The Centre for Information Policy Leadership’s Executive Director, Marty Abrams, brings you these thoughts on a recent data protection summit in Barcelona.
Harmonized international data protection rules have been privacy’s Holy Grail since the EU Directive was enacted in 1995. Harmonized, globally recognized rules would simplify life for privacy protection authorities and companies. Numerous efforts have been undertaken to create a harmonized code. The most recent, an international standards project led by the Spanish Data Protection Commissioner, began on January 12 as international privacy experts met in Barcelona. The finished product — a harmonized privacy code that will be the basis for a data protection treaty — will be a centerpiece of the 31st International Conference of Data Protection and Privacy Commissioners in November 2009 in Madrid.
The Barcelona meeting focused on a draft standards document developed by the Spanish Data Protection Authority (Agencia Española de Protección de Datos). The document integrates many of the elements from the OECD Privacy Guidelines, Council of Europe Convention, EU Directive and APEC Privacy Framework. In its 30 sections, the document recognizes almost every concept found in this existing guidance.
Among the goals of the project begun in Barcelona is to produce a document that promotes fair processing of data worldwide. In fact, the goal of all privacy laws is fair processing of data. But what constitutes fair processing is colored by culture. Sometimes, what is fair in one location will not be considered fair in another.
Basic principles, articulated in the OECD Guidelines and the APEC Framework, form the foundation of information privacy protection everywhere. Because they are more general, they tend to be less biased toward or away from any particular local orientation about privacy. However, more detailed laws such as the EU Directive and the implementing laws in the 27 EU member states capture details that, in some instances, reflect specific cultural mores.
For example, the Directive contains a principle about the right of individuals not to be subject to automated decisions. What is an automated decision? It is a decision driven by analytics that does not require an individual’s intervention. For example, the analytic tools that protect organizations from fraud yield automated decisions. A credit card transaction is scored to determine whether it is likely fraudulent; if the transaction scores high, it is rejected. A global rule that prohibits subjecting an individual to automated decisions to prevent fraud would increase the incidence of financial loss due to fraud.
In practical terms, data protection officials exempt fraud tools, either explicitly or implicitly, from the automated decision-making provisions of most privacy laws. However, other forms of commonly automated decisions are not exempt. For example, the automated decision-making provisions of the EU Directive cover credit scoring. Credit scoring is the probability-based process that predicts whether or not the terms of a new line of credit will be met. Research conducted in the United States by the Credit Research Center and others has demonstrated that scoring algorithms establish the basis for more consistent decisions than people do. In the United States, consumer protection laws ensure that credit scoring is fair. The United States Federal Trade Commission determined that fair processing is reflected in the more accurate decisions that come from credit scoring.
I buy into the concept of privacy as a fundamental interest of all individuals. But when the day is done, local rules reflect cultural sensitivities. The process led by Spain needs to take this into consideration. A code should harmonize key concepts, and mandate respect for local rules.
Peter Hustinx, the European Union’s Data Protection Supervisor, has suggested the first step toward a harmonized code would be a feasibility study. I would concur. I believe the process in anticipation of the November meeting in Madrid might better focus on the key structural concepts that are common everywhere and on a mechanism for assuring respect for fair processing concepts that are culturally based.