Privacy and Accountability
Challenge of Privacy Advocacy
• Privacy is often conceptualize:
– negative terms, right of being left allone, in metaphors of defense: the home, the self,
the citadels of individual and group privacy (Westin 1967)
Ø An idea of a universal, natural-law-like value
• Privacy is a historical concept:
– challenged by technological change and
– changing with social trends…
– Privacy is part of the social fabric, constituted by mechanism of sorting,
exclusion and inclusion, such as surveillance and social control.
Ø What is to be defended and protected against … is constantly
changing in itself…
Discourse on Data Sensitivity:
Beliefs and Political Views or Health and Wealth?
• Idea: Sensitive data needs special protection!
• Issue: what is sensitive data?
– Legal recognized definitions: Council of Europe Convention (1981); UN-Guidelines (1990); EU
Data Protection Direction (1995):
Racial or Ethnic Origin,
Political opinion, Religious,
Philosophical or other Beliefs,
Sex life, Trade union membership,
Association membership;
Health; Criminal convictions;
Colour of skin
– Assessment of people:
Financial Data,
Health Information; Sex life
Personal Contact Data,
Genetic & Biometric Information
Addresses
Data
Collection
Linkage
Problem: Can data senistivity – in an age of increasing
interconnectivity, -operability, and data linkability –
still be normatively defined without blinding out
sensitive data ?
If law is not enough, how can accountability be of
stakeholders, e.g. in the area of security, be achieved?
Analysis
Circles of
inclusion
Decisions
and
exclusion
Towards Accountability?
• Stepping beyond Law and Technology; focusing on
organisations and their privacy awareness!
• Accountability depends on the privacy awareness of
an entitity or organisation collecting and/or processing
data.
• However, privacy awareness heavely depends on the
relative position of an organisation with in the security
regime.
Privacy Awareness
•
Privacy awareness may follow different rationales of security organisations
depending on market, market-state and/or state-citizenship relations.
•
Thus, accountability will differ from security to security organisation may it
be a Securtiy Technology Producer, a Security Service Provider, an Security
Association, or a Governmental Security Agency etc.
•
To assess the privacy awareness of security organisations it can be distinguished between:
– the Incentive for privacy awareness: (1) Avoid public slaughter, (2) better
image, (3) ethical position
– the Scope of privacy awareness: (1) Achieve compliance, (2) achieve
privacy compliance, (3) privacy enhancement
– the Communication of privacy awareness: (1) intra-oganisational,(2) interoganisational, (3) public
Delegation of accountability or the
Americanisation of the Privacy?
Organisational Perspective
•
•
•
Privacy efforts rarely exceeds
compliance; it is confused with data
security.
Privacy, if at all, is communicated
mainly inter-organisational; public
communication is often avoided; only
scandals triggers public debate;
Privacy is not translated through
market mechanisms (for most actors
are mainly b2b-producers or service
providers).
Accountability
•
•
•
Security organisations hold not
themselves but the client accountable
for privacy (consumer's choice, no
demand/awareness on client side).
Interviewees point at (young) people's
inresponsible behavior
The attitude of “users' own fault” is
very commonly used to relocate the
privacy problem
Not the governmental security agencies (acting according to the law), but the
private security organisations, not the security privacy providers but the
customers or end-users, not the customers or end-users but the consumer
respectively the citizen is accountable for his individual privacy!
Regulative Instruments
•
•
•
•
Informative
– Privacy Seals
– Privacy Policies
•
Regulative Self-Regulation
•
– Privacy Audits
– Privacy Codes of Conduct
•
– BDSG
•
Participative & Deliberative
– Reputation Systems
– Privacy Nutrition Label
– […]
Technologies
•
•
•
•
[…]
EU-Directive
Privacy
Principles
Legal Provisions
Anonymisation
Pseudonymization
Storage Systems: eSafe
[…]
[…]
Privacy Innovations
Low data protection relevance
Information based
measures
Low user acceptance
High data protection relevance
Process structuring
measures
Infrastructural
measures
direct or indirect
user interaction
Law &Technology
High user acceptance
Diffuse user acceptance
Thank you for your attention!