Mobile and internet privacy

In honour of European Consumer Day today, and World Day Against Cyber-censorship earlier this week, two privacy reports have caught my eye. Privacy is concerned as much with what we wish to keep private as it is with how we control what others do with our private data. Both reports cover both issues. First, the Article 29 Working Party (the co-ordinating group of EU data protection commissioners) have published an opinion addressing the key data protection risks of mobile apps (press release | opinion). Mobile devices increasingly store larger and larger amounts of personal data, and this poses many risks for individual privacy, both in terms of keeping the data private and secure, and in terms of what developers can do with the data collected by their apps. The Working Party recommend that all those in the app ecosystem should understand their own responsibilities, but they also acknowledge that, to achieve the highest standards of privacy and data protection, collaboration with other parties in the app ecosystem is necessary.

Mobile apps are simply one of a plethora of modern technological challenges to privacy. Many of the others are addressed in a new UNESCO publication: Global survey on Internet privacy and freedom of expression. These principles are as likely to reinforce as to oppose each other. For example, as the executive summary puts it:

The right to privacy underpins other rights and freedoms, including freedom of expression, association and belief. The ability to communicate anonymously without governments knowing our identity, for instance, has historically played an important role in safeguarding free expression and strengthening political accountability, with people more likely to speak out on issues of public interest if they can do so without fear of reprisal. At the same time, the right to privacy can also compete with the right to freedom of expression, and in practice a balance between these rights is called for. Striking this balance is a delicate task, and not one that can easily be anticipated in advance.

The Internet presents significant new challenges for protecting the right to privacy, and creates many contexts in which privacy has never been so necessary or so precarious. To aid in the process of striking the necessary balances, the book provides an up-to-date “overview of legal protection, self-regulatory guidelines, normative challenges, and case studies relating to the topic”. It therefore covers threats to privacy that have developed through the internet (chapter 2), international legal standards on privacy (chapter 3), and the complex intersections between the rights to privacy and freedom of expression (chapter 4). Drawing on these chapters, the report then makes a series of recommendations to states and corporations for better practice (chapter 5), including:

Strong constitutional protection should be provided for both privacy and freedom of expression. This should encompass positive protections for these rights and, ideally, impose a positive obligation on the State to provide protection against private interferences with these rights.

The constitution should allow only limited restrictions on both privacy and freedom of expression.

The civil law should provide a private remedy against invasions of privacy, though this should allow for a public interest balancing when issues of freedom of expression are involved.

States should put in place sector-based criminal rules on privacy, to protect certain highly sensitive information, such as privacy of telecommunications and banking.

States should put in place strong data protection regimes which include the key features of: (i) broad applicability, (ii) the right of consent, (iii) the right to access and correct, (iv) obligations on data controllers, and (v) the right of redress.

There should be exceptions to these rules for certain types of data collection, in particular where this is for purposes of freedom of expression.

Corporations should develop strong privacy policies to protect users.

States, corporations and the media should undertake awareness-raising efforts about privacy and new technologies.

My sense is that Irish law broadly conforms with these standards, but that state and private practice still have a long way to go to comply. Moreover, I would not want either report to obscure the role of personal responsibility: you may not notice you’ve lost your privacy till it’s gone, so you have a responsibility to inform and protect yourself as much as you can. If you don’t, then all the constitutional and legal structures and privacy policies and information campaigns are for naught.