“Trust is essential to maintaining the social and economic benefits that networked technologies bring to the United States and the rest of the world. With the confidence that companies will handle information about them fairly and responsibly, consumers have turned to the Internet to express their creativity, join political movements, form and maintain friendships, and engage in commerce.”
So begins the White House publication, “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” (2012). This statement does capture certain widely held visions for the internet. The first developers and users of the internet saw it as a movement for the free sharing of knowledge, resources, ideas, and connections. Second-generation users tended to see it as a tool, through which organizations provided information and services. These users generally did have an implicit confidence that companies would only collect personal information needed to provide services and would handle it “fairly and responsibly”. The third generation of internet users sees the internet as a means of relating to others – no longer a tool, but a social environment. Many of these third-generation users share information online based on an understanding of assumed implied consent, expecting that companies will keep their information secure and ensure that it is not used for exploitative purposes.
However, none of these popular views of the internet correspond to the paradigm of the American privacy framework, which bases its recommendations on the concept of informed consent. From this perspective, companies have a responsibility clearly to inform users of their policies for collecting, using, and disclosing personal information. Users have a corresponding responsibility to judge whether to entrust companies with their personal information. The truth is, however, that the vast majority of internet users do not operate according to an understanding of informed consent. American companies have successfully appealed to the hearts, not the minds, of internet users. They have created websites and applications that are popular, attractive, and useful, and that have, in some cases, rapidly become daily necessities for work and socializing. Most internet users give little thought to whether they trust the companies whose services they use. They do not read user agreements or carefully consider what information they give to companies, but have a general expectation that they will not be exploited. For the average internet user, it is only when this expectation is violated that privacy becomes an issue.
What does privacy really mean?
For many internet users, the use of terms such as “trust,” “fair” and “responsible” to describe internet companies’ handling of personal information will seem disingenuous. Since Edward Snowden’s revelations about United States government internet surveillance began making headlines last year, expectations of online privacy have plummeted. Many internet users, in the US and internationally, have realized that they do not know how companies and governments are using their personal information or whether they should be trusted. If citizens are to rebuild their trust in companies and governments alike, a public discussion is needed about what privacy really means and how it can be enforced.
Despite its somewhat vague language, the American framework’s Consumer Privacy Bill of Rights does provide some useful definitions of privacy. Privacy is fundamentally about context: as the Privacy Bill of Rights states, “Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.” Similarly, “Consumers have a right to reasonable limits on the personal data that companies collect and retain.” The question then becomes, what is reasonable? Neither citizens, nor companies, nor government have a clear set of ground rules about the legitimate collection, use, and disclosure of personal information. The White House Administration proposes implementing privacy through flexible codes of conduct negotiated with individual companies; such a decentralized, corporate-friendly approach is unlikely to clarify these basic questions.
International approaches to privacy
As American companies have increased their international reach, many countries have manifested their lack of confidence in the American approach to privacy. Particularly informative is the European Union’s adoption of a strong privacy framework regulating local and international companies operating within the EU. As the European Commission’s General Data Protection Regulation (proposed in 2012) is implemented, it appears likely that companies operating within the European Union will be required to locate their servers within the EU, where they will be subject to local laws and protected from US surveillance. As non-US based online services become more available, it is entirely probable that privacy-conscious North Americans will abandon US companies as well.
In our previous article, “The EU, North America, Big Data, and Privacy: Lessons Learned,” we discussed several key differences between European and North American privacy laws. The EU regulation strengthens privacy protections in several areas:
- It implements a shared responsibility model for data sharing scenarios: all parties can be held accountable for protecting the privacy of personal data they hold, not only the organization which first collected the data.
- It holds companies accountable to the privacy laws of their customers’ jurisdictions, rather than allowing them to avoid responsibility towards foreign citizens.
- It outlines specific criteria for privacy impact assessments of companies, rather than allowing companies broad freedom to define the codes of conduct to which they are accountable.
- It holds companies to stricter requirements in the event of data breaches and enables collective action by citizens.
These contrasts not only illustrate a stronger privacy framework, but also disprove the US Administration’s assertion that rapid changes in technology make it impossible to define a uniform standard for privacy and that company-drafted codes of conduct are the only option for enforcement. Governments can take a more active and assertive role in enforcing privacy and it is time for them to do so.
About the Author
Dr. Waël Hassan, PhD, is a privacy evangelist, and a writer, designer and implementer of privacy enhancing solutions. Over 16 years of privacy experience, Waël has contributed to privacy practice by developing methodologies and frameworks for envisioning, evaluating, and implementing privacy, with an emphasis on design maturity.