Personal privacy issues in the global public eye


NET RESULTS:The world has taken a significant step towards greater data protection with the signing of a new international deal

THE WORLD took a significant step towards better protection for personal data privacy last week – with some direct involvement from Ireland.

At an annual gathering of data protection officials in Madrid, attended by more than 50 countries and 100 representatives and – significantly – some of the biggest corporate data gatherers including Google and Facebook, experts signed off on a draft agreement for basic international data protections.

The agreement would allow data processing within and across borders only after permission – “free, unambiguous and informed consent” – is obtained from the “data subject” (eg the person whose data is involved) and should be held only as long as it is needed for the specific purpose for which it was gathered. Data may also only move across international borders to jurisdictions that afford, “as a minimum, the level of protection provided for” in the agreement.

Ireland’s Office of the Data Protection Commissioner was involved in drafting the agreement for the 31st International Conference of Data Protection and Privacy, and was also one of the original sponsors, says Data Protection Commissioner Billy Hawkes.

The agreement as it stands is non-binding, but the intention by those attending is to have an international binding agreement, probably via the UN, Hawkes says. The current document “has indicative elements of what might be agreed” in a final draft.

It is no accident that such an agreement is emerging now, as the broadband web enables fresh business models such as cloud computing and outsourced data-transfer activities to proliferate. In addition, both individuals and companies are increasingly immersed in social networking, search technologies, online commerce and many other activities in which information about an individual is sent from one point to another. It is hard to do business these days without managing and transferring personal data.

The last time a (semi) international agreement on data transfer and protection was sought – via the EU-US negotiations that became the so-called Safe Harbour principles – discussions were fraught between the EU, with its broad range of data protection legislation, and the US, where it was routine for commercial interests to use and even sell on personal data.

But in a globalised economy, world representatives increasingly recognised an agreement was needed between more countries than just the EU and US. In a major shift from past approaches, businesses are also realising they cannot simply argue that data should be free and that we needn’t worry as they’ll look after it for us.

Companies including Google and Facebook have come under continuous pressure from governments and citizens to reform their data use and management practices.

In Canada, Facebook recently changed significantly some of the ways in which it handles personal data in response to complaints from the Canadian privacy commissioner. Google has repeatedly revised its own practices of handling and retaining personal data in response to complaints from the European Commission.

This is why it is so significant that senior representatives from Microsoft, Google, Facebook and other companies were active at the Madrid data privacy event. For such companies, having a clear international agreement on data management and transfer practices creates a stable operating environment and a level playing field.

Over time they have realised that having some restrictions and responsibilities that are clearly spelled out and are the same in dozens of key markets is, commercially and economically, much better than operating with fewer impositions but greater uncertainty in multiple jurisdictions.

Microsoft’s chief privacy strategist, Peter Cullen, made such a point in a statement issued in advance of the Madrid event: “As the patchwork of worldwide laws has become increasingly difficult to navigate, Microsoft has repeatedly called for a comprehensive, workable global privacy framework that is consistent, flexible, transparent and principles-based.”

He noted that cloud computing was one of the primary game-changers because “global data flows have changed to become continuous and multipoint rather than linear and point-to-point. Chances are that data will flow differently in 10 years than it does today, and privacy rules will need to anticipate these inevitable changes.”

The agreement has been welcomed by data privacy advocates such as TJ McIntyre, chairman of Digital Rights Ireland and a law lecturer at UCD. “This is particularly useful given that it has been backed by representatives from the major internet companies as well as by data protection authorities. This gives it some authority though it remains legally non-binding.”

He notes that the agreement represents a substantial change from other international negotiations in that non-governmental organisations concerned about data privacy were also active in creating the agreement. Too often, such negotiations give “preferential access to industry while freezing out NGOs”, he says.

Perhaps the key element of the agreement, according to both Hawkes and McIntyre, is that it is based on the higher data protection standards of the EU rather than the lowest common denominator. “It harmonises up rather than down. The language used is very close to that of EU data protection law, which suggests – though the devil is in the detail – that it would require non-EU privacy standards to be significantly improved,” says McIntyre.

It’s a great start. Now the deal will go back to a working group to move it towards – many hope – an international, binding agreement.

Blog and podcasts: