Privacy Law and Policy Reporter
These are selected extracts from Roger Clarke’s valuable summary of CFP 2000, available in full at <http://www.anu.edu.au/people/Roger.Clarke/DV/NotesCFP2K.html>.
Computer Freedom and Privacy (CFP) was opened by Conference Chair Lorrie Cranor the morning after the Canadian Parliament passed into law a privacy protection statute regulating the private sector. This directly addresses federally regulated sectors such as banking and telecommunications, but it also sets in train a process whereby all sectors will be covered in a few years’ time.
Brief welcomes were offered by the Privacy Commissioners of Ontario (Ann Cavoukian) and Canada (Bruce Phillips). This was the first occasion on which a CFP had been held outside the US, and hence it was also the first opportunity for the event to be launched by the local Privacy Commissioners. The subtext was (with apologies to Scott McNealy): privacy protection laws and privacy watchdogs are not only alive but they’re even normal. America, get used to it.
A panel chaired by political scientist and author Colin Bennett brought together Privacy Commissioners from four continents (Ontario, Germany, Hong Kong and Australia).
They first outlined their powers. The Australian Privacy Commissioner Malcolm Crompton said that he regards his overall mission as being to promote an Australian culture that respects privacy. He stated that a Government Bill to provide technologically neutral private sector regulation is due for tabling. (An analysis of that Bill shows, however, that it is not a privacy protection instrument at all, but instead is designed to legitimise a vast array of privacy invasive behaviour in the private sector, both existing and future.)
Although his office conducts around 20 investigations and handles nearly 1000 complaints (mostly involving a simple resolution process behind closed doors) every year, he sees his most important role as being promotion and education. He is concerned to help the consumer be more clever, and to promote to the private sector that ‘good privacy is good business’. He said he was pleased to be able to draw to the attention of Australian business that the American public fined DoubleClick $2 billion in one day, because that tends to capture their attention.
The Commissioners were asked to explain the processes involved in dealing with a specific scenario. The setting was that the government had just sent a confidential communication that it intended to announce the establishment of an ID card in two weeks’ time, that it sought a meeting with the Privacy Commissioner, and that it also requested the Commissioner’s participation in the announcement.
The Hong Kong Commissioner was forthright about a government attempt to force a quick decision on a contentious matter (in his case, the question isn’t just a hypothetical, but is actually a current issue). To him, a formal privacy impact assessment was a fundamental requirement. The Australian Commissioner appeared to be far less prepared to be confrontationist with the hypothetical government, to be very limited in the scope of the matters that he was prepared to consider, and to be concerned primarily with some controls over ‘function creep’. Unlike the Hong Kong and Ontario Commissioners, he seemed to be prepared to appear on a platform with the relevant Ministers even with only a fortnight’s notice.
A follow-on question related to whether and how the public would be involved by the Privacy Commissioner. The Australian Commissioner said he would work behind the scenes with the government, rather than becoming involved with the public, and would certainly not permit himself to be seen to be mobilising public sentiment. He mentioned the recent discussions he has co-ordinated concerning health privacy, where he believes that he has managed to get the agenda enhanced to include privacy, as a more important factor. The other Commissioners were also careful about the extent to which they would inflame the government, but were far less timid about the use of the media and the public.
The other scenario related to international data flows. A whistleblower is concerned that his employer, a bank in Germany, is sending employees’ personal data to other countries. He has requested that his identity not be disclosed to his employer.
It appears that handling the matter as an anonymous complaint would not be problematical in the circumstances in question, because it is a systemic matter, and no specific record is involved. For the Australian Commissioner, this is not within scope at present, and it may not be in scope even after the new Bill is passed (as employee records are to be exempt anyway, and the Principles may well be phrased in such a way that the action concerned is in any case not an interference with privacy, or is a trivial matter merely requiring better communication by the employer to the employee in the first place). In addition, he would be concerned about resources, and would probably accord low priority to a request of this nature.
At every turn, the Australian Commissioner gave the answers that indicated the least activist position among the Commissioners on the dais.
A panel chaired by Canadian academic Jim Tam considered the varying approaches to privacy protection adopted by the diverse countries on the western rim of the Pacific. The panellists were as follows.
Stephen Lau highlighted the recency of the emergence of privacy as a social policy issue in Hong Kong — and yet it has reached the same level of importance as health services and environmental hygiene.
He offered the following rough classification of the countries’ current approaches to privacy:
The Australia Card debate of the mid-1980s resulted in a Privacy Act (and no card). The Coalition Government promised privacy legislation for the private sector in 1996, then withdrew the promise, and subsequently reversed its position. Kate Lundy believes that the primary driver for the reversal was the furore over the Packer/Acxiom announcement that they were building a database about Australian consumers in the US. A further factor is the need to be seen to be satisfying the EU Directive. (My own interpretation is that the back-flip pre-dates the Acxiom issue, and that the biggest single factor has been the appreciation by industry associations that public confidence cannot be achieved without legislation.)
Debate is due shortly. The Senate is not controlled by the Government, and amendments are to be anticipated. The outcome could therefore be substantially different from the initial Bill.
Recent political change has focused attention on the privacy threats inherent in the application of information technology. Chinese culture has always had an emphasis on the skills of reading and interpreting people’s behaviour.
Jim Lin applied four dimensions of cultural difference:
Chinese culture is strongly collectivist. The term coined to correspond to ‘privacy’ is ‘invisible self’. It has some negative connotations, because ‘public’ is a good thing.
A data protection law was passed in 1995, along the lines of the OECD Guidelines, but it does not include the word privacy.
Recent privacy issues that have arisen have included:
There is a need for public awareness, and IT professional ethics need to be raised in relation to privacy.
The first question from the moderator asked the panellists about Nigel Waters’ notion of the legislation in Hong Kong and New Zealand being the third wave of privacy protection (the first being the European style of hard legislation, the second being American-style self-regulation, and the third being co-regulatory). Stephen Lau considered that it’s all a question of attitude, and partnership is a positive way to do it. Kate Lundy was very concerned about the risk in some co-regulatory approaches of corporate power resulting in inadequate sanctions, and the loss of parliamentary and even governmental oversight.
A further question related to data transfers from the public to the private sector. Kate Lundy was concerned about the effects of outsourcing on protections, which are merely subject to an advisory from the Privacy Commissioner that contracts should contain provisions carrying over the provisions to the provider; but the contracts are commercial-in-confidence. And anyway, privity of contract means that the approach reduces protections by precluding individual access. There are also possibilities of off-shore storage of personal data about Australians.
Whitfield Diffie was the co-inventor of public key cryptography. His declared motivation for that work was to enable security without dependence on other people. (In fact, he acknowledges, it succeeds in reducing that dependence, but it doesn’t remove it.) A theme of his presentation was that the deployment of a technology is a function not merely of invention and technical innovation, but also, quite vitally, of social systems that value the technology’s features.
He briefly reviewed the succession of computing and networking technologies from the perspective of the capacity that they embody to support the surveillance of the people using them.
Whit Diffie’s focus was on the use of the surveillance potential by employers in relation to their employees, but this analysis is just as relevant to employer surveillance of contractors, and of corporate surveillance of anyone who is attracted into using the technology in a manner that makes data available to the corporation. That includes the employee at home, using company-subsidised infrastructure and, of course, customers doing the same thing. ISPs that provide such devices at cheap rates to their customers also have these surveillance capabilities available to them in relation to the public at large.
Whit Diffie speculated that contractual arrangements were in the process of undermining employee protections that have been embodied over the years in labour law. He referred back to the discussion the previous day about the need for society to ignore ‘bad law’, and ‘bad technology’ as well. He hoped that CFPers would be active in the search for mechanisms that counter the trends towards recentralisation that he had identified in his paper.
Dan Gillmor from the San Jose Mercury wanted to know whether Whit Diffie had given a copy of his paper to his boss, Scott McNealy (Sun’s CEO — he of the renowned and very silly statement ‘Privacy is dead. Get over it’).
The 2000 Orwell Awards were organised once again by Privacy International (PI). This year’s awards were announced at the Conference. They went to:
PI also sends some positive signals, and gave Brandeis Awards to:
Roger Clarke, Principal, XamaX Consultancy Pty Ltd.