IAPP-GDPR Web Banners-300x250-FINAL
"I Never Said That"—A Response to Cavoukian et al.

In a recent blog post, Ontario Information and Privacy Commissioner Ann Cavoukian et al. offer a response to my keynote address at the IAPP Europe Data Protection Congress in December 2013 and also announce an upcoming whitepaper.

They do so, acknowledging that neither of them had actually listened to what I said at my keynote. Hence, their blog post is based on certain assumptions of what I said. Regrettably, those assumptions are not borne out in fact.

I very much appreciate a robust debate about the future of how we best protect information privacy. It is far too important a value to not do so. But without knowing exactly what I said, the whitepaper may respond to a straw man’s argument and thus offer much reduced value. In the spirit of giving Cavoukian et al.—and the general audience—the opportunity to appreciate what I actually said, here are the facts.

* In her first paragraph, Cavoukian et al. argue that I suggested people had lost interest in privacy protection. I never said anything to that effect. In fact, I said the exact opposite:

“Some may think that this is the end of privacy—some have even said so. But nothing could be further from the truth. Humans on both sides of the Atlantic and across all age groups still value and desire information privacy. We must not and do not need to give up on privacy as a fundamental societal value.”

* In their third paragraph, Cavoukian et al. write that I suggested the “obliteration of Fair Information Practices.” I never said anything like this. Again, on the contrary I argued in my speech that: “In that very sense, then, this next phase in protecting information privacy more effectively could be anchored in the very principles that the founders of European data protection conceived in the 1970s.”

In addition I have taken part in a workshop that produced amended Fair Information Principles for the Big Data age. The resulting whitepaper has been available online since early December and was also available at the IAPP Congress where I spoke. The whitepaper—which like any consensus document reflects many but not all of my views—makes crystal clear the continuing import and need for Fair Information Principles.

* In their fourth paragraph Cavoukian et al. suggest that I argued for “taking away all control of [the public’s] personal information”. That, again, is incorrect. In fact, in my speech I said after explaining that we need more accountability of data users: “This does not imply that data subject’s consent is no longer important.”

This clear sentiment is echoed in the whitepapers—one, already mentioned here, on modern Fair Information Principles, and the other on data user accountability—which make clear that individual consent will continue to play a role in an amended information privacy framework.

* Cavoukian et al. also imply that I said privacy impedes innovation. By now you may already suspect the truth: Yes, I never said anything like that either. I, too, believe that privacy can be a force for innovation.

In fact, my view is even more principled than Cavoukian’s et al.: I believe that even if privacy would impede innovation, this should not be a reason to disregard privacy.

The focus in my speech was not information privacy as a value, but the mechanisms we currently employ to protect our privacy. My argument was—and is—that the core mechanism currently used to protect information privacy, namely consent at the time of collection, has in practice not been effective in protecting our privacy. The most recent revelations of Target losing personal data of 70 million customers just underscore my point: None of these 70 million people were protected because they had consented once when signing up for a Target account.

In fact, my suggestion and that of the whitepapers I have co-authored to focus on effective accountability of data users is much closer aligned than "consent at collection" with Cavoukian’s own well regarded work on privacy by design and the need to build privacy deep into the tools we use. (If this needs any more reinforcement, I did write an entire book on the need to build more ‘forgetting’ into our digital memory tools.)

In summary, Cavoukian and her colleagues repeatedly misrepresent what I said throughout their blog post. The truth is that our views are far, far closer than they suggest when it comes to the importance of privacy as a fundamental human value, and the need for effective and trustworthy mechanisms to protect privacy.

The important debate to be had is how to best achieve effective and robust information privacy while acknowledging the value of information use. My hope—and the reason for this clarifying post—is that we can focus precisely on this debate: Thinking hard about the best ways to improve the mechanisms we use to protect our privacy.

Will you join?

Written By

Viktor Mayer-Schonberger


If you want to comment on this post, you need to login.
  • Christopher Wolf Jan 15, 2014

    At the Silicon Flatirons conference this week, I plan to build on your thesis Viktor with respect to measuring and preventing privacy harms through use analysis since notice and choice by definition limited the scope of harms being avoided.

  • R. Jason Cronk Jan 15, 2014

    Unfortunately, Viktor uses a linguistic trick to try to convince the reader that his position is pro-privacy. However, the astute reader need not be fooled. What Viktor is describing in his talk is, as the title makes clear, "data protection" not privacy. Data protection is the realm of the benevolent steward who safeguards people's personal information. Privacy, in contrast, is the notion that one may dictate (to some degree) the dividing line between the individual and society. Without such personal decision making then there is NO privacy only social control, benevolent or not. Redefining privacy to exclude conscious consent is not an option.

  • Christopher Vera Jan 15, 2014

    (my comments are my own and do not necessarily represent that of my employer). Thanks to the Privacy Association for giving Professor Mayer-Schönberger the opportunity to clarify his views. Privacy is already a confusing enough topic to the layperson so it is important for us to ensure we have such clarity. My only pet peeve is with the use of the term "information privacy." Information has no privacy, could care less about its privacy. COntinuing to refer to privacy as "information" or "data" privacy muddies the waters between privacy and security, which is concerned more with confidentiality than with true privacy.

  • Viktor Mayer-Schönberger Jan 16, 2014

    Mr Cronk is obviously confused about the principle concepts in our domain. "Data protection" is the term used for what in the North American context often is referred to as information privacy, and while nuances exist (and I have written academic articles about it), neither I nor most others in this discussion make any difference between "data protection" and "information privacy". He is simply beating a dead horse. To Mr Vera: I appreciate your concern. I did neither coin the term information privacy, nor am I particularly happy about it. But it has come to be used to differentiate informational privacy from physical privacy. Would you prefer the term "information privacy" over the sloppier "information privacy" (btw a similar issue arises with the term "data protection" - as it is not data but the data subject that is afforded protection).

  • Viktor Mayer-Schönberger Jan 16, 2014

    Ooops, should read "'informational privacy' over "information privacy'"

  • Eduardo Ustaran Jan 16, 2014

    Terminology is always a bit of an issue in this field, but please let's not get bogged down in a trivial matter when the future of privacy (including within that data protection) is at stake. My interpretation of the point made by Viktor is that since we are no longer able to control the uses made of our information by others, the protection of our privacy (or our data) mainly needs to come from something else. This is an argument with which I concur in the book 'The Future of Privacy' and my suggested policy alternatives are a combination of greater incentives for the deployment of privacy practices, the passive empowerment of individuals by giving part of the value of the data back to people, and a range of practical measures to do with transparency, anonymisation, individuals' rights, security by default and privacy-risk assessments.

  • Gabriela Zanfir Jan 16, 2014

    I absolutely agree on every point you made. I have already argued in the paper I presented at CPDP 2013 in Brussels (Forgetting about consent. Why the focus should be on suitable safeguards in data protection law, published in "Reloading Data Protection") that instead of mystifying consent in data protection and instead of perpetually looking for solutions to make consent rules clearer and stronger, legislators - analysts - scholars must concentrate on other safeguards which are undoubtedly more suitable to protect the object of the right to personal data protection. My proposition (which, of course, can be improved, as it was coined exclusively from the point of view of EU data protection law) was to consider 1. the rights of the data subject (access rights, erasure rights etc), 2. rules regarding purpose limitation and 3. accountability rules the main three "prerogatives" or "derived prerogatives" to achieve personal data protection. I also pointed out that I am not pleading in favor of completely disregarding consent, as consent and, generally, choice are important in the conceptualization of informational self determination. I am only arguing that there are more powerful and more effective instruments in data protection law which should be further developed. I will most certainly follow this debate and your opinions on it, as well as Eduardo's. I really believe this approach is the future in regulating and enforcing data protection/privacy.

  • Name Rick Klumpenhouwer Jan 17, 2014

    From someone who delivered a presentation titled "Why I Hate Consent" (a riffing on Will Ferguson's "Why I Hate Canadians") back in 2008, it is no surprise that I would agree with Mr. Mayer-Schonberger's general thesis that individual consent is fast becoming an ineffective tool for protecting individual privacy. At the same time, I still believe that consumer participation in how they submit personal information and what happens to it once it is submitted is extremely important and if anything, needs to be enhanced. In a massively networked, complex information environment, individuals are more gamed that informed by the consent process. A series of symbols or quick data on specific services or companies, much like nutritional information on food products, is one kind of example that uses effective communication rather than a legal contract relationship to encourage participation. Providing good and useful information about information, for both regulators and citizens, will determine the outcome of any real battle for individual privacy on the ground. This, in my mind, is what Information Governance is all about. In any case, great to see this discussion taking root.

  • Peter Westerhof Jan 18, 2014

    The devil as always is in the details. Therefore anyone, academic or not, should be know that obfuscating definitions is the root cause for poor discussions and poor politics. Suggesting ignorance with the other party, or coining a 'North American context for privacy' does not help much either.

  • Jason Cronk Jan 22, 2014

    VMS: 'neither I nor most others in this discussion make any difference between “data protection” and “information privacy”.' That's the problem. There is a world of difference and your failure to recognize it does not excuse your manipulate the argument by interchanging them. Alan Westin seminal definition of information privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others" certainly predates your data protection = information privacy confusion, even if shared by others. Simply put, the notion of privacy includes individual participation, not pure paternalism. If you want to talk about a data protection regime, then talk about "data protection", don't call it privacy, because it isn't that. Eduardo, I'm sure as a lawyer you can appreciate of the importance of terminology. I often time run into two parties which are miscommunicating because they are using terminology different. Further my intention in responding was to reduce the attempted watering down of the word. Continue misuse only perpetuates the idea that information privacy equates to data protection. “But if thought corrupts language, language can also corrupt thought.” -George Orwell


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»