Privacy law and compliance make me humble. Devising practical privacy guidance for an enterprise client is hard.
The reason is that privacy interests envision rights and responsibilities that conflict with other worthy interests.
Shelter from Persecution
Take the so-called right to be forgotten. Thought leaders in Europe argue that as a matter of human rights an individual should be able to force someone, like Facebook or a tax authority, to search through its records and delete data about the individual. The justification for this right is that it shelters the individual from pestering, persecution and embarrassment.
The right carries appeal in this networked age of big data. Which 35-year-old wants employers – or their own children – to have Google access to indiscreet photos they posted to MySpace back in high school?
Absurd Extremes
Yet the right to be forgotten, like many other data privacy principles, seems absurd when taken to extremes.
Should a stupid politician (Anthony Weiner) be able to force Twitter to delete embarrassing photos of himself that he transmitted by accident? No, argues Alexander Alvaro, vice president of the European Parliament and an influential voice on privacy. Public interests, including freedom of expression, seem to outweigh the politician’s interest in his own personal privacy.
Other interests conflict with an absolute right to be forgotten . . .
Conflict: Records as Legal Proof
An organization like a tax authority may have a plethora of sound reasons for retaining records about a person. The organization may need the records to fulfill lawful investigations, or to prove the organization complied with myriad legal requirements relative to the individual (e.g., paid her a refund or granted her an exemption).
Similarly, a commercial business may need records about its customers to ward off lawsuits alleging that it defrauded the customers or failed to account for transactions with the customers.
Imagine the injustice that could ensue if individuals possessed an absolute right to be forgotten. Suppose customers sue an insurance company for cheating them. Under an absolute right to be forgotten, the customers could demand, while the lawsuit is pending, that the company delete the very records that show the company treated them honestly!
Conflict: Far-flung Copies of Data
An absolute right to be forgotten conflicts with the configuration of modern technology and the public’s expectations for the cost and performance of the technology.
Enterprise computers today are not stand-alone devices. They are connected to complex networks. Data are replicated across many media and machines for purposes of speed, efficiency, reliability and backup.
The implication is that for an enterprise to find and delete each and every copy of a photo or statement about a person can be next to impossible.
Conflict Compounded by Overlapping Laws
In our global Internet, the laws applicable to any given transaction or unit of data can come from multiple countries simultaneously. A retailer in Hong Kong can process a transaction with a Canadian customer through a financial system and servers located in Singapore. Tax regulation in Hong Kong may require retention of records for seven years, while a Canadian privacy authority may opine that the customer has the right to force destruction of such records at 18 months.
Which Principle Triumphs?
Obviously, in a conflict any principle of privacy must yield to other, superior principles.
By the same token, privacy advocates argue that principles like freedom of expression and record retention regulations must yield when privacy interests are superior.
This conflict of principles promises to endure even if the right to be forgotten itself is never enshrined into any particular law. Before the right-to-be-forgotten debate started, privacy authorities had already said data must sometimes be deleted when it is no longer needed.
Conflicts Bewilder Data Holding Enterprises
The foregoing conflicts among laws and principles bewilder businesses and government agencies as they develop data policies and manage data systems.
The conflicts apply across innumerable units of data, as the volumes of data swell.
The conflicts can apply with a fine degree of granularity: careful analysis may conclude that one item of data about John must be deleted while a similar item of data about Sally must be preserved.
Analysis and debate about which principle (retain or destroy) is superior under different particular situations can go on endlessly. With time, the analysis and debate – keep this unit of data, destroy that unit of data – begins to feel like an all-consuming, ivory tower exercise.
Demonstrated Intent to Be a Good Citizen
What is a data holding enterprise to do? It cannot employ armies of academics to research and debate all sides of every issue applicable to every unit of data.
Unfortunately, however, the conflicts above will not go away. The risk that an enterprise will make the wrong decision – and suffer under law – will persist.
The best an enterprise can do is to strive to be a good citizen, and demonstrate that it is earnestly trying to do what is right, within its limited resources.
A Genuine Process Lowers Risk
The enterprise lowers its risk if it maintains a genuine, on-going process for evaluating and improving its compliance amid the conflicting principles . . . even though it will never achieve perfection.
Such a process can include informed, documented deliberation about decisions on data retention and destruction. Such a process appears more genuine when the enterprise employs people who are qualified to engage in the deliberation and then implement decisions that emerge from the deliberation.
An authentic process evinces an attitude of compliance and good intent, even though the process will be overwhelmed in practice by the magnitude of the conflicts and the ever-growing volumes of data.
–Benjamin Wright
Mr. Wright teaches the law of data security and investigations at the SANS Institute.