Response to Question 3
What future action would be needed to address the identified challenges?
Enhancing public awareness
We need a significant initiative, led by the Commission, to enhance transparency and public education. Though concerned about privacy, people are largely unaware of their actual 'data shadows', that is, of the extent to which personal information about them is collected. Regulators have devoted few resources to public education campaigns, and regulators acting alone cannot raise the level of public discourse on privacy protection. Mechanisms to enhance transparency must include:
- Enhancement of Subject Access Rights. The right of subject access is one of the most powerful rights an individual may assert. Yet for all the work done on enhancing data collection and sharing, organisations have done little to enhance the right of individuals to gain access to the data held about them. The Commission and Regulators must require government agencies and companies to provide easier means for individuals to gain regular access to this information in an understandable form, and to rectify erroneous and out-of-date information.
- Data Breach notification as an accountability mechanism. While various studies may draw conflicting conclusions on the effectiveness of data breach notification in enhancing privacy rights, we believe that when citizens and consumers are made aware of the poor practices of companies and government agencies, they will scrutinise the collection and use of their information by all organisations.
- Minimising collection and developing the right to delete. When information is collected as part of nearly every modern process, we need to place additional obligations on organisations. First, they must minimise collection to what is strictly necessary. Second, in addition to access to their data, individuals must be given the right to delete their records. We have been heartened by the response of some key industry players who have taken this responsibility seriously and granted individuals this right; though in many cases we must simply take their promises to delete on faith, where a verifiable audit would be preferable.
Enhancing public discourse and accountability
While the actions of informed individuals may lead to enhanced privacy protection, it is our hope that an informed public discourse will lead to better decisions. Public and private sector organisations must be held to account for their practices, and have a duty to explain how they protect privacy. Initiatives should include:
- Political accountability for privacy in the public sector. When surveillance legislation is enacted, the Minister accountable to Parliament for the public authority that undertakes the surveillance will usually be the Minister who guides the legislation through Parliament. Thus it is the Minister politically accountable for the surveillance policy who effectively establishes the privacy constraints that apply to that surveillance. There is therefore a heightened risk that privacy can easily become subservient to policy objectives that depend on an extension of surveillance. As a result, in the Parliamentary process the Government is under no obligation to consider privacy issues. We therefore recommend the creation of Parliamentary bodies and/or Government Ministers who will be responsible for privacy protection, generating guidance and assessments of legislative initiatives.
- A requirement to conduct Privacy Impact Assessments on all new policies, practices, and technologies that interfere with the right to privacy. PIAs are limited but powerful tools which, when done properly, can provide key insights into the development of a new technique, and offer organisations the opportunity to show how they considered privacy from the outset. They must be completed early in the process so that they inform deliberations on the technique, much as some governments promote Regulatory Impact Assessments at the legislative stage in Parliament.
- Management statements of privacy practices. Currently, citizens and consumers can rely only on statements within privacy policies, often published on websites, that are limited in scope. For instance, privacy policies on websites usually reflect only the privacy practices of the website itself, not of the general service or the organisation. Organisations should therefore be required to publish statements of managerial commitment to privacy and audits of management practices.
- Capacity building on privacy for key stakeholders. As we work across Europe and around the world we continually encounter government officials and international organisations that advise other governments on how to devise anti-terrorism laws, cybercrime laws, copyright protections, and a myriad of other policy instruments. While there may be a benefit in building the capacity of governments around the world to respond to contemporary threats, we have yet to encounter capacity building programmes to enhance privacy. The Commission should promote capacity building on privacy within Europe and internationally, and should model this work on those other initiatives. Additionally, capacity building should not be limited to informing other government ministers and agencies, but should seek to engage all stakeholders, including academia, civil society, industry, the media, and even religious institutions.
Enhancing the effectiveness of regulation
As we have stated previously, the current principles and the Directive are in and of themselves adequate, but the implementation of the Directive and the effectiveness of regulators have been lacking. We recommend the following initiatives to remedy this situation:
- Parliament-appointed Regulators. All regulators and regulatory bodies must be independent of the Government, and appointed by Parliament. In turn, they must report to Parliament, not to the Government. These regulators must be consulted whenever governments seek to introduce new surveillance measures, and should report their opinions to Parliament throughout the legislative stages of a Bill. They should also be given the power to seek judicial review when their advice is not appropriately heeded.
- Monitoring regulators and more obligations upon ICOs. We are surprised by the diversity in regulators' powers. We recommend that the Commission regularly monitor the powers of regulators to ensure that they are adequately equipped to enforce the Directive. Their opinions and rulings should also be monitored to identify significant deviations from those of regulators in other Member States.
- Monitoring of exemptions. While the Directive and all Member States' laws allow some surveillance systems to be exempted from privacy laws, these exemptions must be publicly recorded and the rationales for them must be published. For instance, in the UK there is no single register of all the 'national security certificates' that have been issued exempting surveillance systems from the Data Protection Act. As a result the public is not informed, and Parliament is not given the chance to debate the merits of these exemptions.
- Greater incentives for deploying Privacy Enhancing Technologies. Governments and industry organisations must be given greater incentives to deploy privacy enhancing technologies. The public sector must lead in the deployment of privacy-enhancing systems.
Promoting a vision of privacy protection
Just as we could not foresee today's computing environment in 1995, we cannot predict what the situation will be like in 2015. The Directive is often seen as a constraining mechanism through which regulators admonish organisations for poor practices. This is not necessarily a negative development, but a more progressive future of mutual respect for privacy should also be charted. We believe that the Commission and regulators should be more articulate about their vision for privacy protection. Considering today's environment and tomorrow's potential, they need to provide guidance on what privacy rights should consist of in the future. Such a vision could guide organisations that seek to be perceived as privacy-friendly as they innovate.
This vision need not be limited to 'data protection'. In fact, many of today's great challenges will not be dealt with effectively so long as we hold divergent opinions on the definition of personal data. While body scanning at airports may not involve the collection of names or the generation of unique and persistent identifiers, we are all aware that it is the modern equivalent of a strip search in which brown paper bags are placed over individuals' heads. Modern internet advertising may not rely on persistent identifiers or an individual's unique identity, but tracking the movements of individuals across their daily lives may still have a chilling effect. Telephone numbers may not qualify as personal information, yet individuals are still outraged at intrusion by the telemarketing industry. Our point is that the fact that interpretations of 'data protection' rules may not find these systems in breach of national laws does not mean that the surveillance is acceptable. We must always remind ourselves that our duty is to protect the dignity of individuals, and to protect them from the fear of surveillance and the sense of invasion.
Privacy International does not hold all the answers to how these situations should be resolved. We are optimistic that these problems can be resolved, and we are heartened by the positive moves of many governments, industry leaders, regulators and courts. We need continuous engagement on these issues across all stakeholders. We take solace in the fact that the European Commission appears also to be seeking answers to these questions. We hope it will continue its role of spurring and hosting discussion and deliberation, and of leading the world in the protection of this most fragile right. And we are hopeful that the European Commission will remain aware that it has a duty to uphold fundamental rights in accordance with its Charter, with its founding principles, with the highest global standards, and with the need to protect human dignity.