CFP96 Paper

For the plenary session: Privacy and the GII

Colin J. Bennett


Associate Professor
Department of Political Science
University of Victoria
Victoria, BC V8W 3P5 Canada
(604) 721-7495
cjb@uvic.ca

A Standard For Privacy on the Global Information Infrastructure?

Forces For Policy Convergence

Strong pressures for "policy convergence" have forced different states to define "privacy protection" in similar ways and to legislate a broadly similar set of statutory principles to grant their citizens a greater control over personal information (Bennett, 1992). These pressures for convergence will increase. National and international initiatives to construct "information infrastructures" will extend the technological imperative and create inexorable pressures to globalize data protection. The European Union's Data Protection Directive contemplates a further harmonization in Europe of both the principles of data protection and the means by which those principles are implemented (EU, 1995). It will have an extra-territorial effect, both as a model for others to emulate, and as an instrument to force other countries to "come up to standard."

The general pressures to conformity have increased as more and more countries have joined the "data protection club." At the end of 1995, of 24 OECD countries, only 7 (the US, Canada, Australia, Japan, Italy, Greece and Turkey) have failed to enact a comprehensive data protection statute, overseen by an independent oversight agency. The issue is firmly on the political agendas in each of these countries, with the exception of the United States.

The Limits to Privacy Protection on the GII

The making of privacy policy is an activity that takes place in anticipation of largely unknown technological developments and dangers, producing a strong incentive to formulate laws with sufficient latitude to embrace future eventualities. Legislators in national and international arenas have always had to operate on a ground that is moving beneath their feet. The rapidity of change will continue to call for policies that are stated in terms of very general principles that can be applied to the technology practices that enter our public and private organizations.

To the extent that privacy protection policy will continue to converge, therefore, it will probably do so at high levels of generality. A continued convergence of the principles of data protection, and to some extent of the instruments through which those principles are enforced, does not necessarily mean a convergence of practice. Even in Europe, convergence will only extend to the expected principles rather than the observed practices, as no national data protection authority has the resources to audit organizations on a continuing basis to ensure that "adequate levels of protection" are indeed met. None, moreover, has been able to develop a yardstick by which to evaluate how a "level" of data protection may be observed, let alone measured (Raab & Bennett, 1995). The translation of fair information principles into fair information practice is a slow, halting and frustrating process which demands more than legal fiat and regulatory power. It also requires a shift in organizational culture and citizen behaviour, which in turn depends on a complicated and fluid set of organizational, cultural, economic and technological forces.

Proponents of a global privacy protection policy also have to confront the likelihood that policy convergence will never extend to every country on the GII. It will probably not even extend to the United States where privacy policy will continue to be susceptible to the vagaries of a fragmented and reactive political system in which anti-privacy interests will always be strong. This is ironic as the modern theory of "information privacy" and the associated "fair information practices" doctrine was largely an American invention. This American exceptionalism will continue to be justified with a number of specious arguments that proceed from the faulty assumptions that the US is "different" and that the hodgepodge of federal and state laws enforced through the courts amounts to data protection by other means.

The Need For an International Standard For Privacy

Some hope for progress might lie in the development of an international privacy standard. This process began in Canada when in 1992 the Canadian Standards Association (CSA) began to negotiate a Model Code for the Protection of Personal Information with a committee of stakeholders from business, government and consumer groups (CSA, 1995). The CSA Model Code was passed without any dissenting vote on September 20, 1995, approved by the Standards Council of Canada and published in March 1996. The privacy code can now be adopted by different sectors, adapted to their specific circumstances and used as a way to promote the fair information principles in both public and private organizations. There is a possibility that it will be referenced in federal/provincial law (IHAC, 1995).

The CSA Model Code is a different instrument from those "voluntary codes" developed by companies or trade associations. It is a standard and has the potential to operate in the same way as many other quality assurance standards (such as those within the increasingly popular ISO 9000 series). Organizations would be pressed by government, clients and/or consumers to demonstrate that they implement fair information practices, would adopt the standard and would then be obliged to register with an accredited certification or registration body. The scrutiny of internal operational manuals and/or onsite auditing would hopefully be a prerequisite for maintaining a registration (Bennett, 1995).

In 1995 the International Standardization Organization (ISO) began to examine the feasibility of an ISO privacy standard based on the Canadian model. Such a standard would assist international business in its attempts to claim an "adequate" level of data protection. It would bolster the enforcement of the EU Directive. It could add an important instrument of enforcement even within societies that have omnibus data protection law. A standards approach is based on the assumption that higher levels of privacy awareness are required in some organizations than in others, and that over time these higher standards would be forced through marketplace and governmental pressure.

An ISO privacy standard is not a replacement for law, which still constitutes the only instrument by which a society as a whole can draw a line between acceptable and unacceptable practices. On the other hand, an ISO standard could prove a valuable policy instrument that might "plug the leaks", enforce the adequacy standard within the EU Directive, subject the worst abusers of personal information to regular auditing and be more flexible than law to the new surveillance challenges of the global information infrastructure.

References

Bennett, Colin J. (1992). Regulating Privacy: Data Protection and Public Policy in Europe and the United States. Ithaca: Cornell University Press.

Bennett, Colin J. (1995). Implementing Privacy Codes of Practice: A Report to the Canadian Standards Association. Rexdale: CSA.

Canada, Information Highway Advisory Council (IHAC) (1995). Connection, Community, Content: The Challenge of the Information Highway. Ottawa: Minister of Supply and Services.

Canadian Standards Association (CSA) (1995). "Model Code for the Protection of Personal Information". CAN/CSA-Q830-1995. Rexdale: CSA.

European Union (EU) (1995). Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data. Brussels, OJC 93, 13 April 1995.

Raab, Charles D. & Bennett, Colin J. (1995). "Taking the Measure of Privacy on the Information Highway." Paper


Last updated June 23, 1996
cfp96@mit.edu