IT Law: the Middle Kingdom between East and West

Lilian Edwards, Professor of E-Governance and Director, Centre for Internet Law and Policy, University of Strathclyde

Upload: lilian-edwards

Post on 01-Jul-2015


Category:

Law



DESCRIPTION

Privacy as a value is often seen as conflicting with, and less important than, other major societal goals such as nation state security and business profits. China, as a socialist state emerging as a major digital economic force, may fall prey to both these assumptions. However, recent history in the West shows that over-zealous national security infringing citizen privacy, as revealed in the recent Snowden PRISM/TEMPORA etc scandals, may backlash against business profits as well as reducing citizen trust in security. China can learn from these lessons as it expands its own privacy law, especially in the IT/telecoms area.

TRANSCRIPT

Page 1: IT law : the middle kingdom between east and West

IT Law: the Middle Kingdom between East and West

Lilian Edwards

Professor of E-Governance and Director, Centre for Internet Law and Policy

University of Strathclyde

Page 2

http://www.strath.ac.uk/internetlaw/

Page 3

Privacy as a Middle Kingdom

Security

Privacy

Business profits

Freedom of speech

Consumer convenience

Page 4

Lessons for China?

• Privacy vs security – recent Western experience

• Impact of lack of privacy on profit – recent Western experience

• Does limiting privacy law in favour of other values work?

• What can China learn from this?

Page 5

Privacy vs security

Page 6

Richard Hannigan, Director GCHQ, 3 November 2014

• Calling for technology firms such as Facebook and Google to share personal data of users more readily with security services, eg by not supplying stronger encryption to consumers in the wake of Snowden

• Tech firms little more than “command and control networks of choice for terrorists and criminals”

• “GCHQ is happy to be part of a mature debate on privacy in the digital age. But privacy has never been an absolute right and the debate about this should not become a reason for postponing urgent and difficult decisions.”

Page 7

Privacy and profit

Page 8

OBA: data as “the new oil” of the economy

• “Advertising based on the observation of the behaviour of individuals over time. Behavioural advertising seeks to study the characteristics of this behaviour through their actions (repeated site visits, interactions, keywords, online content production etc) in order to develop a specific profile and provide data subjects with adverts tailored to match their inferred interests” (Art 29 WP 2/2010)

• Online advertising now largest sector in UK (since 2009) c 30% – bigger than TV, radio, newsprint etc. c 59% spend of this on search ads, mainly AdWords (Google revenues).

• IAB: Social media revenues - advertising delivered on social platforms, inc social networking and social gaming -> rose by 58% H1 2014. Mobile revenues increased 76%.

• Wired: “every industry that becomes digital eventually becomes free” (Anderson, 2008)

• Failure to find other business models for digital world?

Page 9

Big data

• “If information wants to be free, data wants to merge” (Grossman)

• UK Government Information Economy Strategy 2013: 90% of global data generated in the last 2 years -> “business sectors across the economy have the potential to be transformed by data, analytics and modelling”

• “..UK Government will continue to drive and influence EU …to ensure that growth opportunities are not inhibited by new or existing levels of regulation”

• ? Challenges DP princs of data minimisation and purpose specification (Tene and Polonetsky, 2013) – “fishing expedition”

Page 10

Big bureaucracy?

• Considerable opposition by both UK and US to enactment of General Data Protection Regulation to improve data privacy in EU – not “business friendly”

• HMG Seizing the Data Opportunity 2013 : “the GDPR does not strike the correct balance between ’privacy and innovation.. we should be careful about overly prescriptive regulation that increases red tape and costs for businesses, the public sector, and for regulators”

• Similar earlier reactions by industry to new laws on cookies consent 2009-2011 – OUT-law “Please kill this cookie monster to save EU websites”

• And to the “right to be forgotten” (Google Spain), HL, 2014: “..judgment of the Court is unworkable. It does not take into account the effect the ruling will have on smaller search engines which, unlike Google, are unlikely to have the resources to process the thousands of removal requests they are likely to receive.”

Page 11

Privacy and consumer enjoyment

C4, May 2010

Page 12

From virtual to real world “sharing”: consumers gain?

Smart meters

Page 13

Privacy and freedom of expression

Page 14

How does the law protect informational privacy?

• International human rights law eg ECHR, UNDHR

• Specific international guidelines/treaties/supranational law

– OECD guidelines on personal data, 1980

– Council of Europe Convention on Automatic Processing of Personal Data 1981

– EC Data protection law – required minimum in EU states - taken up as “gold standard” in many overseas states

– US : no similar omnibus protection of personal data – but some strong sectoral laws eg health, financial info, kids data

– China : no omnibus “DP” law but increasing legal protection in Internet related sector

• What lessons can China learn from current concerns about balancing privacy, security and profit?

Page 15

Data Protection Principles – DP Directive 95/46/EC

1. Personal Data shall be processed lawfully and fairly (“collection limitation”).

2. Personal Data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in a manner incompatible with those purposes (“purpose /use limitation”).

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it was processed (add “data minimisation” principle? – DP Reg)

4. Personal data shall be accurate and kept up to date if necessary (“data quality”).

5. Personal data shall not be kept for a longer time than it is necessary for its purpose. (“retention”)

6. Personal data can only be processed in accordance with the rights of the data subjects (“openness”)

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing (“security”).

8. Data export principle

PLUS – independent regulator/watchdog + some degree of bureaucracy for business?

Page 16

Global adoption of DP law (or DP+) as a standard for privacy rights?

• Greenleaf 2012 – not EU v US anymore

• DP laws fast becoming a comprehensive global standard – 89 such laws 2012, growing fast

• Only just over half are in European states (56%)

• 2/3 of APEC members have data privacy laws in private or public sector

• Some new laws exceed current EU DP norms, rts of interoperability, privacy by design, etc – “third wave”

• Remaining outliers among “digital” nations – China and the US!

Page 17

Privacy vs security OR loss of privacy -> loss of profit?

1. Does promoting security over privacy help industry? Snowden – loss of consumer confidence in both B2C and B2B markets in EU

• Evidence from EU industry

– Information Technology & Innovation Foundation report, 2014 – US cloud providers may lose 10-20% of their EU market share = $35 billion over the next three years

– Cloud Security Alliance report, 10% of 207 non EU companies had cancelled contracts with US cloud cos since Snowden

– NTT Comms report: c 25-30% of IT decisionmakers in Germany, France, UK “wanted to keep data in own country”

– AWS setting up German data centre

– “Right now, there are many customers who don't want to buy American -- or to buy from a NATO country in general,” F-Secure

– Impact on government procurement -

• Evidence from non-EU states

– Election officials in India canceled a deal with Google to improve voter registration.

– In China, sales of Cisco routers dropped 10 percent (Huffington Post)

– Russia ban on user data being stored in US -> possible ban on all Apple products (

• Reaction from UK industry and government -

– Plea for ethical codes and MORE privacy restraints/supervision for industry not LESS

– “Addressing consumer confidence in the Digital Economy” – DP plus ethical approval for new big data products, security by design, privacy by design – IEC committee

– “A Unified Ethical Frame for Big Data Analysis”, industry, led by Hewlett Packard

Page 18

• Do consumers care about privacy after all? Not just about business attitudes?

• Citizen attitudes towards data privacy – EuroBarometer 201

• People disclose personal data, including biographical information (almost 90%), social information (almost 50%) and sensitive information (almost 10%) on these sites.

• 70% said they were concerned about how companies use this data and they think that they have only partial, if any, control of their own data.

• 74% want to give their specific consent before their data is collected and processed on the Internet.

• Privacy affecting if not ending data market – cf rise of Snapchat, Whatsapp, Ello – privacy as a feature not a bug

Privacy vs consumer convenience?

Page 19

Conclusions

• Privacy is seen as a value which may be damaging to other more crucial societal goals such as (crucially) national security, business profits

• These are both concerns to legislatures in China and the EU/UK

• However recent history shows that downgrading privacy protection in the name of security and profit may be counter productive

• And the global trend is in fact to greater privacy protection – by both soft and hard law as well as “code” - to restore business and consumer trust and confidence