Privacy laws protect lucky few as millions lose in data breaches

Data-breach reports have tripled in a year yet the protection of a few remains privileged

PRIVACY HAS two definitions. There is the definition that applies if you are wealthy, or a celebrity, or a corporation or organisation, and you wish carefully to protect from the public eye your infidelities, personal peccadilloes, ethically questionable activities, illegal doings or other foibles that might damage your income, reputation or bottom line.

Then, there is the definition that applies if you are just an ordinary citizen and a bank, an insurance company, an electronics manufacturer, a telecommunications company, a law enforcement agency, a government department or other organisation holds or would like to view lots of potentially sensitive information about you.

If you are in the former, elite group, lucky you. You will find you are entitled to all sorts of perks and privileges when it comes to your special definition of privacy. Your national government may come up with laws specifically to protect your version of privacy.

Justice systems may invent special protections that mean not only is no one allowed to mention whatever it is you or your company is said to have done, but no one is even allowed to mention that such a legal protection is there in the first place.

Social media and internet companies may, despite public statements about valuing their users and freedom and democracy, relinquish information about the people who might have said something annoying about you, your company or your government, the better to enable the justice system to get these aggravating people off your back.

If you are in the second group, your privacy is too often a commodity.

Even though there are distinct legal requirements for a citizen’s information to be protected in specific ways, companies will ignore them or implement lacklustre protections and policies. Then they will say publicly they are shocked, shocked to find 1) their customers’ personal details and credit card information have been stolen by hackers; 2) their employees have lost numerous laptops and memory devices full of unencrypted client or customer information, which has gone who knows where; 3) their lack of strict access policies has meant employees have amused themselves with trawls through people’s personal data. Particularly interesting items may have been sold to private investigators or to tabloid newspapers.

Governments will enact laws that require years of information about you, the citizen, to be stored away, just in case you commit a crime at some distant, future point. In general, governments will ignore the recommendations from their own data privacy officials and even statistics from their own law enforcement agencies, which indicate that far shorter storage periods for such information are more than adequate for the occasional court cases that arise.

And governments will work to set up more protections for the privacy of the first group, through various press commissions and by failing to modernise defamation laws that already make it almost impossible for investigative reporting (as our years and years of tribunals in Ireland make clear), much less for anyone to operate even an internet discussion board without fear of being sued.

The past couple of weeks have certainly highlighted these two different definitions of privacy.

On the one hand, we all learned about so-called “superinjunctions” in Britain that prevented a wealthy English footballer allegedly involved in an extramarital affair from being named. As tens of thousands of Twitter users made clear, the law is a bit of an ass in this regard.

Radio and television talkshows explored every aspect of the issue, often, in a farcical twist, without naming the footballer whose name everybody already knew.

Meanwhile, Twitter has handed over account information on at least one of those said to have revealed the superinjunctions.

At least in this particular situation, the UK government has recognised that the system needs to change. British prime minister David Cameron told an ITV programme this week: “It’s not fair on the newspapers if all the social media can report this and the newspapers can’t, so the law and the practice has got to catch up with how people consume media today.”

But this is the same government that has – as does our own – some of the most far-reaching laws internationally on retaining citizen data, with some of the weakest protections on the privacy of the average citizen.

On the other hand, for tart contrast, one can read the annual 2010 report of Ireland’s Data Protection Commissioner, Billy Hawkes, published this week (www.dataprotection.ie).

According to the report, the commissioner’s office received three times as many reports of data breaches this year as last. As the report states, “Higher levels of awareness and stricter requirements under the Security Breach Code of Practice that we issued in July will have contributed to the increase. But this does not explain or excuse a tripling of the number of breach reports to our Office over the past year.”

In the report, as in the news generally over the past year, one is presented with a roster of data breaches: of companies that admit personal information held on their files was hacked into or lost; of government department and insurance company employees improperly viewing or selling on files of personal information; and of incorrect marketing use of data. Once again, the commissioner also points out various concerns with how organisations manage citizen data.

Yet the “privacy” of one celebrity or company is often deemed more critical than millions and millions of citizen data records. That’s an imbalance that is long overdue for proper scrutiny and redress.