When Less is More

| October 28, 2009

Last week the Sydney Morning Herald published, “When the small print leaves us all at sea”, a very good article by Annette Sampson. It really got me going.

The timing was perfect.
I was already fired up on this topic after a robust conversation with one of my colleagues in the US Federal Trade Commission (FTC). They’d had me on the line a couple of days previously for my views on ‘how to do privacy regulation better’ as part of the round table process that FTC is just getting under way.
Sampson’s article illustrates where some thinking is happening in Australia in the world of financial information governance (aka the market in shares & other investments) that is applicable in the world of personal information governance (aka privacy).
Conventional wisdom says that the more regulators and legislators require companies to disclose everything – the safer we’ll all be.
That’s great in theory, and it works for high level transactions where solicitors and privacy experts are employed to review contracts.
It’s less effective in practice. In everyday situations most people simply enter in to agreements or user relationships without understanding, or even reading, all the privacy information.
I can understand why people don’t want to read pages upon pages of privacy jargon or lengthy disclosure documents written in legalese almost with the intention of being unreadable to people like you and me.
Now the emphasis is shifting from full disclosure to effective disclosure.
To put it another way, almost all of the world’s privacy frameworks, including Australia’s, often result in the consumer/customer/citizen being asked to bear too much of the load.
The Individual Participation Principle common to all privacy frameworks is very important: but it has been used as a convenient excuse for placing far too much burden of understanding what is going on in the world of personal information upon the consumer/customer/citizen; then acting as decision maker and the first line enforcement.
In so many other parts of our lives, we accept that excessive reliance such as this is impossible.
Look at the extent to which driving a modern motor car is assisted by a computer. Look how much of the motor car’s servicing is done by expert mechanics, not the driver.  Look at the extent to which owners of stocks and shares depend on third party accountability agents to advise them on the status of the finances in the company. 
As noted parenthetically in some IIS papers, if you rely on a third party accountability agent, then the next question is who should that be? 
There is no inherent reason that necessitates it should have to be a government regulator in the first instance. 
It isn’t in the case of financial information governance. Why is personal information governance so special that it should be treated differently?
Indeed, there is considerable merit in keeping the government regulator in reserve as an enforcing line of defence behind a first line of third party accountability agents; again as is the case in financial information governance. 
As I know from my experience as Federal Privacy Commissioner, and I am sure that the US Federal Trade Commission similarly knows, gaining additional resources from a government budget is extremely difficult. 
But if you pass a law that requires a company to have its accounts audited to a required standard by an accredited third party, then they have no choice but to comply because it is a condition on them continuing in existence. In this way the vast bulk of the cost of that layer of governance is met by the company instead of them getting it free of charge from the government.  In this way, as the number of companies increases and the nature of the standards change, the resources required commit to the task of ensuring compliance grows naturally instead of having to be justified in the artificiality of government budgeting processes. 
In this way the government can provide a reliable regulatory framework whilst retaining their resources in reserve for those occasions that really matter. They can bring out the big guns to prosecute the baddies and have a better chance of having the ability to do so.
None of this means to say that the process of relying on third party accountability agents to assist in personal information governance is perfect. 
Nothing is (just ask Enron or look at some of the claimed causes of the GFC), but the evidence is mounting, in the case of personal information at least, that it can be better than leaving it all up to the responsibility of the individual.
Nor does it mean that the Individual Participation Principle need be compromised.  Just because, between my foot on the brake pedal & the brakes, there is a computer that intervenes & makes a lot of decisions for me (anti-brake lock etc, etc) it doesn’t mean to say that I don’t have control of the motor car. 
Ditto personal decisions about personal information.  

But the world clearly wants most of the decision making to be done on ‘automatic’ for most of the time, while allowing the opportunity to intervene.

More disclosure does NOT necessarily mean we are better informed or empowered to make better decisions.
Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information.  He is also foundation President of the International Association of Privacy Professionals, Australia New Zealand, www.iappANZ.org.