This article is also available in:
Deutsch: 33. Internationale Datenschutz Konferenz in Mexico City
The 33rd International Conference of Data Protection and Privacy Commissioners was held in Mexico City, on 2-3 November 2011, hosted by IFAI (The Mexican Federal Institute for Access to Information and Data Protection). This year theme, "Privacy, the Global Age", showed the clear willing of the organizers to make it a direct follow-up to the 31st Conference held in Madrid and its adopted resolution on global standards. As a matter of fact, Jacqueline Peschard, IFAI President, called in her opening remarks for a plan of action to be proposed by this conference. This commitment to take further steps was shared by most, though not all, of the DPA (Data Protection Authorities) at the conference.
The two-days conference included four plenary sessions and four sets of four parallel sessions. A useful innovation consisted in the presentation of highlights from parallel sessions, to keep the audience updated of all discussions. While the parallel sessions addressed a broad range of current hot data protection issues, the plenary sessions focused on various aspects of the "big and distributed data" challenge: "Observation, Analytics, Innovation and Privacy", "The Drivers for Data Protection Law in Latin America, Asia, and Africa", "Security in an Insecure World "and "One Data Protection Community. Many Cultures, Threats and Risks".
The "big data challenge" was rather overstressed in the first plenary session, especially through the keynote presentation by Ken Cukier (The Economist), followed by two panel sessions.
In the first panel session, Jacob Kohnstamm, Peter Schaar and Marie Shroff (DP Commissioners of The Netherlands, Germany and New Zealand, respectively) and David Vladeck (FTC, USA) were asked whether the growth of data, its mining and application challenge the way privacy enforcement agencies protect individuals. The two European DP Commissioners insisted on the need for a strict application of the legislation and more independent control powers given to DPA, while the New Zealand Commissioner rather took the view that there is a need to move from a focus of compliance to rules towards being more strategic, identifiy the big risks, strategizing, and move to a leadership mode or, as she said, "move from a negative mode to a positive mode". The FTC representative insisted on the changing nature of big data (collected from smartphones, sensors, social networks.), leading to the importance of privacy by design. He acknowledged that "the burden has to be on the company, not on the consumer, to protect the data".
In the second part of this session, gathering a panel of other stakeholders, Gus Hosein (Privacy International) and Joel Reidenberg (Fordham Law School) reminded the audience that the basic DP principles still applies. The former warned that it would be a mistake to only focus on the use of big data while forgetting about their collection process. The latter insisted on the need to consider the broader systemic risks arising with big data, as they create an unprecedented level of transparency of the citizen, who loses any anonymity and choice capabilities, with the consent model breaking down.
One very informative sessions on new legal developments was the one dealing with "changing laws in the US and the States".
Françoise Lebail (EC DG Justice) presented the main features of the deep reform the EU has undertaken in terms of privacy legislation. She made clear that the revised legislation, to be adopted at the beginning of next year, will leave less room for intrepretation for Member States, as the disparities are currently huge: "no longer legal fragmentation", she said, mentioning both the national legislations and the two sectors, public and private, including sectors formerly falling under the 3rd pillar. Other important new features include: data breach notification, better enforcement of rights, harmonization and increase of DPAs resources and powers, stronger cooperation between DPAs (a reflection on a cooperation mechanism is ongoing). On International aspects, she mentioned the need for a continuation of EU citizen protection, not only through the adequacy but also through the interoperability of the different DP schemes.
Lawrence Strickling (NTIA, USA) also introduced the big changes undertaken in the USA to strengthen the privacy regime towards a general regime of consumer data privacy, with a large focus on the international interoperability of DP systems. A white paper will be issued in the weeks to come, valid for the entire Obama administration, developing a four-pillars framework: (1) A consumer bill of rights, that should be enacted in legislation; (2) Codes of conduct developed by stakeholders; (3) Enforcement of these codes of conducts by FTC; and (4) International interoperability. One probably needs to wait until this white paper will be made available to understand the exact share of enforced legislation and of self-regulation this framework will actually encompass, as well as to which extent industry lobbies will impose their views in the so-called multi-stakeholder process of codes of conduct development.
"International interoperability" seems thus to be the new buzzword, and the most that would be conceded in international discussions on a global privacy and data protection framework. Civil society, as well as many DPAs, expect more, though. They expect global privacy and data protection standards, and this was precisely the topic addressed at the session on "Global Standards Linked to Global Value", organized and moderated by Lillie Coney (Electronic Privacy Information Center).
During this session, Jörg Polakiewicz (Council of Europe) introduced the major features of the current revision of Convention 108 that will soon been submitted to consultation, and insisted on the fact that this Convention is and will still be open to signatures and ratifications by third countries, being the ideal vehicle towards a global privacy and data protection standard.
Rafel Garcia (Spanish DPA) reminded the main advances of the Madrid Resolution on global standards, adopted at the 31st DPA two years ago, and mentioned the progress, though slow, made since then.
Meryem Marzouki (EDRi) took as a starting point the Madrid Civil Society Declaration on "Global Privacy Standards in a Global World" adopted at the 2009 Public Voice Civil Society Conference organized in Madrid, in liaison with the DPA Conference. She identified 6 main steps for an urgent action plan to implement the provisions of this Declaration. EDRi representative also reacted to the way the "big data" issue (or rather propaganda, in view of radical deregulation of privacy forced by technological determinism, as many civil society representative analysed) was addressed during the conference. Meryem Marzouki reminded that "privacy is a fundamental human right, that shouldn't be adapted to new technical developments or economic models". Asking to put this dialectic back on its feet, she added that "it is rather the technical, economic and behavioral norms that should comply to international human rights standards."
The next International Conference of Data Protection and Privacy Commissioners will certainly bring interesting follow-up to this year conference, especially with the new EU and US legislative frameworks, as well as the revised Council of Europe Convention 108 being discussed. The 34th Conference will be held again in Latin America (Uruguay).
33rd DPA Conference, Mexico City (2-3.11.2011)
http://www.privacyconference2011.org
31st DPA Conference, Madrid (4-6.11. 2009)
http://www.privacyconference2009.org
The Madrid Civil Society Declaration (3.11.2009)
http://thepublicvoice.org/madrid-declaration/
Meryem Marzouki (EDRi) Presentation (3.11.2011)
http://edri.org/files/Marzouki-DPA-talk.pdf
"Big data and Small Agencies" - Colin Bennet's Reflections on the 33rd DPA
Conference (7.11.2011)
http://www.colinbennett.ca/2011/11/big-data-and-small-agencies-reflect...
(Contribution by Meryem Marzouki (EDRI member IRIS - France)