This article is also available in:
Deutsch: 2011 Public Voice Konferenz der Zivilgesellschaft: "Privacy is Fr...
The Public Voice meeting that took place on 31 October 2011 in Mexico City began with a discussion of the 2009 Madrid declarations (both those from DPAs and civil society). Most participants felt there had been little progress towards implementation or acceptance by governments. Peter Schaar (Federal DPC Germany) stressed that upholding the rights of data subjects required independent oversight, and that CoE Convention 108 was still available for regulating transborder data flows, and was open to third-countries. Discussions about multilateral vs. single global instruments were becoming repetitive.
In the panel on Cultures of Privacy, Jacob Kohnstamm (Netherlands DPC & Art.29 WP Chair) noted that databases were implicated in extensive human rights violations during WW2, and the families of many Europeans had cause to remember such risks. David Vladeck (FTC) saw his role not as "referee" over different and clashing cultures, but to preserve consumer choice; clicking through EULA "wordbarf" is not "meaningful" consent. He stated US could not be more different from EU culture, but "we get to the same result", citing FTC support for "Do Not Track".
Lara Ballard (US State Department) described an Egyptian activist creating a database identifying members of the secret police (to name and shame them). Flicker took down the pictures on copyright (not privacy) grounds. The activist's view was that the secret police had invalidated their own right to privacy, because their conduct undermined the rule of law itself. Ballard was sceptical of nostrums about lack of Asian sense of privacy, (e.g., non-legal concepts of Japanese politeness are similar) and, cited sociologist Irwin Altman on privacy as dynamically negotiated social boundaries. She asserted EU DPCs were mistrustful of major US Internet companies, but trusted their own governments. She praised the concept of "accountability agents" and the APEC privacy process. Moderator Alberto Cerda (Derechos Digitales - Chile) remarked that global agreements for the enforcement of "intellectual property" already existed, but there seemed to be little prospect of comparable treaties for privacy.
Zhou Hanhua (China - Social Science Academy) said although China had no history of privacy, the real concerns of people were similar. China today may have the worst of both worlds. People felt resigned to marketing privacy invasions such as endemic mobile voice spam. China has still not enacted a DP law (and the choice between US and EU systems was most difficult), but on paper, Constitutional protections were similar to developed countries, and culture is changing rapidly. Moez Chakchouk (Tunisia) spoke of their first free election, and new constitution next year. Their main priority was to transform the former censorship agency into a human rights and privacy agency (sic). Cerda asked whether EU standards were too high (so few countries attained adequacy), and Kohnstamm replied national authorities couldn't do much without co-operation from the rest of the world. Schaar said the EU should not lower standards, given European history; data protection will stay a fundamental right in Europe.
Vladeck contrasted common-law vs. civil law cultures; in the EU privacy law is very specific, in the US not. There was a vocabulary problem. To US ears, rights mean what is in the US Constitution, "and why do I have to fill in a form for the police when I check into a hotel in Europe?" - a right not enforced isn't much of a right. US goals were similar to the EU. "There is no difference between opt-in and opt-out given current technology" (sic). Ballard re-iterated support for "accountability agents" ("a new legal regime accountable to e.g. TRUSTe").
The panel on Raising Public Awareness on Privacy vs. Technology was moderated by Pablo Molina (US), and began with a description of the new Brazilian law from Danilo Doneda. Michael Donohue (OECD) stated that transborder flows of data can be blocked only if there was no adequate protection of sensitive data. Omer Tene said face recognition was not a new issue (e.g. police line-ups). His view of consent was that an opt-out should be sufficient if good information was provided. Thomas Nortvedt (TACD) emphasized that consumers needed to be able to enforce rights.
Korina Velázquez (MEX) moderated the panel on Children's Privacy Online, with contributions from Adriana Labardini (Mexico - Alconsumidor), Kristina Irion (CEU Hungary), and Conchy Martin Rey (TACD). Neuro-marketing techniques were discussed, and Jeff Chester remarked that the COPPA legislation was unique in the US, in that it gave opt-in protection (to minors). There were few answers to a question on when children should attain legal independence from their parents for the exercise of privacy rights, given the wide differences between individual children.
Dave Banisar (Article 19) led a conversation with Marc Rotenberg (EPIC) on the relationship (both deprecated the word "balance") between Privacy and Freedom of Expression. There were strong analogies between the right to withhold identity and freedom of expression rights. Business obviously prefers to conduct their activities unregulated. Banisar remarked that in the UK, some attempted to justify "phone-hacking" in the name of free expression, and Rotenberg recalled that Warren & Brandeis stipulated a public interest exemption in their seminal article. Caspar Bowden asked if a right of subject access to data in the private sector was feasible in the US, and Rotenberg replied that the Federal Constitution normally doesn't coerce private parties, but some state constitutions do. Probably "compelled speech" cases can be distinguished (to allow a subject access right). EPIC has pursued information self-determination rights, and this one is on their "to do" list. The office of the EDPS pointed to the ECJ "Bavarian beer" case, and their intervention to ensure FOI rights aren't subordinated to privacy rights, in cases of public interest. Lara Ballard (US State Department) asked whether government officials had privacy rights when offering confidential advice. Dave Banisar said no, and deprecated the use of the word privacy to mean "organizational secrecy".
Simon Davies (PI) moderated the panel on a Right to Forget. Marie-Helen Boulanger (EU Commission) said the data subjects' existing rights needed to be clarified, and that the impact of cheap data storage was that many traces were left in online services. Data must be fully deleted when its processing would be unlawful, e.g. when the retention period is not in line with the purpose. However there is no "right to hide" in EU law. Regarding a right to erasure of public records, it was preferable that unnecessary data was not collected at all - data minimization remains a sound principle, in conjunction with privacy-by-design. Peter Fleischer said Google merely reflected the web, and should be allowed to index whatever is lawful on the web, and mentioned a possible ECJ referral of the current Spanish case. Alejandro Pisanty (Mexico) stressed the end-to-end principle of the Internet (network flows should not depend on the content), and that Mayer-Schönberger's idea for self-deleting data would still leave metadata traces behind, even after content was deleted. Banisar recalled that the possibility for rehabilitation was an internationally accepted principle in Freedom of Expression.
Chris Soghoian rounded on Fleischer's assertion that Google "deleted" search data after nine months, pointing out that their actual practice (IP-last-byte-deletion) did not even properly anonymize the data. The important "right to be forgotten" is over the behavioural data we are scarcely conscious is being collected, but the public debate mostly avoids this issue, focussing on e.g. tagged photos. The major Internet companies don't let the user delete behavioural data. Moreover there is the further issue of aggregate data used to sort users automatically into marketing buckets. Caspar Bowden asked why Google didn't permit users to delete web history from a "parallel" logging system, only disclosed by an elliptical reference in an FAQ outside the privacy statement.
Gus Hosein (PI) moderated the final panel on Government Databases. Caspar Bowden (EDRi) summarised the effect of the US law FISAA 2008 1881a; that Cloud providers within US jurisdiction may be coerced into wiretapping their own datacentres (inside or outside the US) to conduct purely political surveillance on non-US persons outside the US.
Meryem Marzouki (France - CNRS) made a plea for a data confinement doctrine and its strict application by law, in response to the vulnerability of mega-databases to malicious intrusions, technical breaches and unlawful use. Katitza Rodriguez (EFF), Cedric Laurent (Access) and Jessica Matus Arenas (Chile) provided analysis on national legislations on data protection and access to information, respectively in Mexico, Colombia and Chile, as well as commented the current situation in these countries.
Public Voice conference
http://thepublicvoice.org/events/mexicocity11/
Caspar Bowden's presentation at Public Voice event (31.10.2011)
http://edri.org/files/Public%20Voice%20-%20Mexico%20%28Caspar%20Bowden...
(Contribution by Caspar Bowden - EDRi Observer)