live the gender-role conformist life most people would expect her to lead and while that might still do untold harm to her sanity, it would not be physically or even emotionally impossible. Which is why, before the gay liberation movement, a multitude of lesbians and gay men through the ages have chosen to do just that, simply to be able to have any kind of life that was acceptable to the societies around them.

And because this is so, less enlightened people in a born-this-way world could use this as an argument for why she and others like her should not have the right to be married to a woman. Because she could do different, she could do “better”, she could do right by everyone, she could marry a man.

But Matron doesn’t WANT to marry a man. Heck, she isn’t even that keen on getting married to a woman, but if marriage was on the agenda, there would currently only be one – decidedly female – person in the frame as a potential partner-in-crime. So what rights do we give someone, who is not “born this way” but has freely chosen her own personal brand of deviancy?

As an old-style 1980’s feminist, Matron can’t help but be frustrated about the way in which we as a community are going backwards on this issue of ethical reasoning, even as we are making significant headway towards a more equal society on a factual level. Of course, Matron is fully aware that there are any number of LGBT people who see their sexuality as fixed and immutable, who do not think that they have a choice in the matter and who cannot see themselves ever falling for someone of their non-preferred gender. And that is fine - for THEM. But it isn’t like that for all of us.

Matron is also aware that people in some quarters (I'm looking at you, crazy religious fundamentalists) will quickly use any admission that sexual orientation/preference/desire may be more fluid to advocate a light course of sexual re-programming or worse. And for those that are subjected to this kind of treatment, the effects are undoubtedly severe. 

But should the answer to this problem really be the establishment of a politically expedient “public truth” about the immutability of sexuality if this truth denies the lived experiences of quite a few members of the LGBT community? Or should we rather argue that the way in which each of us defines ourselves and our identity is a question of personal autonomy and self-determination, and that nobody, NOBODY, has any right to interfere with that autonomy unless the expression of that identity personally harms them (and quite honestly, how could it)?

There was a time when, as a community, we realized that sexuality was a spectrum on which people came down at different points, and not always at the same point during the span of their lifetime. There was an acceptance that things can change, that sexuality is a many splendoured thing and that you can fall in love with the person, not the gender, even while you are using your “deviant” relationship to highlight discrimination and to make the point that the personal is political. Queer campaigning was a much less timid, apologetic, making-nice-with-the-powers-that-be art form than it is now and in Matron’s wistful, old fogey view we were the better for it.

Because rights should be for all of us, regardless of where on that spectrum we reside and whether we tap dance about on it by choice or otherwise.

In other words, I’m not asking you to treat me fairly because I was born this way and can’t help myself being gay. I’m demanding you treat me fairly because I’m a fucking person and you have no reason not to.

*Also, today is the day that equal marriage becomes legal in Scotland for the first time, so this is kind of topical after all.