Data privacy, for all that has been written on the topic,remains a fluid concept, continually evolving as the winds of change sweepthrough the digital frontier.
At times in 2016, those winds felt like a hurricane.
For Data Privacy Day 2016, SCMagazine.com asked key thoughtleaders to pull back on the curtain on the very concept of data privacy. They identified key events over the last year that have reshaped publicpolicy and expectations of what happens—and what should happen—to personally identifiable information when users go online.
Many of the most important developments have had aEurocentric flavor to them. For instance, the European Court of Justice in October 2015 struck down the EuropeanCommission's Safe Harbour Decision that had declared the data exchange frameworkestablished between the U.S. and Europe as secure. Albert Gidari, Director ofPrivacy at Stanford University Law School's Center for Internet and Society,called the decision a “watershed moment” because it “largely invalidated SafeHarbor data transfers to the U.S. and called into question all other bases fordata transfer to the U.S. as well.”
On the other hand, “Critics note that individual European government surveillance practices will continue, while U.S. companies are targeted, using privacy as a commercial mallet,” cautioned Rhea Siers, Scholar inResidence at George Washington University's Center for Cyber and HomelandSecurity, and former Deputy Associate Director for Policy at the National Security Agency.
The European Union also reached agreement on its landmarkGeneral Data Protection Regulation, which gives citizens increased control overtheir personal data and sets continent-wide standards for the export ofpersonal data outside of Europe. Omer Tene, Vice President of Research andEducation at the International Association of Privacy Professionals, called theregulation a “once-in-a-generation legal reform which will shape the web's nextdecade.
But these victories for online privacy advocates were counterbalancedby calls for stepped-up surveillance following the shocking Paris terroristattacks and other global ISIS-driven violence. Reports of terroristscommunicating with each other through encrypted messaging applications haveprompted a new round of security vs. privacy debates, including whether or not technologyvendors should provide encryption backdoors and keys to federal enforcementagencies to prevent the next attack.
“The Paris nightclub massacre unleashed a wave ofsecurity measures that, as we know in the U.S. post-9/11, will take a long timeto roll back,” said Gidari.
In the U.S., the Cybersecurity Act of 2015 was passedafter years of false starts—albeit by folding the legislation into a larger spendingbill. The act aims to accomplish many of the same goals outlined in PresidentObama's February 2015 executive order on cybersecurity: to encourage andincentivize collaboration and cyberintelligence sharing between governmentagencies and corporate entities.
Policies that didn't passed were in their own way significant.Efforts to implement a federal data breach notification law stalled, despitemounting concerns over the latest barrage of cyberattacks—most notably, thehacking of the U.S. Office of Personnel Management. “The OPM hack seemed tomotivate Congress, but definitive action is still pending,” noted Siers. Discoveredin April 2015, the OPM breach compromised the records of at least 22.1 millionpeople, and was reportedly perpetrated by Chinese hackers.
Data breach fears also grew, added Tene, due to the “increasedrollout of the Internet of Things (IoT), with smart cities, smart cars, smart toysand a whole variety of devices talking to each other and silently documentingour digital trail.”
But with all that has changed in the last 12 months, hasthe average citizen's expectations of privacy been transformed in proportion?
“I think there are significant shifts in consumers'expectations concerning timely breach notification,” said Siers. “There isgrowing consumer concern that they are vulnerable to breaches and growing fearsthat companies on the web simply can't guarantee the privacy of their users,from medical records held by health insurers to Ashley Madison.”
New research indicates that certain views on privacy may beas much as rooted in generational influences as they are by current news andevents. A survey study released this month by the Center for GenerationalKinetics found that Generation Z members (those born no earlier than themid-to-late ‘90s) are least concerned about their privacy compared to older generationswhen it comes to paying with mobile apps or using social media. In contrasthowever, they are more concerned about privacy when sending and receivingmessages (38 percent of Generation Z members compared to 29 percent of Millennials.)
While generational differences may exist between in termsof privacy expectations, these differences are “related to usage of technology,not just to age,” argued Siers.
Gidari seemed to agree, adding, “The privacy impacts ofnew technology have been experienced by each and every generation. Thetelephone, camera and hearing aids all raised red privacy flags in their time.But as technology gets adopted, laws catch up to address perceived privacyinadequacies, usually just in time to meet the next innovation.”