In the fourth of our series on the challenges the new government faces, Lilian Edwards, academic and ORG advisory council member, looks at the big privacy challenges, and particularly the review of data protection now starting in the European Union
"Day One: In what used to be the Big Brother House, Nick and Dave have decided to dismantle the database state" (quote from @futureidentity on Twitter, aka Robin Wilton)
Well, hello and welcome to the new politics – we hope. My fellow bloggers have got here well before me in wondering what the change of leadership might mean, if anything, for repeal of the Digital Economy Act – but there’s still a lot to celebrate (and of course pick at) in the realm of privacy and civil liberties. Many of us have felt unduly (and rather disbelievingly) pleased these last couple of days to see the dream list of civil liberties we’ve fought so long for seeing the light of the ConDemNation shopping list.
So far, pretty much the entirety of the Lib Dem’s pre-election Freedom Bill seems to have been essentially cut and pasted in, including of digital special interest:
It is, as in the old joke about 10,000 lawyers at the bottom of the Mariana trench, what you might call not a bad start. Some of the provisions , as noted elsewhere, have particular significance in the light of what is going on in Europe right now, namely, the long awaited review of the Data Protection Directive (DPD), the primary instrument which regulates informational privacy throughout Europe.
The principles of the DPD remain strong, but many acknowledge the implementation in practice is broken, as the Directive has fallen between the Scylla of ever greater public sector data collection and mining to (allegedly) combat terror and crime; and the Charybdis of private sector data collecting to create a revenue stream for “web 2.0”, particularly in the shape of targeted advertising schemes like Phorm.
Data retention in particular has been controversial; DP law says data should be retained no longer than necessary to fulfil the purposes for which it is collected, while states, including notoriously the UK’s former government, have pushed for as long a period of retention as they could get away in the name of law enforcement. The rolling back of data retention signalled above will thus require input into the EU DPD reform process; with the UK hopefully finding itself joining the ranks of countries like Germany and Romania which have opposed the Data Retention Directive as unconstitutional or invasive of privacy.
What more do we want from the European review? Three issues stand out which are not mentioned in the list above.
First, we have to think about what redress ordinary citizens and users can get in response to abuse of their personal data. DP law in theory provides for individual civil actions, but in practice these are rare to non-existent. It would be better to think of data breaches as a pollution of the data environment, with civil enforcement carried out by group (or “class”) actions lead by national data protection or consumer authorities, backed by far more stringent criminal penalties to deter data breaches than currently available. Extension of mandatory security breach notification from the telecoms industry to all sectors needs looking at too.
Secondly, what users increasingly want more than financial compensation are two things: first, an easy way to know what data is held about them; and second, an easy way to get that data deleted with no need to prove damage or abuse. The first can be met by mandatory schemes on online subject access, the second by a principled approach such as the French so-called “right to forget”. Both public and private sector must be forced to get in line behind these simple steps, although the marketing industry especially will no doubt put up strong opposition.
Thirdly, the headlines are alive again with yet another Facebook privacy scandal. Social networking sites are brilliant for communication, for campaigning, for expression and identity; but they do not have to be anti privacy to meet these functions (as the new experimental Diaspora may sometime show).
Users of sites like Facebook mainly sign away control of their personal data as the price of admission to the site, mostly without a thought or a glance; DP thus offers almost no protection as it is trumped by “consent”. Yet in other types of consumer contract, like sales, insurance and employment, the law says that users should be protected from simply signing away their rights, and that only certain types of contract terms are allowed.
Why should SNS contracts not be so regulated to provide minimum standards of data control and security for users, as well as transparency? This could be done by negotiating authorised standard contracts with industry, possibly implemented via standards or codes rather than primary law to allow speedy revision as and when.
Such contracts should in particular specify that privacy settings on social networks be set by default at a minimum protective level to combat consumer ignorance and inertia and the fact that privacy controls are typically hidden and impenetrable - a good example of the concept of “privacy by design” Viviane Reding has said she is considering introducing into the Directive.
Finally and perhaps most importantly, data protection simply cannot be enforced while national DP watchdogs are starved of the cash and personnel they need to manage an enormous task of supervision and education and take on the crucial job of leading test and group cases. But proper resourcing needs not more law but political will. That must come from ordinary users making it clear that contrary to whatever Marc Zuckerberg may think, privacy really does matter to them. It’s not ALL about the economy, stupid.