Does Privacy Need a Complete Overhaul?

I have been reading, and re-reading a very interesting paper recently (Nov. 2012) published by Microsoft – Notice and Consent in a World of Big Data

It is a report on a series of summit meetings sponsored by Microsoft in Washington DC, Brussels, Singapore, Sydney, Sao Paulo and then a final one back at Microsoft HQ in Redmond.  The meetings brought together leading privacy experts from academia, government, business and advocacy groups for high level discussions on the future of privacy.

The discussions were held under the Chatham House Rule, which prevents the reporting of individual contributions and therefore encourages more open and free discussion.  As nobody goes on record, they don’t have to be seen to promote or adhere to the views of their employers or interest groups they may normally represent.

The aims of the meetings were not to establish or agree on particular policy approaches or specific issues in different part of the world, so they didn’t get booged down in specifics like the Do Not Track debate.  Rather the aim was to create a dialogue around some of the fundamental principles and ideas that underpin national, regional and industry laws and guidelines.

Those principles are the OECD Privacy Guidelines adopted in 1980, based on the Fair Information Practices concepts developed during the ’70s. 

Those OECD guidelines provide the underpinning for almost all privacy legislation around the world today.  They established the basic model that processing of personal information should be based on informing people about the processing, and obtaining consent.

It is these principles that have given rise to ever more complex privacy notices and tick-boxes for accepting terms and conditions that few people ever read, or even have time to.

The basic premise for the discussions was that these principles, written long before the emergence of the internet as a global communications tool, are not fit for purpose in a world ever more dependent on big data.

They don’t protect privacy when such a small proportion of those impacted by data collection and processing even read, let alone understand what they are effectively giving consent to.  They also create barriers in some cases, to the ability to exploit data processing power to drive huge potential social, scientific and economic gains that could benefit us all.

Therefore, according to the report, what is needed  are  a new set of principles that will power an entirely new approach to the use of data, better balancing the right to privacy with competing interests for both commerce and society as a whole.

Key phrases that jump out are ‘responsible stewardship’, ‘transparency’, the opportunity for individuals to exercise their rights, and clear oversight by regulators.  The need for better security of data against loss or theft was also highlighted.

The report recognises that this is a difficult goal, and is likely to take a lot of effort, especially if consensus is to be achieved.  However, it also rightly points out that some degree of global consensus is needed – because in an environment where data moves freely all around the world, there needs to be consistency of expectation that it will be secure and fundamental privacy rights respected.

Overall the paper is an excellent overview of the important issues that need to be tackled, and while it claims to provide no answers, gives some strong indications of where they may come from.

We are probably a long way away from a world where it no longer becomes necessary to read privacy policies of Shakespearian length in order to understand our rights, and have them protected.  However, it we can find a way to change the game, and give individuals greater control over their privacy more effectively and efficiently but without preventing innovation, then it will be a worthwhile journey.

If Microsoft can continue to help drive this effort forward, they should be encouraged at every turn.