31st International Commissioner Conference Promises Global Privacy Standard

Brandon Evenson is a 2010 JD Candidate at Osgoode Hall Law School.

On November 3rd, over 1000 privacy experts from 50 nations met in Madrid and drafted an agreement on international standards for the protection of privacy and personal data. Privacy organizations have touted the agreement as an expansive statement on the future of privacy. The agreement affirms that privacy is a fundamental human right and reminds “all countries of their obligations to safeguard the civil rights of their citizens and residents.”

Participants of the meeting hope the draft international standards will serve as the basis for a universal, binding legal instrument on data protection. Only a snippet of the draft standard has been released to the media, but a full 2-page declaration was provided at the end of the conference. It remains to be seen how similar the “new” privacy standard is to the one which was drafted in 2005 at the 27th International Data Protection Commissioners Conference. Ann Cavoukian, Ontario’s privacy commissioner, chaired a working group of commissioners convened for the sole purpose of creating a single Global Privacy Standard.  At the time, the working group recognized that a single law on data protection was beyond their reach, but felt it was possible to at least develop a single, global, privacy instrument.

Since then, other efforts at a global privacy standard have been undertaken. In September 2007, Google proposed a standard based on the Asia-Pacific Economic Cooperation Privacy Framework. The standard came under criticism because it was too narrow in scope. The primary objective of the framework was to prevent misuse of personal information and the consequent harm to individuals. It failed, however, to account for the fact that a failure to protect privacy jeopardizes other freedoms such as expression, assembly, access to information, and non-discrimination. Indeed, constant surveillance by an authority can deter citizens from voicing opinions about that authority or society in general. The harm that could result to society from constant surveillance is much more intangible than the financial loss from one individual’s stolen credit card number.

As discussed in Professor Lipton’s talk, Privacy is an amorphous concept which is difficult to define. Further evidence of this can be found in the Madrid conference’s declaration, which tries to identify a plethora of privacy issues that are occurring around the world. The declaration may also provide insight into the contents of the newly drafted Global Privacy Standard.

The declaration first begins with a preamble highlighting that there has been an increase in secret surveillance and collaboration between government and vendors of surveillance technology. It notes that new strategies to pursue copyright and unlawful content investigations pose a threat to communication privacy and that some corporations are acquiring vast amounts of personal data through internet-based services without independent oversight. The declaration also observes that existing privacy laws and institutions have failed to account for the new surveillance practices, the fusion of data between public and private sectors, and the privacy risks to vulnerable groups such as children, migrants, and minorities. The declaration preamble concludes with a warning that a failure to protect privacy jeopardizes other freedoms including the stability of a constitutional democracy.

The declaration then reaffirms support for a global fair information practices framework and independent data protection authorities; urges countries to implement and enforce their own privacy laws which, at a minimum discloses breaches in privacy to individuals; recommends further research into “deidentifying” techniques; and calls for a moratorium on the development of systems of mass surveillance.

Finally, the declaration concludes with a call for a new international framework for privacy protection that is based on principles such as the rule of law, respect for fundamental human rights, and support for democratic institutions.

While the Madrid declaration contains a number of motherhood statements about preserving lofty ideals via privacy, the true test of the conference’s success will be whether these statements can be transformed into a well balanced standard that appropriately regulates all forms of intrusions of privacy, now and in the future.