The International Conference of Data Protection and Privacy Commissioners recently completed its 41st annual meeting in Tirana, Albania, and announced a new name for the organization — the Global Privacy Assembly — and Friday, it officially launched its new name and logo.
These annual meetings are very important for coordinating regulators and giving direction to the whole privacy and data protection community about the way regulators want to drive oversight and enforcement to protect people. The old name was too long, and there is no way to turn ICDPPC into a word that rolls off the tongue. Furthermore, the organization wants to change itself from an annual meeting into an ongoing discussion — an important imperative — and felt its new name would help facilitate that.
However, I am concerned that the new name doesn’t reflect the complexity of the issues confronting this community so that data serves humanity rather than making people targets. Why?
At my first conference in 1994, I thought data protection and privacy were the same thing. Many years later, I learned that under European law, the terms privacy and data protection are subject to two different fundamental rights under the Charter of Fundamental Rights of the European Union. Privacy relates to respect for private communications and for family life. Data protection is a broader fundamental right that includes the human interest in autonomy but also is protective of the full range of fundamental rights impacted by the processing of personal information.
Over time, as processing has become more complex, the completeness of data protection as a concept has become more important to my nerdy brain. In simple terms, privacy is driven by individual control, while data protection is driven by fair processing, an obligation for all users of data that's impactful on individuals.
In most jurisdictions outside Europe, individual control and fair processing are governed together by privacy law. For example, in Canada, the gating key is consent with fair processing under the accountability principle, which is necessary to achieve legitimacy. While the law is the Personal Information Protection and Electronic Documents Act, the agency that enforces it is the Office of the Privacy Commissioner. Hong Kong has the Privacy Commissioner for Personal Data. New Zealand has its Office of the Privacy Commissioner, as well. In all cases, the two fundamental rights addressed by European law are addressed by these other agencies under the term “privacy.”
However, the conference agenda and recent news suggest maybe the wrong name was selected. And maybe, just maybe, a new name could suggest a new direction for our profession and the enforcement agencies that provide oversight.
This year's ICDPPC conference discussed the misuse of observed data for many purposes but with a focus on how such data leads to micro-targeting in elections to put liberal democracies at risk. Since the conference, the willingness for companies facilitating digital political ads to police false information in those ads has been debated by the CEOs of Facebook and Twitter.
The ICDPPC conference also discussed the compatibility and friction between data protection and competition law. Privacy and data protection commissioners have been exploring cooperation with competition and consumer protection agencies. For that to happen, there needs to be a clear objective. That objective, from my perspective, is protecting people.
But what is it we are protecting people from? It is beyond privacy. It is beyond fair processing. It is beyond the fractionalizing of society by personalization. It is also beyond the empowering of data scientists to create real benefits for people from the processing of information.
However, in the end, it is all these.
I don’t know which phrase captures all these societal interests. I truly do not. But I will start with the concept of digital responsibility. So how about the Global Assembly for Digital Responsibility?
Well, the new name has been announced. So, perhaps, when understood in the global context, Global Privacy Assembly is the right name, after all, as long as it is understood the direction for our profession and the enforcement agencies that provide oversight is the protection of people as it relates to data. If we “privacy” professionals and regulators take the scope of our responsibilities too narrowly, then we will fail in the provision of our daily responsibilities as privacy professionals and regulators. So, as we embrace the new name, let's embrace the greater scope for privacy.
Featured photo from Jedidiah Bracy
If you want to comment on this post, you need to login.