Data Privacy Basics


Data Privacy and Security

Purpose
• To discuss the meaning of privacy in a cyber
security and human rights frame
• To explore how the notion and realization of
privacy is changed by the internet
• To identify the factors shaping the way that
privacy is being affected online
• What could different stakeholders do to
respect privacy online
What is privacy
• Privacy has different meanings in different contexts
and societies.
• Linked to security and to control of immediate
environment - what is known or can be known
about us.
• Exact definitions are elusive – national and
international courts have refused to provide clear
definitions of privacy.
• There can be tensions between freedom of
expression rights and privacy rights.
Privacy is not data protection
• Data protection rules are designed to address
the systematic collection of data about
individuals and the rules apply to all
personally identifying data held by designated
“data controllers”.
• Privacy is a more fluid concept, applying to
information about which a person may have a
reasonable expectation of privacy.
Meaning of privacy changes
• Personal integrity lies at the heart of privacy.
• Privacy in a communal village or a modern city is very different.
• Emergence of generalized private property (single
households) has shaped notions of privacy.
• Also shaped by technology, e.g. modern notions growing from
debate about newspaper photographs.
• No exact boundary; a dramatic technological change like the
Internet will inevitably reshape understandings of privacy.
• Contrast between what people say about privacy and the
internet and how they behave.
The internet
• Enables the collection of new types of personal
information
• Facilitates (and economically demands) the collection
and location of personal information
• Creates new capacities for government and private
actors to access and analyse personal information
• Creates new opportunities for commercial use of
personal data
• Creates new challenges for regulation given the
transnational nature of the internet.
Internet services redefine privacy environment dramatically

• Cloud computing (raises questions of security, data
breaches and ownership),
• Search engines (systematically track and monitor our
behaviour),
• Social networks (depend on a company-led exchange
and analysis of data provided by users),
• The mobile internet (ties internet use to geo-located
devices),
• Internet of things connecting all potential objects
which together convey a complete picture of our lives
Government use of data
• E-government - governments moving to digital
platform and provision of services.
• Government increasingly seen as a digital platform.
• Some governments have designated e-identities that
allow services, banking, voting, health monitoring etc.
• With the sheer volumes of data available it is difficult
to conceive that governments won’t seek to access it.
• How to balance the provision of e-services (much
cheaper than human services) with security and
personal privacy?
Internet technologies and government
• Governments have become increasingly concerned about security
issues online – for legitimate and illegitimate reasons.
• All governments are attempting to access information online (Snowden),
with concerns about
– Scope of surveillance (who are the targets and how big is the
net)
– Legal framework of surveillance
– Use of mass metadata searches excluded from legal
accountability
– Weakness of oversight
– Absence of legislative competence
Internet is built and operated by the private sector, not a public utility
• Provision of internet services rests on a business model
based on advertising.
• We trade or cede our privacy in exchange for free services.
• Such service models either directly depend upon exposing
private information (Facebook).
• Or intrude on privacy to create efficiencies (tools that optimize
searches based on tracking user preferences).
• Generally little real public pressure or incentives to challenge
this model.
• Informed consent to data use for users online is complicated by
range of different applications, complexity of terms of use, and
apparent public indifference.
Economic growth and internet
• New emphasis on economic growth and internet
development
• Increasing pressures for data sharing, cross border
transfers of data
• But the business environment depends on people
feeling secure, and categories of information
(financial, health etc.) need to have guaranteed
confidentiality
• Cybersecurity – understood as providing privacy – is
essential to an internet-based economy
Cross border data transfers
• Cross border transfers of personal data now common in utility provision,
financial services, education, e-commerce and health research;
• Cross-border internet traffic grew 18-fold between 2005 and 2012
(McKinsey);
• Growing digital trade and new technologies such as 3D printing could
see global flows of capital, data, goods and services more than triple
from the $26tn recorded in 2012 to an estimated $85tn by 2025;
• Key question: how to protect privacy and individual liberties while
enabling the free flows of personal data and maintaining security of
personal data
Privacy offline and online
• Privacy online should be protected as privacy offline –
what does this mean in practice?
• Need to understand what is new about the environment
and how to tackle it.
• Next generation of innovation – internet of things,
wearable technologies, AI and robotics, 3D printing are all
critical to society, to economic growth and will provide
further challenges to and reshaping of notions of privacy.
• All will depend upon strong security both technically –
encryption – and normatively – legal rules governing
access to and use of personal information.
Two related issues to consider
• Implications of developments in private sector and
where the technologies and markets are leading.
• The use of personal data by governments – not just
security surveillance but wider recasting of
citizen/government relationship digitally – tax,
health, etc.
• How to balance tackling crime and terrorism with
the free flow of information and anonymised
identities?
What is the privacy agenda?
• At the heart of the notion of privacy lies a sense of personal
integrity and dignity whatever the social context. At the
core of this is a sense of ownership and control, i.e. consent
to use of information (basis of data protection system) and
what can be known.
• Current business models require us to hand over ownership
of our data to companies in exchange for benefits; use of
that data is loosely regulated if at all. How do we control
this?
• Government access to data, however intrusive, at least in
most democracies operates in some kind of legal
framework. How can this be strengthened to respect
privacy in the broadest sense?
Governments should:
• Commit to ensuring user security and privacy as a policy goal
• Commit to freedom of expression, aware of the need to
balance both rights
• Understand cyber security as embracing users' interests
• Be transparent about the rationale and scope of surveillance
or other measures violating privacy
• Ensure that rules governing surveillance and privacy violations
are grounded in law, consistent with international principles
and subject to supervision by independent courts
• Regulate effectively, e.g. by having technical skills on regulatory
bodies
Companies should:
• Practice greater transparency about data management
practices
• Provide accessible and reasonable terms of service
• Explore shift of business model to one where there is
greater user control of data with the ability for users to
own data and grant permissions for use.
• Encourage higher standards of encryption and
anonymity, as both are enablers of privacy rights
• Publish details about government requests for user data
Civil society role
• To represent consumers and consumer
interests
• To bring concerns from excluded and
marginalized groups
• Provide innovative ideas and policy options
• To champion a public interest approach to
privacy policy
Conclusion
• Ten years ago, the International Law
Commission concluded that “no homogenous
hierarchical meta-system is realistically
available” within the international legal order
to resolve detailed differences among the
separate spheres, that this would have to be
left to the realm of practice.
• This means little prospect of a global privacy
policy – so how can it be “practiced”?
The realm of practice
• Policy forums - International Conference of Data Protection and
Privacy Commissioners discussions, Internet Governance Forum
• UN normative standards setting such as the UNGA (resolutions on
privacy),
• Recommendations such as the OECD Guidelines on the Protection of
Privacy and Transborder Flows of Personal Data
• UN Special procedures e.g. UN Human Rights Commissioner (recent
report on privacy); new Special Rapporteur
• Technical bodies – e.g. Internet Engineering Task Force (IETF) – work on
increased encryption standards, RFC 6973, RFC 6772, RFC 6280
• Regional courts – ECHR generic privacy cases
• National courts – Yahoo, Louis Feraud judgements
The practice of privacy
• Promote business models that provide for user data
ownership
• Look for consensus-based, consumer friendly norms which
incorporate international standards for data protection and
internet security across boundaries
• Encourage transnational co-regulatory initiatives;
• Promote voluntary co-operation among stakeholders;
• Set appropriate regional or multi-lateral standards;
• Set appropriate national regulation
• Anticipate future privacy challenges and how to meet them.
