This one's for Patrick... a 'blog buddy' who I finally got the chance to meet face to face this week in Stockholm. Patrick, thanks for the great conversation; keep blogging, and I wish you every success in your new role with Mozilla.
The UK's Information Commissioner, Richard Thomas, has instigated a study of current EU Data Protection law to look for ways of bringing it up to date. The case for doing so is pretty strong; after all, the EU Data Protection Directive has its roots in a set of OECD principles which were set out in 1980. Here's a short historical detour:
I don't have a Facebook or Myspace page.
I published a profile on LinkedIn in 2004.
I didn't set up my own web page until 2001.
I first used Google in 1999.
In the early 90s the read-only web started to impinge on my (working) life. Later than some, I know, but I was deep inside IBM at the time, where the corporate intranet was a big enough ecosystem to satisfy most informational demands.
In 1985 I started to use a network-attached (3270) terminal, send emails and instant messages on an intranet; tin the early 90s it was dial-up modem access from home (but still only to the same email system).
From 1980 to 1984 I had occasional dealings with a Sinclair Spectrum and a couple of word processors (remember those?), and it wasn't until I started work in 1984 that my life began to involve regular daily access to a personal computer.
In 1982, the nearest (Barclays) ATM did not have a digital display; it had a mechanical belt with the UI messages printed on it: the belt rolled around to the appropriate points as you progressed through the transaction.
In 1980 my own experience of computing devices was limited to a slide rule, a Commodore calculator, and games of Star Trek on the school's Digital machine (two 8-inch floppy disk drives, one for the OS, one for the games programmes). I only mention this to put into context the idea that, at the same time, someone was formulating principles for the privacy of personal data: principles which are still the basis of most data protection law today.
At that time, the idea that storage, communication and publication of my personal information had anything to do with computers would have seemed esoteric. It certainly would have had none of the resonance it has today, when the mere act of walking down a UK high street or submitting an internet search query can leave an indelible digital footprint, where mass volumes of data can be correlated on any laptop, and where an individual ISP user can be identified and physically located just by analysing their search history.
Current data protection principles have little or nothing to say about those concepts. Indeed, current data protection principles seem to start to run into boggy ground when the ideas of anonymity and pseudonymity are introduced: for instance, if a user's real identity is obfuscated through the use of a Liberty Alliance-style "opaque handle", does that opaque handle constitute 'personally identifiable information'? In other words, some of the innovations which have been introduced over the last 5-6 years, specifically to help protect users' privacy, themselves start to challenge the adequacy of the original principles sketched out all those years ago by the OECD.
That does argue for change - but with a 28-year lifespan to beat, anyone revising the principles has a pretty high bar to clear.
At the other end of the time-scale, the assistant information commissioner, Jonathan Bamford, spoke recently at a Kable event to warn that privacy needs to be a core component of government ID architectures from the outset. "Public confidence, like personal privacy, is almost impossible to recover once you have lost it", he says.
I would be happier with that assertion if I had not also heard Jonathan speak, a number of times over the past year, on the subject of an ICO strategy 'based on the principle of enabling data sharing'. If that is your key message for several months, then changing to a message of 'designing personal privacy in from the outset' is a tough switch to pull off without losing a lot of credibility.
If privacy really is such a key principle, might it not be better to have been setting out a strategy described in terms of 'data minimisation', 'data ephemerisation' and 'minimal disclosure', rather than 'enabling organisations to share data more effectively'? A change of core public messaging like this, with respect, communicates uncertainty about the relative importance of the underlying principles.
That's crucial in the present context. If the ICO is going to consider overhauling the OECD principles, it needs to do so with an eye to timescales of 28 years, not 28 weeks.
![[RSS Newsfeed]](/themes/sotto/images/valid-rss.png)
![[This is a Roller site]](/themes/sotto/images/roller-logo.gif){kind=logo}