The Geopolitics of Personal Data and the Governance of Privacy Colin J. Bennett Department of Political Science University of Victoria BC, Canada Presentation to Conference on “Power and Difference,” Tampere, Finland, August 29 th

Trends in Surveillance Practices – The “New Transparency”  Routinization and expansion of "everyday surveillance”  Ambiguity about the nature of personal information  Surveillance of mobility and location  Embedding of surveillance in material objects  Peer-to-peer (horizontal) surveillance  Globalization of surveillance practices and processes Is the concept and regime of “privacy” appropriate to meet these challenges?

Justifications for Privacy in the West As a Right of the Person – La Vie Privée (France) – Privatsphäre (Germany) – The “ Right to be Let Alone ” (United States) – “Integritet” (Sweden) As a Political Value: A Check against Powerful State and Private Organizations As an Instrumental Value – To ensure that the right data are used by the right people for the right purposes – To build “ trust ” in e-commerce and e-government – To manage “risk”

The Sociological Critique of “Privacy” Rooted in individualism A rights-based discourse Excessive use of spatial metaphors Insensitive to discrimination and “social sorting” Cultural relativism

The Information Privacy Principles Accountability Purpose identification at time of collection Informed consent for collection To limit use and disclosure (finality) Retention limitation Data quality Data security Openness about policies and practices Individual access and correction

A principled-based approach appears in : Comprehensive data protection laws in around 80 countries Sectoral Legislation in information intensive industries International agreements from Council of Europe, OECD, European Union, Asia- Pacific Economic Cooperation Self-regulatory codes and management and technical standards

International Policy Convergence International policy learning Elite networking Policy harmonization Policy penetration

EU DATA PROTECTION DIRECTIVE/REGULATION OECD GUIDLINES COUNCIL OF EUROPE CONVENTION INTERNATIONAL STANDARDIZAATION ORGANIZATION APEC PRIVACY PRINCIPLES

The European Union Directive 95/46/EC on Personal Data Protection – Harmonization of all European Data Protection laws to higher and common standard – Insistence on a “supervisory authority” with common powers in each state – An “adequate level of protection” in countries that receive European personal data Directive 2009/136/EC: The “Cookie Rules” Draft Regulation on Data Protection, January 2012

The EU’s “Adequacy Standards” Articles 25 and 26 of the EU Data Protection Directive (1995) 95/46/EC Personal data should not be transferred outside EU unless an “adequate level of protection” which requires: – Basic content principles: Purpose limitation; data quality and proportionality; transparency; security; rights of access, rectification and opposition; restrictions on onward transfers – Procedural/enforcement principles: good level of compliance with the rules; support and help provided to individual data subjects; appropriate redress provided to the injured party Administered by Article 29 Working Party of Supervisory authorities

The Council of Europe Regime 1981 Convention on the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Treaty 108) – Ratified by 25 countries – Signed by 33 countries – Recommendations on specific practices

The OECD Regime Guidelines on the Protection of Privacy and Transborder Flows of Personal Data(1981) Guidelines for the Security of Information Systems (1992) Guidelines for Cryptography Policy (1997) 30 year anniversary of guidelines and analysis of their future?

The APEC Regime The APEC Privacy Principles (2005) Pathfinder process for accountable cross- border flows of personal data within APEC

International Standards Regime ISO series (Data Security) ISO (Biometric Information Protection) ISO –( Framework for Identity Management). ISO – (A Privacy Framework) ISO (Privacy Reference Architecture)

The Policy Dilemma ADEQUATE LAWS? The presence of key legal principles An independent supervisory authority A good level of compliance ACCOUNTABLE ORGANIZATIONS? Makes original collector of personal data ‘responsible’ – ‘liable?’ Evaluates the “due diligence” of the organization – Use of contracts – Binding corporate rules – Self-certification schemes – Third-party certification to management and technical standards

The Framing (Discursive) Dilemma The Protection of “Privacy”? The Minimization of “Surveillance”?

The Geo-Political Dilemma National Sovereignty Personal Identity and Subjectivity The “Anti-Geography” of the Internet