Wednesday, April 16, 2008

Rethinking Privacy 1.0

Ever since the OECD published its Privacy Principles in 1980, the privacy laws around the world have been focussing primarily on protecting personal data in databases. And all those years the fundamentals of privacy have remained the same. The European Data Protection Directive 95/46, which allows personal data to move across borders in Europe, came into force 15 years after the OECD Privacy Principles on which it is based were published, but meanwhile the world had already changed: the Internet had arrived! Only 8 years after the Directive was introduced, on November 6, 2003, the European Court of Justice -Europe's highest court- was confronted with this change in its only second ever case under the Data Protection Directive: Lindqvist vs. Sweden. This case demonstrated the built-in weakness of the European system of data protection: despite the EU's claim to the contrary, the Directive proved to be not very technology-neutral, and therefore not very future-proof. The various actors in the Lindqvist-case, such as the Advocate-General and the Member States, tried to do their best to get a legal grip on the facts while trying to preserve the essential elements of the Directive, but eventually the Court reached a surprising and far-reaching conclusion: posting personal data on the Internet, despite the fact that everybody around the world with an internet connection could potentially read the information, does NOT violate one of the key-elements of the Directive: the international data transfer rules...!

A second example of my view that today's law is not technology-neutral is Directive 2002/58, a.k.a. the e-Privacy Directive, which specifically addresses privacy in electronic communications. The very first version of this Directive was published in 1997, but already in 2002, it got a complete overhaul. And only 6 years later, the EU is putting Directive 2002/58 up for discussion again, as it is -among other things- trying to address the privacy concerns around Radio Frequency Identification (RFID) technology. So what's next? Bluetooth? GPS? WiMAX? Ubiquitous Computing? Body Area Networks?

In the meantime, governments are trying to broaden their powers to collect information about their citizens and non-citizens in order to prevent terrorism and to combat crime. This is creating a disconnect between the private sector and the public sector, and creates a false impression with the public. Strict privacy rules for the private sector (where privacy risk is relatively low) versus weak privacy rules for the government gives the impression that the private sector cannot be trusted. Which is strange, considering the fact that getting and keeping customer trust is a basic element of doing business for the private sector. Screw your customers and you are out-of-business in no time. On the other hand, weak privacy rules in the public sector is especially damaging if inaccurate or incomplete information is rapidly shared between government agencies or when information is used out-of-context. But such weak privacy rules give the citizen the false impression that governments have such risks under control. George Orwell's "Big Brother" state may not have arrived eyt, but "Little Sister" is already here, and she brought her whole family...!!

We need to rethink privacy in the 21st century!
The world has changed since the OECD introduced its Privacy Principles in 1980. What does privacy mean for us if at the same time we want no terrorism, less crime, better and personalized services, and more convenience? How do we protect privacy in a world that becomes ever more globalized, so our data end up in data systems on the other side of the world? What does privacy mean for people who come from different cultures and backgrounds? How do we protect our privacy if computers, sensors and communication devices become invisible and ubiquitous? How can we build trust into the technologies that we use? How do we make ourselves feel protected against the risk of identity theft and malicious attacks on our private life? And how do we protect the privacy of people who are vulnerable, such as elderly, minors and mentally handicapped, in an inclusive Information Society?

Unlike some other people, I am not saying that privacy is dead. Or that it is an illusion in the Information Age in which we live. No, I am saying that we have to go back to the privacy drawing board, re-define the privacy principles for the 21st century, and come up with a new set of privacy principles that fit the new realities of our global society and which are robust enough to survive technological and social change. Principles that enhance trust with consumers and citizens, stimulate innovation and societal development, and protect democratic principles and the rule of law. What we need is Privacy 2.0 !

All this and more is the main topic of this blog. I welcome you to comment on my thoughts, so we can get a global discussion started how to protect privacy in the 30 years to come.

No comments: