Kirby on privacy…30 years laterDo the world’s privacy principles need updating? The first privacy guidelines were developed under Australian Michael Kirby in Paris in 1980. Here, on the 30th anniversary, he reflects on the challenges ahead. Privacy advocates and organisations like CLA are “guardians of a fundamental attribute of the human personality”, he says.
In March 2010, former Australian High Court judge Michael Kirby returned to Paris to deliver a memorial lecture. He was speaking to the group charged with further developing the Organisation for Economic Cooperation and Development (OECD) guidelines on privacy. Thirty years earlier, Mr Kirby headed the expert group which developed the world’s first privacy principles. Here are excerpts from the Kirby speech…
THE HISTORY, ACHIEVEMENT AND FUTURE OF THE
1980 OECD GUIDELINES ON PRIVACY
The Hon. Michael Kirby (Australia)
As the chairman of the OECD expert group on trans-border data flows (TBDF) and the protection of privacy (1978-80), I am proud to be invited to return to this Roundtable which is aimed at giving contemporary participants in the OECD an opportunity to reflect on the achievements of the Guidelines on Privacy (“the Guidelines”), developed by the expert group. They were adopted by the Council of the OECD and recommended to OECD member countries in 1980.
One normally thinks of the OECD as a body of sober economists, statisticians and technologists. One does not normally expect such people to be dripping with human rights sentiments. Yet the OECD Guidelines have proved to be one of the more effective international statements of recent times in affording protections for the basic human right of privacy, as that right has came to be understood in the context of contemporary information technology.
(Mr Kirby honoured those who worked on developing the guidelines, and spoke about the history and the context of the original expert group…which was formed to address “trans-border data barriers and the protection of privacy”).
Before and during the work of the expert group, numerous seminars and conferences were held in Paris and elsewhere concerned with aspects of the problems that led to the creation of the group. One of these was a large conference in Paris attended by the then President of the French Republic (Mr. Valéry Giscard d’Estaing). In the course of that conference, to which I contributed, the powerful feeling that lay behind the European response to the dangers to privacy was brought home to me in a vivid way. During an interval for public participation, an audience member leapt to his feet. I knew that his contribution would be unusual. His appearance was arresting. He had a long beard and his eyes gleamed as he spoke:
‘Why, Mr. President, did so many refugees and Jews in France survive during the War? Why did so few resistance fighters and Jews survive in The Netherlands?’, he said. ‘It happened because, in the 1930s, The Netherlands government, with typical efficiency, had devised an identity card with a metal bar installed through the photograph. This was then the latest in secure technology. In France, we had an ordinary photograph, pasted on cardboard. It was easily imitated. Upon that difference hung the lives of thousands of good people. In France, they survived. In The Netherlands they perished. Efficiency is not everything. A free society defends other values. Personal control over data is one such value.’
It was a powerful intervention. It made a good point. Not to laud inefficiency, as such. But to remind the listeners of the importance of keeping both governmental and private power under legal control. And of ensuring that the individual remained in ultimate control of most personal data concerning that individual. The memory of the misuse of data by officials was too fresh to warrant enlarging official power and especially given the growth of multi-national corporations often insusceptible to local regulation.
I never forgot the point which this contributor made in the presence of the French President. My own legal training and tradition was sympathetic to the emphasis placed by the United States participants in the expert group on the value of TBDF. However, the reminder from the heart of Europe, of the importance of democratic values and individual integrity was equally important and useful.
III. THE FUTURE
What of the future? Given the astonishing developments of technology, can we really expect that the OECD Guidelines will continue to be relevant and influential in the future? To answer this question, it is necessary to face once again the difficulties that the OECD expert group faced in 1980:
(1) Realism: It is important to tackle issues presented to information, computer and communications policies with realism. That realism must be founded in the recognition of the objective value of TBDF, something that the Guidelines specifically recognise and assert. TBDF undoubtedly has great utility to the economies and societies of OECD member states. That utility has extended to citizens and to corporations. Prosperity is dependent on these characteristics. There is an extent, of course, to which the advance of information technology reduces the capacity of the individual to control his or her information penumbra. This is the aspect of individual privacy that is placed at risk by informatics. To some extent, that risk must be candidly acknowledged in measuring the value of the technology itself to the lives of all people living in a modern community. Putting it in terms that would be understood in the OECD, there is an ultimate economic question to be addressed by policy-makers as they reflect on the continuing utility of the OECD Guidelines in today’s world. That question may be expressed thus: does the marginal utility of attempting to impede TBDF, so as to protect attributes of individual privacy, outweigh the marginal costs involved in any such interference in the operation of TBDF. It is necessary to face this quandary candidly and to discuss it openly so that decisions are made transparently. The use limitation principle in the OECD Guidelines (para.10) is an example. The social networks that have arisen in the past decade are an illustration. To what extent would the utility of endeavouring to impose individual control over data in information systems outweigh the cost of erecting impediments and providing pre-access controls? These are eternal questions. They remain applicable today, although the technology that presents them for resolution changes every year.
(2) Protecting privacy: Having acknowledged the inevitability of some erosion of aspects of personal control over data and individual privacy, it is important not to give up on protection of this value. It is a value that lies deep in the desires of the human person and affects the dignity and integrity of that person. Privacy as a value is not something dreamed up by the OECD. It was recognised as a basic human right in the Universal Declaration of Human Rights (art.12) and in the International Covenant on Civil and Political Rights (art.17). Accordingly, there is much wisdom in the Madrid Privacy Declaration of November 2009. In that declaration, civil society organisations, convening in association with the annual meeting of the Privacy and Data Protection Commissioners Conference, re-asserted the centrality of fair information practices; of principled decision-making; of effective and enforceable protection; of international implementation; and accessible remedies for individuals. Uncritical technological euphoria is not a proper response to the challenge for privacy presented by new technology and the shifting public use of it. This is not a subject where ‘anything goes’;
(3) Importance of empiricism: One feature of the work of the OECD expert group in 1980 was its insistence that the Guidelines, and all policy and law in this area, should be based on an accurate and thorough understanding of the operation of the relevant technology. Any acquaintance with that technology teaches that failure of action amounts to making a decision. That decision permits technology, developed generally for profit, to take the user and society where the technology leads. The intervention of law and principle and of effective practice is needed to continue protection for the individual that safeguards fundamental human rights and upholds the integrity of information systems;
(4) Reconceptualising issues: To some extent, in the decades since the OECD Guidelines were adopted, policy developments have been confined to particular areas of information, computer and communications policy. Thus, treaties or guidelines have been adopted to deal with the special problems of spam; cybercrime; malware; worms and viruses and other attributes of modern informatics. One role of the OECD is surely to link these issues in conceptual terms and to ensure that these separated responses operate in harmony and in a way that defends their interlinked values. It may be that the responses to the foregoing issues can be seen, with privacy protection, as an endeavour of the global community to preserve the benefits of information technology while guarding users and others affected from anti-social information activities. The OECD should constantly be on the alert, as the expert group was in 1978-80, against a fractured approach to what are basically integrated social and ethical problems. If there is one organisation in the global community that has the legitimacy and mandate to maintain this conceptual approach, it is the OECD. It can derive encouragement, and lessons, from the way in which the expert group which developed the 1980 Guidelines tackled its task within the broader context of information, computer and communications policy;
(5) New challenges: There is no doubt that many new challenges face any organisation that is addressing computer and communications policy today. Some of the challenges include:
- The development and implementation of new systems of mass surveillance, including facial recognition, whole body imaging, biometric identifiers and imbedded RFID tags which the Madrid Declaration suggests should not be implemented at all without “a full and transparent evaluation by independent authorities and democratic debate”;
- Privacy protectors must ever be on the lookout for privacy enhancing technology (PET) and the ways in which such technology itself can be invoked to afford better privacy protection to the individual;
- Cross-border co-operation in drafting, implementing and enforcing laws for privacy protection is a daily challenge but one that is already attracting responses. Such responses were envisaged by the provision in the 1980 Guidelines (para.20) for measures of international co-operation that included (para.21) information exchanges and mutual assistance in any procedural and investigative matters involved;
- End-user education may be necessary to sustain community awareness about the value of privacy. The social networks that have grown up in recent years are often used by young persons who may not be fully aware of the way in which their personal data, disclosed today, can return to affect their lives in years or decades to come. Balancing individual freedom against personal immaturity may sometimes require new responses and some impediments to TBDF at least for vulnerable users. But these need to be developed in conformity with the basic objectives of the OECD Guidelines which continue to provide a framework for resolving such issues; and
- Beyond the OECD, even as its membership has expanded in the decades since 1980, lie the overwhelming majority of nation states and peoples of the world. Inevitably, the OECD Guidelines (for default of any other global principles) affect the privacy of individuals throughout the developing world. But are the values of the Guidelines in harmony with the values of people living in such countries? Are those people really concerned about values such as privacy? What should the OECD do to include representative opinions from developing countries in the expression of values that impact on global technology? Given the rapid advance of information technology in most developing countries, these are valid questions. They present important dilemmas for the OECD as it takes forward its work on information, computer and communications policy.
IV. RE-ASSURANCE
There is a last thought which I leave as a re-assurance. From this Roundtable, I return to Australia. But, in less than a week, I travel once again to Europe to a conference on a different but equally urgent and important issue – the AIDS epidemic and religion. This will take place in Utrecht, The Netherlands, 21-23 March 2010.
If there are difficulties in getting common ground within the OECD and beyond on the issues of privacy, data protection and data security, as considered in this Roundtable, they pale in significance beside the larger problem of tackling an epidemic whose vectors include sexual activity, drug use and whose vulnerable populations include sex workers, drug users, homosexuals and women. At least in information policy, it may be hoped that an agreed, rational and empirical approach will prevail. Where God is said to intervene, the mind of the policy-maker will often be influenced by holy texts and religious doctrines.
I mention these facts to remind the OECD that its tasks, although substantial and difficult, are basically manageable. The technology is shared. The challenges can generally be addressed without the intrusion of non-objective factors. From this, the OECD and its committees can take encouragement. As they can from the work of the expert group thirty years ago and the success of that work and its utility in the intervening decades.
I invoke the spirit of the late Jan Freese and the late Frits Hondius as I return to the OECD. I invoke the participation today of Louis Joinet and Hanspeter Gassmann, here with me. I pay tribute to Peter Seipel, Bill Fishman, Hans Corell, Inger Hansen, Stefano Rodata and all the others who worked on our project. But above all, I pay respects to those who continue to work in the field of privacy protection and security of information, whether in the OECD or in national privacy data protection authorities or in civil society organisations such the Electronic Privacy Information Center (EPIC), the Centre for Information Policy Leadership (CIPL) and leaders in public institutions and academic life.
The level of control which the individual maintains over personal data in the future will depend on the efforts made today by these bodies and individuals. They are guardians of a fundamental attribute of the human personality. They deserve our support and our acknowledgement. The OECD does well to take stock, to reflect on its achievements and to derive strength for the greater challenges that lie ahead.
Speech to the:
ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT
DIRECTORATE FOR SCIENCE, TECHNOLOGY AND INDUSTRY
COMMITTEE FOR INFORMATION, COMPUTER AND COMMUNICATIONS POLICY
WORKING PARTY ON INFORMATION SECURITY AND PRIVACY
PARIS, 10 MARCH 2010.
Round Table on the 30th Anniversary of the OECD Guidelines on Privacy
Full speech and other details of the project:
http://www.oecd.org/document/35/0,3343,en_2649_34255_44488739_1_1_1_1,00.html