By Chris Wolf, FPF Founder and Co-Chair
On October 21st, I was invited by the French Minister for Industry, Energy and the Digital Economy, Eric Besson, to participate in a seminar on the future of the Internet in Paris. The privacy session was entitled “Reconciling the Internet business model and respect for privacy” and billed as follows:
Since the appearance of data processing tools more than four decades ago and the introduction of personal data files, States have acquired both tools and organizational structures in order to protect their citizens’ privacy. These include strict legal and regulatory frameworks, guidelines (like those of the OECD), the appointment of privacy-protection authorities, and the development of “privacy by design” technologies and applications.
Moreover, the use of personal data is a complex issue today, given the number of intermediaries involved in an Internet-based transaction, and given the arrival of cloud computing. Cross-border flows of personal data are today widespread, given the global nature of the Internet.
These shifts are overturning the relationship between personal data held by individuals and organizations. Given these challenges and conflicting interests, we need to strike the right balance between the right to privacy and the Internet’s business model.
How can we give individuals permanent control over their personal data on the Internet, particularly given the explosion in the use of social networks, without hampering the growth of the digital economy? What are the best practices to avoid using personal data for commercial purposes, without individuals’ consent? What initiatives can be taken in terms of international cooperation?
I was asked to be the first intervener following a presentation by this panel of government officials and business representatives:
Simon Kennedy, Vice—Minister for Industry – Canada
Igor Shchegolev, Minister of Communications and Mass Media – Russia
Yong Sup Shin, Commissioner, Korean Communications Commission
Ed Vaizey, Minister of Culture , Communications and Creative Industries – United Kingdom
Esko Aho, Executive Vice-President, NOKIA
Simon Davies, PRIVACY INTERNATIONAL
Herman Heunis, Founder and CEO , MXit
Denis Jacquet, Chairman, YATEDO
Elliot Schrage, Vice-President of Global Communications, Marketing and Public Policy, FACEBOOK
Moderator: Shrrry Contu, UK-based Entrepreneur
The government officials uniformly stressed the need for a light regulatory touch (what former Finland Prime Minister and NOKIA representative called “smart regulation”). Still, there were repeated references to the need for businesses to adopt self-regulation and follow principles of Privacy by Design (the concept originated by Ontario DPA Ann Cavoukian and highlighted at the conference by the Canadian Minister). The Russian Minister expressed his government’s commitment to Internet privacy. M. Jacquet stressed the importance of consumer education. Elliot Schrage highlighted the granular tools available to Facebook users to control their data, and the fact that Facebook does not share personal data with third parties. The other industry representatives highlighted some of their best practices. And Simon Davies of Privacy International sounded the only slightly negative note of the panel, questioning whether Privacy by Design was more than just a slogan, and challenging Facebook on its privacy protection.
Notably, one of the more important policy questions on the agenda, “What initiatives can be taken in terms of international cooperation?” was addressed only in passing.
Thus, when I was called upon, I praised the panel for highlighting the importance of sharing best practices and for recognizing the role of limited regulation combined with private sector responsibility. Still, I urged the panel and the few Data Protection Authority representatives in the audience, mostly from the French DPA — the CNIL, to focus more on the convergence internationally in privacy protection and less on the differences in national frameworks. I mentioned how Fair Information Practice Principles, reflected in the OECD guidelines, underlie all modern privacy protection regimes. And I mentioned how concepts of Privacy by Design, Codes of Conduct, Accountability, cross-border enforcement, the rise of the Chief Privacy Officer profession and the international sharing of best practices (such as data breach notifications and new ways to notify and empower consumers) were far more important in an interconnected/cloud computing world than the perceived superiority of a national framework. Finally, I noted the extreme cost that framework superiority rules impose on businesses in countries deemed not to have the identical protections as a national framework, and that the cost ultimately is borne by consumers.