Brandon Evenson is a 2010 JD Candidate at Osgoode Hall Law School.
In November of last year, as part of the 31st International Data Commissioners Conference, privacy experts from around the world met in Madrid Spain to draft an international standard for the protection of privacy and personal data. It does not come as a surprise that the new Standard significantly overlaps with the Global Privacy Standard (GPS) drafted in 2005 at the 27th International Data Protection Commissioners Conference in Switzerland. Both the GPS and Madrid Standard were created with an eye to fundamental privacy principles and appear to be compatible with one another. The purpose of the GPS was to provide a single instrument that reflected universal privacy principles. The Madrid Standard, however, was created with the ambitious goal of eventually becoming a binding international instrument. As such the GPS, for the most part, is written in more general language while the Madrid Standard fleshes out more of the details. It is apparent, though that the Madrid Standard is still in its infancy and far from ready to be adopted by states as a binding international agreement.
First, a number of important principles in the GPS were not included in the Madrid Standard. While the Madrid Standard explicitly recognizes the concept of “data minimization” – a concept first introduced in the GPS requiring data processors to make reasonable efforts to limit the use of personal data to the minimum necessary – it was disappointing to see that the GPS guidance statement was dropped. The GPS states that:
“the design of programs, information technologies, and systems should begin with non-identifiable interactions and transactions as the default and that wherever possible, identifiability, observability, and linkability of personal information should be minimized”
It was strange that this statement was not included given that the Madrid Standard is full of non-binding guidance statements (s. 22). The Madrid Standard should have taken the guidance statement one step further and added some mandatory language around it so as to add some teeth to the data minimization principle.
Second, one of the important ongoing privacy debates is in defining what information is private and subject to privacy standards. Should information that could only result in a real harm (eg. pecuniary harm, arbitrary discrimination, identity theft) be considered personal information, or should the definition be expanded to include perceived harm? Perceived harm is an amorphous concept and highly dependent on the individual and the situation. For example, an individual may not feel it is an invasion of their privacy if others were made aware of their purchase habits. They may feel, however, that their privacy has been infringed if their location is processed and communicated without their consent irrespective of whether this resulted in any negative consequences. In some situations the consequences may be remote and difficult to foresee but still possible and highly dependent on the situations. In 2007, Facebook enabled a service called Beacon which tracked a user’s purchases made on affiliate sites such as eBay North America and Travelocity, and then notified the user’s network of these purchase. Except for erotic materials, it would be difficult to see how the communication of someone's purchases could result in any harm. Harm nevertheless did occur. One commenter on a blog described how he had purchaed a diamond engagement ring for his girlfriend from Overstock.com. Without hours he received a call from one of his good friends to congratulate him on his engagement. The problem was that up until that point he had not told anyone of his purchase nor proposed to his girlfriend. Without his permission, Beacon and Overstock.com had posted his engagement ring purchase along with the amount paid and a link to the item on his Facebook profile for all his friends to see. Harm certainly did result, but who could have foreseen such a situation?
The Madrid Standard defines “personal data” in s. 2 as: “any information relating to an identified natural person or a person who may be identified by means of reasonably likely to be used.” Section 6 provides further guidance on what constitutes “personal data”. It says that: “Any processing of personal data that gives rise to unlawful or arbitrary discrimination against the data subject shall be deemed unfair.”
Even with s. 6, the definition of personal data is less precise than Article 2 of the EU Directive 95/46/EC which has been criticized for not providing enough guidance. Article 2 of this Directive defines personal data as:
Any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified directly or indirectly…by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Contrast this with the GPS which defines “personal data” this way: “An individual possesses a physical, social, and informational identity that relates to his or her private domain. We refer to this as personal information – recorded or oral information related to an identifiable individual.”
If one were to only use the Madrid Standard, it would be difficult to say whether, for example, an IP address, a picture of someone on the street (e.g. Google Streetview), or GPS location coordinates paired with a unique mobile phone identification number, would fall under the definition of “personal data”.
The Madrid Standard does attempt to provide a more precise definition of “personal sensitive data”:
"Data which affects the data subject’s most intimate sphere or data likely to give rise, in case of misuse, to: unlawful or arbitrary discrimination or a serious risk to the data subject. In particular, those personal data which can reveal aspects such as racial or ethnic origin, political opinions, religious or philosophical beliefs as well as those data relating to health or sex life, will be considered sensitive data." (s. 13)
Despite this definition, the Standard fails to specify how “sensitive personal data” should be treated differently from “personal data”. The Standard leaves it up to individual states to legislate additional conditions for processing sensitive data.
In addition, rather than providing clarification and consistency, s. 6 and s. 13 may actually result in more confusion. Information that falls under the definition of “personal data” in one state may not fall under the definition in another state because of geo-political differences. For example, if an individual’s political views are disclosed in Canada, it is unlikely it would result in arbitrary discrimination or a serious risk to the individual. In China, however, it is conceivable that the communication of an individual’s political views could indeed result in arbitrary discrimination or serious risk. Point in case, Google announced this past Tuesday that it had been targeted by a sophisticated cyber attack on its corporate infrastructure.
Google concluded that the primary goal of the attackers was to hack into the Gmail accounts of Chinese human rights activists. The attackers appeared, however, to succeed at obtaining access to only two accounts. That access was limited to basic account information, such as the date the account was created and the subject lines of e-mail, not the content of the correspondence. Based on the Madrid Standard’s definition, would this information be considered “personal data”? Assuming the Madrid Standard was in-force in both US and China, would Google be required to disclose such a breach only in China, but not in the US?
Finally, the Madrid Standard also fails to address some of the concerns raised in the Madrid Declaration. Among the many issues discussed in the Declaration, it specifically mentioned that privacy laws and institutions have failed to take full account of the risks to vulnerable groups such as children. The Madrid Standard as well, fails to provide additional protection for children with respect to privacy. The Declaration also urged countries to ensure that individuals are promptly notified when their personal information is improperly disclosed or used in a manner inconsistent with its collection. The Madrid Standard, however, only requires that individuals be informed of security breaches if it could “significantly affect their pecuniary or non-pecuniary rights.” (s. 20(2))
Finally, The Madrid standard lacks the look and feel one would expect from an international instrument. This is evidenced by the inconsistent use of words such as “shall”, “should”, and “must” to refer to obligations, the use of vague terms to describe important rights and powers, and the use of colloquial expressions throughout. This may be a minor point on instrument drafting, but it is important if this standard is to eventually govern the processing of personal data at the national and international level.
Despite these issues, certain aspects of the standard are commendable and forward-looking. For example, individuals are explicitly given privacy rights (s. 16-19). The Madrid standard recognizes that sensitive personal data includes more than just information creating a risk of tangible harm. It was also interesting to see an accountability principle included in the Standard. Accountability requires organizations to have the necessary internal mechanisms in place for demonstrating the observance of the other principles and obligations to the data subject and the supervisory authority. Note that Canada has a similar (but more detailed) clause in the Personal Information Protection and Electronic Documents Act, Schedule 1.
Despite these comments, one should bear in mind that the Madrid standard is still in draft form. It was only intended to be the next step towards the development of a binding international instrument. It will be interesting to see whether there is enough momentum and leadership to continue to build out this Standard in subsequent International Data Protection Commissioner Conferences.