It's Time to Forge Global Privacy Rules

Whenever I’ve mentioned to chief privacy officers the idea of having a single set of privacy rules for their companies to abide by worldwide, their response has been unanimous: Bring it on. Why? The legal and technical costs of complying with an expanding patchwork of state, federal and foreign privacy laws are mounting for multinationals. Having one set of rules would improve the bottom line.

Data-protection commissioners from many world governments are singing the same tune. At a November conference in London, they issued a communique urging the United Nations to launch an international privacy convention toward this end.

You and I as customers and employees would also benefit from one set of rules that we could come to know and understand — instead of the vast array of obtusely worded privacy notices that we see on Web sites and find in our mailboxes.

It’s hard to imagine a major constituency, outside of the Idaho and Michigan militias, that would be against the concept of a global privacy agreement, if it was properly worded. So, what’s the holdup?

It all comes down to two questions that the U.S. and Europe answer differently: What does privacy mean? And is privacy an inalienable human right?

If two major blocs of the Western world can agree on the first question and just agree to disagree on the second, the stage will be set for serious negotiations.

What does privacy mean? The word privacy is nowhere in the U.S. Constitution, and Americans have had a continuously changing view of what privacy means. I see three major turning points:

In 1890, Chief Justice Louis Brandeis asserted that there’s a right to protection from public disclosure of private facts.

In 1960, law professor William Prosser said there are four types of privacy violations: public disclosure of private facts, false publicity, appropriation of a name or likeness, and intrusion upon seclusion.

In 2006, law professor Daniel Solove offered four broader dimensions of privacy: information collection, information processing, information dissemination, and intrusion upon seclusion.

If you think that’s complex, consider this: The European Union has eight privacy principles, the U.S.-EU Safe Harbor privacy accord has seven principles, and Canada and Australia have each developed 10 privacy principles.

Is it possible to bridge all of these differences into one common meaning of privacy? I think so. There’s a tremendous amount of overlap among these lists. So I’ve been sharing a list of seven global privacy principles with my CPO peers over the past year, and it hasn’t generated any major objection (see chart). The major industrialized countries are converging on the question of “What does privacy mean?” and the time is ripe to start forging a consensus.

Global Privacy Principles?

These seven principles, which reflect the essential principles of the world’s various privacy laws, could form the basis of a global agreement on privacy:
1. Notice. Provide individuals a privacy policy at or near the time of collecting their data.
2. Relevance and Retention. Require individuals to provide only those data fields that are needed for the business at hand, and retain them only as long as needed for that business.
3. Access and Accuracy. Provide individuals a way to securely access and correct their information.
4. Security. Protect individuals' information from unauthorized access within the collecting organization and any other organization or country to which it is transferred.
5. Choice – Third-Party Sharing. Provide individuals a choice for whether third parties may access their information for analytical or marketing purposes.
6. Choice – Direct Marketing. Provide individuals a choice for whether they may be contacted for marketing purposes.
7. Enforcement. Appoint a senior executive to be responsible for annually assessing the organization's compliance with these principles.

Source: Jay Cline



Is privacy an inalienable human right? Europeans want the answer to be yes, and it’s hard to blame them. After the experiences of World War II, where Europe’s Axis-aligned governments exploited their access to citizen information to round up and execute opponents, you can see why Europeans want to go as far in the opposite direction as possible.

But Americans don’t think privacy rises to the preeminence of an intrinsic human right — a right the government must recognize and cannot curtail. To say that we have a “freedom of privacy” and that the government can’t stop us from being private would be one of the most ambiguous amendments to the U.S. Constitution we’ve ever had.

Every major constituency — citizens, businesses and governments — would benefit from a single set of global privacy rules. The question is, will the EU be open to compromise?

Jay Cline is a former chief privacy officer of a Fortune 500 company and now president of Minnesota Privacy Consultants. You can reach him at cwprivacy@computerworld.com.

Copyright © 2007 IDG Communications, Inc.
