If there ever was a “year of privacy,” surely it was 2013. A year that ends with dictionary.com selecting “privacy” as “word of the year;” with privacy making front-page headlines in The New York Times and The Washington Post—not to mention The Guardian—on a weekly, indeed almost daily, basis; with cross-Atlantic ties stretched to the limit over privacy issues, the UN passing a privacy resolution and armies of lobbyists spinning BCRs and Do-Not-Track in Washington bars and Brussels cafes—ladies and gentlemen, 2013 was the year of privacy.
This was the year that privacy became a head-of-state issue on the global stage. And literally so, with German Chancellor Angela Merkel looking over her shoulder as her U.S. allies allegedly snooped on her private conversations. It is the year that the European legislative process appeared to be increasingly tied in knots over the stalled reform of the data protection framework. And even as policymakers grappled over a decades-old regulatory framework, technology continued to march on with the Internet of Things, in-store location tracking and facial recognition in vogue.
You've got to admit that as a privacy professional who used to get a blank look when telling an outsider what you do for a living, 2013 marks a turning point. “I work on privacy,” you told them. “Mmmmmm. What does that mean?” they used to counter. Now, all you have to say is—“Have you heard about Snowden? The NSA?”—to shame them into submission. The growth of the profession, as manifest in the number of IAPP members, is telling. In March 2012 there were 10,000 of us; now there are 15,000. If 2013 was all privacy, then 2014 will be even privacier. I know it’s not a word. But it will be!
Here’s a short summary of the major privacy events of the year.
The (not so) secret life of the NSA. It turns out that while we were debating the minutiae of data retention and notice and choice, the NSA had been vacuuming up all of the world’s data—traffic, content, encrypted, the kitchen sink—and using them for … what exactly? Well, let’s leave that for another day. Clearly, nothing has ever come close to impacting the privacy debate like the Snowden revelations about government surveillance. Bulk collection of all of the communications data of American citizens; wholesale monitoring of the contents of non-U.S. persons’ communications directly via the servers of Silicon Valley-based tech giants; breaking and allegedly corrupting encryption standards; intercepting huge volumes of stored data as they shift from server to server; hacking into anything and everything; deploying teams of secret agents to monitor the activities of players on World of Warcraft (The Guardian reported that “so many different U.S. intelligence agents were conducting operations inside games that a ‘deconfliction’ group was required to ensure they weren't spying on, or interfering with, each other.”) Need we go on? We do not know how far along in the NSA revelations we are and what’s yet to come in 2014. But for better or worse, the discussion of privacy will never be the same after Snowden.
3,999 and 1. A veritable emotional rollercoaster for lawyers and lobbyists, the European data protection reform process now appears to have spun out of control. Ironically, 3,999 amendments submitted by Members of the European Parliament to the LIBE committee were not enough to break the spirit of Jan Philipp Albrecht, the rapporteur. In a feat of political mastery (some think magic), the soft-spoken, 30-year-old Green Party MEP was able to broker a deal between all political factions, submitting a compromise draft integrating all 3,999 reservations, concerns and comments. Yet one additional comment—this one coming from the senior legal advisor to the European Council—was enough to derail the legislative reform at the very last moment, leaving European Commission Vice President Viviane Reding, who has also suffered a stinging political setback in her home country, incensed. The legal advisor opined that a central pillar of the reform (some would say the central pillar), the one-stop-shop concept, is unconstitutional as it subverts the fundamental human rights of European citizens. This, he argued, is due to the fact that individuals across the EU would not have sufficient access to justice if they needed to navigate the multi-jurisdictional regulatory maze. The claim, which cuts to the core of the delicate balance between European federalism and continued nationalism, exposes a deep rift between the council and commission on a fundamental aspect of the reform. It means that in the short- to medium-term, that is until the May elections for the European Parliament and subsequent formation of a new commission, privacy folks can return to their day jobs and focus on existing law.
Do Not What? After more than two years of deliberations, the W3C Tracking Protection Working Group appears to be going nowhere. Initially assembled with a rather modest objective—to standardize a browser-based option to express a Do-Not-Track preference—the group has become a policymaking debacle, trying to define an endless array of fraught terms and unable to close an issue without opening a dozen new ones in the process. Given the group’s inability to agree on what tracking even means, it is probably time to move on.
Wyndham trying to knock the wind out of the FTC. Unresolved in 2013, the FTC v. Wyndham case continues to command the close attention of privacy professionals worldwide. In this case, the Wyndham hotel chain is challenging the authority of the FTC to regulate privacy and data security. Wyndham claims that the FTC’s authority, which hinges on a general statutory mandate to enforce against “unfair and deceptive acts and practices,” is overly vague and fails to provide businesses with any guidance to help avoid noncompliance. A similar argument has been raised in another case by LabMD. Clearly, any judicial decision circumscribing the authority of the FTC to regulate in this space would have profound implications not only domestically but also with respect to the stature of the U.S. in the data protection world.
Privacy and cybersecurity: friends or foes. For many years, we have been debating whether privacy and data security are two sides of the same coin or opposites in constant conflict. As has been made clear by the demise of CISPA over privacy concerns, achieving cybersecurity without privacy is untenable. Yet the same is true the other way around. Privacy cannot be maintained without security. Just ask anyone whose information was lost in a data breach. Enter the National Institute of Standards and Technology (NIST) Preliminary Cybersecurity Framework, which is being developed pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. According to the NIST, any security tit must be met by a privacy tat, as manifest in a special appendix to the draft Cybersecurity Framework neatly calibrating privacy controls to security requirements. Businesses’ response to the draft was lukewarm, arguing that the administration should not slip in through the backdoor a privacy framework that it is unable to legislate. Clearly, the cybersecurity/privacy tango will continue in the year to come.
Reprinted with permission from IAPP Privacy Perspectives.