In recent years, privacy and data protection have become business critical issues whose significance is only set to increase. Due to the combined effect of three factors – the evolution of technology, the realisation of the strategic and commercial value of personal data, and the globalisation of data-reliant activities – we find ourselves at a crucial crossroads. The implications of devising an effective legal framework to regulate the use of personal information are crucial for the future of humanity, our freedoms and our economic wellbeing.
Achieving the right balance between the protection of our privacy and the potential to exploit the data we generate is equally critical for human freedom and mankind’s future prosperity. Ignore privacy as a human value and we risk losing a big chunk of our ability to make choices. Restrict the opportunities presented by what our data says about us and we will have killed the next stage of our development as a species. That balance is a movable target that will need recalibrating as we go along. What is necessary is an understanding of the factors that affect most directly the issues at stake so that policy makers, legislators, regulators, privacy professionals, lawyers and decision makers can address them.
Both privacy as a social issue and data protection law as a legal discipline are intrinsically linked to the evolution of technology. Computing and more specifically the Internet have given us the amazing wonders that we see today. Does anybody remember the world before tablets and smart devices? The need to regulate the use of information generated by our use of computers and many other Internet-connected devices has also become more prevalent. Until now, this has been a nearly parallel journey with legislators doing their best to catch up with technology. But as technology progresses and buzzwords like the Internet of Things, cloud computing and social media become more pervasive and embedded in our lives, it is more and more apparent that engineers think and act much faster than lawyers and legislators. This tells us very loudly and clearly that addressing the privacy and data protection challenges thrown up by fast evolving technology – let alone anticipating them – is only going to become more testing.
Aside from technological issues, another absolutely critical factor in the overwhelming jump to fame of privacy and data protection has been the progressive realisation that information about people is a very powerful asset. Data is the blood that keeps the information society alive and makes it grow. Our daily interaction with technology – whether through smart personal communication devices or simply a piece of plastic with a chip – makes data almost self-generating and more importantly, increasingly valuable. Like oil, people’s data is not always easy to capture and in its raw format, not that useful. But when properly and systematically gathered and studied, it can make a difference between failure and success for both governments and businesses. It is no coincidence that public authorities and commercial organisations are constantly hunting for data about their citizens and customers. The biggest success stories of the internet age are directly linked to the collection and exploitation of data about users, and the level of success is only growing in direct proportion to the amount of data produced by users. Data is not just blood. Harvesting and handling data is the new alchemy.
What is clear is that the unprecedented amount of data generated through our digital personas is allowing a new kind of world to arise. It is a world where residual or exhaust data becomes gold dust. It is a world where super-size is matched by ultra-personal, and where complete anonymity is a myth because every one of us will eventually be recognisable through our use of technology. But above all, it is a world which will never surrender the amazing value of data. In addition, our interactions with others through the myriad of means of communications available throughout the world – from local internet cafés in every corner of the planet to airlines at 40,000 feet – are generating not just loads of data, but universally ubiquitous data.
Data globalisation is not a threat but the consequence of a number of factors which cannot be ignored and are here to stay. The regulatory answer should not be to retreat to our national trenches and build even more restrictive legal frameworks. The future of privacy will only be as good as our ability to accept the constant evolution of technology, to recognise that personal information is an asset, and to see data globalisation as an unavoidable fact. These are the catalysts that have put privacy and data protection on the priority list of policy makers and business leaders and that will shape the future of privacy.
Regulating the development and use of technology is like chasing a moving target. However effective, powerful and sophisticated policy makers and regulators may be, they face an insurmountable challenge when attempting to apply existing privacy rules to this ever changing technological revolution, or indeed, devise new rules. However, if it is true that our use of technology generates the information that has become the golden ticket to economic and, hopefully, social prosperity of the world, it is in humanity’s interest that the right legal frameworks are in place to preserve the value of that information and protect those who generate it – us.
We do not want to stifle the thinking and creativity of those at the forefront of technological innovation. We need to encourage the development of ambitious technology that, at the same time, protects information and people’s privacy. The starting point is to recognise the limitations and possible drawbacks of regulating technology. Instead, we must direct our attention to the behaviour that should either be encouraged or prevented – irrespective of the technology in place. Another way of putting this is that laws should be geared towards achieving certain outcomes, such as incentivising compliance, empowering individuals or preventing harm whilst facilitating progress and technological innovation. So, whatever the state of technological development, it is clear to all what the direction of travel should be and where the behavioural red lines lie.
The most effective way of regulating the exploitation of data as an asset is to prove that responsible exploitation brings benefits that organisations can relate to. In other words, policy making in the privacy sphere should emphasise the business and social benefits – for the private and public sector respectively – of achieving the right level of legal compliance. The rest is likely to follow much more easily and all types of organisations – commercial or otherwise – will endeavour to make the right decisions about the data they collect, use and share. Right for their shareholders, but also for their customers, voters and citizens. The message for policy makers is simple: bring compliance with the law closer to the tangible benefits that motivate decision makers.
A complementary approach to incentivising compliance would be to require that all users of personal information give back a demonstrable benefit to the individuals to whom the information relates, unless there is a higher interest that should prevail, such as law enforcement or public safety. Compliance with this obligation would involve being able to show that when a commercial entity or public authority collects data from someone, those individuals are getting something back, such as a service of some kind that is of value to them. So the more you take, the more you give back. The law does not need to be prescriptive but simply create an expectation that value derived from personal information will be shared by default and it will be up to those who seek to exploit it to figure out how.
This is a defining moment to get our public policies right in terms of global data protection and privacy. Ignore the human and social implications of the exploitation of personal information and we will lose forever the right to privacy and possibly, our freedom. Be too overprotective with one of the greatest assets of our time and we will definitely block progress and prosperity. Fortunately for all, while regulatory regimes may differ across the world’s jurisdictions, there are common principles at the heart of all systems that should always be a reminder of how privacy regulation can tackle data globalisation.
Privacy compliance for the future
What does a privacy compliance programme for the future look like? Personal information will flow back and forth across geographical boundaries and therefore we need to find a credible mechanism for ensuring the right level of privacy and data protection, irrespective of where the data is accessed or stored. Much emphasis will continue to be given to transparency, particularly in the context of profiling, data analytics and anything that could be regarded as surreptitious.
The greatest novelties will be around people’s rights and their empowerment through value sharing. This may well create legal uncertainty that lawyers, decision makers and regulators will need to live with, but the idea of giving back some of the value of data to their sources is one of our best chances of getting the balance right. Given the lack of effective control over our own personal information, the concept of passive empowerment is a realistic and fair substitute. Just getting companies and governments to think about how to give value back will be a great achievement. What that value amounts to and how the law reflects that is something that will need to be determined, but as a principle, this is set to affect privacy professionals going forward and make their role even more vital.
Another novelty will be the prevalence of risk-based Privacy Impact Assessments as a “must have” tool. More and more data uses will qualify for this type of exercise, which will embed privacy considerations as part of the development process of most technology-driven products and services. Using risk as a metric will only grow in importance and privacy professionals as well as policy makers and regulators will need to make realistic assessments of what is risky and what is not. This will vary slightly from organisation to organisation, but all these key elements will certainly be part of future compliance programmes. The sooner we accept this, the sooner we will achieve our objective.
Eduardo Ustaran is an internationally recognised expert in privacy and data protection law. He is a dually qualified English Solicitor and Spanish Abogado based in London. Eduardo advises some of the world’s leading companies on the adoption of global privacy strategies and is closely involved in the development of the new EU data protection framework. He has been named by Revolution magazine as one of the 40 most influential people in the growth of the digital sector in the UK. Eduardo is co-founder and editor of Data Protection Law & Policy.
The Future of Privacy by Eduardo Ustaran was published in November by Data Guidance, part of the Cecile Park group at £19.99 + p&p.
Part I looks at the changes due to the evolution of technology and the global exploitation of data. Part II exposes the limitations of attempting to regulate technology and offers an approach for dealing with data globalisation based on the interoperability of regulatory models. Part III covers the compliance perspective and considers the key elements that will need to be tackled to comply with the regulatory framework of the future.