Threats to privacy from new trends and developments in technology look set to continue in 2020 and beyond. But the impact of the counter-trends and the effect they may have in constraining or shaping technology has received less attention – perhaps with the exception of law and regulation. As someone who has spent most of their professional life helping large organisations comply with law and regulation, I am often surprised at the level of faith in the law or regulation alone in delivering acceptable outcomes to complex problems like the impact of technology on our privacy.

Law and regulation is very effective at creating momentum and movement. By creating fear in board rooms, it can galvanise organisations to focus on compliance. But this does not guarantee that the things organisations do as a result will be pleasing to all concerned, even if they appear to meet the requirements of the law, and organisations can claim to be fully compliant. This is the problem we have faced to date with technology and privacy – there is no lack of law, legal opinion and guidance; yet there is continuing dissatisfaction with how things are, i.e. the outcomes we are left with.

This is because very often policy makers do not know what those outcomes should be and it would be a mistake for the law to try to determine them. While we are capable of identifying what we don’t like, it’s much harder to say what we do like – or more to the point, how we would like the future to actually look.

It’s therefore a case of sticks and carrots. Hit the donkey with a stick and the donkey will move. But it’s unlikely to go in the direction we want it to. Dangle a carrot under its nose in the direction we do want it to go, and it will generally follow the carrot. Law and regulation is good at creating impetus and momentum, but it won’t guarantee that we get to a desirable destination. To do that, we need incentives. Fortunately, the green shoots of these incentives can be found among the other counter-trends.

The possibility that individuals can now begin to take control of their own personal data is upending long established norms about the control of personal data – the assumption that the organisation is the default point of control. This is heralding the emergence of new entrepreneurs that see an opportunity to strike a new deal with consumers, offering them control. But not control simply for its own sake (worthy though that may be); rather control as a way to exercise greater autonomy over many aspects of their lives that today are made too complex and too difficult by data being controlled elsewhere. And in doing so, there is the potential to unlock enormous economic value from personal data.

This potential for economic disruption to come to the aid of privacy (if not its complete rescue) by shifting power over data from the organisation to the individual is one of the most significant trends emerging as we look to 2020. It needs to be harnessed if we want to shape the development of technology to preserve the rights enshrined in all the major human rights instruments.

The 19th August 2014 was the 25th anniversary of the Web. This year, 2015, is the 800th anniversary of one of the most important legal developments in history – the Magna Carta. The Magna Carta was all about a shift in power – from the English King to the nobles, but in defining the principles for how power is distributed and constrained, it laid down the foundations of England’s legal system, and has influenced legal systems across the world. In celebration of the 25th anniversary of the Web and the 800th anniversary of the Magna Carta, Sir Tim Berners-Lee has called for the creation of a ‘Magna Carta for the Web’ in 2015[1], and has declared that we need to “hardwire the rights to privacy, freedom of expression, affordable access and net neutrality into the rules of the game”[2].

This is a fitting aspiration. But just as the Magna Carta was a response to the shift of power from King to nobles, hardwiring the web in order to protect privacy will require a shift of power over personal data from the organisation to the individual.

    Privacy as Competition

    Privacy is not about the individual – it is all about the value of data. Therefore we will see increasing data fragmentation as companies seek to use data for competitive advantage and create new barriers to entry. Today governments are erecting data transfer requirements and engaging in selective enforcement. At the same time several companies are asserting better collection and use practices to partially influence consumers and regulators. In the future, we will see increased data balkanization and cost without any increase in privacy or changes to substantive business practice. The changes taking place in regulation in China, Russia and the EU are all driving towards more use of privacy as a basis of competition and, as the importance of the data-driven economy increases across the globe, we see more discussions that are about self-interest.

    Data Risk Management

    As privacy and data are subsumed within wider risk frameworks, greater self-regulation and more in-house data risk management will lead to deeper integration of engineering, privacy and policy. We will see more contextual risk management in sectors such as health and finance where more resources will be devoted to privacy but in many the emphasis on privacy vs. security will vary. In terms of more internal self-regulation and accountability, the auto industry is already moving towards more self-regulation and in-house privacy management programmes around issues such as the connected car. In addition, there is uncertainty in the US as to whether ISAOs (Information Sharing and Analysis Organizations) will drive more collaboration between industry and government. Underlying all of this, however, are some core assumptions, namely that privacy will continue to be seen as a value but, with limited resources, privacy will be seen as a cost center.