Data Protection – Law and Ethics
Today is Data Protection Day in the EU, and Data Privacy Day in the USA and Canada. It’s a time when privacy people will be engaged in all sorts of initiatives to help raise awareness and educate colleagues, customers and citizens about their respective rights and responsibilities.
The last 12 months or so have been pretty big for the privacy community. Debates over the EU Data Protection Regulation have rumbled along, with various parties being accused of delaying tactics – sometimes for diametrically opposed reasons, and with lots of talk about the lobbying efforts of the US tech giants. Business has argued for lighter regulation in the name of supporting innovation, whilst citizen advocates talk about the rise of online profiling and erosion of self-determination.
Then of course we have had Edward Snowden, whose revelations have shone a spotlight on the actions of government spying agencies, principally the NSA and GCHQ. There have been important discussions about balancing civil liberties against security concerns. The tech giants have been caught in the middle this time – wanting stricter (or at least clearer) privacy laws. They worry that lack of trust in government data gathering will hamper their own data-dependent business models.
Plus, on a third, quieter, track there is the gradual decline of the technology-led efforts to agree a Do Not Track standard, with a particular aim of giving users the tools to rein in the data collection of the vast online advertising business – much of which pays for the ‘free’ services web users enjoy. Intractable differences between the two sides of this argument make it look very unlikely any real change will come from that direction, but a few keep the faith that some ‘agreement’ will be reached.
Most people it seems agree that we need new rules and laws for the treatment of what is variously called ‘personal data’ or ‘personally identifiable information’. They are just finding it difficult to agree on what those laws should be.
The big question I have been pondering, however, is: will such laws, whatever form they take, ever be enough? Defining what is legal or illegal is really just about setting the lowest level of acceptable practice or behaviour. Even setting aside the difficult issue of enforcement (historically the weakest link in this arena), the law is there to say ‘this far, and no further’. However, in most walks of life, and especially in ‘respectable’ or ‘professional’ society, mere compliance with the law is not enough to make something acceptable. In the UK we have the recent memory of the MPs’ expenses scandal to remind us of that, or the furore over whether multinational companies are making ‘fair’ tax contributions.
Which brings me round to the subject of ethics. For me, ethics fills the gap between what is legal and what is acceptable in society. Often ethics can seem a nebulous idea and very personal. There is an interchange between ethics and law, but when it comes to decisions on how we live our lives, personal ethics guide our behaviour much more than a knowledge of the law.
A code of ethics however, and especially a professional code of ethics, can be a very concrete thing. It can be specific where the law needs to be general. It can create lines that should not be crossed where the law provides a region of uncertainty. Very importantly, it can be easier for the non-legal professional to understand than the law itself.
It has another advantage that is particularly relevant to the world of data and privacy. It can easily cross international boundaries. Creating international legal treaties, or even mutually equivalent law in different countries with different legal traditions is notoriously difficult. The difference between common and civil law traditions can be especially difficult to bridge. In many ways this is precisely why the EU wants a new Regulation rather than a Directive for Data Protection.
However, a code of ethics, as long as it at least meets the minimum standard of relevant legislation, can create an international standard of behaviour much more easily, and potentially with a much more practical focus.
So while all this attention on revising legal instruments for data protection and privacy is good, I think we need to realise that it is not enough on its own. I know I am not alone in this view. A new academic paper from researchers at Washington University in the US, Big Data Ethics by Richards and King, not only presents a good argument but also outlines the key areas that a code of ethics in this field needs to cover.
The data industry is on the cusp of massive change, brought about by increasing computing power to carry out analysis, and potential growth in collection of new data streams from the Internet of Things. For the potential benefits of this to be realised we need to act now to form the ethical norms to govern this industry. If we don’t, we run the risk of either alienating users and therefore stifling the flow of good quality data, or creating a society where individuals become prisoners of their own data.