The privacy conversation is not moving; The Identity Management debate is

October 26, 2008

What is happening in the global debate on how to make it safe for individuals to share personal information (or have it shared), otherwise known as "information privacy"?  What about a significant part of this discussion, developing identity management arrangements for the 21st century that respect the individual, otherwise known as "user centric identity management"?

In my last blog entry, I mused upon whether rationality was returning to the official debate over the "war on terrorism".  I concluded that we might be turning a corner towards a more rational discussion on this issue.

Hence it was interesting to reflect on two events in which I participated earlier in October and muse upon the discussions that unfolded.  One was the 2008 International Conference of Data Protection & Privacy Commissioners.  The other was a Workshop on "ID Management in the Future Digital Society" organised by the European Commission. 

More specifically, are we making progress in the debate on how to keep personal information safe yet all share in the huge benefits from sharing it wisely in a way that respects our privacy and dignity? 

The 2008 Commissioner's Conference was held in the 'Hemicycle' main chamber of the Council of Europe in Strasbourg; the conference website is

Of the 10 Commissioner's Conferences that I have now attended, it ranks up there with the best when considering the strength of the debate and the size of the audience (probably the largest ever at about 600).  Ever since Australia hosted the 2003 Conference, there has been a concerted effort at keeping the conference websites open as long term resources.  The 2008 Conference has gone one step further and provides videos of all the major sessions and for the first time, publishes in the one place all resolutions adopted by Commissioners since the beginning of the millennium:  2008 resolutions on one page; the earlier years on another.

One of the innovations of the conference was to hold all sessions in plenary but to ensure that there was enough time for audience participation.  The conference organisers also ensured that each session involved speakers who held differing points of view.  This created a degree of frisson & liveliness that we have not seen in recent conferences and reduced the trend towards speeches that explored the already well explored.

Overall, though, the impression was that we ended up with a dialogue of the deaf. 

On the one hand, some effectively wanted to stop the world so they could get off and keep things as they would like to think they should be. 

This approach risks ignoring the clear evidence that current regulatory frameworks for the handling of personal information either are not working or are breaking down rapidly, even within single jurisdictions.  We explored this in the work of the Privacy & Trust Partnership, particularly the White Paper and Working Paper and supporting forums.  Justice Michael Kirby has been similarly clear.  Given that he chaired the OECD Working Party that wrote the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980, this is particularly significant.  Have a look at what he had to say at the 2008 Gala Dinner of the Internet Industry Association when in Parable 1 of his Four Parables, he stated about the Use Limitation Principle that:

"…in the end, with technology as vibrant, as energetic, as dynamic & as changing as the technology of informatics, there will ultimately be limits. The technology will outpace in its capacity, the imagination of even the most clever law makers. … Of course that is not a reason to do nothing. To do nothing is to make a decision." 

And that is without adding in the so-far unsolved problem of providing effective protection of personal information when it moves between jurisdictions.  The EU approach based on an "adequacy" concept has not worked.  APEC is working hard on an approach that is based on ensuring "accountability", but there is a long way to go.  For more detail, read Chapter 31 of the Australian Law Reform Commission review of Australian Privacy Law in Report 108, For Your Information: Australian Privacy Law and Practice.

On the other hand, many speakers felt that education, self help tools and self regulation were sufficient, notwithstanding a brilliant talk from Leif Stenström, Director of Communication at the Swedish Privacy Commission about the difficulties of engaging young people who are involved in social networking in safety issues and safer practices. His talk is about one hour into Panel 4.

There was a bit too much laissez-faire from some of the speakers taking the latter approach.  While new regulatory approaches are going to be painful and a lot of work, laissez-faire ignores the recent climate change that has occurred and which will dominate for the foreseeable future for two very significant reasons.  First, we have repeated evidence over the last 2-3 years that far too many organisations worldwide have appalling data security practices, be they government or private sector.  Second, the Global Financial Crisis (GFC) will result in regulation that aims to achieve social objectives being seen in a more favourable light than any time since Reagan and Thatcher were in their heyday.

Sadly, neither side appeared to listen much to the other.  There was a strong push for more nations to sign up to the Council of Europe approach as set out in Convention 108.  While greater merit is going to be seen in drawing up stronger global approaches to enforcement of frameworks that protect personal information (including a resolution adopted at the Conference by Commissioners), is this the right one in light of global developments?  It was also clear that a number of nations are most unlikely to consider the CoE Convention.

There were, of course, glimmers of light to allow optimism.  The paper titled Moving Information Across Border delivered by Peter Cullen in Panel 6 may well contain the core of a workable future approach.  It is based on giving true meaning to "accountability" where organisations will be expected to be much more transparent about what they are doing with personal information & be truly accountable for their actions, both within a single jurisdiction and worldwide.  We heard that this approach is going to be developed further in the coming months, including in a process being facilitated by Billy Hawkes, the Irish data protection commissioner, and involving a number of other European privacy regulators.

So, I remain optimistic about this broader debate.  I have to. 

On a brighter note, it is interesting to see the identity management debate move forward.  I last touched on this issue in Identity Management in New Zealand, CeBIT Australia and the Merry Month of May … where I reflected on developments especially in our region.  The Workshop on "ID Management in the Future Digital Society" organised by the Information Society Directorate-General of the European Commission on 14 October allowed another insight into global trends on ID management. 

Again, there were cross currents that did not recognise the extent to which inappropriate ID management arrangements placed far too much privacy and other risk on the individual.  On the other hand, the trend was definitely towards finding ways of providing for ID management that doesn't place all the information and all the control in the hands of authorities who also have considerable powers to monitor activity, made worse by inadequate transparency and accountability.  Better than that, we are seeing the seeds of trans-Atlantic cooperation here:  The presentation on developing a user-centric identity meta system draws on Kim Cameron's work on Laws of Identity and the work going on in Europe in a similar vein.  The slides for all presentations are on the Workshop on "ID Management in the Future Digital Society" web page and are well worth looking at.

An additional thought arising from the Workshop:  Australia's ID management arrangements are falling further and further behind global practice as the world moves on.  We don't have a moment to lose.

Both these events gave me cause for cautious optimism, especially the EC Workshop.  But we have more work to do on the dialogue of the deaf …

Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information.