privacy in networked society guiding data protection principles

privacyin the networked society

POLICY RECOMMENDATION

GUIDING DATA PROTECTION PRINCIPLES

Rene Summer | Public | © Ericsson AB 2013 | 2013-01-08 |

agenda

› INTRODUCTION› BALANCING ACT› GUIDING DATA PROTECTION PRINCIPLES› CONCLUSIONS


society

› Finding a precise point of departure of a “history of human rights (HR)” is controversial and a politically charged matter.

› It is quite unrealistic to credit any: Culture, Religion or Region of the world with the origins of human rights.

› A common theme in the early development era of HR: “the limitation of absolute power and arbitrary power of the sovereign” (starting with 1215 Magna Carta)

› Thinkers of the Enlightenment period (~1650 ~ 1790) introduced the concept: “everyone was born with certain rights which no authority could take away”.

Source: Moecki, Shah & Sivakumaran, International Human Rights Law, Oxford 2010


Legal perspective

› 1215 - Magna Carta › 1689 - English Bill of Right

› 1776 - US Declaration of Independence / Virginia Declaration of Rights› 1789 - French Declaration of the Rights of Man and Citizen, US Constitution› 1791 – US Bill of Rights› 1798 Netherlands, 1809 Sweden, 1812 Norway, 1814 Belgium, 1831 Liberia, 1847 Sardinia, 1849 Denmark, 1850

Prussia…

Transformation into positive law

Limitations of POWERS

Landmarks but with limited practical EFFECTS


Legal perspective

› UN Universal Convention of Human Rights› EU Convention on Human Rights › Continued expansion of Constitutional recognition (explicit/implicit)› Continued expansion in National Laws / Directives (EU)› Creation of Data Protection Agencies (DPA)

Right to PRIVACY as a distinct right > articulated

› OECD Privacy Guide Lines

› APEC Privacy Framework

› Certification (Safe Harbor Company, Corporate Biding Rules)

› Generally Accepted Privacy Principles (GAAP)

Emerging alternatives to “TOP-DOWN” legislation


Technology - scale

› Manual Era of data processing:

Data processing was not automatic, and the large-scale, uncontrolled surveillance was too costly, and all this provided a natural barrier for protecting privacy

› Computerized Era of data processing:

Spread of computerized processing from late 60s from US onwards, gradually led to the disappearance of the “natural privacy barrier”


Technology-scope


The advent of attention economics


creates also new privacy business opportunities

Source: Ericsson Consumerlab, Consumer Privacy in an Online World, http://www.ericsson.com/res/docs/2012/ericsson_privacy_report_updated_20120203.pdf

http://www.ericsson.com/res/docs/2012/ericsson_privacy_report_updated_20120203.pdf


Regional Conceptual fragmentation

Source: http://www.worldvaluessurvey.org/

› Values and expectations culturally fragmented

› Concept of privacy “in the eye of the beholder”

› Privacy as concept fragmented within and between cultures

http://www.worldvaluessurvey.org/


Perception / individuals/Confusion


Privacy theory development

› The right to be let alone› Limited access to the self› Secrecy – the concealment of certain matters› Control over personal information› Personhood – protection of personality, individuality and

dignity› Intimacy – control over ones intimate relationships or

aspects of life

Challenge: Over inclusive > VAGUE / Too Narrow > Restrictive


Policy Challenge

“Privacy problems are often not well articulated, we frequently lack a compelling account of what is at stake when privacy is threatened and what precisely the law must do to solve this problem.”

MATCHING: Policy JUSTIFICATION (WHY) = POLICY OBJECTIVES (WHAT ENDS)

= REGULATORY INSTRUMENTS + REGULATORY APPROACH (HOW TO REGULATE)

Solve, Understanding Privacy, Harvard Press 2008


Balancing Privacy

Universal

Particular

Absolute Relative


Individual Absolutism – no social trust ?


agenda



Balancing act

SOCIETY

INDIVIDUAL

PROGRESS TECHNOLOGY


delicate Balancing actCompetitiveness of Nations impact of digitization

Source: World Economic Forum, Global Competitiveness Report 2010-11 Source: Booz & Company: Maximizing Impact of Digitization

INNOVATION & SOPHISTICATION• Business sophistication• Innovation

EFFICIENCY ENHANCERS• Higher education and training• Goods market efficiency• Labor market efficiency• Financial market development• Technological readiness• Market size

BASIC REGUIREMENTS• Institutions• Infrastructure• Macroeconomic environment• Health and primary education

Key forfactor-driveneconomies

Key forefficiency-driven

economies

Key forInnovation

-driveneconomies

ECONOMYGDP GROWTHJOB CREATIONINNOVATION

SOCIETYQUALITY OF LIFEACCESS TO

BASIC SERVICES

GOVERNANCETRANSPARENCYE-GOVERNMENTEDUCATION

Rene Summer | Public | © Ericsson AB 2013 | 2013-01-08 | Page 20

delicate Balancing act

SOCIETY individual


Transformation of Society a delicate balancing act

› Continued ICT-led transformation, aka digitization of the Society

› Comes with necessary and desirable socio-economic benefits

› Facilitates the fulfillment of other classes of individual rights /human rights

› Needs of the Society – individual rights in isolation have limited /no meaning

› Economic progress at the expense of fundamental rights; poses questions of legitimacy, desirability and sustainability


Progressive rights- based approach

› Anchored in the recognition of a certain set of individual rights e.g. privacy and a commitment by policy makers to protect these rights

› Is a holistic, with a broad policy perspective that is not singularly constrained

› It aims to conciliate and balance between competing legitimate policy objectives; market, society and individual

› As a principle individual rights are neither subordinate nor superior

› Adherence to certain key guiding principles


Human Rights DeclarationConstitutional or other statutory provisions

Scoping Data protection

Data Protection (DP) Lawful Intercept (LI) Data Retention (DR) Cyber Security (SC)

Right to Privacy

Information Management

DP DRLI CS


Modeling DP - activities and stakeholders

DATA SUBJECT

INFORMATIONPROCESSING

INFORMATIONDISSEMINATION

INFORMATIONCOLLECTION

INVASION

1

2

3

5

CONTROLLER PROCESSOR

CONTROLLER

Territorial Jurisdictions

Source: Ericsson Adaptation: Solve, Understanding Privacy, Harvard Press 2008.

Controller and Processor may or may not be independent legal entities

USE4


agenda



Guiding principles

› Targeted & transparent› Technology neutral› Role specific› Flexible› Efficient› Trans-border tolerant


Targeted & Transparent

› Focus on the purpose› Respect territorial requirements› Aimed at Personal Data› Approach Sensitive Data – in a territorial context› Up to date, relevant and accurate› Obtained with knowledge/consent› Respect data subject rights; access, rectification etc


Technology neutral

› Neutral treatment of platforms, business models and business processes

› Technology neutrality is not a source for circumvention› Is the flip side of a well target purpose focused

principle› Technology neutral encompasses:

– Legal and regulatory frameworks– Choice of regulatory instruments– Implementation strategy of regulatory instruments


Role specific

DATA SUBJECT

INFORMATIONPROCESSING

INFORMATIONDISSEMINATION

INFORMATIONCOLLECTION

INVASION

1

2

3

5

CONTROLLER PROCESSOR

CONTROLLER

Territorial Jurisdictions

Source: Ericsson Adaptation: Solve, Understanding Privacy, Harvard Press 2008.

Controller and Processor may or may not be independent legal entities

USE4


maintain: Roles & Responsibilities (EU Directive 95/46)

› The relation with data subjects is established and maintained by controllers and this is why the existing legal framework foresees direct responsibilities for controllers whilst the responsibilities of processors are left to be determined bilaterally between controllers and processors, depending on the circumstances.

› This current approach in existing EU regulation is well understood and has proven to be workable.


flexible

› Inherent tension - the need for flexibility and the demand for predictability and consistency

› Dealing with sensitive data› Alternatives to top down/hard law approaches› Accountability seeking› Less descriptive regulatory instruments› Makes room for co-regulation and self regulation› Privacy by design with substance


efficient

› Periodic reviews to keep pace with technology› Promotes framework simplification› Provides sunset provisions › Minimizes the cost of regulation to the public,

consumer and business› Measured breach notification measures› Enforcement, contextually sensitive


Contextual Enforcement strategy

INT

EN

DE

D

INFORMEDWELL

ILL

ILL

ACCOUNTABLECOMPANY

EVILCOMPANY

UNINFORMEDCOMPANY

DECEPTIVECOMPANY

PUNITIVE DETERENCE

PARTICIPATORY COMPLIANCE


Trans-border tolerant

› Economies of scale > open flow of data› Welcomes international de-facto harmonization› Streamlining regulation between group of companies

and between independent legal entities› Where harmonization cannot be realistically achieved

or is expected to take a long time >› Fill the gaps between standards in national DP rules

with CBR (EU) or Safe-Harbor Company (US) certification.


agenda



conclusions

› The reality for the foreseeable future of DP: a continued fragmented and geographically contingent concept

› A progressive rights-based regulatory framework is the appropriate approach to safeguard data privacy

› Main challenge is to get the delicate balance right› Safeguarding the right to privacy as well as to cater for public and

market needs with the aim to gain, grow and maintain the trust of end-users which will benefit the digital market and consumer choice

› Flexible and adaptable to geographical contingencies, open to trans-border data flows, business and innovation friendly but also very importantly, aligned with national data protection policy standards

privacy in networked society guiding data protection principles

Documents