Privacy by design: the way forward

15.10.2008

Speech by Rasmus Kjeldahl, President of BEUC, at the 30th International Conference of Data Protection and Privacy Commissioners, 'Privacy in a borderless world', 15-16 October 2008, France.

(Panel 1: “Is privacy an obstacle or an asset for global economic growth?”)

Ladies and gentlemen,

First of all I would like to thank the French (CNIL) and German (BfDI) data protection authorities for organizing this conference and for this invitation.

Today I speak on behalf of BEUC - the European Consumers’ Organisation - but I am also deeply involved in the Danish Data Protection Agency through my seat on its board - an example of stakeholder participation that may be used as inspiration elsewhere.

Today I will touch on three issues strongly related to today’s panel:

  • consumer awareness of privacy issues on the web
  • the case for privacy-friendly business models
  • and finally: what solutions for the future

In the digitalised and borderless world of the Internet consumers are leaving traces everywhere. Cookies, crawlers and similar software are reporting on our use of web pages, search terms and shopping - and we are read over our shoulder when we are using free email accounts or online social networks such as Facebook. An ever increasing, effortless and invisible collection of our personal data and our behaviour takes place.

This steep increase in data generation also increases the risk of data being compromised.

But what do consumers know about this?

Do they realise to what extent they leave (digital) traces that are stored and analysed? Unfortunately only a minority are aware!

This does not mean that consumers do not care!

Let me give you a few figures which were published in a Eurobarometer survey from February 2008:

  • 64% of EU citizens are concerned about data protection issues. They feel that awareness and information on these topics are not yet satisfactory.
  • Only 48% of respondents thought that their data was properly protected in their own country.

But despite the many who care and are concerned, consumers often have little choice but to accept the insecurity - the only alternative is renouncing the use of technology.

And do consumers know that when they use web services they in many cases accept contracts which allow companies to transfer the right to use their data to a foreign jurisdiction?

They don’t know - because it is very difficult to find out!

Even if such practice should be stated in an Internet company’s privacy policy, you first have to find these policies!

And even if you are lucky enough to find the well-hidden terms of contract related to privacy, you then have to work out what they mean… Again, that’s far from being simple even for specialists.

These observations are important for my second point and the topic of this panel: the case for privacy-friendly business models.

When a consumer, knowingly or not, entrusts his personal data to an undertaking, he is usually unaware of the subsequent use of his or her personal data. And the consumer is also unaware of the economic value of his personal data. Consumers therefore give data away for free and - unfortunately - often in a rather careless way.

Companies see this value and will in various ways seek to explore it as much as they possibly can. Combining data sets from different sources dramatically increases the economic value of data - but also the potential intrusion into consumers’ privacy.

Respect for privacy and controlling access to own data has a value to consumers - either because consumers want to keep their privacy - private! - or because they may want to decide for themselves who gets access to data - maybe in the future for a fee or, more likely, by getting some service in return.

The existence of this economic rent tells us that there must be a case for developing privacy-friendly business models that give consumers full control over own data. In fact companies should see data protection as part of their Corporate Social Responsibility. They should build their reputation on the confidence consumers can have in them as to the protection of their personal data - and perhaps even the possibility of influencing future use of this data.

However, for companies to derive this privacy rent we need strong data protection - both in terms of legal instruments and effective enforcement. Otherwise the economic value of privacy is eroded.

Unfortunately, in our view, the current situation with too little awareness among consumers, rapidly expanding data-flows and insufficient enforcement is not providing strong incentives to establish privacy-friendly business models.

Hopefully higher consumer awareness and better legal means may change this in the future.

Finally, I would like to say a few words about the possible solutions for the future.

One solution - often proposed - is to have more self-regulation or co-regulation. Let me be clear: We in BEUC do not think this is a good idea. Our experience shows that in order for such a system to work at least two crucial conditions must be present:

1. Having clearly identified stakeholders - which is difficult at the global level

2. A strong commitment of the industry representatives. This implies a well-organised industry - which is not, or rarely, the case.

Our negative conclusion seems to be shared by the EU Commission, at least when it comes to European codes of conduct regarding personal data.

Another solution could be an international legal instrument: several initiatives already exist at OECD, Council of Europe or UN level. Without even considering the problem of enforcement, the difficult question is whether countries could ever agree to a single set of ambitious rules - knowing that the notion of “privacy” is very closely linked to culture, legal systems and tradition. For the time being this seems in our view unlikely.

So what then? There is probably not one magic solution, but what we call ‘privacy by design’ needs to be part of the solution.

Privacy by design means to include privacy in the design of the technology and the business model rather than dealing with privacy questions afterwards. Data protection principles such as data minimisation, allowing customers to conceal identity or to control access to own data, should be built into a company’s system as from the start of the design of its business model. Data protection should also be an inherent part of new technologies such as RFID chips. Including it from the start is cheap - adding it afterwards is expensive and less safe.

To conclude:

Consumers are insufficiently aware that data protection is an important issue and a concern to them personally. They feel quite unable to respond to this concern as issues linked to privacy on the web seem concealed - often deliberately. However, awareness is increasing - not least due to some recent scandals about breaches of privacy.

There is a strong case for developing more privacy-friendly business models in the future. Strong legal means are necessary to support this development. Self-regulation will not do the trick. And finally, privacy by design needs to be part of the global solution, regardless of the choice of legislative approach.

Thank you for your attention.
