Privacy and Security TidBits

Privacy and Data Protection Week in Mexico City


This past week was “Privacy Week” in Mexico City, where three seperate conferences were held back-to-back.

The Public Voice  conference, chaired by Lillie Coney of EPIC, had as its theme: “Privacy is Freedom”

One of the highlights was a discussion between David Benasar, Senior Legal Counsel Aticle 19 and Marc Rotenberg, President of EPIC, titled: Frame the Issues Related to Freedom of Expression. Here are some of the ideas that were expressed:

About the Right to Freedom of Expression claimed by business and Right to Privacy:

Right to Privacy is essentially a pre-requisite for Freedom of Expression: the right of anonymity, for example, is the right to withhold our identity so we can express our views. Think for example the Arab spring or the protests in London and Vancouver. On the other hand, to call the actions of businesses to do away with our privacy for the purpose of conducting business “a right to freedom of expression” is like putting a Halloween costume on something and calling it “the Right to Freedom of Expression.” (In other words, it is a travesty.)

About the Right to Freedom of Expression claimed by journalists and Right of Privacy:

There is in media law a tension between freedom of expression and privacy rights of public officials and private individuals. It is important to be able to talk publicly and critically, particularly about public officials. But on the other hand, newspapers which publish gossip in order to sell (like in the recent UK phone hacking scandals) have a less defensible case for breaching people’s privacy. Yes, the news may be “news”, but it is meaningless news. This should not be defendable as a “freedom of expression” excuse to breach privacy.

Another very interesting panel was “Cultures and Privacy around the World“, moderated by Alberto Cerda, ONG Derechos Digitales.

This panel considered whether privacy and data protection are culture dependent. From left to right: Jacob Kohnstamm, Chair Article 29 Working Party (EU), Moez Chakchouk, CEO, Tunisian Internet Agency (TUN), David Vladeck, FTC (USA), Alberto Cerda, moderator, Lara Ballard, Department of State (USA), Zhou Hanhua (CHN).
(Note: this video is edited; the moderator’s recap comments have been edited for lack of space.)

Interesting note: At around 11:00, David Vladeck declares that clicking through an opt-in consent without even reading the dozen or so pages of “gobbledygook” or “word barf”, (as most of us do), is not a meaningful “consent”.


The OECD Conference, held on November 1, had as its theme: “Current Developments in Privacy Frameworks: Towards Global Interoperability”

The international character of personal data flows have accentuated the cross-border dimension of privacy issues and the corresponding need for a truly global dialogue.

As the OECD Secretary-General Angel Gurriá noted in a videotaped message:

“We describe our activities on social networks. We disclose our interests through our Internet browsing habits and online purchases with credit cards. We are located in time and space through the mobile devices we use. Detailed digital profiles of each of us can be assembled, and they can affect our opportunities positively or negatively.

Secondly, today’s data flows are continuous and global. The hype around terms like “cloud computing” and “big data” remind us that we are facing dramatic transformations in the delivery of online services. These shifts challenge the governance mechanisms we created in the pre-Internet era.”

Three of the primary frameworks with an international dimension (OECD, European Union, and Council of Europe) are as a consequence currently under review, and a fourth (APEC) is developing new cross-border implementation arrangements.

The Terms of Reference of the review of the OECD Privacy Guidelines were released on November 1.

One of its primary objectives is to ensure the global interoperability of privacy frameworks. Although each national culture has its own vision and approach to privacy,  a level global playing-field is needed. Widespread agreement on core privacy principles is not sufficient. We also need to strengthen mutual recognition and co-operation in their implementation.

Finally, The 33rd International Conference of Data Protection and Privacy Commissioners (ICDPPC 2011), was held on November 1 and 2 and was titled “PRIVACY: The Global Age.

Diego Rivera Mural; picture by Monique Altheim


Peter Schaar, Federal Commissioner for Data Protection in Germany, explained the need for global standards well:

He said that the EU Data Protection framework was based on a model, in which data are collected by a data controller in a data base in the EU and then sent cross-border. Today, however, most data are collected directly from the end-user by data collectors outside of the EU, which creates enforcement issues for the EU authorities.

The buzz words at the conference were: accountability, privacy by design, privacy by re-design, education, information governance, the obsolescence of “consent” in the age of “big data”. The term “global interoperability by design” was coined.

One of the livelier discussions occurred during the panel titled “How does the growth of data, its mining and application challenge the way privacy enforcement agencies protect individuals”.

Peter Schaar, Federal Commissioner for Data Protection in Germany, pointed to the need to protect consumers from automatic and algorithmic decision making from big data. For example, should credit institutions be allowed to predict the likelihood of someone paying back a loan, based on who his/her Facebook friends are?

There were a few points of agreement during the conference: There was unanimous consensus that the user/consumer/ customer/citizen should have control over the use of his/her data. The discussions turned more on how to achieve that goal. Most data protection authorities seemed to agree that, in the age of big data, and re-purposed uses of big data, the consent-model of control has become obsolete, because it has become impossible to give a truly informed consent concerning the uses of one’s data: it is today impossible to predict what use our data will be put to. For example, when one uses Google’s search engine, does one consent that, if one searches for a certain chronic disease, one’s insurance premium might go up because of those search terms? Or that no employer will hire someone, based on the presumption of chronic disease as created by the use of that search term? This has led some to push for more regulation of the use of data, as opposed to regulation of the collection of data.

Another point of agreement was the need for data protection authorities to avail themselves more of IT and forensic expertise as wel as the need to educate the ignorant masses.

A very interesting term was coined by Jose Clastornic from the DPA of Uruguay: Global interoperability by design; Global privacy interoperability by design means the incorporation of international privacy standards into a national privacy legislation. This will guarantee that nation a boomig service industry, since it will become the go-to place because of its interoperable, international standards of privacy protection. This seems to be a trend in most Latin American countries, as well as China and other Asian countries.