The following day I was off to hear the current Information Commissioner, Christopher Graham address the Data Protection Forum. You should have been there – he followed Dr Chris Pounder to the podium, and delivered an impassioned rebuttal about the gentle ribbing he had received at the hands of this particular data protection giant. Chris tells me that he’s thinking about retiring in 5 years time (probably well before the next Data Protection Directive is in force), so fight to buy your tickets to his events now. His farewell tour will be pretty spectacular. His knowledge of data protection law and the culture of privacy will not easily be replaced.
But I digress.
Christopher Graham made a number of interesting points in his presentation, which explained his vision of the role the ICO would play over the next few years. He began by setting the cultural scene, pointing to a significant shift which few are only now beginning to appreciate, and which the rest of us will latch onto with a vengeance in the coming months.
The issue is one of surveillance and who is carrying it out. Christopher’s thesis was that, previously, citizens have been concerned at the activities of the State. Think about CCTV cameras, the Regulation of Investigatory Powers Act, the Interception Modernisation Programme, GCHQ’s “Mastering the Internet” initiative, the ContactPoint database about all children, the DNA Database, the NHS spine and the information retained for long periods on the Police National Computer. These were all examples of the State developing tools to monitor its citizens. Privacy International and the rest didn’t like it very much. They asked obvious questions, such as “what’s the benefit to society? and what are the safeguards against misuse?” They were not overly impressed with the replies. But there was not much they could do about it. When the State is a monopoly provider of services, it’s not that easy to boycott them.
The interesting development over the recent months has been the transition of public awareness (to be followed by some public concern) to the surveillance activities which are carried out by private companies. And these databases, being global in nature, are significantly larger than some of the national databases I’ve already referred to. Think about behavioural advertising, Google’s Satellite and Streetview service, the data retention obligations that may fall on providers such as Yahoo, Amazon, Facebook, Gmail and the rest. And we don’t see much of an equivalent array of controls (such as those contained in the Regulation of Investigatory Powers Act to monitor the behaviour of these private activities. Where are the equivalents to the Surveillance Commissioners, with experience, audit powers and real sanctions? Is this role adequately addressed by the Privacy Regulators around the world? Why did I bother typing the last sentence?
What interests me is the role that Privacy International and the rest will play in issues relating to the privatisation of the surveillance state, either in stoking up public concern (as, say, they did in the Phorm debate), or in playing a role to reassure citizens that some of these public companies can be trusted to respect the legitimate expectations of people whose records remain in their databases. To a large extent, these companies are not monopoly providers of services (not quite, anyway), so presumably a well organised public boycott would swiftly bring about changes. It didn't take thet many people to crush Phorm. Only a few days ago my nephew told me about the tsunami of change that had recently occurred on Facebook – with people changing their main image to that of their favourite character from their childhood, as a way of identifying themselves with a topical children's campaign.
Is briefly changing your Facebook image the equivalent of wearing a red ribbon to mark World AIDS Day? I think it is. Will this craze catch on next year, perhaps with a special icon for Children in Need?, or for Help for Heroes?, or for imprisoned Nobel Peace Prize Laureates? Again, I think it might.
So, where does this leave us data protection professionals? With jobs for a long, long, time, I guess. As we seek to explain to colleagues within private companies that the “new, innovative, exciting, sticky” (but oh, so slightly intrusive) services they are creating can only work within a culture of transparency and respect for people who don’t want to participate in these new services. Well, they don’t want to participate just yet, anyway. They may come round to it in the end, but we must not be so presumptive as to believe that the citizens of this world will instinctively share the vision of the geeks who try to earn money by exploiting the links they perceive exist between people and commercial services.
As Ken Dodd used to say, “We have to woo our audiences. We can’t just expect them to like us.”
.
Posts
