On Tuesday, October 23, FPF’s Chris Wolf was one of the first plenary speakers at the 34th Annual Conference of Data Protection and Privacy Authorities in Punta Del Este, Uruguay. Here is the text of his remarks:
Privacy and Technology in Balance
Thank you for the opportunity to present on behalf of the Future of Privacy Forum, our think tank devoted to advancing responsible data practices.
Privacy has never mattered as much as it does today. We are in an era of rapidly-evolving technology capable of collecting, storing, sharing (and potentially, mishandling) personal data about every aspect of our lives.
One measure of the progress on privacy in the Information Society is the sheer number of people concerned with the privacy profession, in government, civil society, academia, in business and in law. This is true around the world, but perhaps nowhere is there a greater proliferation of people concerned with privacy than in my own country, the United States.
My personal experience is an example. I have been practicing law for more than three decades, and I focused on technology and the Internet early on. I was one of the first American lawyers to devote myself exclusively to privacy law.
My full concentration on privacy law arose from my representation in federal court of a gay sailor as to whom the US Navy illegally obtained information from AOL in a discriminatory effort to oust him from the service. I saw then, as I see today, the potential personal harm that can come from illegal collection and use of data.
And so, I am devoted to responsible data collection and use. I now lead a full-time team in Washington, DC of 17 lawyers, and have dozens of law firm colleagues who focus on privacy around the world in our European and Asian offices. We are soon to open an office in Brazil.
The Future of Privacy Forum, the think tank I founded in 2008 and that I co-chair with Jules Polonetsky, has grown dramatically from our first days, and we now have dozens of academics, consumer advocates and business representatives participating.
We are focusing on a wide range of issues from Big Data, to de-identification, to the Smart Grid to mobile and Application Privacy, and many more issues that are arising with new uses of data.
In my law practice and at the Future of Privacy Forum, we recognize that a greater understanding of the expectations raised by the Information Society can contribute to improving data protection regulation and control.
In considering the issue of progress in privacy and data protection, I am reminded of the observations by the author Doug Adams who wrote the book entitled “The Hitchhiker’s Guide to the Galaxy.”
Adams made these three observations about our reactions to new technology.
1) The things that exist in the world when you’re born are normal and acceptable;
2) Anything invented between when you are born and before you turn thirty is incredibly exciting and creative;
3) Anything invented after you turn thirty is against the natural order of things and the beginning of the end of civilization as we know it – that is, until it’s been around for about ten years when those inventions gradually turn out to be alright really.
And likewise, progress in data protection is a matter of perspective. Ten years ago, I never would have imagined the scope of the privacy profession. The International Association of Privacy Professionals, started just over a decade ago with a handful of members, now has membership in the tens of thousands. Those numbers reflect the range of privacy issues being addressed by businesses that recognize a responsibility due to laws, regulations — but also out of a sense of responsibility and data stewardship, and the commitment to maintain consumer trust.
Earlier this year, I testified before the United States Senate Judiciary Committee Subcommittee on Privacy concerning a law passed in 1988 called the Video Privacy Protection Act, or VPPA. That law obviously was passed to react to the practices of videocassette rental stores, well before the Internet era; before Netflix, and before Facebook. Yet, the VPPA is being applied to the technologies of the Internet era even though Congress never contemplated such a world.
My experience with the video privacy law is part of what gives me concern that data protection that is put in place to react to new technologies may in time not be viewed as progress at all but rather as a barrier to progress.
I know that some DPAs react viscerally when objections to certain regulations are made because of the risk to innovation. But it is axiomatic that over-regulation thwarts innovation.
What is needed is smart, forward-looking regulation, and it can come from many sources – from law and yes from enforceable self-regulation created by those who are closest to the workings of changing technologies. Perhaps a better label for what I am describing is co-regulation.
The theme of this conference, “Privacy and Technology in Balance” captures perfectly the tension between privacy rules and advances in the Information Society.
And the conference comes at a time when the privacy frameworks in the US and the EU are under re-examination.
There are common aspects to the EU and U.S. proposals. Both fundamentally are premised on Fair Information Practice Principles. Both call for implementation of the “Privacy by Design” concept intended to build in privacy sensitivity and consideration into every stage of the development of products and services. Both recognize the importance of accountability by those who collect and use personal data. Both reflect the principle that people should not be surprised by the use of their personal data collected for one purpose but used for another purpose.
There is no disagreement about the need for informed consent about the collection and use of personal information (although the kind of consent envisioned in each jurisdiction differs as to various categories of data). Finally, the U.S. view of what constitutes “personal data” seems to be moving toward the EU’s: the FTC refers to data that can be “reasonably linked to a specific consumer, computer or other device,” a standard very close to ––and arguably even broader than––the EU definition of personal data.
Big differences in approach emerge from the fact that the United States, while proposing a first-ever federal privacy law with a “Privacy Bill of Rights,” still intends to rely on a variety of self- or co-regulation. And the U.S. proposed rules do not contemplate a “right to be forgotten.”
Similarly, there is no right to “data portability” in the U.S. proposals as there is in the EU plan.
And even though the EU has borrowed the data breach notification idea from the United States, it proposes a presumptive obligation to provide notice within twenty-four hours of a breach, a time frame widely regarded as wholly unworkable by those who have worked under the U.S. data breach laws. Finally, the EU proposes a schedule of monetary fines of up to 2 percent of an entity’s global worldwide turnover for violations of the proposed Regulation––an amount that many stakeholders view as unreasonable due to the apparently wide discretion given to enforcers in assessing such a fine.
The period ahead will be one of adjustments to the proposed EU Regulation to make it acceptable to the European Parliament and to the Council of the European Union, the bodies responsible for the co-decisioning process required to adopt the Regulation. Likewise, in the United States, the exact shape of the new privacy framework is still to be determined, on Capitol Hill and through the work of the Executive Branch, and the results of the election in a few weeks will be important.
As things now stand, there is a big gap to bridge between the two trans-Atlantic approaches, in many ways, so close. Yet, they are very far apart in fundamental respects.
Privacy will most effectively evolve in the Information Society when the privacy frameworks are interoperable. My hope is that the fundamental differences in approach give way to that fundamental understanding.
And therefore, to close, I commend to you the recent remarks of Cameron Kerry, the General Counsel at the US Department of Commerce before the European Parliament, who quite wisely observed that for the information society to thrive, “the global marketplace will require mutual recognition and innovative solutions that permit businesses to streamline their operations across countries with differing legal regimes.”
This conference is a perfect opportunity to explore such innovative solutions towards mutual recognition and cooperation, and towards a robust and growing information society.