From Uruguay, Chris Wolf: Privacy and Technology in Balance

On Tuesday, October 23, FPF’s Chris Wolf was one of the first plenary speakers at the 34th Annual Conference of Data Protection and Privacy Authorities in Punta Del Este, Uruguay. Here is the text of his remarks:

Privacy and Technology in Balance

Thank you for the opportunity to present on behalf of the Future of Privacy Forum, our think tank devoted to advancing responsible data practices.

Privacy has never mattered as much as it does today. We are in an era of rapidly-evolving technology capable of collecting, storing, sharing (and potentially, mishandling) personal data about every aspect of our lives.

One measure of the progress on privacy in the Information Society is the sheer number of people concerned with the privacy profession, in government, civil society, academia, in business and in law.   This is true around the world, but perhaps nowhere is there a greater proliferation of people concerned with privacy than in my own country, the United States.

My personal experience is an example. I have been practicing law for more than three decades, and I focused on technology and the Internet early on. I was one of the first American lawyers to devote myself exclusively to privacy law.

My full concentration on privacy law arose from my representation in federal court of a gay sailor as to whom the US Navy illegally obtained information from AOL in a discriminatory effort to oust him from the service. I saw then, as I see today, the potential personal harm that can come from illegal collection and use of data.

And so, I am devoted to responsible data collection and use. I now lead a full-time team in Washington, DC of 17 lawyers, and have dozens of law firm colleagues who focus on privacy around the world in our European and Asian offices. We are soon to open an office in Brazil.

The Future of Privacy Forum, the think tank I founded in 2008 and that I co-chair with Jules Polonetsky, has grown dramatically from our first days, and we now have dozens of academics, consumer advocates and business representatives participating.

We are focusing on a wide range of issues from Big Data, to de-identification, to the Smart Grid to mobile and Application Privacy, and many more issues that are arising with new uses of data.

In my law practice and at the Future of Privacy Forum, we recognize that a greater understanding of the expectations raised by the Information Society can contribute to improving data protection regulation and control.

In considering the issue of progress in privacy and data protection, I am reminded of the observations by the author Doug Adams who wrote the book entitled “The Hitchhiker’s Guide to the Galaxy.”

Adams made these three observations about our reactions to new technology.

1) The things that exist in the world when you’re born are normal and acceptable;

2) Anything invented between when you are born and before you turn thirty is incredibly exciting and creative;

3) Anything invented after you turn thirty is against the natural order of things and the beginning of the end of civilization as we know it – that is, until it’s been around for about ten years, when those inventions gradually turn out to be alright really.

And likewise, progress in data protection is a matter of perspective. Ten years ago, I never would have imagined the scope of the privacy profession. The International Association of Privacy Professionals, started just over a decade ago with a handful of members, now has membership in the tens of thousands. Those numbers reflect the range of privacy issues being addressed by businesses that recognize a responsibility due to laws, regulations — but also out of a sense of responsibility and data stewardship, and the commitment to maintain consumer trust.

Earlier this year, I testified before the United States Senate Judiciary Committee Subcommittee on Privacy concerning a law passed in 1988 called the Video Privacy Protection Act, or VPPA.  That law obviously was passed to react to the practices of videocassette rental stores, well before the Internet era; before Netflix, and before Facebook.  Yet, the VPPA is being applied to the technologies of the Internet era even though Congress never contemplated such a world.

My experience with the video privacy law is part of what gives me concern that data protection that is put in place to react to new technologies may in time not be viewed as progress at all but rather as a barrier to progress.

I know that some DPAs react viscerally when objections to certain regulations are made because of the risk to innovation.  But it is axiomatic that over-regulation thwarts innovation.

What is needed is smart, forward-looking regulation, and it can come from many sources – from law and yes from enforceable self-regulation created by those who are closest to the workings of changing technologies. Perhaps a better label for what I am describing is co-regulation.

The theme of this conference, “Privacy and Technology in Balance” captures perfectly the tension between privacy rules and advances in the Information Society.

And the conference comes at a time when the privacy frameworks in the US and the EU are under re-examination.

There are common aspects to the EU and U.S. proposals. Both fundamentally are premised on Fair Information Practice Principles. Both call for implementation of the “Privacy by Design” concept intended to build in privacy sensitivity and consideration into every stage of the development of products and services. Both recognize the importance of accountability by those who collect and use personal data. Both reflect the principle that people should not be surprised by the use of their personal data collected for one purpose but used for another purpose.

There is no disagreement about the need for informed consent about the collection and use of personal information (although the kind of consent envisioned in each jurisdiction differs as to various categories of data). Finally, the U.S. view of what constitutes “personal data” seems to be moving toward the EU’s: the FTC refers to data that can be “reasonably linked to a specific consumer, computer or other device,” a standard very close to––and arguably even broader than––the EU definition of personal data.

Big differences in approach emerge from the fact that the United States, while proposing a first-ever federal privacy law with a “Privacy Bill of Rights,” still intends to rely on a variety of self- or co-regulation. And the U.S. proposed rules do not contemplate a “right to be forgotten.”

Similarly, there is no right to “data portability” in the U.S. proposals as there is in the EU plan.

And even though the EU has borrowed the data breach notification idea from the United States, it proposes a presumptive obligation to provide notice within twenty-four hours of a breach, a time frame widely regarded as wholly unworkable by those who have worked under the U.S. data breach laws. Finally, the EU proposes a schedule of monetary fines of up to 2 percent of an entity’s global worldwide turnover for violations of the proposed Regulation––an amount that many stakeholders view as unreasonable due to the apparently wide discretion given to enforcers in assessing such a fine.

The period ahead will be one of adjustments to the proposed EU Regulation to make it acceptable to the European Parliament and to the Council of the European Union, the bodies responsible for the co-decisioning process required to adopt the Regulation. Likewise, in the United States, the exact shape of the new privacy framework is still to be determined, on Capitol Hill and through the work of the Executive Branch, and the results of the election in a few weeks will be important.

As things now stand, there is a big gap to bridge between the two trans-Atlantic approaches, in many ways, so close. Yet, they are very far apart in fundamental respects.

Privacy will most effectively evolve in the Information Society when the privacy frameworks are interoperable. My hope is that the fundamental differences in approach give way to that fundamental understanding.

And therefore, to close, I commend to you the recent remarks of Cameron Kerry, the General Counsel at the US Department of Commerce before the European Parliament, who quite wisely observed that for the information society to thrive, “the global marketplace will require mutual recognition and innovative solutions that permit businesses to streamline their operations across countries with differing legal regimes.”

This conference is a perfect opportunity to explore such innovative solutions towards mutual recognition and cooperation, and towards a robust and growing information society.
