October 26th, 2022
I first attended an international meeting of the world’s privacy and data protection commissioners in 1987 in Quebec city – 35 years ago. I was a student, and the hosts gratefully allowed me, and a few other observers, to watch the one-day public session of what was then a very small gathering of no more than a dozen data protection authorities.
The keynote was given by my friend and mentor, David Flaherty, who as you know has just sadly passed away. David had just completed his important book, Protecting Privacy in Surveillance Societies. And he decided to give a keynote that was unequivocally critical of the collected data protection and privacy officials around the table. He succeeded in irritating almost everyone in the room. The data protection authorities were “legitimating” surveillance, he argued. Through their laws and decisions they were allowing surveillance societies to develop. They were concentrating too much on resolving individual complaints, and were blind to bigger societal transformations.
So in the spirit of my dear late friend, I also intend to be deliberately provocative, safe in the knowledge that nobody is going to accost me during the Turkish coffee break.
According to Graham Greenleaf, there are now over 140 countries with data protection or privacy statutes. We now have privacy management programs, privacy impact assessments, privacy enhancing technologies, privacy officers and their associations and so on. There is a lot of activity. There is a lot of policy. Privacy has become big business. And yet, we undoubtedly also have more surveillance. We have far more policy, law, engagement and education, but we also have an unprecedented level of monitoring of our citizens that at any time in history.
Some would say that, of course, it would be a lot worse but for the important work of this community. And there is much truth to that. You and the laws you administer do constrain, and they do check the obvious appetite of some businesses and governments for more and more data.
But the root of the problem is that mass surveillance is not the side-effect of personal data processing, it is the essential reason. Contemporary data protection and privacy principles need to now address the reality that dominant data-driven enterprises have shifted away from a service-oriented business model towards one that relies on monetizing personal information through the surveillance and manipulation of individuals and groups, thus exacerbating the power asymmetries between these organizations and individuals.
“Mass surveillance enables significant power imbalances and hinders people’s autonomy and dignity. It creates an environment of suspicion and threat, which can cause people who are not engaged in any wrongdoing to change their behaviour, including the way they act, speak and communicate…..in doing so, it inhibits the legitimate exercise of our rights. It endangers society’s ability to experiment and evolve.”
Thus, with all respect to our Turkish hosts, this is not a “matter of balance” as the central theme of this conference is defined, it is a question of power and control. “Balance” is the problem. For 40 years, governments and DPAs have been “balancing” privacy rights with the inexorable appetite of organizations for personal data. And privacy has generally lost. As soon as the question and the problem are framed as a question of “balance,” the game is up. Surveillance will continue largely unregulated, and individuals will continue to be appeased with soothing and melifluous guarantees that “your privacy is important to us” — a phrase that is so appealing precisely because “privacy” is so nebulous and malleable.
Think back to 1987. If the participants at that meeting had been told that companies were going to monitor not only what people were buying (which of course they were doing) but what they were thinking of buying, or even predicted to be thinking of buying, or feeling like buying, there would have been outrage. Just suppose that companies were actively following people around shopping malls and recording not only what they purchased, but what they were looking at in the shop windows, it would widely have been regarded as unequivocally wrong – as a “no go zone” in contemporary parlance. And nobody would have contended that there was a need to “balance” the legitimate needs of the organization with those of the individual.
And yet that is exaclty what is happening on the internet today, largely in secrecy and involving a complex and obscure network of actors and technologies that no one regulator, let alone academic, can completely understand. And yet we still talk about the need to balance the needs of the organizations and platforms within the complex internet advertising “ecosystem” with the privacy rights of individuals.
Tragically, mass surveillance on the web is premised on the assumption that most regulators lack the resources and the ability really to do much about it – just ask the Office of the Privacy Commissioner of Canada and its struggles with Facebook.
It is premised on the assumption that “consent” is not a constraint on corporate behavior — but a license.
And it is based on the fiction that “your privacy is important to us.”
Thus, what are the key privacy risks? I have come to the conclusion that that is not the main question any more. The question is about power and about democratic control – but perhaps it always has been.
And I think my late friend and colleague, David Flaherty would have agreed.