Privacy in the balance - as always!

Nigel Waters talks about the future of privacy: the battle between those who want to monitor us for their own gain, and those who want to preserve an individual's right to privacy.

Image: CC BY-SA 2.0 Edith Soto

Nigel Waters has a wealth of experience from across the privacy spectrum. He has been the deputy Commonwealth Privacy Commissioner of Australia, and currently works for Privacy International and is Public Officer of the Australian Privacy Foundation. He is a visiting fellow at the University of New South Wales Law Faculty.

With another international privacy day just passed, individuals worldwide face the same threats to their privacy as in previous years, but with perhaps a little more hope of protection, through a combination of laws, enforcement, civil society mobilisation and ‘privacy by design’.

Governments and businesses continue to press for ever-greater monitoring and surveillance, in all areas of life from transport to health care. Governments justify it on the basis of meeting law enforcement, efficiency and genuine service provision objectives. Businesses claim that greater knowledge of existing and potential customers allows them to better meet peoples’ needs, but are understandably motivated primarily by commercial objectives.

Both governments and businesses are reluctant to offer individuals real choice about how much personal information they are prepared to share – arguing that in many cases this would compromise the other public interest (or commercial) objectives. The reality is that many current business models, in both the private and public sectors, assume or demand universal access to information about people’s circumstances and activities. Increasing emphasis on data aggregation (Big Data) increase the pressure on a ‘private sphere’ and use of cloud computing services re-awakens a longstanding issue about who is responsible for data processed by one organisation on behalf of another.

The good news is that lawmakers continue to recognise and respond to these threats – the number of jurisdictions with information privacy or data protection laws passed 70 in 2012. While they vary in their strength, most include not only detailed rules but also complaint and enforcement mechanisms and sanctions, rather than relying on weak self-regulatory schemes. Under most laws, there are at least semi-independent supervisory privacy enforcement authorities (PEAs), and there has been progress in recent years in setting up processes for cross-border enforcement co-operation – with some high profile cases including investigations into Google, Facebook and Sony amongst other businesses.

PEAs increasingly also liaise on common public sector issues such as law enforcement information exchanges and biometric identification – seeking to minimise privacy intrusion while meeting legitimate public interest objectives. An increased use of privacy impact assessment (PIA) at the planning stages of new systems should make it easier to strike this balance, although government agencies remain resistant to effective use of PIAs and the technique has not yet taken root in the private sector.

In the last few years, many high profile data security breaches have led to a new strand of regulation – mandatory security breach notification requirements – either alongside or within existing information privacy laws, and these requirements are arguably doing more to focus senior management attention on privacy principles than 30 years of human rights based data protection laws have been able to achieve. Commercial risk – whether in the form of financial losses or reputational damage is clearly a more powerful motivator than mere compliance or altruism.

Civil society has become better organised both in individual countries and internationally, with a formal seat at the table in privacy discussions at the Organisation for Economic Co-operation and Development (OECD), and greater opportunities for input at other international forums such as the EU, the Council of Europe and the International Conference of Data Protection and Privacy Commissioners, though not yet at Asia-Pacific Economic Co-operation (APEC) or in closed door intergovernmental trade negotiations such as the Anti-counterfeiting Trade Agreement (ACTA) and the Trans-pacific Partnership (TPP). However, civil society capacity remains minuscule relative to the resources that business groups can and do devote to lobbying in all these forums.

Major reviews of the main international privacy instruments – the OECD Guidelines, the Council of Europe Convention 108 and the EU Directives - are in progress and to date seem to be ‘holding the line’ against attempts by some government and business interests to weaken these foundation principles. There continues to be legitimate debate about the practical effectiveness of current regimes, focusing on the concept of accountability, which has many different meanings. There is a broad consensus on the need for organisations to demonstrate their compliance with privacy rules – but not on the extent to which a data controller’s acceptance of responsibility can substitute for detailed compliance requirements and close supervision by independent PEAs, and for effective controls on cross-border data transfers.

2013 will no doubt throw up some new privacy challenges, from new technologies and business models, but they are likely to be variants on existing issues rather than fundamentally different. As always, the real challenge will remain the willingness, and capacity, of societies’ institutions to say no to some superficially attractive initiatives in the name of preserving individuals’ right to a private life as a key manifestation of human autonomy and dignity.