by Barbara J. Mack
“Transatlantic Conversation on Privacy and Personal Data“
With Isabelle Falque-Pierrotin and Cameron Kerry
MIT Media Lab, February 27, 2015
On February 27th, the Media Lab held a special event in its “Conversations” series, a discussion between Isabelle Falque-Pierrotin, who is Chair of the French Data Protection Authority, and Cameron Kerry, who is a Visiting Scholar at the Media Lab. Their conversation focused on the tensions between the pursuit of innovation in business, the need for regulatory control in government, and the wishes of citizens to have discretion over access to and use of their personal data.
Several features of the policy discussion in the European Union distinguish the approach from that taken in the United States. The views are expressed clearly in the joint statement of the European Data Protection Authorities Article 29 working party, issued in November 2014:
The protection of personal data is a fundamental right. Personal data (which includes metadata) may not be treated solely as an object of trade, an economic asset or a common good.
Data protection rights must be balanced with other fundamental rights, including non-discrimination and freedom of expression, which are of equal value in a democratic society. They must also be balanced with the need for security.
Technology is a medium that must remain at the service of man. The fact that something is technically feasible, and that data processing may sometimes yield useful intelligence or enable the development of new services, does not necessarily mean that it is also socially acceptable, ethical, reasonable or lawful.
Further points on European values in the declaration include the importance of preserving public trust and support for initiatives designed to improve public awareness and individual empowerment in the context of digital literacy, privacy education, and reporting of data protection violations.
In her talk, Ms. Falque-Pierrotin emphasized the principles that guide her work at the French Data Protection Authority: acknowledging the importance of modernization and allowing for the possibility of reinvention of norms and practices, while keeping both forms of progress in line with social values. She explained that in the effort to develop a new legal framework, there have been several areas of activity; first, there has been a focus on getting rid of excess administrative burdens on companies, leading to a reduction in the notification obligations. This does not mean that there is no responsibility, she was quick to point out, but rather that a new layer of accountability is engaged in the system now.
Second, turning to economics, Ms. Falque-Pierrotin noted that data has value; however, when data is being gathered and used, the business or government actor must take the human subjects into consideration. Certainly there are new and profitable opportunities to explore and innovation can bring efficiency and effectiveness – what is needed are concrete tools for companies to comply with privacy protection goals and mandates in their everyday use of data. With big data, in particular, she said, the central question is not so much about the principles of privacy preservation, but about the tools that will be used to achieve it. It is also important to influence the attitudes that are present in the data controllers and the way that citizens understand new initiatives.
There is strong interest on the part of businesses and consumers, for example, in smart grids and the Internet of Things (IoT), which will enable new services, greater transparency on bills and utility usage, and other useful functions. However, there is also a substantial level of concern that such grids could become spies, said Ms. Falque-Pierrotin, “They will know when you take a bath, if you take a walk in the evening, how many people are in the house.” This is frightening to people. Another example is emerging wearable devices that have generated much interest from consumers – as with the smart grid, in order for the companies to meet their business objectives and for consumers to benefits from an array of new data-driven services, they have to be sure on the guarantees for privacy. The French Data Protection Authority helps to generate compliance packages for industry, encompassing support for robust innovation while also requiring clear guidelines on how data are collected, used, and released.
Cameron Kerry addressed the work that has been done in the President’s Council and particularly the White House report on big data and evolving privacy regulations in the United States. He noted the current regime in Europe and the work that is underway in the Article 29 Working Party. He then asked for Ms. Falque-Pierrotin’s views on the ongoing dialogue between Europe and the United States. For international actors, she advised that it is important to appreciate the differences and respect European law. Europe is putting a great effort into tools in general, transparency on the part of data controllers, and training, in the form of digital and privacy education for citizens. On the regulatory and policy fronts, they are working, in part, on various aspects of pseudonymization and de-identification, with three main query parameters: 1) Is it possible to prevent linking to an individual directly, by name?, 2) Even if it is not possible to point to someone by name, is it possible to single out someone specific?, and 3) Is there a possibility of interfering with the data pertaining to the individual?
According to Ms. Falque-Pierrotin, the group is still working on this and does not have definitive answers yet. The working party document is the first step towards a broader European standardization. Part of the reason for her visit to the United States is to develop the understanding and also to obtain comments here, particularly from the policy and technology communities, on the way forward. “There is not one unique answer to the question of how we can have a data driven society that is both innovative and respectful of individual rights,” she explained, “We need to press on different buttons to achieve that balance.”
At the end of the conversation Ms. Falque-Pierrotin circled back to the MIT campus – she invited commentary on the work that is underway in the European Union and indicated that the transatlantic conversation has great merit; it will surely continue in the months to come.
See also, “Privacy and Data Protection by Design” – published in January 2015 by the European Union Agency for Network and Information Security
Cameron Kerry joined Governance Studies and the Center for Technology Innovation at Brookings as the first Ann R. and Andrew H. Tisch Distinguished Visiting Fellow in December 2013. He is also a visiting scholar with the MIT Media Lab. Kerry served as General Counsel and Acting Secretary of the United States Department of Commerce, where he was a leader on a wide of range of issues laying a new foundation for U.S. economic growth in a global marketplace. He continues to speak and write on these issues, particularly privacy and data security, intellectual property, and international trade.
Isabelle Falque-Pierrotin is the chair of the French Data Protection Authority (Commission nationale de l’informatique et des libertés). She was also recently elected chair of the Article 29 Working Party on the 27th of February, 2014. She first held various posts with the French State Council (Conseil d’Etat). After serving as chair of the Interministerial Commission on Internet Affairs in 1996, she was appointed as an expert adviser for the Organization for Economic Cooperation and Development (OECD). Isabelle Falque-Pierrotin graduated in France from the HEC School of Business Management, the National Administration School (Ecole Nationale d’Administration) and the Multimedia Institute.