Defining privacy

The spreading of personal information in the digital age and the loss of control over it is continually increasing. In it’s essence, it is nothing very new but we witness (or are part of) some major shifts right now: the rise of online social networks, high precision targeted advertising, and the level of surveillance as part of the anti-terrorism measures. The significance of privacy is currently being re-negotiated (details below).

At the same time, the technical possibilities to control and broker one’s personal data streams have increased just as much – unfortunately most of these possibilities are stuck in theory and decent tools are missing. We should expect (or build) a ground breaking solution here. I find this particularly striking as I had the priviledge to work on such a tool over a year ago and sadly enough it hasn’t really come to market as of today (I’ll go into details in a separate article).

Photo (slightly cropped) by ecoev on Flickr

Photo (slightly cropped) by ecoev on Flickr

A couple of days ago, I had the privilege to attend a conference on privacy from Germany’s internet industry association eco. By the mere count of participants (overwhelmingly in black suits) it was a small meeting, but as the participation of the German Minister of the Interior, Hans-Peter Friedrich, and the EU commissioner for “Justice and Fundamental Rights”, Viviane Reding, shows, it was of extremely high profile for our societies’ rule makers.
From a citizen’s point of view, the event was pretty interesting as you could witness the actors and debates that shape the laws of tomorrow. For designers, however, the lack of discussable solutions, or just adventurous experiments, was disappointing. I have the strong impression that some practical contributions will inspire the debate and could bring a more differentiated or “realistic” view to some legal considerations.

Defining terms – not just a question for law makers

While defining terms sounds like hairsplitting detail work, knowing about different aspects and concepts of privacy and data protection focuses the often superficial and emotional debates. I’ll look very briefly at two questions: protect data against whom or what? And what is the data to be protected?

During the eco meeting, Axel Spieß, an international expert in this (legal) domain, pointed out the very different meanings of “privacy” in the US and “Datenschutz” in Germany: in the US, privacy was mainly referring to the “right to be let alone”, as a citizen against the state (4th amendment). In contrast, acquiring and selling user data is a pure matter of private business and contracts. “Data protection” would usually refer to measures that prevent the theft or loss of data.
Under German jurisdiction, however, “Datenschutz”/data protection is affected by all transactions (or even just the collection) of “information that identifies a person” because it is considered to violate one’s “informational self-determination“. And this needs to be respected by governmental authorities as well as private companies.
(For the UK position, BBC News has a comprehensive article for you.)

There is also a fundamentally different perception of who owns the data (US (mostly): the company who collects (or buys) it. Germany: the person it refers to). Ownership of personal information is also an important point for a couple of service ideas around a transparent data trade (see the practicle article on that)

In his speech at the congress, Minister Friedrich implied that data collection by authorities was rather harmless since it couldn’t happen without laws and was under public control. But since the 9/11 attacks, we should be aware of how easily security (or anxiety) rules above freedom (and as part of it, privacy), and otherwise illegal activities and questionable surveillance pass through.
[end of sidetrack]

The other important definition is the term of “identifying personal information”: intuitively, one would think of more sensitive information, such as name, address, phone numbers (IP numbers? already a hot debate!). And indeed, some laws contain such lists. However, in the age of sophisticated data mining, “insensitive” data (such as items of a single purchase) is easily combined into “more sensitive” data (such as buying habits and all deviations, like job loss, illnesses, diets, or even pregnancies). As behaviour prediction is becoming reality, there is no insensitive data any more (as the German Constitutional Court stated already 1983).

Who defines the privacy of the future?

Inside the EU, the debate around privacy is active for quite a while now. Commissioner Reding claims that it is at the heart of the Digital Agenda (which has its own commissioner, Nellie Kroes). For the EU, a unified data protection and privacy legislation would not only facilitate trade inside the union, it would also be a strong signal towards other societies and markets. Companies with businesses in the EU would at least have to take the EU rules into account, if not completely follow them (what this could mean can be seen in discussions around facebook, Street View).

So far, the EU has been quite successful in setting the agenda and the terms of the discussion. They also convince/persuade more and more non-European countries to follow their model. Obviously, this upcoming normative power of the EU is at odds with US interests and US companies (who form, again, most of the internet as we know it). More or less recently (02/2012), the Obama administration came up with a regulation of its own, the much debated Consumer Privacy Bill of Rights. Given the US traditions as described above, this might appear as a strange thing (some of the differences are lined out here and here).

With the models currently debated on both sides of the Atlantic Ocean, we negotiate nothting less than the fundamental privacy rules of the future digital society.