Last week the privacy world gathered in Montreal for the most important global privacy conference on the calendar. The International Data Protection and Privacy Commissioner’s conference brings together hundreds of privacy commissioners, government regulators, business leaders, and privacy advocates who spend three days grappling with emerging issues. I was privileged to be asked to provide some concluding remarks in the final plenary.
This year’s conference theme was “Terra Incognita,” a reference to the unknown lands that typify the fear of the unknown in a world of rapidly changing technologies that challenge the core principles of privacy protection. Yet despite a dizzying array of panels on new technologies such as ubiquitous computing, radio frequency identification devices (RFID), and nanotechnology, it was a reference by U.S. Secretary of Homeland Security Michael Chertoff to a simple fingerprint that struck the strongest chord.
Canada last hosted the conference in 1996 and it quickly became apparent that privacy has become virtually unrecognizable in the intervening eleven years. The technological challenges were on display throughout the event including eye-opening presentations on the privacy impact of popular children’s websites such as Webkinz and Neopets, on genetic innovation that is pushing the boundaries of science without regard for privacy, and on the continual shift toward tiny devices that can be used to collect and disclose personal information.
The conference placed the spotlight on the growing “toolkit” of responses, including privacy audits of both public and private sector organizations, privacy impact assessments that are used to gauge the effect of new regulations and corporate initiatives, trust seals that include corporate compliance programs, and emphasis on global cooperation in a world where personal data slips effortlessly across borders. While the effectiveness of these measures has improved in recent years, there remained a pervasive sense that these responses are inadequate.
Part of the unease arises from the growing realization that the legal foundation of privacy law is being rendered increasingly irrelevant. Canadian privacy law has long relied on the twin pillars of notice and consent whereby consumers are notified of, and consent to, the collection, use, and disclosure of their personal information. Critics argue that both notice and consent are today little more than legal fictions, as consumers ignore overly complex notices and shrinking technology makes it virtually impossible to obtain informed consumer consent.
Moreover, privacy law has also emphasized the distinction between personally identifiable information – information that can be traced to a particular person and is therefore deserving of legal protection – and non-identifiable information that does not enjoy any legal protection. Technology threatens the ability to easily distinguish between the two as powerful computers and ever-expanding databases make it easier to identify individuals from what was once thought to be non-identifiable information.
Addressing these legal shortcomings will command the privacy community’s attention for the foreseeable future; however, it was Chertoff’s keynote address that crystallized the challenge to global privacy protection. In a room full of privacy advocates, Chertoff came not with a peace offering, but rather a confrontational challenge. He unapologetically made the case for greater surveillance in which governments collect an ever-increasing amount of data about their citizens in the name of security.
For example, in support of his security agenda, he noted that U.S. forces in Iraq once gathered a single fingerprint from a steering wheel of a vehicle that was used in a bombing attack and matched it to one obtained years earlier at a U.S. border crossing. He added that there was a similar instance in England, where one fingerprint in a London home linked to a bombing was matched to a fingerprint gathered at a U.S. airport (the identified person was actually innocent of wrongdoing, however). Chertoff explained that this fall the U.S. intends to expand its fingerprinting collection program by requiring all non-Canadians entering his country to provide prints of all ten fingers (it currently requires two fingerprints). In the process, his vision of a broad surveillance society – supported by massive databases of biometric data collected from hundreds of millions of people – presented a chilling future. Rather than terra incognita, Chertoff seemed to say there is a known reality about our future course and there is little that the privacy community can do about it.
As privacy advocates lamented the remarks, warning of creeping surveillance and urging commissioners to take action, delegates were left to wonder whether the privacy world will again be unrecognizable when the Data Protection and Privacy Commissioner’s conference next convenes in Canada.