As the Data Protection Authority and Privacy Commissioner Conference in Jerusalem winds up, Hogan Lovells Privacy and Information Management Practice Leader Christopher Wolf shares this report published in the Huffington Post which he co-authored with his co-chair of the Future of Privacy Forum think tank, Jules Polonetsky:
Modern democracies agree that the issue must be addressed, but the path to agreement is rough. This may describe the current political situation in the Middle East, but it also describes the conundrum of a global framework to protect the personal information of individuals in an increasingly technological age. All sides recognize that personal privacy is exposed in ways never before seen, but what legal framework is best to ensure responsible data practices is open to great debate.
We live in a time when companies are compiling digital dossiers about us, and are collecting information about our web browsing, our searches and our shopping habits. Geo-location data from our mobile phones is allowing a wide range of services, and new forms of online technology also allow targeted, so-called "behavioral" advertising. The increasing use of social networks, shows that people are more willing than ever to publish and share information about themselves, which provides an even richer trove of information that can be used to analyze consumers and predict their interests. And governments are eager to access the data in the name of national security.
Not all data collection and use is bad, of course. The use of online data subsidizes free content and enables new services. It is allowing us to better connect with each other. But lack of transparency about what is going on with personal data is a real problem, because it takes away personal control over who gets to see and use our information.
This week, in Jerusalem, regulators and policy-makers from around the world are meeting to discuss the best way to fix the world’s increasing privacy problems. There will be no disagreement over the technological threats to privacy. But disagreement is likely on what framework is best to improve individual privacy protections in this technological age. In the EU and in Israel, the preferred legal framework is an across-the-board privacy law for all data, while the US takes a more focused, harms-based approach to the protection of privacy
So how do we get an improved global baseline of privacy, one that allows people to understand what is going on with their information and that gives them control?
There is much to commend the mandate in the EU and Israel that all businesses that collect and use personal information must have privacy top of mind for all data. But even in the EU, there is an emerging understanding that specific privacy problems require more focused attention.
The hallmark of the current legal and regulatory privacy regime in the United States is its focus and flexibility. Lawmakers have enacted strict laws about financial privacy, health privacy, and children’s privacy. They recognized that financial data, medical data and personal information of kids deserve priority protection. Other personal information is protected through enforcement actions initiated by the Federal Trade Commission and state regulators.
Indeed, while the US lacks a comprehensive across-the-board privacy law like that in the EU and Israel, our framework of shared lawmaking authority and targeted enforcement has led to better privacy protection than ever according to a new study by professors at the University of California at Berkeley. The threat of enforcement plays a large role in getting companies to better protect privacy. In the last year we have seen important steps by companies and trade groups that have real promise. For example, companies have started to venture beyond legalistic privacy policies and are using more intuitive symbols or icons to begin to alert users to different kinds of data use. And companies are coming together in voluntary, self-regulatory groups with new privacy standards.
Interestingly, the idea of self-regulation is gaining a foothold of sorts in the EU, just as legislative proposals for comprehensive privacy law been introduced in the US Congress. So, while the privacy officials meeting in Jerusalem this week are unlikely to change their views on what is the best legal framework to protect privacy, they will have a chance to see the benefits of alternative approaches. This ultimately may lead to more common ground in the quest to protect the personal privacy of people around the world.
Wolf and Polonetsky are co-chairs of the Future of Privacy Forum, a think tank in Washington, DC that promotes responsible data practices.
Relatedly, see this report on proposals for reform of the EU Data Protection Directive and this report on the presentation Chris Wolf made at the Jerusalem conference on the effectiveness of the US enforcement model.
Word has it that the 33d Annual Conference of DPAs and Privacy Commissioners will take place in 2011 in Mexico, where a new national privacy law is being implemented. While it does not quite have the biblical ring of last year’s proclamation upon the selection of Israel as the site of the DPA meeting, "Next year in Jerusalem": El año que viene en México!