Craig Mundie recommends changing privacy laws and practices to focus more on preventing and mitigating the misuse of personal data than on limiting the collection and retention of such data (“Privacy Pragmatism,” March/April 2014). That would be a mistake: limits on the collection of personal data should remain central to the protection of privacy. Simply put, governments and organizations cannot abuse or lose control of personal data that they cannot collect or retain in the first place.
Mundie also believes that better control over the use of personal data would obviate the need for businesses to obtain individuals’ consent to collect their information. According to Mundie, consent is often too difficult to obtain in a world of “passive” data collection, complex data flows, and incomprehensible privacy policies. But the solution to such problems is not to eliminate consent or to lower the expectations one should have about how one’s data will be used. Individuals deserve the right to control what happens to their personal data at any given moment -- not only after someone else has obtained it, perhaps even without consent. Consent allows individuals to set conditions for the use of their data, access the information relating to them that others have obtained, verify the accuracy of that information, check to make sure companies comply with the rules, and seek redress for any harm that results from the misuse of their data. Remove consent, and the other privacy checks and balances collapse.
In place of such protections, Mundie proposes a draconian government oversight scheme in which regulators would impose mandatory registration, auditing, and presumably new sanctions on all organizations seeking to use personal data. Such a system would rely mostly on after-the-fact remedies for abuse. But when it comes to personal data, once the harm has been done, it is extremely difficult to make things right again. Regulators all over the world already struggle to police privacy infractions. In this era of massive online connectivity, the majority of privacy breaches and data leaks remain unknown, unchallenged, and unregulated. Regulatory compliance alone cannot ensure privacy.
In addition to his regulatory proposal, Mundie suggests a technological approach to preventing the misuse of data: placing all personal data in a “wrapper” that would control how the data could and could not be used. Such an approach -- similar to the digital rights management “locks” that many common computer applications already use -- is certainly intriguing. But the idea of wrapping personal data has been proposed many times during the past decade without gaining much traction, probably because it would be hard to make it work.
Indeed, Mundie is unclear when it comes to precisely how his mixture of regulatory reform and technological innovation would come to fruition and concedes that it “would require political will and popular support” as well as “a combination of innovative new national and international laws and regulations.” That sounds like a daunting task -- and a risky course to take, given the fundamental shifts in privacy law and practice it would entail.