Monday, June 15, 2009

Online privacy - it's complicated

Lilian Edwards has been analysing the state of online privacy in Sydney and Hong Kong with a degree of pessimism.
"Before HK, Pangloss was in lovely Sydney enjoying the hospitality of the Cyberspace Law and Policy Centre at University of New South Wales at SoGikii, aka the conference on the beach at Coogee :-))

SoGikII was bijoux but very interesting. Graham Greenleaf and Ian Brown swapped multi Continental ideas, helped by the audience, on how to reform personal data protection laws, calling on current moves to reform of the EU DPD, the evolving APEC privacy principles, Graham's work on comparative Asian privacy law and the far famed (everyone in Oz spoke about it in hushed tones) 2000 pages AU$2 m ALRC report on privacy.

The general emerging ideas seem to be:
  • one size does NOT fit all : more prior privacy impact assessment and privacy engineered in ("privacy by design") needed for large data bases and other such projects, especially in public sector;
  • in the EU the effect of Lindqvist needs rolled back for small data processors such as the millions of user generated content providers. A stronger domestic purposes exemption might meet these needs, linked to stronger obligations on platforms to take down on complaint (though Pangloss wonders about the free speech impact of this?) and industry codes on privacy protective default settings on social networks.
  • for all data processors, more emphasis on data minimisation - collecting less data ab initio, by code means and by reliance on principles such as the Australian rule that systems must be designed to allow an anonymity option if practical (eg London't Oyster system is designed for identifying users; Singapore's Octopus is not). This is all the more important as security of large multiple access dbs is increasingly unreliable.
  • more concern for the merging human rights protection for privacy not just under DPD rules - eg the recent UK ECHR defeat in the DNA database case.
  • DP export laws must be maintained despite business opposition
On remedies and enforcement some ideas were
  • better remedies for users including class action rights for consumer organisations
  • replace boilerplate registration of purposes with online subject access rights and tracking of use of data (PG sez: could semantic web data help here??)
  • penalties for abusive use of "DP" by companies to restrict access to info by consumers
  • security breach notification was controversial with some complaining in US it had done little or nothing to stop malware breaches."
I'm sorry I missed it and it reminds me I must, if I can find the time, suggest a paper for GikII 2009.

No comments: