Defense In Depth
Why U.S. Security Depends on Alliances—Now More Than Ever
Craig Mundie recommends changing privacy laws and practices to focus more on preventing and mitigating the misuse of personal data than on limiting the collection and retention of such data (“Privacy Pragmatism,” March/April 2014). That would be a mistake: limits on the collection of personal data should remain central to the protection of privacy. Simply put, governments and organizations cannot abuse or lose control of personal data that they cannot collect or retain in the first place.
Mundie also believes that better control over the use of personal data would obviate the need for businesses to obtain individuals’ consent to collect their information. According to Mundie, consent is often too difficult to obtain in a world of “passive” data collection, complex data flows, and incomprehensible privacy policies. But the solution to such problems is not to eliminate consent or to lower the expectations one should have about how one’s data will be used. Individuals deserve the right to control what happens to their personal data at any given moment -- not only after someone else has obtained it, perhaps even without consent. Consent allows individuals to set conditions for the use of their data, access the information relating to them that others have obtained, verify the accuracy of that information, check to make sure companies comply with the rules, and seek redress for any harm that results from the misuse of their data. Remove consent, and the other privacy checks and balances collapse.
In place of such protections, Mundie proposes a draconian government oversight scheme in which regulators would impose mandatory registration, auditing, and presumably new sanctions on all organizations seeking to use personal data. Such a system would rely mostly on after-the-fact remedies for abuse. But when it comes to personal data, once the harm has been done, it is extremely difficult to make things right again. Regulators all over the world already struggle to police privacy infractions. In this era of massive online connectivity, the majority of privacy breaches and data leaks remain unknown, unchallenged, and unregulated. Regulatory compliance alone cannot ensure privacy.
In addition to his regulatory proposal, Mundie suggests a technological approach to preventing the misuse of data: placing all personal data in a “wrapper” that would control how the data could and could not be used. Such an approach -- similar to the digital rights management “locks” that many common computer applications already use -- is certainly intriguing. But the idea of wrapping personal data has been proposed many times during the past decade without gaining much traction, probably because it would be hard to make it work.
Indeed, Mundie is unclear when it comes to precisely how his mixture of regulatory reform and technological innovation would come to fruition and concedes that it “would require political will and popular support” as well as “a combination of innovative new national and international laws and regulations.” That sounds like a daunting task -- and a risky course to take, given the fundamental shifts in privacy law and practice it would entail.
Mundie is right to seek more accountability when it comes to the misuse of personal data. But he is wrong to advocate abandoning the user-centric practices and principles that have guided privacy protection since the 1970s and that arise from a fundamental belief that individuals must be allowed to exercise control over the collection, use, and disclosure of their personal data by others. Indeed, Mundie’s proposals are out of step with cutting-edge thinking in policy circles on both sides of the Atlantic. The administration of U.S. President Barack Obama recently released two major reports on the challenges that “big data” poses to privacy: both affirmed the right of individuals to understand what happens to their personal information and to enjoy privacy-enhancing options and tools. Meanwhile, in May, the Court of Justice of the European Union issued a landmark ruling that recognized a “right to be forgotten” and directed Google to remove outdated personal data from its search results.
If Mundie truly believes that dramatic changes are required, he should forgo his narrow conception of pragmatism, which would mostly serve corporate and government interests at the expense of individual privacy, and instead pursue a more radical form of pragmatism that would embed privacy protections into the design and architecture of information technologies, business practices, and government operations. Individuals must be able to directly share in the production and consumption of their personal data, impose limits and conditions on that data’s use by others, and choose whom they want to trust. When it comes to regulating privacy, let the people decide.
ANN CAVOUKIAN is Executive Director of Ryerson University’s Institute for Privacy and Big Data and previously served as Information and Privacy Commissioner of Ontario, Canada.