Malcolm Crompton Privacy on the International Stage: A Vision of the Future IAPP TRUSTe Symposium: Privacy Futures Plenary 2, Day 2 San Francisco 10 June 2004. The Future: Always start with the past. Over the last 5 years: Dot boom Dot crash 11 September 2001
Malcolm Crompton
Privacy on the International Stage: A Vision of the Future
IAPP TRUSTe Symposium: Privacy Futures
Plenary 2, Day 2
San Francisco
10 June 2004
The Future: Always start with the past
Over the last 5 years:
• Dot boom
• Dot crash
• 11 September 2001
These events have clearly set the scene
Examples
• Adventurous additional use/disclosures
  • Toysmart attempted sale of personal information: a dot boom & crash example
• Malevolence & Mischief – Spam, viruses, spyware, ID theft, phishing
• Intellectual Property (IP) vs Personal Information (PI) rights & respect
• RFID
  • Compares with GMO debate
• Total Information Awareness & other actions of the State in many countries
• Other tech – genetics, location tracking, …
The result: Trust dissipates
• a nation’s economic strength is tied to its social unity
  (Fukuyama, 1995)
• “In simple terms, the best safeguard is not that they know less about us, but that we know more about them; and that we are aware of what they know about us and how they use such information.”
  (Raab, 1998)
• “… trust involves a number of disparate components & can not be reduced to a mathematical formula. ... The cultural influence can not be underestimated.”
  (McCullagh, 1998)
The result: Trust dissipates
• “… having misdiagnosed what ails British society we are now busy prescribing copious draughts of the wrong medicine. We are imposing ever more stringent forms of control. … Our revolution in accountability has not reduced attitudes of mistrust, but rather reinforced a culture of suspicion.”
  (Onora O’Neill, 2002)
• “Trust will enable us to get the most out of globalisation … But we have to learn how best to place our trust, how to place it intelligently, in systems, in people, in institutions.”
  (O’Hara, 2004)
How do we respond?
• Law
  • USA – HIPAA, GLB, COPPA, FCRA, Can Spam, Do-Not-Call etc
  • Aus – Privacy Act 1988, Spam Act 2003 etc
• Technology
  • Filters – spam, virus
  • Encryption
• Sub-optimise consumption & involvement
  • Lie, don’t disclose, half truths
  • Reduce participation
Feb 2003: International Privacy Framework is complex!
Feb 2003: International Privacy Framework is changing fast! Etc …
But since then:
• 10 more nations joined EU from 1 May & have or will have privacy laws
• PIPEDA has come into full effect in Canada
• Japan, Mexico, Thailand, Malaysia have all passed or progressed laws since then
• India is talking about it
• And of course PNR transfers
Asia Pacific privacy law – summary position

Little or no recognisable law (# = Law under consideration)
• China
• Singapore
• Malaysia #
• Thailand #
• Mexico #
• Chile
• India
• Indonesia
• Russia, others

Omnibus or sector law (* = With enforcement)
• USA *
• Canada *
• Japan
• Korea *
• Hong Kong *
• Australia *
• New Zealand *
• Chinese Taipei

APEC Privacy Principles
Courts have contributed too, eg:
• Some read down privacy
  • No tort of privacy in UK – Wainwright
  • Internet access across borders not transborder data flow – Lindqvist
• Others have strengthened privacy protection
  • Naomi Campbell does have some privacy
  • An Australian tort of privacy? – Grosse v Purvis
  • Australian union fails Principles of collection limitation & notice – Channel 7 v Media union
And so the future • Distributed business systems • Beyond ‘trans border data flows’ • Distributed consumption patterns • In the absence of trust, greater demands for privacy, high levels of data protection & limitations on use of personal data • Cannot have cake & eat it too, eg demand transparency in others but not in ourselves • Treat people like suspects & they respond accordingly
Law + Technology + Market + Transparency + Accountability = Privacy
• Law = promise; enforcement
• Technology = delivers promise
• Market = people don’t buy; nobody makes
• T+A = proof of promise kept
• Combined = total cost too high, except in extremes (High Court; or worth a massive tech attack; or ...)
www.privacy.gov.au/news/speeches/sp1_04p.pdf
What can we do about it?
• Support trust frameworks
• Make self regulation work or support sensible laws
• Assist innovative international frameworks – APEC looks promising
• PETs not PITs
• Trusted Computing Group
• Federated Identity
• Respect & respond to the human dimension; TAKE PEOPLE INTO YOUR CONFIDENCE
• “socially based predictability … [is what] … computers find so hard to mimic”
  (O’Hara, 2004)
Recommendation 3, UK NCC report on RFID, “calling in the chips?”:
“… there is much to learn from the GM debate (about trust, communication, risk and consumer involvement) that has relevance here. … Industry and government need to build on this experience and pay real attention, not lip service, to consumer views by improving the quality of risk communication and investing in deliberative processes, to inform policy and build consumer literacy and trust.”
Accenture survey reaches similar conclusion
International Privacy Needs in the Homeland Security Context
• Policies and programs that are measured against fair information principles, compliance with law, and take into consideration their privacy impact upon individuals
• Use of technologies that sustain and do not erode privacy protections for individuals
• Best Practices – “Rules of the Road” for appropriate information sharing between private and public sectors
• Recognition of common privacy principles and safeguards to enhance cross-border cooperation