Post on 09-May-2015
Privacy in the networked society
POLICY RECOMMENDATION
GUIDING DATA PROTECTION PRINCIPLES
Rene Summer | Public | © Ericsson AB 2013 | 2013-01-08 | Page 2
agenda
› INTRODUCTION
› BALANCING ACT
› GUIDING DATA PROTECTION PRINCIPLES
› CONCLUSIONS
society
› Finding a precise point of departure for a “history of human rights (HR)” is a controversial and politically charged matter.
› It is quite unrealistic to credit any culture, religion or region of the world with the origins of human rights.
› A common theme in the early development era of HR: “the limitation of absolute power and arbitrary power of the sovereign” (starting with the 1215 Magna Carta).
› Thinkers of the Enlightenment period (~1650 to ~1790) introduced the concept: “everyone was born with certain rights which no authority could take away”.
Source: Moeckli, Shah & Sivakumaran, International Human Rights Law, Oxford 2010
Legal perspective
› 1215 - Magna Carta
› 1689 - English Bill of Rights
› 1776 - US Declaration of Independence / Virginia Declaration of Rights
› 1789 - French Declaration of the Rights of Man and Citizen, US Constitution
› 1791 - US Bill of Rights
› 1798 Netherlands, 1809 Sweden, 1812 Norway, 1814 Belgium, 1831 Liberia, 1847 Sardinia, 1849 Denmark, 1850 Prussia…
Transformation into positive law
Limitations of POWERS
Landmarks but with limited practical EFFECTS
Legal perspective
› UN Universal Convention of Human Rights
› EU Convention on Human Rights
› Continued expansion of Constitutional recognition (explicit/implicit)
› Continued expansion in National Laws / Directives (EU)
› Creation of Data Protection Agencies (DPA)
Right to PRIVACY as a distinct right > articulated
› OECD Privacy Guidelines
› APEC Privacy Framework
› Certification (Safe Harbor Company, Corporate Binding Rules)
› Generally Accepted Privacy Principles (GAPP)
Emerging alternatives to “TOP-DOWN” legislation
Technology - scale
› Manual Era of data processing:
Data processing was not automatic, and large-scale, uncontrolled surveillance was too costly; together this provided a natural barrier protecting privacy.
› Computerized Era of data processing:
The spread of computerized processing from the late 60s, from the US onwards, gradually led to the disappearance of the “natural privacy barrier”.
Technology-scope
The advent of attention economics
creates also new privacy business opportunities
Source: Ericsson Consumerlab, Consumer Privacy in an Online World, http://www.ericsson.com/res/docs/2012/ericsson_privacy_report_updated_20120203.pdf
Regional Conceptual fragmentation
Source: http://www.worldvaluessurvey.org/
› Values and expectations culturally fragmented
› Concept of privacy “in the eye of the beholder”
› Privacy as concept fragmented within and between cultures
Perception / individuals/Confusion
Privacy theory development
› The right to be let alone
› Limited access to the self
› Secrecy – the concealment of certain matters
› Control over personal information
› Personhood – protection of personality, individuality and dignity
› Intimacy – control over one's intimate relationships or aspects of life
Challenge: Over inclusive > VAGUE / Too Narrow > Restrictive
Policy Challenge
“Privacy problems are often not well articulated, we frequently lack a compelling account of what is at stake when privacy is threatened and what precisely the law must do to solve this problem.”
MATCHING: Policy JUSTIFICATION (WHY) = POLICY OBJECTIVES (WHAT ENDS)
= REGULATORY INSTRUMENTS + REGULATORY APPROACH (HOW TO REGULATE)
Solove, Understanding Privacy, Harvard Press 2008
Balancing Privacy
Universal
Particular
Absolute Relative
Individual Absolutism – no social trust?
Balancing act
SOCIETY
INDIVIDUAL
PROGRESS TECHNOLOGY
Delicate balancing act: competitiveness of nations and impact of digitization
Source: World Economic Forum, Global Competitiveness Report 2010-11
Source: Booz & Company: Maximizing Impact of Digitization
[Figure: competitiveness pillars and digitization impact areas]
› BASIC REQUIREMENTS (key for factor-driven economies): Institutions, Infrastructure, Macroeconomic environment, Health and primary education
› EFFICIENCY ENHANCERS (key for efficiency-driven economies): Higher education and training, Goods market efficiency, Labor market efficiency, Financial market development, Technological readiness, Market size
› INNOVATION & SOPHISTICATION (key for innovation-driven economies): Business sophistication, Innovation
› ECONOMY: GDP growth, job creation, innovation
› SOCIETY: quality of life, access to basic services
› GOVERNANCE: transparency, e-government, education
delicate Balancing act
SOCIETY individual
Transformation of Society a delicate balancing act
› Continued ICT-led transformation, aka digitization of the Society
› Comes with necessary and desirable socio-economic benefits
› Facilitates the fulfillment of other classes of individual rights / human rights
› Needs of the Society – individual rights in isolation have limited / no meaning
› Economic progress at the expense of fundamental rights poses questions of legitimacy, desirability and sustainability
Progressive rights-based approach
› Anchored in the recognition of a certain set of individual rights e.g. privacy and a commitment by policy makers to protect these rights
› Is holistic, with a broad policy perspective that is not singularly constrained
› It aims to conciliate and balance between competing legitimate policy objectives: market, society and individual
› As a principle individual rights are neither subordinate nor superior
› Adherence to certain key guiding principles
Scoping Data protection
[Diagram labels: Human Rights Declaration; Constitutional or other statutory provisions; Right to Privacy; Information Management; DP, DR, LI, CS]
Data Protection (DP), Lawful Intercept (LI), Data Retention (DR), Cyber Security (CS)
Modeling DP - activities and stakeholders
[Diagram labels: DATA SUBJECT; INFORMATION COLLECTION, INFORMATION PROCESSING, INFORMATION DISSEMINATION and INVASION (numbered 1, 2, 3 and 5); USE (4); CONTROLLER; PROCESSOR; Territorial Jurisdictions]
Controller and Processor may or may not be independent legal entities
Source: Ericsson Adaptation: Solove, Understanding Privacy, Harvard Press 2008.
Guiding principles
› Targeted & transparent
› Technology neutral
› Role specific
› Flexible
› Efficient
› Trans-border tolerant
Targeted & Transparent
› Focus on the purpose
› Respect territorial requirements
› Aimed at Personal Data
› Approach Sensitive Data – in a territorial context
› Up to date, relevant and accurate
› Obtained with knowledge/consent
› Respect data subject rights: access, rectification etc.
Technology neutral
› Neutral treatment of platforms, business models and business processes
› Technology neutrality is not a source for circumvention
› Is the flip side of a well-targeted, purpose-focused principle
› Technology neutral encompasses:
– Legal and regulatory frameworks
– Choice of regulatory instruments
– Implementation strategy of regulatory instruments
Role specific
[Diagram: the activities-and-stakeholders model from the “Modeling DP - activities and stakeholders” slide, repeated here]
Controller and Processor may or may not be independent legal entities
Source: Ericsson Adaptation: Solove, Understanding Privacy, Harvard Press 2008.
maintain: Roles & Responsibilities (EU Directive 95/46)
› The relation with data subjects is established and maintained by controllers. This is why the existing legal framework foresees direct responsibilities for controllers, whilst the responsibilities of processors are left to be determined bilaterally between controllers and processors, depending on the circumstances.
› This current approach in existing EU regulation is well understood and has proven to be workable.
flexible
› Inherent tension - the need for flexibility and the demand for predictability and consistency
› Dealing with sensitive data
› Alternatives to top down/hard law approaches
› Accountability seeking
› Less descriptive regulatory instruments
› Makes room for co-regulation and self regulation
› Privacy by design with substance
efficient
› Periodic reviews to keep pace with technology
› Promotes framework simplification
› Provides sunset provisions
› Minimizes the cost of regulation to the public, consumer and business
› Measured breach notification measures
› Enforcement, contextually sensitive
Contextual Enforcement strategy
[Matrix diagram. Axis labels: INTENDED, INFORMED, WELL, ILL. Quadrants: ACCOUNTABLE COMPANY, EVIL COMPANY, UNINFORMED COMPANY, DECEPTIVE COMPANY. Enforcement responses: PUNITIVE DETERRENCE, PARTICIPATORY COMPLIANCE]
Trans-border tolerant
› Economies of scale > open flow of data
› Welcomes international de-facto harmonization
› Streamlining regulation between groups of companies and between independent legal entities
› Where harmonization cannot be realistically achieved or is expected to take a long time >
› Fill the gaps between standards in national DP rules with CBR (EU) or Safe-Harbor Company (US) certification.
conclusions
› The reality for the foreseeable future of DP: a continued fragmented and geographically contingent concept
› A progressive rights-based regulatory framework is the appropriate approach to safeguard data privacy
› Main challenge is to get the delicate balance right
› Safeguarding the right to privacy as well as to cater for public and market needs with the aim to gain, grow and maintain the trust of end-users which will benefit the digital market and consumer choice
› Flexible and adaptable to geographical contingencies, open to trans-border data flows, business and innovation friendly but also very importantly, aligned with national data protection policy standards