Dr. Kamlesh Bajaj
Monday, February 06, 2012
Personal Information (PI) is generally defined as any information relating to an identified or identifiable natural person. It may be referred to as personal data, personal information, non-public personal information, etc. Examples include, but are not limited to, name, address, date of birth, telephone number, fax number, email address, government identifier (eg, PAN number, PF account number, UID number, etc), bank account number, credit card number, driving license number, IP address, biometric identifier, photograph or video identifiable to an individual, and any other unique identifying number, characteristic, or code. Privacy is all about protecting one's PI. Since the 1940s privacy has been recognized as a fundamental civil liberty. The Universal Declaration of Human Rights (1948) contains a paragraph on privacy. The 1950 European Convention on the Protection of Human Rights and Fundamental Freedoms includes a similar clause. The Supreme Court of India has upheld the right to privacy as part of 'Article 21-right to liberty' under the Constitution of India.
Technology Killed Privacy
Is technology impacting the privacy of individuals? If yes, how, and what can be done about it? Is it possible to protect privacy through laws that are technology-neutral, and that can anticipate threats from new technologies? It was Samuel Brandeis who, along with Warren, defined privacy in 1890 as a 'right to be left alone', at a time when a new technology, namely the printing press, was being used to publish about famous individuals. It was the print media that were invading the privacy of a few individuals at the end of the 19th century; computers in the 1960s, followed by networked computers in the 1980s, enabled the invasion of individuals' privacy by governments and businesses. In the first wave of information and communication technologies (ICT), there were large databases on central systems, almost a replica of large filing cabinets with paper files, in which individuals could be tracked for their PI in a single database. The second wave enabled an individual to be tracked across multiple databases with cross-referencing, leading to what is now known as 'profiling'. There was a need to develop privacy laws or data protection laws based on a set of privacy principles to ensure privacy protection; such privacy laws were created in the 1980s. The European Union Data Protection Directive 95/46 was a far-reaching effort to harmonize privacy protection laws in all the EU countries. It mandated that the EU countries legislate and implement privacy laws based on this Directive. Have these laws helped achieve the objective of privacy protection, or have they been overwhelmed by technological developments?
The Age of Oversharing
Let's look at the next ICT wave since the dawn of the present century, which has transformed the individual from a passive data subject into an active data creator, communicator, and sharer. E-commerce applications, email, chat, blogs, and social networks like Facebook, Orkut, and Twitter help persons become data creators. Alan Westin's definition of privacy as 'the claim of individuals, groups, or institutions to determine when, how, and to what extent information about them is communicated to others' becomes more relevant, since the focus has shifted to a person's choice about what they want others to know about them. They want to control what they reveal about themselves to others. But can they really control it?
Controlling Commercialization of Personal Information
PI has become a commodity with an economic value attached to it. Organizations correlate increasing amounts of data and convert it into forms that are useful to the data subject himself and to many other businesses. People share data for a number of reasons, but it is those who aggregate data from social networks and correlate it with data obtained from other sources that have the potential to put privacy at risk. The real cost of trading in privacy is not known.
Living with a Stalker
There is a need to dissociate the availability of data from its use. Digital data generated by all kinds of sources is everywhere. An individual's primary purpose in going online is to engage in activities such as buying, reading, leisure, social networking, blogging, and chatting. They are burdened with a notice, choice, and consent regime, which does not seem to be working anymore. They are asked to worry about how their data is collected, for what purpose, what value their data has, and so on. They are tracked and linked by several organizations for different purposes. One can find out what is known about oneself by doing a Google search, going to Facebook, and visiting various other online communities. But this data is available to others too, and they can use it for any purpose, such as denying someone a job based on the views they expressed on a certain site. Worst of all, data is permanent; the internet does not let you forget anything. Does an individual have a right to oblivion? How do you empower an individual to control their data? That should be a key consideration in devising privacy principles for the new age. But let's first review the existing privacy principles and their limitations.
Privacy Principles and Laws
The European Union and the US have different approaches to privacy protection, resulting in different international instruments of privacy. Should countries have privacy laws that are consistent with one another? Or should the objective be outcome-driven, based on globally accepted privacy principles and best practices, with industry self-regulation under an appropriate law, ie, co-regulation? Most countries are in agreement on the universality of a set of privacy principles, although the emergence of several new ICTs has put some of these principles at risk, and some new principles are being debated. It was the US that came up with a set of privacy principles, in what is known as the Fair Information Privacy Practices (FIPPs) of 1974, that provided for the protection of consumers' PI. The OECD Privacy Guidelines, on the other hand, released in 1980, were issued to ensure that privacy protection did not end up becoming a non-tariff barrier to international trade, in which global data flows were ever increasing. The privacy principles (PPs) are as follows: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. As can be seen, these are similar to the FIPPs.
United States: The US has a history of self-regulation, especially in its safe-harbor program with the EU. It has defined 7 PPs: notice, choice, onward transfer (to third parties), access, security, data integrity, and enforcement. Privacy is largely viewed as a consumer and economic issue.
EU Data Protection Directive: The EU Data Protection Directive, as noted above, mandates that the EU member states "shall protect the fundamental rights and freedoms of natural persons, in particular, their right to privacy with respect to the processing of personal data." The Directive stipulates the following privacy principles: data processed fairly and lawfully, collected for a specific and legitimate purpose, adequate and relevant, accurate and secure, not kept longer than necessary, data subjects' rights protected, access and correction, no transfer to third countries with inadequate protection, and restriction on automated decision-making; it also mandates that Data Protection Authorities (DPAs) be created with wide powers to oversee the implementation of privacy protection. Article 25 mandates that transfer of data to third countries can take place only if "the third country in question ensures an adequate level of protection." It is the EU that determines whether a third country has 'adequate security', and the determination is based on unclear criteria; an important element of the assessment is whether the privacy law in the third country is similar to that expected by the Directive. The expectation is thus harmonization of laws in accordance with the EU Directive. Derogations are available through Binding Corporate Rules (BCRs) for multinational corporations, and through standard contractual clauses for contracts between data controllers and data processors in third countries that are deemed not to have adequate security.
APEC Privacy Framework: APEC is a grouping of some 21 countries that has come up with the APEC Privacy Framework to promote e-commerce. Self-regulation is part of the APEC Privacy Program, which has taken the approach of accountability, under which data protection obligations flow along with the data in trans-border data flows.
The privacy principles represent a conception of privacy, and there is a high degree of agreement among the various approaches (US, OECD, EU, APEC) in the world. There is thus a set of globally accepted privacy principles. Transparency, enforcement, and accountability are the cornerstones of privacy protection. Many countries do not have privacy laws; in some countries, such as the US, data protection is realized through consumer protection laws. As long as there are laws that can be used to punish violators, privacy can be protected. The EU Directive was based on the OECD privacy principles, which in turn were inspired by the FIPPs of the US. There is, therefore, a high degree of compatibility between the EU and the US. However, the similarity is at the level of privacy principles, not in the method of implementation. APEC privacy principles are similar too, but they promote working with countries that may not have any privacy laws. The APEC Privacy Program recognizes the role of self-regulatory organizations (SROs); they can fulfill the role of regulators. The focus is on the accountability of data controllers and data processors.
Privacy Principles and New Technologies
During the last 30 years, since the OECD privacy principles were announced, the context in which these guidelines operate has changed: there has been an explosion in the volume and uses of PI, triggered by technological advancements that help collect, store, process, aggregate, link, mine, analyze, and transfer large quantities of data. Moreover, the role of PI in the economy and society has expanded, largely because of easy access to fixed and mobile devices connected over the global internet.
The 1980 OECD Privacy Guidelines were meant to allow free global data flows and not to hinder international free trade. Today, people want data delivered to them on multiple platforms, and they want consumer empowerment too. Yet innovation and new tools have to be encouraged for economic growth. For example, Facebook enables people to use many applications that deliver value to them.
Many emerging technologies have stretched the limits of applicability of the privacy principles; in fact, some of the principles appear to be in trouble. Does 'consent' have any meaning with advanced cookies? Notice and choice do not have a central role, but they seem to occupy a major part of the global debate on privacy. In practice, these principles seem to cause endless frustration for consumers: although such notices are sent to them in online transactions, there is precious little choice available to them. The only choice is not to avail of the service if one disagrees. Thus consent is neither informed nor voluntary. This is similar to the case of a government asking for information, failing which a service may not be delivered to the citizen or consumer. Since much of privacy has to do with 'fairness', many of the privacy principles that are in trouble because of emerging technologies, social networking, and pervasive surveillance, online and in the physical world through cameras, scanners, RFID tokens, mobile phones, GPS, etc, are under review. At the same time, principles like 'accountability' and 'privacy by design' are gaining acceptance.
Determining the Right
It has to be recognized that individuals have various roles (consumer, citizen, employee) in which their privacy concerns differ. They also have different attitudes towards privacy: privacy intensive, privacy pragmatist, or privacy insensitive.
Global Privacy Protection Review Efforts
EU's Review: The EU launched a consultation on the legal framework for the fundamental right to personal data protection in July 2009. In a paper entitled 'A comprehensive Approach on Personal Data Protection in the European Union', which the European Commission submitted to the European Parliament in November 2010, the key objective was to ensure that individuals have the right to enjoy effective control over their PI in the new digital age.
Recommendations of DSCI: DSCI submitted its response to the questionnaire circulated by the EU, in so far as it relates to outsourcing and global data flows. Prior to that, DSCI had submitted its suggestions on extending BCRs to service providers.
Measures of the US Bodies: In the US, on the other hand, the Federal Trade Commission (FTC) and the Department of Commerce have engaged people on privacy matters and have come up with separate green papers through which they are seeking public comment. The FTC report, 'Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policy Makers', was released on December 1, 2010. Its focus is consumer privacy protection. It concludes that the existing privacy models, based on the notice-and-choice and harm-based approaches, are insufficient to address evolving privacy issues. Consumer consent is missing in the complicated online environment, while reputational and psychological harms are also not covered. It suggests a new framework with 3 core principles: privacy by design, simplification of consumer choice, and greater transparency. The report also suggests that a 'do not track' feature be developed in applications to enable consumers to prevent the tracking of their internet activities.
The Department of Commerce Internet Policy Task Force Privacy Green Paper, 'Commercial Data Privacy and Innovation in the Internet Policy: a Dynamic Policy Framework', focuses on reducing barriers to business development and innovation, and recommends minimal regulation using voluntary, enforceable policy codes that would be created by industry. It advocates a privacy framework based on revitalized FIPPs that would engender consumer trust while maintaining flexibility in business development and innovation. It also discusses the importance of global interoperability among diverse international privacy frameworks, and of nationally consistent breach notification rules.
Recommendations of DSCI
India is a vast country, where outreach can be achieved through industry associations and other NGOs, and not through a single bureaucratic DPA. DSCI recommends that the proposed privacy law should take care of the following:
Light Weight Regulations: It should be based on global privacy principles that value economic benefits of data usage and flow, while guaranteeing privacy to citizens
Bureaucratic Structure: Avoid bureaucratic structure that could hinder business interest and lose the spirit of the intent in the operational implementation
Self-regulated Businesses: Rely on self-regulation of businesses that promote practices, making the privacy program relevant to technology advancements
Legal Recognition: Provide legal recognition to the role of self-regulatory bodies, promoted by industry associations, in enforcing codes of privacy practice in the interest of citizens' rights
Associations: Notify and implement through self-regulatory organizations like industry associations
Ensuring Privacy of Customers: Allow businesses to self-declare the codes of practice that they have implemented to protect the privacy rights of their customers
Public Private Partnership: Establish a mechanism, in the form of a public private partnership, to resolve the disputes and grievances of citizens
Self-regulation with a legal sanction, ie, co-regulation, should be the way forward. The self-regulatory organizations will define the processes and codes of practice, which are vetted and recognized by the government through the proposed privacy law. Co-regulation should be the guiding spirit.
What can society do to increase public awareness of privacy? Ethical responsibility is essential; merely sending a 'notice' is not adequate. How can data minimization be better implemented? The solution lies in improved practices. Cloud computing adds another dimension to the problem: an individual may be viewed as a citizen of a cloud database, so what rights does one have? The cloud will have to share data back with the individual. The regulatory structure will be expected to create the right incentives for companies to engage in privacy protection, and to create tools that empower people, eg, for privacy impact assessment (PIA). Users should be empowered with self-audit tools that may be provided by online providers such as Google. Governments need to create more transparency, eg, through PIAs of departments, and by making them public.
Consumer and privacy issues come together. The trust factor can come from regulators that have a certification role and an enforcement function too. SROs in various sectors can do the same. Privacy seal type certification schemes can be used; these are being considered in the review of the EU Directive. NGOs have a role in watching privacy conformance. Citizens can be assured of privacy protection if the gatekeepers work according to the following rules: government should do minimum regulation, industry should engage in self-regulation, and users should be careful about putting out their personal information.
Striking a Balance between National Security and Privacy
The views expressed here are the author's personal views.