During the session “Data Protection and Defining Personal Information” at the annual Conference of Data Protection and Privacy Commissioner in Mexico City last November, one panelist asserted that privacy regulators need a better toolkit. Specifically, Prof. Charles Raab of the University of Edinburgh said regulators need to better understand probability theory, statistics and risk analysis. The Privacy Advisor caught up with Prof. Raab recently to find out why he feels this is important.

There has been much concern in recent years that data protection authorities (DPAs) or privacy commissioners do not have sufficient knowledge of information and communication technologies (ICTs). This lack is said to leave DPAs prey to the pleading of special interests who are concerned to portray technological development as innocuous in terms of its effects on privacy and other social values that DPAs are supposed to protect. Many DPAs cannot find the resources to hire technologically knowledgeable staff at levels high enough, and in the numbers that might be required, to make a difference. Of course, other governing institutions that make or carry out public policy are at the same disadvantage: how many legislatures and executives are up to speed on ICTs? Especially at a time when Privacy by Design (PbD), and related tools such as Privacy-enhancing technologies (PETs) and Privacy Impact Assessment (PIA) are to the fore as privacy protection instruments, how can DPAs and others adequately assess the impact of the latest technologies and information processes so that they can take appropriate regulatory action?

These concerns are valid, and they highlight crucial issues for privacy protection. But it is also important—as part of technological understanding, but not only for that reason—that DPAs have a grasp of probability theory, statistics and risk analysis. This is because so much of the debate about technology, privacy and security (both information security and national security) revolves around evaluations of the likelihood of events and broader phenomena happening, so that laws, technical solutions and regulatory activity can be at least commensurate to the threats, and at best anticipate them. For different reasons—competing interests included—different proponents or critics of ICTs and their application promote light or dark scenarios about the benefits and losses of new innovations, playing up or playing down the benefits or the dangers. Regulators have to make up their own mind about this, and they are handicapped without an understanding of the likelihood and severity of privacy risks. How far should they entertain worst-case scenarios? How far should they espouse glowing visions of the technical boon? How, and in what way, should they develop their regulatory strategy around applications of the precautionary principle, or instead should they wait for things to happen and then respond resiliently?

PbD and PIA are predicated on an appreciation of probabilities and magnitudes of the consequences of using certain technologies, and they are founded on a basis that includes, at its very centre, the assessment of risk. This requires both conceptual understanding and numeracy, and a socio-technical perspective on the ICTs and systems to which DPAs are supposed to apply laws, codes and other instruments of regulation. The latter include raising the level of public understanding; education about risk questions is at least implicit in this. How likely are data breaches? How likely are we to suffer harm from them? How large are the dangers of putting huge quantities of personal data on social networking sites? How many crimes would go undetected without the creation of yet more inter-operative databases of personal information, and is that a risk we can live with? Finer discriminations are needed than to say, too simply, that “x poses (or does not pose) a threat to privacy (or to national security),” or that “you are (or are not) at risk through this form of data processing.” If they had the ability and inclination to do so, DPAs would be in a good position to offer guidance on these questions. They could demand evidence and sound reasoning—ideally, scrutinised publicly—from interested parties when claims are made or denied about the privacy-friendliness or the necessity and proportionality of new ICTs, information systems and applications. Many DPAs may already act in something like this way, because assessments of necessity and proportionality are central to many regulatory judgments that are made daily, and to the developing jurisprudence on privacy. But how well equipped are DPAs to get their minds around the risk issues and to analyse them in a nuanced and sophisticated way? Arguably, as little equipped as they are to understand how technologies work, and what they are capable of, let alone what their social and privacy consequences might be. How can they do better?

This note is not the place to develop these points in any depth, or to explore the complex issues of improving regulatory policy and practice to which they give rise. But the IAPP might be well placed to take up these matters, along with academics and others, from its own vantage point. It could provide the means and locus for focusing attention and deliberation on what, precisely, DPAs—not uniquely—need to know about risk, and how they might acquire and incorporate the necessary knowledge and understanding within their own structures. Many DPAs are already in the throes of taking stock of their roles as they enter a new era of global information flows and patterns, new regulatory challenges and new legislation—for instance, the new European Union regulatory pattern that will supersede the 1998 European Data Protection Directive. This would be an opportunity for the IAPP to foster and disseminate greater learning about crucial questions of risk amongst privacy professionals and broader constituencies and publics with a stake in privacy, including DPAs and chief privacy officers. Without this, we might only be left with yet more of the deadly antinomy of scare stories and complacent whitewash about ICTs and the corporate or governmental life in which they play a large part. This is not a happy prospect for DPAs or anyone else.

Written By

Charles Raab

