Saturday 4 June 2011

Let’s not expect too much from a revised data protection directive

I’ve recently been engaged in an on-line exchange of views which started with me commenting on whether Google and Facebook should be regulated to protect our privacy, but it quickly turned into a commentary on the futility of believing that a formal Directive was all that was required to achieve change.

I started my intervention by commenting that: If we are really worried about Google or Facebook then we should just stop using them. These companies should regulate themselves, and allow the market (ie us citizens, us individuals, us consumers) to decide if we want to use them. There is no law that compels me to use them - so I should be allowed to use them at my own risk. And if I feel they can't be trusted to protect my privacy then I will just stop using them. It’s as simple as that. Will regulation work? Ask King Canute - or King Lear.

A chum of mine then wrote back: From 30 years of working in data privacy, governance, information risk management and law — with many very well educated people in some amazing client companies — it continues to be evident that people from all generations, income levels, and educational levels and abilities are generally ignorant of data protection issues and risks, and of privacy laws and what to do about them. That includes people in government and private sector organizations large and small, many of whom are responsible for access and privacy for their organizations — and despite the fact that privacy legislation has been in force in Canada for many years now. A survey done for Canada’s federal Privacy Commissioner said the same thing: "almost 3 in 5 are not aware of their rights in relation to how governments and companies collect and disclose personal information" and "only 1 in 5 express an above average amount of knowledge" of privacy and access laws.

How many parents and teachers (and legislators and bureaucrats) are capable of advising children about the privacy risks? Do they understand the issues, the technology, or the laws well enough to teach children what to do (or not do) or how to protect the privacy of their own data?

So how likely is it that children will avoid using social media? The pervasive message is that ‘everyone’ has joined Facebook and other social networking sites; and the silent message is that having a Facebook account and many ‘friends’ is validation of one’s existence.

While adults and children have the same fundamental need for acceptance, few adults I've met are capable of teaching the facts, and fewer still are courageous enough to demand that these topics be included in their children's curriculum. Meantime, children are told to “stay safe online” while school districts are adding iPads to their lists of mandatory kindergarten classroom items.

From an economic perspective it’s easy to see the imbalance between the revenue to be earned from worthwhile education about the risks and consequences, and the billions of dollars being spent – and being earned – by encouraging children and adults to sign up, log on, and join in. So the situation is being perpetuated as the next generation is being groomed (through ignorance and/or omission) to be an entire target market to be fleeced and exploited.

Looking further into the future are the additional benefits to our national economy that come from the new industry of cybercops, reputation defenders, technology vendors, legislators, bureaucrats and lawyers – all of whom are assured job security while individuals see their identities stolen, their insurance voided, and their futures and careers put at very real risk of significant harm.

This very thoughtful reply caused me to stop and think for a bit, before posting the following: I must say that I agree with many of your sentiments, but I was making a more fundamental point. It comes from my school experience - I vividly remember going to boarding school during a period of industrial action known then as the 3 day week, where striking workers caused widespread power cuts, post delays (horrific for a child waiting for his daily letter from his parents!), and disruption all around. Were we turning into an ungovernable society, commentators thought. It was certainly clear that the Government was not able to govern effectively, and eventually that Government fell.

My professional background in self, mutual, co and formal regulation tells me that calls for more laws to regulate the behaviour of internet actors is unlikely to be very effective. What I think we really need to do is work from the other direction - ie changing the expectations of individual consumers (perhaps, unfortunately, by allowing a few of them to suffer some form of mild harm so that others realise the potentially horrific results of poor data protection standards). Then the consumers themselves ought to be able to group together to demand change.

As far as the private sector is concerned, I believe that it is only really going to be customer behaviour that will influence the minds of the Board Members of the major data controllers. I don't think regulatory action is necessarily going to do the trick. Their fear has to be the fear of the market - that customers are so unhappy that they move with their feet (or cursors) to other competitors.

Regulators have done little to address the war on drugs. Or the war on anti-social behaviour. Many young people find it hard to keep their jeans around their waists without exposing their underwear. Why - because they wish to behave that way.

So let's not expect regulators to have powers that, in these financially straitened times, they will never get. Or that data controllers will naturally respect the views of regulators. Not all of them are independent from the governments of all EU Member States. And, given the global reach of the internet (evidenced only recently in the UK by the failure of English courts to prevent news about celebrities from leaking - despite injunctions in England), that their wishes/opinions will automatically be respected by many people.

Of course regulators have a role to play, in championing the rights of the individual - but for them to be really effective there has to be a robust tide of public opinion behind them. If they are not careful, regulators will spend increasing amounts of time considering technical issues in an introverted manner that does not reach out to the individual. So they will be ignored by the data controllers of social networks and the internet search engines who are more concerned about the aspirations of their customers than they are of the regulators.

We are on the same side - honest!

And peace broke out as my chum graciously replied: I agree that we are on the same side. I do not think that regulation is the answer. How can it be when the regulators, bureaucrats, legislators and their minions are among those I've dealt with who are ignorant of data protection and privacy? Too often they make, debate, and create laws without understanding the real need (if any), the impact, and the unintended consequences. I've seen it first-hand with laws created by the Government of Canada and provincial governments. And it was spectacular to see how "consultation" is apparently disregarded, short-sighted legislation is passed, and the creator(s) are hailed and promoted as the victims (citizens) are left to keep their nose above the muddle munificently created on their behalf. Then there's the whole regulatory nightmare and unintended consequences of the negotiated-in-secret Anti-Counterfeiting Trade Agreement, but that's another discussion entirely.

So, the moral of this blog posting is that we should not expect too much from formal regulation. Let’s adopt a common sense approach first of all, embracing the principles of transparency and choice – and help the individual appreciate the benefit of trading some of their privacy for a tangible reward.

Image credit:
The first English Edition (1954) of the play “Waiting for Godot”.