Alex Gloor is a JD candidate at Osgoode Hall Law School
January 28th was Data Privacy Day, in case you needed a reminder. This day, celebrated in Canada, the United States and 27 EU countries, is aimed at promoting privacy awareness among youths, at promoting the development of privacy related technologies and at encouraging compliance with privacy laws.
The government of Canada has apparently done little beyond formally recognizing the day, with a press release and a blog post being the extent of their recognition in 2010. However, many blogs, organizations, Provinces and municipalities have adopted January 28th as a means of raising awareness towards privacy related issues, showing that the idea has taken hold. Finally, Viviane Reding, the European Commissioner for Information Society and Media, used the day as a platform to address the privacy challenges faced by the EU.
In her speech at a Data Privacy Day conference, Ms. Reding gave both sweeping statements and concrete examples of privacy concerns in 2010. Many of these concerns have been investigated ad nauseum on both this site and in other blogs already (ie: the dangers of social networking sites), while others may not be of great interest to a Canadian audience (ie: the application of the European Charter of Rights).
First of all, Ms. Reding makes the statement that protection of data is often not a key factor in the development of new products. She then supports Canadian Ann Cavoukian’s privacy by design concept, which operates on the principle that regulatory frameworks will never by sufficient to ensure adequate privacy. Privacy by design supports increased proactive measures in developing privacy measures alongside product development, rather than reactive measures that address problems once they arise.
It is plain that oftentimes privacy issues are inadequately addressed before a product is introduced to the market. However, simply advocating the use of a conceptual system is not a solution. I perceive three major reasons that lead to this problem. First is the nature by which many of these technologies are developed and introduced. Often, the latest tech trend is as much a byproduct of luck or individual ingenuity as it is a well thought out corporate scheme. Take facebook as an example; started out of a dorm-room in 2004 and wildly popular at universities across North America by 2005. Upstart products such as these will virtually always be inadequately prepared to deal with large scale privacy issues.
The second main reason that I can see is the obvious one in the corporate world: money. A company will not address a privacy issue if it stands more to gain from not doing so. Again, this situation is easily foreseeable; perhaps an unsolved issue would delay the products release? Maybe it would be cheaper to simply ignore the issue and pay for litigation costs in the future? Additionally, the value conferred by infringing privacy may be so great that it becomes nearly impossible for those seeking to protect privacy to actually do so. An example of this scenario is behavioural advertising, as is mentioned in Ms. Reding’s speech.
Finally, privacy issues are not always foreseeable in the development stage. As technology develops, so too do the ways that privacy can be breached. As noted in the above paragraph, given the valuable benefits that can be obtained by invading ones privacy, it is often impossible for the protectionist to keep pace from a protectionist point of view.
Ms. Reding concludes her presentation by discussing airport body scanners, as I did in a post last month. Still very much a hot topic in the realm of privacy law, Reding is definitive in her view that it they should not be implemented without “full consideration” of their impact. Considering that Reding had previously discussed numerous examples of oft-used technologies that tend to be reactionary in terms of privacy protection, she seems determined to let body scanners become another product caught in this cycle.
I am of the view that this cycle is inevitable, unfortunate as it may be. While some of the best and the brightest work diligently to protect our freedoms, there will always be others in this category who will use their skills to earn some coin by infringing them. Regardless of the measures taken, there will always be a limit on what can be done. And, as with anything, there should be a limit. With overly stringent laws and regulations perhaps Mark Zuckerberg would have never developed Facebook in the first place. Instead, he is the world’s youngest self-made billionaire and provider of addiction to millions.
One Response
Hi Alex.
I have to disagree. There will always be actors that use personal information improperly, just as there will always be others that break the law in minor and major ways. Nevertheless, there are countless individuals and corporations that take information security and privacy into account when developing new products – networked or not. They do so because it’s a good business practice: it encourages a trusting relationship with their clients; it meets regulatory requirements; it calms investors and the markets; and it protects their internal processes and clients from bad actors.
Arguing that product development is a seat-of-your-pants process is an extension of the popular perception of artists and other creative types as free spirits, unfettered by society’s conventions. It’s also a cloak under which developers can hide their ignorance of basic information security practices, or their unwillingness to incorporate these practices in their work.
While the public generally seems to discount the value of data protection and privacy when they first examine and adopt new technologies, recent history shows that privacy always emerges as a concern and priority of a vocal minority of users. The outcry against Facebook’s Beacon program is just one example.
I think we’re in a period of transition, where we are all exploring new forms of communication and new business models. We shouldn’t assume, however, that the path of least resistance is the most appropriate.
On a side note, our activities around January 28 included a nation-wide radio public service announcement, a series of radio interviews, and speaking engagements by senior officials in the Office.
Colin McKay
Director of Research, Education and Outreach
Office of the Privacy Commissioner of Canada
Comments are closed.