This article is also available in:
Deutsch: [2011 Public Voice Konferenz der Zivilgesellschaft: “Privacy is Freedom” |]

The Public Voice meeting that took place on 31 October 2011 in Mexico City
began with a discussion of the 2009 Madrid declarations (both those from
DPAs and civil society). Most participants felt there had been little
progress towards implementation or acceptance by governments. Peter Schaar
(Federal DPC Germany) stressed that upholding the rights of data subjects
required independent oversight, and that CoE Convention 108 was still
available for regulating transborder data flows, and was open to
third-countries. Discussions about multilateral vs. single global
instruments were becoming repetitive.

In the panel on Cultures of Privacy, Jacob Kohnstamm (Netherlands DPC &
Art.29 WP Chair) noted that databases were implicated in extensive human
rights violations during WW2, and the families of many Europeans had cause
to remember such risks. David Vladeck (FTC) saw his role not as “referee”
over different and clashing cultures, but to preserve consumer choice;
clicking through EULA “wordbarf” is not “meaningful” consent. He stated US
could not be more different from EU culture, but “we get to the same
result”, citing FTC support for “Do Not Track”.

Lara Ballard (US State Department) described an Egyptian activist creating a
database identifying members of the secret police (to name and shame them).
Flicker took down the pictures on copyright (not privacy) grounds. The
activist’s view was that the secret police had invalidated their own right
to privacy, because their conduct undermined the rule of law itself. Ballard
was sceptical of nostrums about lack of Asian sense of privacy, (e.g.,
non-legal concepts of Japanese politeness are similar) and, cited
sociologist Irwin Altman on privacy as dynamically negotiated social
boundaries. She asserted EU DPCs were mistrustful of major US Internet
companies, but trusted their own governments. She praised the concept of
“accountability agents” and the APEC privacy process. Moderator Alberto
Cerda (Derechos Digitales – Chile) remarked that global agreements for the
enforcement of “intellectual property” already existed, but there seemed to
be little prospect of comparable treaties for privacy.

Zhou Hanhua (China – Social Science Academy) said although China had no
history of privacy, the real concerns of people were similar. China today
may have the worst of both worlds. People felt resigned to marketing privacy
invasions such as endemic mobile voice spam. China has still not enacted a
DP law (and the choice between US and EU systems was most difficult), but on
paper, Constitutional protections were similar to developed countries, and
culture is changing rapidly. Moez Chakchouk (Tunisia) spoke of their first
free election, and new constitution next year. Their main priority was to
transform the former censorship agency into a human rights and privacy
agency (sic). Cerda asked whether EU standards were too high (so few
countries attained adequacy), and Kohnstamm replied national authorities
couldn’t do much without co-operation from the rest of the world. Schaar
said the EU should not lower standards, given European history; data
protection will stay a fundamental right in Europe.

Vladeck contrasted common-law vs. civil law cultures; in the EU privacy law
is very specific, in the US not. There was a vocabulary problem. To US ears,
rights mean what is in the US Constitution, “and why do I have to fill in a
form for the police when I check into a hotel in Europe?” – a right not
enforced isn’t much of a right. US goals were similar to the EU. “There is
no difference between opt-in and opt-out given current technology” (sic).
Ballard re-iterated support for “accountability agents” (“a new legal regime
accountable to e.g. TRUSTe”).

The panel on Raising Public Awareness on Privacy vs. Technology was
moderated by Pablo Molina (US), and began with a description of the new
Brazilian law from Danilo Doneda. Michael Donohue (OECD) stated that
transborder flows of data can be blocked only if there was no adequate
protection of sensitive data. Omer Tene said face recognition was not a new
issue (e.g. police line-ups). His view of consent was that an opt-out should
be sufficient if good information was provided. Thomas Nortvedt (TACD)
emphasized that consumers needed to be able to enforce rights.

Korina Velázquez (MEX) moderated the panel on Children’s Privacy Online,
with contributions from Adriana Labardini (Mexico – Alconsumidor), Kristina
Irion (CEU Hungary), and Conchy Martin Rey (TACD). Neuro-marketing
techniques were discussed, and Jeff Chester remarked that the COPPA
legislation was unique in the US, in that it gave opt-in protection (to
minors). There were few answers to a question on when children should attain
legal independence from their parents for the exercise of privacy rights,
given the wide differences between individual children.

Dave Banisar (Article 19) led a conversation with Marc Rotenberg (EPIC) on
the relationship (both deprecated the word “balance”) between Privacy and
Freedom of Expression. There were strong analogies between the right to
withhold identity and freedom of expression rights. Business obviously
prefers to conduct their activities unregulated. Banisar remarked that in
the UK, some attempted to justify “phone-hacking” in the name of free
expression, and Rotenberg recalled that Warren & Brandeis stipulated a
public interest exemption in their seminal article. Caspar Bowden asked if a
right of subject access to data in the private sector was feasible in the
US, and Rotenberg replied that the Federal Constitution normally doesn’t
coerce private parties, but some state constitutions do. Probably “compelled
speech” cases can be distinguished (to allow a subject access right). EPIC
has pursued information self-determination rights, and this one is on their
“to do” list. The office of the EDPS pointed to the ECJ “Bavarian beer”
case, and their intervention to ensure FOI rights aren’t subordinated to
privacy rights, in cases of public interest. Lara Ballard (US State
Department) asked whether government officials had privacy rights when
offering confidential advice. Dave Banisar said no, and deprecated the use
of the word privacy to mean “organizational secrecy”.

Simon Davies (PI) moderated the panel on a Right to Forget. Marie-Helen
Boulanger (EU Commission) said the data subjects’ existing rights needed to
be clarified, and that the impact of cheap data storage was that many traces
were left in online services. Data must be fully deleted when its processing
would be unlawful, e.g. when the retention period is not in line with the
purpose. However there is no “right to hide” in EU law. Regarding a right to
erasure of public records, it was preferable that unnecessary data was not
collected at all – data minimization remains a sound principle, in
conjunction with privacy-by-design. Peter Fleischer said Google merely
reflected the web, and should be allowed to index whatever is lawful on the
web, and mentioned a possible ECJ referral of the current Spanish case.
Alejandro Pisanty (Mexico) stressed the end-to-end principle of the Internet
(network flows should not depend on the content), and that
Mayer-Schönberger’s idea for self-deleting data would still leave metadata
traces behind, even after content was deleted. Banisar recalled that the
possibility for rehabilitation was an internationally accepted principle in
Freedom of Expression.

Chris Soghoian rounded on Fleischer’s assertion that Google “deleted” search
data after nine months, pointing out that their actual practice
(IP-last-byte-deletion) did not even properly anonymize the data. The
important “right to be forgotten” is over the behavioural data we are
scarcely conscious is being collected, but the public debate mostly avoids
this issue, focussing on e.g. tagged photos. The major Internet companies
don’t let the user delete behavioural data. Moreover there is the further
issue of aggregate data used to sort users automatically into marketing
buckets. Caspar Bowden asked why Google didn’t permit users to delete web
history from a “parallel” logging system, only disclosed by an elliptical
reference in an FAQ outside the privacy statement.

Gus Hosein (PI) moderated the final panel on Government Databases. Caspar
Bowden (EDRi) summarised the effect of the US law FISAA 2008 1881a; that
Cloud providers within US jurisdiction may be coerced into wiretapping their
own datacentres (inside or outside the US) to conduct purely political
surveillance on non-US persons outside the US.

Meryem Marzouki (France – CNRS) made a plea for a data confinement doctrine
and its strict application by law, in response to the vulnerability of
mega-databases to malicious intrusions, technical breaches and unlawful use.
Katitza Rodriguez (EFF), Cedric Laurent (Access) and Jessica Matus Arenas
(Chile) provided analysis on national legislations on data protection and
access to information, respectively in Mexico, Colombia and Chile, as well
as commented the current situation in these countries.

Public Voice conference

Caspar Bowden’s presentation at Public Voice event (31.10.2011)

(Contribution by Caspar Bowden – EDRi Observer)