Breaking the data protection deadlock
The News of the World phone hacking scandal and Twitter superinjunction furore are the latest headaches for those who seek to outsource and profit from the legal flow and storage of information.
Of course, phone-hacking by a minority of journalists represents the worst excesses of privacy violation but, it is only the tip of the iceberg according to Christopher Graham, the UK’s Information Commissioner. In an article in last month’s Prospect Magazine he pointed to a pervasive culture of widespread personal data abuse:
“The problem actually involves a much bigger cast list — of lawyers, claims management companies, private investigators and scam merchants, to name but a few. And what about the dealers? Those who abuse their position of managing the millions of bits of personal data we lodge with service providers every time we buy something from a website, use a mobile phone, clock up loyalty points, register for internet banking, sign up with the local GP practice — or do almost anything else online. And what isn’t online, these days?”
The latest imbroglio will increase the sense of urgency for policymakers tasked with finding a new regulatory architecture which will safeguard personal privacy at the same time as allowing businesses and governments to use it to improve efficiency, spot trends, save money and increase profits. Of course, irrespective of legality, the definition of privacy and how it should be applied to individual, as well as mass personal data sets, is where the crux of the issue lies.
According to Martin Abrams, Executive Director of the Centre for Information Policy Leadership at law firm Hunton and Williams, notions of privacy vary in different countries, according to “how governments view the relationship between individuals and their community”. Hence, in the US, data protection and the privacy issues arising from it are largely seen as an issue of consumer protection whereas in the EU they are viewed as a fundamental right.
This culture clash is still a regular source of friction (although these sorts of tension are far from being the monopolies of the US and EU). The latest scuffle occurred when Microsoft recently admitted that not only might it have to hand over European customers’ data on one of its new new cloud services to US authorities but that the Patriot Act may mean the company would have to keep details of any such data transfer secret.
This is in direct contravention of the EU Data Protection Directive, which states (amongst other things) that organisations must inform users when they disclose personal information, whether it’s to governments or other businesses. The last time the EU and the US clashed so publicly on this issue was over the SWIFT agreement and whether or not EU citizens’ financial data could be exported outside the bloc as part of the US’s counterterrorism strategy.
The EU Directive, which was established in 1995, is in the process of being reviewed as the European Commission attempts to play catch-up with the breakneck speed at which technology is redesigning the relationships between businesses, individuals and the colossal data flows that are being generated.
Transatlantic security concerns aside, the economic case for sorting out the privacy issue seems to be compelling, if far from assured. Take the case of Big Data as an example. According to a recent (and rather breathless) report from The McKinsey Global Institute (MGI), Big Data – data sets that have the potential to spot meaningful trends but are too large to be stored on conventional database servers – are becoming a key way for major companies to perform better than their competitors:
“We estimate that a retailer embracing big data has the potential to increase its operating margin by 60%. We have seen leading retailers such as Tesco use big data to capture market share from local competitors, and many other examples…”
These figures are geared towards the US, which produced enough data in 2010 to fill 60,000 Libraries of Congress. But even in the more data conservative EU, MGI predicts that Big Data and its associate storage systems could end up saving Europe’s public sector around €250bn a year – more than the GDP of Greece.
Now, whether you are a Big Data evangelist, or think it’s a load of hype, it is clear that an information marketplace built on the movement of huge amounts of data around the globe is incompatible with a regulatory system which enshrines the notification of the individual every time their data is passed on to a third party.
According to Martin Abrams, in the case of outsourcing, the only way to move beyond the notification system in is to create an ‘accountability chain’, which includes national and transnational privacy bodies, privacy officers and businesses of all types.
All companies wishing to work with personal data will have to conduct risk assessments and show “the will and the capacity” to safeguard it, not just from security breaches but to make sure that it is not applied inappropriately. When I ask how it is possible to make these kinds of bold promises, Williams counters that the language that will be built into this kind of legislation will also “recognise that we need to be proportional to the size of organisation, the kind of data being held, any plans for that data and the scale of the risk.”
Abrams cites (perhaps unsurprisingly) Accenture, Hewlitt Packard, Microsoft and Google as examples of large organisations which are already starting to build this process of data risk assessment – or ‘Privacy by Design’ – into their business models. But he adds that the tools must be scalable to allow medium-sized and smaller organisations to compete fairly. One possible model would be the development of common tools by industry bodies, who would then license them out to their members.
A system such as this would certainly remove a lot of the process problems for companies trying to surmount different sorts of privacy rules. Whether the revised EU Directive will allow that degree of latitude remains to be seen.