On January 28, thousands of organizations in the United States and European Union observed Data Privacy Day, whose goals are to raise privacy awareness, recognize shared privacy values and promote transatlantic cooperation. The day is especially significant for me, because it originated from a conversation around my dinner table eight years ago.
Leonardo Cervera Navas (then with the European Commission and now with the European Data Protection Supervisor’s office) and Jolynn Dellinger (then with Intel and now with Minding Privacy) joined my family for dinner, and the conversation turned to privacy attitudes in the U.S. and Europe. While we noted many differences, we also talked about the many values shared across our cultures. Leonardo had the idea first that there should be a day where people could recognize those shared values and promote transatlantic cooperation. Data Protection Day had already been recognized in Europe and held on January 28, the anniversary of the Council of Europe’s signing of Convention 108, recognizing privacy as a fundamental human right. By the end of dessert, Data Privacy Day was born.
The Day has come a long way since that dinner, and the challenges to fostering transatlantic cooperation have multiplied. Media attention to activities of U.S. government surveillance agencies has generated barriers to international data transfers and damaged privacy stakeholder relationships across the Atlantic (witness the breakdown of the U.S.-EU Safe Harbor agreement last year). Terrorist attacks in Paris and San Bernardino have further challenged cooperation among policy stakeholders. In an environment of continued concern about terrorism, it is important to have structures that allow law enforcement and intelligence agencies to accomplish their critical missions. At the same time, a pre-condition to these government activities should be sufficient oversight and controls to allow individuals to know their information will not be misused.
Recent news of a cyber-attack on the Ukraine electric grid brings further attention to the need for governments to protect networks, critical infrastructure and their citizens. To provide this protection, government and the private sector will need to process personal data and share some of that data with other organizations. It takes data to protect data. At the same time, we need to focus on providing the right oversight and controls to give citizens in all countries comfort that data relating to them will not be used inappropriately.
Intel has been working for some time to define how to promote privacy while also allowing organizations to pursue the innovative use of data. We call this effort “Rethink Privacy” and ground our recommendations in the Fair Information Practice Principles (FIPPs) as articulated in the OECD Privacy Guidelines. The FIPPs are foundational and do not need to be changed; rather, they need to be implemented in new ways to properly adjust to an environment of the internet of things, cloud computing and advanced data analytics.
As EU and U.S. negotiators focus on a new agreement to provide a lawful basis for the transfer of personal data, we offer the following recommendations:
Collection Limitation – Government agencies should not hold the entire “haystack” to find needles. Instead, the private sector should keep data for its business purposes, and when provided with lawful government demands following reasonable due process, apply algorithms to the data to note information that may require law enforcement focus.
Use Limitation – If data is provided to governments to protect against terrorism or cyberattacks, it should not be used by agencies for other purposes. To drive consensus on this issue it is important to limit law enforcement and surveillance agency use of personal data to only the most important concerns.
Accountability – All companies and government organizations should have an adequately resourced privacy officer. If an agency or company cannot identify one person who is in charge of privacy, or if that person is mired deep in the organization, then it is a sure sign privacy is not a priority.
Security Safeguards – We need to invest more in cybersecurity. The unfortunate steady stream of high profile data breaches shows us how much work we have yet to do to properly protect data. Cybersecurity tools and services require constant innovation to stay ahead of evolving threats, and innovation requires investment.
Much has changed since the dinner at my house eight years ago. Now individuals around the globe are asking for better solutions to provide privacy while also allowing them to get value from data that relates to them. Data Privacy Day is an excellent opportunity to both think about and “rethink” privacy. In addition, let’s not limit that international cooperation and dialogue to a single day.
Hoffman is associate general counsel and Global Privacy officer, Intel Corporation.