Global privacy standards should focus on preventing harm to consumers
November 14th, 2007 | Published in Google Public Policy
We're gratified that Google’s recent call for global privacy standards has sparked a healthy debate. Nearly everyone agrees that factors such as globalisation, the growing recognition of privacy rights, and technological developments have accelerated the urgency of global privacy protection.
However, our support for the emergence of the APEC Privacy Framework has generated some criticism, which I'd like to address. The APEC Privacy Framework was inspired by the OECD Guidelines on the Protection of Privacy and is concerned with ensuring consistent and practical privacy protection across a wide range of economic and political perspectives.
At the core of the APEC framework is an entirely new privacy protection principle that does not exist in the regulatory frameworks of the 80s and the 90s: the “preventing harm” principle. The starting point is that personal information protection should be designed to prevent the misuse of that information. Since the greatest risk of that misuse is harm to individuals, we need a set of rules that seek to prevent that harm.
Using the reasoning of the APEC framework, global privacy standards should take account of the risks derived from the wrongful collection and misuse of people’s personal information and be aimed at preventing the harm resulting from those risks. Under the “preventing harm” principle, any remedial measures should be proportionate to the likelihood and severity of the harm. Some critics have said that the APEC framework is ambiguous and that the “preventing harm” principle does not look at privacy protection from the point of view of the individual. However, the focus of the “preventing harm” principle is precisely the individual and what is perceived as harmful by that individual.
Others see the APEC framework as the weakest international framework in this area and support the original OECD Privacy Guidelines because they are based on a simple approach to privacy protection. But is this approach a valid one to address the challenges of the Internet age? In today’s world, virtually every organisation – public or private, large or small, offline or online – relies on the collection and use of personal information for core operational purposes.
At the same time, regulators around the world are acknowledging the fact that they have limited resources to deal with all aspects of personal information protection. And three-quarters of the countries in the world still don't have meaningful privacy regimes in place. We believe that the APEC framework is the most promising foundation to advance privacy protections in those countries. What is wrong then with looking at this very practical challenge in a practical manner and trying to prioritise what really matters to people in an objective, yet flexible, way?
Fortunately, some regulators are also looking at the “preventing harm” principle as a valid way forward. The UK Information Commissioner recently published its data protection strategy, which emphasises the need to make judgments about the seriousness of the risks of individual and societal harm, and about the likelihood of those risks materialising. The strategy document goes on to say that the UK regulator’s actions will give priority to tackling situations where there is a real likelihood of serious harm.
Using this approach, the key issue for policymakers and regulators is to figure out what is (or can be) harmful and what isn’t. Sure, identity theft and spam are bad. But is targeted advertising harmful or beneficial for consumers? What about the use of cookies to remember consumers’ preferences or computer settings? Do they make life easier or are they a harmful consequence of our online activities?
The truth is that the newest generation of Internet users are in the best position to know what is good and what is bad -- what amounts to 21st century online interaction and what is a potentially harmful intrusion into their private lives. Their perception of what is justified and what is not should be a determining factor in the protection of their personal information so that the “preventing harm” principle is not seen as a weakness, but as an objective yardstick of how to protect people’s privacy.