I’m in Washington DC to talk privacy, or data privacy, or data protection, or however else this growing international preoccupation is described in different jurisdictions, sectors and economies.
In San Francisco on the way here, I picked up a copy of the New York Times. On the front page of its business section was an article about a Bill to be introduced by President Obama, the Consumer Privacy Bill of Rights Act, which quotes fellow kiwi, and Microsoft’s Chief Privacy Officer Brendon Lynch’s blog post on the subject.
Brendon will be one of the many delegates at this week’s International Association of Privacy Professionals (IAPP) Global Privacy Summit, the main reason for me being here.
When I started working in this field in the early 1990s, I could probably name most of the people in the world whose work included a significant privacy focus. These days it is area of law and public policy that engages tens of thousands worldwide. The IAPP has undertaken the significant task of providing some unity and coherence to the discipline, despite the widely divergent approaches from each side of the Atlantic and across the Asia Pacific region.
As the largest conference in the world of its type, it also attracts a number of side events, in order to capitalise on the agglomeration of expertise. This week I will be visiting the White House to meet with officials, attending a Big Data working lunch and Privacy Risk Framework Project Workshop, a “dinner dialogue" at the Brookings Institution on “Privacy Security and the US-Europe Relationship”, meetings with the NSA and others, including my counterparts at the Federal Trade Commission (FTC). I’ve already met with privacy officers and other senior officials at the 240,000 strong Department of Homeland Security, and the Department of Human and Health Services which administers and enforces regulations governing health information.
I was particularly impressed with the approach taken by the Department of Homeland Security. You might assume that an organisation formed in the immediate aftermath of 9/11 would be secretive and conservative in its policies on personal information. Not so. The department regularly undertakes, and publishes, privacy impact assessments on aspects of its activities. It sees transparency as a key element of the social contract under which it exercises state power. The department even has a policy (although not required by law) of giving access to information and its complaints processes to non-US citizens. If you’ve had a bad experience with the US Transportation Security Administration or border officials, you are entitled to have that looked into.
I asked my colleagues at the Department of Human and Health Services what the single most effective tool they had at their disposal to ensure compliance with the health data privacy rules. Their answer, the ability to levy heavy fines on recalcitrant agencies.
Since so many international colleagues are in Washington, the FTC has also kindly offered to host a meeting of the executive committee of the International Conference of Data Protection and Privacy Commissioners, which I chair.
The US has a different regulatory model to the EU, and at times there has been tension as a result of deep cultural and legal differences. Last year’s European Court of Justice decision on the so-called “Right to be Forgotten” is an excellent example of the divergence between the rights to freedom of expression and to profit from technological innovation, and the European model with its fetters on data aggregation and use. There are common elements though, and scope to bridge them, which are being explored here, and throughout the year.
On Sunday afternoon, after waiting in the snow and rain to climb the Washington Monument, I visited the National Holocaust Museum nearby. Among the many sobering images and displays was another reminder of the origins of one strand of thinking about privacy.
I’ll keep you posted on the rest of the week’s activities.