Response to Question 1
Please give us your views on the new challenges for personal data protection, in particular in the light of new technologies and globalisation.
The need for privacy protection has never been greater. Nations now have over 30 years of experience in regulating data protection that show that abuses are rife. The past two decades has seen the significant growth of private sector data processing, and in particular the growth of industries that thrive off personal information.
Ironically we continue to hear calls for reduced regulation. In turn, we are shocked that despite all the regulation in our lives, particularly introduced by government IT strategies and law enforcement agendas, some still argue that the protection of personal information must be left to self-regulation.
This lack of synergy between the mounting risks and the calls for reduced regulation is difficult to understand. We offer a number of possible instances:
- For too long we believed our privacy was protected by the incompetence of government and industry personal information processors. That is, we relied on the inability of organisations to collect, analyse, and share information. Instead we are finding that as organisations become more expert at data mining and moving information around the globe, incompetence is no longer a protection but is instead a risk in itself as incompetent organisations give rise to abuses through inadequate internal and external controls, and data breaches.
- Over the past ten to fifteen years we have become obsessed with perceiving momentary trends as though they were ‘game changers’. The way policymakers regard users of social networking as though they have abandoned all hopes and expectations of privacy is the same way they described the need to promote mining, profiling, and retention after terrorist attacks. Two years ago proponents of reduced privacy spoke of privacy as standing opposed to the survival of a free Internet, just as we hear proponents of body-scanning technologies speaking of processing naked scans of passengers is necessary to the survival of the air-travel industry. Privacy regulations are said to be standing in the way of progress while policymakers focus on regulating for public security.
- Organisations have become paranoid over data collection. Previously, due to the scarcity of resources, only relevant information was collected. As costs have reduced dramatically, and security concerns have grown, governments have been keen to collect more and more information just in case something may some day go wrong. They fear the day that a cataclysmic event may happen and they do not have the metrics of that place, person, or event; so even without reasoned justification they collect vast amounts of information. Governments have also placed these collection requirements on industry. Industry is also keen to retain information just in case it may prove useful in analysing their services and customers. Even so, governments and industry have tried arguing that collection in itself is not a problem, and that only use must be regulated. This is a fundamental shift, again, on the regulatory approach to privacy.
- Organisations have become aware of data protection laws and find ways of skirting them. Much of the modern internet advertising industry exists in contravention of data protection law. Telemarketing continues to thrive despite anger and frustration from the public. Modern communications surveillance policy, particularly in the European Union, contravenes the principles of proportionality and necessity as required by the European Convention of Human Rights.
All these instances are obvious. More worrying is that surveillance and the defiance of privacy laws is becoming commonplace as part of the infrastructure of modern society and the arsenal of policymakers. Surveillance policy is no longer enshrined only in ‘anti-crime' or ‘anti-terrorism' laws, just as industry surveillance is no longer limited to named customers. One would be hard pressed to identify a modern government policy or industry customer-management practice that does not involve the collection and processing of personal information. Policy agendas as diverse as environmental protection, the management of social exclusion and social benefits, and health and education services now appear to be hinging on surveillance techniques. The use of modern computing resources shows how surveillance has been concealed from end-users with websites running scripts and placing cookies from third parties and servers being located across borders and providers. There are fewer debates over these initiatives because we are so rarely informed of the fact that they are occurring.
We are facing these challenges today both because authorities have inadequately enforced existing laws when they had the chance, and the awareness of privacy protection is minimal amongst policy-makers and within industry. While there is greater awareness of privacy risks amongst the general population, and there are competent regulators across Europe and a growing sector of privacy professionals, privacy awareness has not penetrated the mindsets of policy-makers, managers and technology developers.