Saturday, June 13, 2009

SoGikII and DP reform

Before HK, Pangloss was in lovely Sydney enjoying the hospitality of the Cyberspace Law and Policy Centre at University of New South Wales at SoGikii, aka the conference on the beach at Coogee :-))

SoGikII was bijoux but very interesting. Graham Greenleaf and Ian Brown swapped multi Continental ideas, helped by the audience, on how to reform personal data protection laws, calling on current moves to reform of the EU DPD, the evolving APEC privacy principles, Graham's work on comparative Asian privacy law and the far famed (everyone in Oz spoke about it in hushed tones) 2000 pages AU$2 m ALRC report on privacy.

The general emerging ideas seem to be:
  • one size does NOT fit all : more prior privacy impact assessment and privacy engineered in ("privacy by design") needed for large data bases and other such projects, especially in public sector;
  • in the EU the effect of Lindqvist needs rolled back for small data processors such as the millions of user generated content providers. A stronger domestic purposes exemption might meet these needs, linked to stronger obligations on platforms to take down on complaint (though Pangloss wonders about the free speech impact of this?) and industry codes on privacy protective default settings on social networks.
  • for all data processors, more emphasis on data minimisation - collecting less data ab initio, by code means and by reliance on principles such as the Australian rule that systems must be designed to allow an anonymity option if practical (eg London't Oyster system is designed for identifying users; Singapore's Octopus is not). This is all the more important as security of large multiple access dbs is increasingly unreliable.
  • more concern for the merging human rights protection for privacy not just under DPD rules - eg the recent UK ECHR defeat in the DNA database case.
  • DP export laws must be maintained despite business opposition
On remedies and enforcement some ideas were
  • better remedies for users including class action rights for consumer organisations
  • replace boilerplate registration of purposes with online subject access rights and tracking of use of data (PG sez: could semantic web data help here??)
  • penalties for abusive use of "DP" by companies to restrict access to info by consumers
  • security breach notification was controversial with some complaining in US it had done little or nothing to stop malware breaches.
Very much stuff to think about there. Other great papers involved Will Uther, Senior Lecturer (School of Computer Science and Engineering, UNSW) on Patent Law in the Federation: Replicators and Piracy which relied on 23rd century Star Trek Federation law to assess how future technology might disturb patent law :)); and Andrea Matwyshwn (Wharton, Penn) on Bourdieu, privacy and social capital. (Book of the week, btw, has definitely been Lanham's Economics of Attention.)

Pangloss herself argued gloomily (in both HK and Oz) that rights to control and bequeath digital assets after death (such as eBay reputations and Facebook profiles as well as the much discussed virtual world/MMORPG assets) would become increasingly important as digital natives age and die, and life logging expands. the key problems are the intermediation of the assets, leading to a loss of control by both creator and heirs, and the lack of any locus to consider societal interests in access to and preservation of digital cultural/literary heritage. This builds on my previous work suggesting that regulation of virtual assets generally is incoherent and ad hoc, as well as my FB /SNSs and property in VWs work. I'll get the new ppt up shortly!

No comments: