
Privacy Perspectives | "I Never Said That"—A Response to Cavoukian et al.



In a recent blog post, Ontario Information and Privacy Commissioner Ann Cavoukian et al. offer a response to my keynote address at the IAPP Europe Data Protection Congress in December 2013 and also announce an upcoming whitepaper.

They do so, acknowledging that neither of them had actually listened to what I said at my keynote. Hence, their blog post is based on certain assumptions of what I said. Regrettably, those assumptions are not borne out in fact.

I very much appreciate a robust debate about the future of how we best protect information privacy. It is far too important a value to not do so. But without knowing exactly what I said, the whitepaper may respond to a straw man’s argument and thus offer much reduced value. In the spirit of giving Cavoukian et al.—and the general audience—the opportunity to appreciate what I actually said, here are the facts.

* In their first paragraph, Cavoukian et al. argue that I suggested people had lost interest in privacy protection. I never said anything to that effect. In fact, I said the exact opposite:

“Some may think that this is the end of privacy—some have even said so. But nothing could be further from the truth. Humans on both sides of the Atlantic and across all age groups still value and desire information privacy. We must not and do not need to give up on privacy as a fundamental societal value.”

* In their third paragraph, Cavoukian et al. write that I suggested the “obliteration of Fair Information Practices.” I never said anything like this. Again, on the contrary I argued in my speech that: “In that very sense, then, this next phase in protecting information privacy more effectively could be anchored in the very principles that the founders of European data protection conceived in the 1970s.”

In addition I have taken part in a workshop that produced amended Fair Information Principles for the Big Data age. The resulting whitepaper has been available online since early December and was also available at the IAPP Congress where I spoke. The whitepaper—which like any consensus document reflects many but not all of my views—makes crystal clear the continuing import and need for Fair Information Principles.

* In their fourth paragraph Cavoukian et al. suggest that I argued for “taking away all control of [the public’s] personal information”. That, again, is incorrect. In fact, in my speech I said after explaining that we need more accountability of data users: “This does not imply that data subject’s consent is no longer important.”

This clear sentiment is echoed in the whitepapers—one, already mentioned here, on modern Fair Information Principles, and the other on data user accountability—which make clear that individual consent will continue to play a role in an amended information privacy framework.

* Cavoukian et al. also imply that I said privacy impedes innovation. By now you may already suspect the truth: Yes, I never said anything like that either. I, too, believe that privacy can be a force for innovation.

In fact, my view is even more principled than that of Cavoukian et al.: I believe that even if privacy would impede innovation, this should not be a reason to disregard privacy.

The focus in my speech was not information privacy as a value, but the mechanisms we currently employ to protect our privacy. My argument was—and is—that the core mechanism currently used to protect information privacy, namely consent at the time of collection, has in practice not been effective in protecting our privacy. The most recent revelations of Target losing personal data of 70 million customers just underscore my point: None of these 70 million people were protected because they had consented once when signing up for a Target account.

In fact, my suggestion and that of the whitepapers I have co-authored to focus on effective accountability of data users is much more closely aligned than "consent at collection" with Cavoukian’s own well-regarded work on privacy by design and the need to build privacy deep into the tools we use. (If this needs any more reinforcement, I did write an entire book on the need to build more ‘forgetting’ into our digital memory tools.)

In summary, Cavoukian and her colleagues repeatedly misrepresent what I said throughout their blog post. The truth is that our views are far, far closer than they suggest when it comes to the importance of privacy as a fundamental human value, and the need for effective and trustworthy mechanisms to protect privacy.

The important debate to be had is how to best achieve effective and robust information privacy while acknowledging the value of information use. My hope—and the reason for this clarifying post—is that we can focus precisely on this debate: Thinking hard about the best ways to improve the mechanisms we use to protect our privacy.

Will you join?



  • Christopher Wolf • Jan 15, 2014
    At the Silicon Flatirons conference this week, I plan to build on your thesis, Viktor, with respect to measuring and preventing privacy harms through use analysis since notice and choice by definition limited the scope of harms being avoided.
  • R. Jason Cronk • Jan 15, 2014
    Unfortunately, Viktor uses a linguistic trick to try to convince the reader that his position is pro-privacy. However, the astute reader need not be fooled. What Viktor is describing in his talk is, as the title makes clear, "data protection" not privacy. Data protection is the realm of the benevolent steward who safeguards people's personal information. Privacy, in contrast, is the notion that one may dictate (to some degree) the dividing line between the individual and society. Without such personal decision making then there is NO privacy only social control, benevolent or not. 
    Redefining privacy to exclude conscious consent is not an option. 
  • Christopher Vera • Jan 15, 2014
    (my comments are my own and do not necessarily represent that of my employer).
    Thanks to the Privacy Association for giving Professor Mayer-Schönberger the opportunity to clarify his views. Privacy is already a confusing enough topic to the layperson so it is important for us to ensure we have such clarity. My only pet peeve is with the use of the term "information privacy." Information has no privacy, could care less about its privacy. Continuing to refer to privacy as "information" or "data" privacy muddies the waters between privacy and security, which is concerned more with confidentiality than with true privacy.
  • Viktor Mayer-Schönberger • Jan 16, 2014
    Mr Cronk is obviously confused about the principal concepts in our domain. "Data protection" is the term used for what in the North American context often is referred to as information privacy, and while nuances exist (and I have written academic articles about it), neither I nor most others in this discussion make any difference between "data protection" and "information privacy". He is simply beating a dead horse.
    To Mr Vera: I appreciate your concern. I did neither coin the term information privacy, nor am I particularly happy about it. But it has come to be used to differentiate informational privacy from physical privacy. Would you prefer the term "information privacy" over the sloppier "information privacy" (btw a similar issue arises with the term "data protection" - as it is not data but the data subject that is afforded protection).
  • Viktor Mayer-Schönberger • Jan 16, 2014
    Oops, should read "'informational privacy' over 'information privacy'"
  • Eduardo Ustaran • Jan 16, 2014
    Terminology is always a bit of an issue in this field, but please let's not get bogged down in a trivial matter when the future of privacy (including within that data protection) is at stake. My interpretation of the point made by Viktor is that since we are no longer able to control the uses made of our information by others, the protection of our privacy (or our data) mainly needs to come from something else. This is an argument with which I concur in the book 'The Future of Privacy' and my suggested policy alternatives are a combination of greater incentives for the deployment of privacy practices, the passive empowerment of individuals by giving part of the value of the data back to people, and a range of practical measures to do with transparency, anonymisation, individuals' rights, security by default and privacy-risk assessments.
  • Gabriela Zanfir • Jan 16, 2014
    I absolutely agree on every point you made. I have already argued in the paper I presented at CPDP 2013 in Brussels (Forgetting about consent. Why the focus should be on suitable safeguards in data protection law, published in "Reloading Data Protection") that instead of mystifying consent in data protection and instead of perpetually looking for solutions to make consent rules clearer and stronger, legislators - analysts - scholars must concentrate on other safeguards which are undoubtedly more suitable to protect the object of the right to personal data protection. My proposition (which, of course, can be improved, as it was coined exclusively from the point of view of EU data protection law) was to consider 1. the rights of the data subject (access rights, erasure rights etc), 2. rules regarding purpose limitation and 3. accountability rules the main three "prerogatives" or "derived prerogatives" to achieve personal data protection. I also pointed out that I am not pleading in favor of completely disregarding consent, as consent and, generally, choice are important in the conceptualization of informational self determination. I am only arguing that there are more powerful and more effective instruments in data protection law which should be further developed. 
    I will most certainly follow this debate and your opinions on it, as well as Eduardo's. I really believe this approach is the future in regulating and enforcing data protection/privacy.   
  • Rick Klumpenhouwer • Jan 17, 2014
    From someone who delivered a presentation titled "Why I Hate Consent" (a riff on Will Ferguson's "Why I Hate Canadians") back in 2008, it is no surprise that I would agree with Mr. Mayer-Schönberger's general thesis that individual consent is fast becoming an ineffective tool for protecting individual privacy. At the same time, I still believe that consumer participation in how they submit personal information and what happens to it once it is submitted is extremely important and if anything, needs to be enhanced. In a massively networked, complex information environment, individuals are more gamed than informed by the consent process. A series of symbols or quick data on specific services or companies, much like nutritional information on food products, is one kind of example that uses effective communication rather than a legal contract relationship to encourage participation. Providing good and useful information about information, for both regulators and citizens, will determine the outcome of any real battle for individual privacy on the ground. This, in my mind, is what Information Governance is all about.
    In any case, great to see this discussion taking root.
  • Peter Westerhof • Jan 18, 2014
    The devil as always is in the details. Therefore anyone, academic or not, should know that obfuscating definitions is the root cause for poor discussions and poor politics.
    Suggesting ignorance with the other party, or coining a 'North American context for privacy' does not help much either.
  • Jason Cronk • Jan 22, 2014
    VMS: 'neither I nor most others in this discussion make any difference between “data protection” and “information privacy”.'
    That's the problem. There is a world of difference and your failure to recognize it does not excuse your manipulating the argument by interchanging them. Alan Westin's seminal definition of information privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others" certainly predates your data protection = information privacy confusion, even if shared by others. Simply put, the notion of privacy includes individual participation, not pure paternalism. If you want to talk about a data protection regime, then talk about "data protection", don't call it privacy, because it isn't that.
    Eduardo, I'm sure as a lawyer you can appreciate the importance of terminology. I oftentimes run into two parties which are miscommunicating because they are using terminology differently. Further, my intention in responding was to reduce the attempted watering down of the word. Continued misuse only perpetuates the idea that information privacy equates to data protection.
    “But if thought corrupts language, language can also corrupt thought.” -George Orwell