The basic assumption of a right to personal privacy has been recognised around the world in diverse regions and cultures. It is protected in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights treaties. Most countries in the world include a right to privacy in their constitution, and where it is not explicitly defined it is generally acknowledged implicitly as a right.
Privacy International has categorised privacy into the following separate but related concepts: information privacy, bodily privacy, privacy of communications and territorial privacy. This article briefly visits the subject of information privacy: why it is needed and what exactly it means.
For years we have been sharing our personal and often sensitive data with government authorities, and normally we do not have much choice in this. Sensitive data is any data that links specifically to you and has the potential to be used to influence or discriminate for or against you, or that can be used to target you specifically once you are identified as a member of a particular group (e.g. women, Muslims, black people, people who are HIV positive, etc.).
Today thousands of databases set up by government authorities (health districts, police authorities, child protection agencies) are busy collecting and storing this type of information on residents in every country around the world, all in the name of national security, immigration, administrative efficiency, etc., while lacking the ability to manage this data effectively and securely.
And there is more: although we do not have much choice when it comes to sharing our personal and sensitive information with government authorities, where we do have a choice we share our personal information anyway. And everything we share is stored in a database somewhere.
Not to be deterred, we are easily enticed to take out loyalty cards (store cards, air miles, etc.) that give us privileged status with our favourite store, airline, etc. The card providers get information on us, consumer demographics: what we buy, how often we buy, where we travel and how often, etc. From this information they may derive the size of our household, our lifestyle, salary, age, job, children, cats, dogs, etc.
What's more, these card providers are friends with each other: stores, airlines, hotel chains, all in bed together in promiscuous mode, sharing our personal data as quickly as it is collected.
Many of us who possess these cards have no idea what has been done with our personal data. There are no mechanisms in place today to inform us how our data is being used and by whom.
Secure but enabled
Security and privacy sit on opposite sides of the same coin. Security is the enabler that protects our personal information from unauthorised access, but it is privacy enhancing technologies that should, in addition, give us, as the data subjects, access to what is being stored about us and the right to challenge what is being held. This is called transparency.
This need is recognised at the highest levels in Europe, where the European Union has the most stringent directives in place when it comes to each of us knowing what is being held on us and by whom; data subjects have a right to see this information.
In 1995 the European Union enacted the Data Protection Directive to harmonise member states' laws, providing consistent levels of protection for citizens and ensuring the free flow of personal data within the European Union. The directive sets a common baseline level of privacy that not only reinforces existing data protection law but also establishes a range of rights for the data subject. A key concept in the European data protection model is 'enforceability'. (The directive has since been repealed and replaced by the General Data Protection Regulation, Regulation (EU) 2016/679, which has applied since 25 May 2018.)
Data subjects have rights established in explicit rules. Every European Union country has a data protection commissioner or agency that enforces those rules. Countries with which Europe does business are expected to provide a similar level of enforcement.
In the UK this is codified as the Data Protection Act (DPA), which places pressure on governments and organisations to implement the controls needed to ensure the secure collection and storage of personal information, and to have processes in place so that the information held can be disclosed to the data subject on request.
The need for information privacy, although driven by the European Union, has gained some interest and action in the rest of the world. In the US, the 'Safe Harbor Agreement' is what was achieved to overcome the deficiencies in the US approach to information privacy.
The US approach is mainly self-regulatory, with minimal federal legislation and some state legislation that is in no way as encompassing or as far-reaching as the EU Data Protection Directive.
Safe Harbor gave United States companies the option to voluntarily self-certify their adherence to a set of privacy principles worked out by the United States Department of Commerce and the Internal Market Directorate of the European Commission.
The Commission approved the Safe Harbor agreement on 26 July 2000. All participating companies were presumed to adhere to the privacy principles set out in the agreement, which meant that they could continue to receive personal data from the European Union. (Safe Harbor was later declared invalid by the Court of Justice of the European Union in October 2015, in the Schrems case, so it no longer provides a lawful basis for such transfers.)
The principles require all signatory organisations to provide individuals with 'clear and conspicuous' notice of the kind of information they collect, the purposes for which it may be used, and any third parties to whom it may be disclosed. This notice must be given at the time the personal information is collected or 'as soon thereafter as is practicable'.
Individuals must be given the ability to choose (opt out of) the collection of data where the information is going to be disclosed to a third party or used for an incompatible purpose. In the case of sensitive information, individuals must expressly consent (opt in) to the collection. Organisations wishing to transfer data to a third party may do so if the third party subscribes to Safe Harbor or signs an agreement to protect the data.
By 2003 the Asia-Pacific Economic Cooperation (APEC) forum had 21 member economies actively engaged in developing an Asia-Pacific privacy standard. The aim of the standard was to provide a practical policy approach that enables accountability in the flow of data while avoiding impediments to trade. It also provides technical assistance to those APEC economies that have not yet addressed privacy from a regulatory or policy perspective.
More recently, in 2007, the Ibero-American data protection initiative had its inception during a seminar held in Colombia with representatives of 12 Latin American countries, in addition to Spain and Portugal. At this seminar the need was stressed to implement harmonised measures for the protection of personal data that would enable the free flow of information, thus facilitating trade.
Just as with the US, differing data protection levels in Latin America and Europe represented an obstacle to the flow of information, which in turn hindered economic activity. This was seen as a significant problem because very few Latin American countries have privacy legislation in this area.
Nonetheless, there are no privacy directives worldwide that really match that of the European Union, which mandates both the security of data subjects' personal information and their right to transparency. Even so, the drive for privacy enhancing technologies (PETs) and transparency enhancing technologies (TETs) is gaining strong momentum around the globe.
Governance and compliance are the buzzwords, along with a growing demand for accountability when sensitive data is lost, whether this proves to be accidental or the result of deliberate sabotage. What is clear is that the European Union is the driving force for privacy initiatives worldwide.
This article has been adapted from the BCS book Virtual Shadows: Your Privacy in the Information Society by Karen Lawrence Öqvist.