THE TRUST DIMENSION Malcolm Crompton Privacy on the

THE TRUST DIMENSION Malcolm Crompton Privacy on the International Stage: A Vision of the Future IAPP TRUSTe Symposium: Privacy Futures Plenary 2, Day 2 San Francisco 10 June 2004

THE TRUST DIMENSION The Future: Always start with the past Over the last 5 years: – Dot boom – Dot crash – 11 September 2001 These events have clearly set the scene

THE TRUST DIMENSION Examples Adventurous additional use/disclosures – Toysmart attempted sale of personal information a dot boom & crash example Malevolence & Mischief – Spam, viruses, spyware, ID theft, phishing Intellectual Property (IP) vs Personal Information (PI) rights & respect RFID – Compares with GMO debate Total Information Awareness & other actions of the State in many countries Other tech – genetics, location tracking, …

THE TRUST DIMENSION The result: Trust dissipates a nation’s economic strength is tied to its social unity Fukuyama, 1995 “In simple terms, the best safeguard is not that they know less about us, but that we know more about them; and that we are aware of what they know about us and how they use such information. ” Raab, 1998 “… trust involves a number of disparate components & can not be reduced to a mathematical formula. . The cultural influence can not be underestimated. ” Mc. Cullagh, 1998

THE TRUST DIMENSION The result: Trust dissipates “… having misdiagnosed what ails British society we are now busy prescribing copious draughts of the wrong medicine. We are imposing ever more stringent forms of control. … Our revolution in accountability has not reduced attitudes of mistrust, but rather reinforced a culture of suspicion. ” Onora O’Neill, 2002 “Trust will enable us to get the most out of globalisation … But we have to learn how best to place our trust, how to place it intelligently, in systems, in people, in institutions. ” O’Hara, 2004

THE TRUST DIMENSION How do we respond? Law USA – HIPAA, GLB, COPPA, FCRA, Can Spam, Do-Not-Call etc Aus – Privacy Act 1988, Spam Act 2003 etc Technology Filters – spam, virus Encryption Sub-optimise consumption & involvement Lie, don’t disclose, half truths Reduce participation

2003 Feb International Privacy Framework is complex !

2003 Feb International Privacy Framework is changing fast! Etc …

THE TRUST DIMENSION But since then: • 10 more nations joined EU from 1 May & have or will have privacy laws • PIPEDA has come into full effect in Canada • Japan, Mexico, Thailand, Malaysia have all passed or progressed laws since then • India is talking about it • And of course PNR transfers

THE TRUST DIMENSION Asia Pacific privacy law – summary position Omnibus or sector law USA * Canada * Japan Korea * Hong Kong * Australia * New Zealand * Chinese Taipei * With enforcement Little or no recognisable law China Singapore APEC Malaysia # Privacy Thailand # Principles Mexico # Chile India Indonesia Russia, others # Law under consideration

THE TRUST DIMENSION Courts have contributed too, eg: Some read down privacy • No tort of privacy in UK – Wainwright • Internet access across borders not transborder data flow – Lindqvist Others have strengthened privacy protection • Naomi Campbell does have some privacy • An Australian tort of privacy? – Grosse v Purvis • Australian union fails Principles of collection limitation & notice – Channel 7 v Media union

THE TRUST DIMENSION And so the future Distributed business systems – Beyond ‘trans border data flows’ Distributed consumption patterns In the absence of trust, greater demands for privacy, high levels of data protection & limitations on use of personal data – Cannot have cake & eat it too, eg demand transparency in others but not in ourselves – Treat people like suspects & they respond accordingly

THE TRUST DIMENSION Law + Technology + Market + Transparency + Accountability • Law = promise; enforcement • Technology = delivers promise • Market = people don’t buy; nobody makes • T+A = proof of promise kept • Combined = total cost too high, except in extremes (High Court; or worth a massive tech attack; or. . . ) www. privacy. gov. au/news/speeches/sp 1_04 p. pdf = Privacy

THE TRUST DIMENSION What can we do about it? Support trust frameworks Make self regulation work or support sensible laws Assist innovative international frameworks – APEC looks promising PETs not PITs Trusted Computing Group Federated Identity Respect & respond to the human dimension; TAKE PEOPLE INTO YOUR CONFIDENCE “socially based predictability … [is what] … computers find so hard to mimic” O’Hara, 2004

Recommendation 3, UK NCC report on RFID, “calling in the chips? ” : THE TRUST DIMENSION “… there is much to learn from the GM debate (about trust, communication, risk and consumer involvement) that has relevance here. … Industry and government need to build on this experience and pay real attention, not lip service, to consumer views by improving the quality of risk communication and investing in deliberative processes, to inform policy and build consumer literacy and trust. ” Accenture survey reaches similar conclusion

THE TRUST DIMENSION

International Privacy Needs in the Homeland Security Context • Policies and programs that are measured against fair information principles, compliance with law, and take into consideration their privacy impact upon Individuals • Use of Technologies that sustain and do not erode privacy protections for individuals • Best Practices – “Rules of the Road” for appropriate information sharing between private and public sectors • Recognition of common privacy principles and safeguards to enhance cross-border cooperation