In a recent blog post, Ontario Information and Privacy Commissioner Ann Cavoukian et al. offer a response to my keynote address at the IAPP Europe Data Protection Congress in December 2013 and also announce an upcoming whitepaper.
They do so, acknowledging that neither of them had actually listened to what I said at my keynote. Hence, their blog post is based on certain assumptions of what I said. Regrettably, those assumptions are not borne out in fact.
I very much appreciate a robust debate about the future of how we best protect information privacy. It is far too important a value to not do so. But without knowing exactly what I said, the whitepaper may respond to a straw man’s argument and thus offer much reduced value. In the spirit of giving Cavoukian et al.—and the general audience—the opportunity to appreciate what I actually said, here are the facts.
* In her first paragraph, Cavoukian et al. argue that I suggested people had lost interest in privacy protection. I never said anything to that effect. In fact, I said the exact opposite:
“Some may think that this is the end of privacy—some have even said so. But nothing could be further from the truth. Humans on both sides of the Atlantic and across all age groups still value and desire information privacy. We must not and do not need to give up on privacy as a fundamental societal value.”
* In their third paragraph, Cavoukian et al. write that I suggested the “obliteration of Fair Information Practices.” I never said anything like this. Again, on the contrary I argued in my speech that: “In that very sense, then, this next phase in protecting information privacy more effectively could be anchored in the very principles that the founders of European data protection conceived in the 1970s.”
In addition I have taken part in a workshop that produced amended Fair Information Principles for the Big Data age. The resulting whitepaper has been available online since early December and was also available at the IAPP Congress where I spoke. The whitepaper—which like any consensus document reflects many but not all of my views—makes crystal clear the continuing import and need for Fair Information Principles.
* In their fourth paragraph Cavoukian et al. suggest that I argued for “taking away all control of [the public’s] personal information”. That, again, is incorrect. In fact, in my speech I said after explaining that we need more accountability of data users: “This does not imply that data subject’s consent is no longer important.”
This clear sentiment is echoed in the whitepapers—one, already mentioned here, on modern Fair Information Principles, and the other on data user accountability—which make clear that individual consent will continue to play a role in an amended information privacy framework.
* Cavoukian et al. also imply that I said privacy impedes innovation. By now you may already suspect the truth: Yes, I never said anything like that either. I, too, believe that privacy can be a force for innovation.
In fact, my view is even more principled than Cavoukian’s et al.: I believe that even if privacy would impede innovation, this should not be a reason to disregard privacy.
The focus in my speech was not information privacy as a value, but the mechanisms we currently employ to protect our privacy. My argument was—and is—that the core mechanism currently used to protect information privacy, namely consent at the time of collection, has in practice not been effective in protecting our privacy. The most recent revelations of Target losing personal data of 70 million customers just underscore my point: None of these 70 million people were protected because they had consented once when signing up for a Target account.
In fact, my suggestion and that of the whitepapers I have co-authored to focus on effective accountability of data users is much closer aligned than "consent at collection" with Cavoukian’s own well regarded work on privacy by design and the need to build privacy deep into the tools we use. (If this needs any more reinforcement, I did write an entire book on the need to build more ‘forgetting’ into our digital memory tools.)
In summary, Cavoukian and her colleagues repeatedly misrepresent what I said throughout their blog post. The truth is that our views are far, far closer than they suggest when it comes to the importance of privacy as a fundamental human value, and the need for effective and trustworthy mechanisms to protect privacy.
The important debate to be had is how to best achieve effective and robust information privacy while acknowledging the value of information use. My hope—and the reason for this clarifying post—is that we can focus precisely on this debate: Thinking hard about the best ways to improve the mechanisms we use to protect our privacy.
Will you join?