Presentation on Privacy (EN) by Cedric Laurant (22/02/06)

Introduction

The Tunis Agenda of Nov. 18, 2005 states:

"We call upon all stakeholders to ensure respect for privacy and the protection of personal information and data, whether via adoption of legislation, the implementation of collaborative frameworks, best practices and self-regulatory and technological measures by business and users.

The reference to a "right to privacy" does not appear as such in the language of the Tunis Commitment. The need for security is instead underlined throughout the text. The problem is that security is viewed as something more important than what is a right ? the right to privacy ? even though security is not a right, but only a value, unlike privacy, which is a fundamental right enshrined in several international human rights instruments, including in the United Nations' Universal Declaration of Human Rights.

Since the language of the Tunis Commitment and Agenda do not contain strong wording on the necessity to comply with fundamental human rights, such as the freedom of speech and the right to privacy, there is a risk that authoritarian and undemocratic governments around the world might use the loose language to justify many of their political actions in the name of security without respecting citizens' privacy rights.

For the last eight years, EPIC has been publishing an annual report about the developments in the field of privacy in more than 70 countries in the world, Privacy and Human Rights. I will go through some of the most important developments in the field of privacy in the last 2 years.

1. Most important recent developments in privacy in the world

New anti-terrorism laws tend in all countries to go beyond their original intended purposes, and are often disproportionate to their objectives. Concept of function creep.
- Ex.: video surveillance.
- Ex.: New identification and authentication measures; e.g., national ID.
More powers for governments and law enforcement without counterbalancing oversight powers.
Data mining is used by governments in more cases. Outcome : danger of dragnet surveillance. The principle of presumption of innocence is reversed.
Government surveillance starts with a control over minorities, then expands over the whole population.
- Ex.: US-VISIT (fingerprinting); ID cards.
Governments use forum of international organizations to bypass the democratic debate when trying to get their own parliaments to adopt measures that would be hard to pass if debated nationally.
- Ex.: RFID passports; Council of Europe Cybercrime Convention.

2. Important debates in the field of privacy in the world

The value of national security trumps the fundamental right to privacy and self-determination.
How is it possible to protect privacy while increasing security and fighting against terrorism? How far will a society go to achieve the ideal of total security? When is the objective of security going too far? The Tunis Agenda for the Information Society recommends that a global culture of cyber-security be developed, which "requires national action and increased international cooperation to strengthen security while enhancing the protection of personal information, privacy and data." It is this debate that many governments have focused their attention on in the last 5 years. However, this cannot be done without taking all stakeholders' concerns into account and thinking whether absolute security is very likely to put a heavy toll on people's expectations for privacy and freedom of speech.
Collaboration between private and public entities. Law enforcement is delegating its surveillance duties to private sector entities. Lack of strong privacy frameworks to regulate the flow of personal data between the private and public sectors.
- Ex.: ChoicePoint case;
- Data retention debate in Europe: collaboration between ISP's and phone companies and the government;
- DOJ -> MSN, AOL and Yahoo.
- Next Little Brother: Google?
Consumer privacy issues of concern: Transborder data flows and outsourcing of data processing to third world countries. How to conciliate the need for flexible data processing across borders and the protection of data subjects' privacy interests?
The processing of personal data can be used as a tool of discrimination, especially between developing and rich countries, the rich and the poor.

3. What should be the focus of discussions at the Internet Governance Forum next autumn?

The scope of "Internet governance" includes the establishment of privacy rules.
"Internet governance" is defined as "the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures, and programs that shape the evolution and use of the Internet." Civil society has an important role in the debate on Internet governance, including on the public policy issue of privacy. It is necessary to work with inter-governmental and international organizations (OECD, APEC,?), and a stakeholder approach and international collaboration are needed.
The IGF will be an opportunity for all stakeholders (including civil society) to identify and develop implementation strategies, mechanisms and processes for WSIS outcomes at international, regional, national and local levels. The IGF needs to involve all Internet stakeholders: --> good opportunity for civil society to get involved.
The promotion of ICT's and national technological development depends in part on strong data protection frameworks. Example of emerging economies such as India, Singapore, China that have understood the importance of coming up with a data protection framework.
The development and implementation of e-government applications is promoted in the Tunis Agenda as a way to build an Information Society that furthers access to government information and services for people. E-government applications cannot exist without strong privacy protections.
Civil society can have a role at the national level to suggest e-strategies and Information Society policies to their governments that include the protection of individuals' and consumers' privacy rights.
Data protection laws encourage e-commerce and promote consumer trust. There is a need to enact privacy and data protection laws when creating the legal and regulatory frameworks of developing countries and countries without such privacy and data protection frameworks. The success of the harnessing of the potential of ICT's and their development is therefore related to strong privacy and data protection laws.
Security is emphasized throughout the Tunis Agenda. There is a need to develop security of the Internet in compliance with the right to privacy and freedom of expression, as protected in the Universal Declaration of Human Rights.
Necessity to implement privacy protections at the level of, and into, the ICT's themselves rather than adopting privacy laws that would apply to ICT's that have not been created and developed with privacy concerns in mind. In this regard, Privacy Impact Assessments are useful.
- Ex. of PET (privacy-enhancing technologies)'s: a browser that incorporates privacy protections, such as a feature that automatically rejects cookies and allows opt-in for the user.