This is not a post about hot-dogs, pretzels, fries or pizza. What we call “takeaways”, Americans refer to as “take-out”, or simply as “fast food”. That’s why there’s no confusion in the US when the handbook for the International Association of Privacy Professionals (IAPP) Global Privacy Summit explains what a participant can expect to “take away” from each session.
I spent a week in Washington DC, in part for the summit, but also to participate in the various side events arranged to capitalise on the presence of so many professionals engaged in privacy and data protection, and to meet with those people charged with implementing or overseeing privacy controls in the US Federal Government, Canada, and much of Western Europe.
There was much to take away.
The conference included numerous sessions devoted to aspects of Big Data. It is affirming to see so many others grappling with the challenges and opportunities presented by large datasets, and increased computing power and capacity.
The work of New Zealand’s Data Futures Forum (DFF) is as current as any other thinking in the world. One question that came up time and time again is how the re-identification of anonymised data can be prevented. There are technical options, but I am convinced that the conclusion adopted by the DFF that there needs to be a statutory prohibition on the re-identification of unit level data from large data sets remains an important part of the mix.
There was also a great deal of talk at my meetings at the Brookings Institute and the White House about how the distinctly different approaches to privacy and data protection between the European Union and the United States might be reconciled. I saw trenches and olive branches in the process, but little evidence yet of the bridges proposed by those working on an ambitious project, to be road tested in Amsterdam in October, to find common ground.
I learned that in the US alone, corporations spent US$2.4 billion on privacy advice and compliance in 2014, and that that figure is set to rise to US$3 billion this year. Government agencies and private corporations alike are undertaking privacy impact assessments and sophisticated risk management programmes to ensure they meet the many and varied regulatory requirements of federal and state laws, as well as the laws of other jurisdictions in which they operate.
The US Federal Government is both subject to and an enforcer of privacy laws. The Federal Trade Commission requires corporations like Google and Facebook to comply with fair information practices, under the threat of heavy penalties. The Department of Health and Human Services administers the Health Insurance Portability and Accountability Act (HIPAA), and sees an ability to issue fines to non-compliant health agencies as the single most important tool in its regulatory and compliance toolbox.
Meanwhile, the Department of Homeland Security and the National Security Agency employ a network of privacy officers, and are seeking to embed a culture of privacy into organisations whose very nature requires them to undertake intrusive activities.
This extends to providing foreign nationals with the same level of protection, and the same remedies, as US citizens, as well as undertaking and publishing privacy impact assessments on a number of their programmes and initiatives.
On the day Glenn Greenwald opened the summit with a polished and fluent keynote, Nicky Hager, who might be seen as his New Zealand equivalent, published the first in what is apparently to be a series of stories based on what has become known as the Snowden Archive. I was asked to comment on those stories to the media, but declined. I have no direct jurisdiction over the information gathering activities of the GCSB. That is the job of my colleague, the Inspector General of Intelligence and Security.
But as you would expect, I am very interested in these issues, and the policy and statutory settings under which organisations such as the GCSB and NZSIS operate. There is to be a review of those organisations this year and I hope to have an opportunity to share with the reviewers some of my observations and takeaways from Washington.
Did you know, for example, that there is an independent board whose job it is to oversee the NSA? And that that board has given the President an opinion that the telephony metadata collection, also highlighted in the Snowden revelations, is unlawful?
The NSA disagrees with the board’s interpretation of the statutory authority under which that programme operates but, in any case, that authority is due to expire at the end of June this year. If the President and the NSA believe the utility and value of those programmes outweigh the adverse effect on privacy, they will have to make their case to the US Congress and receive an express and unambiguous legal power to continue.
There seem to be determined efforts from the NSA and others to increase the level of transparency of their activities and programmes, in what they are calling the “post disclosure” era. It will be important for their New Zealand counterparts to monitor these developments closely, and to continue to identify opportunities to involve the New Zealand public in a discussion about their role, powers, and accountabilities.