US privacy in the age of big data, mobile and the cloud

This year the United States took a big step in the protection of data by announcing an online privacy plan that would give consumers more control over how their personal data is collected, shared and used by websites and advertisers. Malcolm Crompton says the next big step will be implementation and global interoperability.

The President of the United States has finally released the long anticipated US policy initiative in reforming the US privacy policy and legal frameworks.  The comprehensive blueprint that he has announced lays out a bold and clear approach.  The key issues will be the extent to which Internet companies will be held accountable through adequate enforcement measures and whether the blueprint advances or slows down the pressing issue of global interoperability of privacy laws and frameworks.

On 23 February, the Obama Administration announced the approach it intends to take to protect individual privacy rights and give internet users more control over how their information is handled.

The stated goal of the Administration’s blueprint is “to protect consumer’s privacy expectations while providing companies with the certainty they need to innovate.”  The centrepiece of the privacy protection framework is a Consumer Privacy Bill of Rights (‘the Bill’), encapsulating key privacy principles that have been recognised throughout the world, including:

• Individual control: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
• Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.
• Respect for context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
• Security: Consumers have a right to secure and responsible handling of personal data.
• Access and accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
• Focused collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain; and
• Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

The US President is calling for Congress to enact legislation that would give the Bill an enforceable, statutory basis.  However, recognising that passing such a law is still some way off, he is also directing the Commerce Department to convene with various stakeholders — including companies, industry and consumer groups, privacy advocates, and law enforcement officials — to develop codes of conduct that would implement the principles in the Bill. Companies could opt-in to joining the codes whichwould be enforceable once they had done so.

The blueprint also recognises the critical role of the Federal Trade Commission (FTC) and seeks to strengthen its enforcement capabilities.  Finally, the blueprint aims to improve international interoperability of protection mechanisms to facilitate the transborder flow of data.

Getting it right

In the end, the merits of any regulatory framework depend on how it actually changes people’s lives.  Whether it does so depends on two factors: the nature of the rules embodied in it and compliance with the rules.

For the last 20 years or more, far too much of the privacy debate globally has centred round the best approach to the rules that should be embodied in frameworks designed to protect privacy.  Nowhere near enough attention has been paid to the enforceability or enforcement of such frameworks.

Compounding the error, each new initiative to develop such a framework is drawn up as though it is a competition — ”my framework is better than yours.”

The result to date by and large is an excessively complex compliance burden for any business process that operates in more than one jurisdiction with far too little genuine impact.

That is, of course, if there is a desire to comply.  For those who do not wish to comply, the current mish-mash of regulation globally actually makes it easier to avoid compliance.  This is because all the privacy regulators are enforcing laws march out of step with each other.  As a direct consequence, it is very difficult for them to cooperate in any multi-jurisdictional enforcement action.

And remember: in the world of data globalisation, every day a rapidly increasing proportion of personal information being processed involves more than one jurisdiction!

Further compounding the challenge is the rapidly increasing amount personal information being collected, used and ever more widely shared about each of us every day.

Benchmarking the US blueprint: will it change peoples’ lives?

The seven Principles outlined in the US blueprint are a thoughtful contribution to a framework that could provide individuals with genuine privacy in a world burgeoning with Big Data, global data flows, user generated content and the barely comprehensible surveillance that is emerging from the combination of geolocation and mobile connectivity.

The incredible value for individuals, business and government mean that simply trying to turn off these developments would be another glorious Luddite replay of King Canute’s attempt to turn back the tide.  We do have to think differently and the authors of the US blueprint have attempted to do so.

That said, the US initiative appears to fall into all the traps I outlined earlier.  Just like the recent draft EU regulation and the proposed revision of privacy law here in Australia.

Domestically, in order for the US initiative to be effective and change peoples’ lives, three things must happen:

1. Ensuring the codes will do what they are supposed to do — the Australian experience indicates that early and consistent consumer involvement during the preparation is essential to the quality and credibility of those codes, and hopefully the US will adopt such an approach.
2. Coverage — getting companies to follow the codes. Unless companies can be convinced to adopt the codes, they will simply be hollow statements.
3. Enforcement in the wider economy — after figuring out what needs protecting and the players involved, a mechanism must be established to ensure that companies abide by the rules.

The difficulty of enforceability was highlighted by a spate of privacy breaches in the US in the weeks leading up to the White House announcement.  A whole host of apps, including the photo-sharing app Path, were found to be uploading users’ information without permission.  Google also came under fire for circumventing the default privacy settings of Safari and Internet Explorer.  These are just the latest discoveries: the What They Know series in The Wall Street Journal has gathered in many more such stories.  A common theme running through all such stories is that each of those processes seems to have been in place for some time and they were discovered not by regulators or accountability groups but by concerned individuals and determined investigators.  This will be a continuing challenge — unless we are aware of what’s wrong, the rules are no good to us.

Regarding coverage, as the codes are not backed by statutory authority their observance will be purely voluntary.  The big Internet giants will probably come on board — if only for reputation enhancement than any benevolent reasons — while I envisage there may be a long, uncooperative tail in relation to numerous small businesses unwilling or unable to submit themselves to the codes and potential penalties.

In relation to the third point, I see the US developments as having great potential in proliferating non-governmental enforcement mechanisms, with FTC action only as a last resort.  With the plan’s emphasis on flexibility and corporate autonomy, the first line of compliance will involve third-party accountability agents (eg. through auditing) as companies seek to meet their commitments to a code and avoid costly run-ins with government regulators.  Thus they will achieve internally what the FTC would be doing externally with (limited) taxpayer dollars.  The end result is considerably more resources applied to accountability through enforceable compliance than ever will be possible by simply increasing the budgets of government funded regulators.  This is how financial information governance works and there is no reason why it won’t work for the stronger governance of personal information.  As such, it would be a very positive development.  Based on first impressions, this is a point of difference with the EU plan which emphasises the role of centralised public agencies.

As to the contribution by the US initiative towards global inter-operability, the recognition of its importance by making global inter-operability a fourth leg of the plan is very welcome.  But in light of the EU’s move in a very different direction in the form of the draft Regulation released in January, we have a very long way to go.

Conclusion

The seven principles outlined in the Consumer Privacy Bill of Rights are a thoughtful contribution.  It will be very interesting to see how they will be implemented, either through legislation or codes of conduct.

In advancing privacy protection, though, all stakeholders must confront the challenge of enforceability and then actual enforcement, which is all-too-often under-appreciated.  Finally, while it is pleasing that the Obama Administration has recognised the importance of international interoperability, the greatest challenge for the framework will be generating global impact.

Time will tell whether they succeed. 2012 promises to be a very eventful year for privacy.