Private behaviour

But while the likes of Twitter and Facebook insist that the introduction of stricter legislation around surveillance and data-gathering is necessary to restore the public’s faith in the internet, privacy and data protection law expert Eduardo Ustaran doesn’t believe that it’s as easy as it sounds.

“A lot of privacy law is about regulating technology – regulating cookies for example. That’s the wrong way to go, because technology evolves far quicker than law; engineers think and act much faster than lawyers. Legislators could never attempt to catch up – it’s impossible to try to regulate technology.”

Ustaran is a qualified solicitor and has recently written a book – The Future of Privacy – in which he outlines his theories on how to strike that all-important balance between the needs of both data users and gatherers. “Achieving the right balance between the protection of our privacy and the potential to exploit the data we generate is equally critical for human freedom and mankind’s future prosperity,” he writes.

“Ignore privacy as a human value and we risk losing a big chunk of our ability to make choices. Restrict the opportunities presented by what our data says about us and we will have killed the next stage of our development as a species.”

Game changers

Ustaran describes what he sees as the three ‘game-changers’ in the world of data privacy. The first is, unsurprisingly, what he describes as the technological revolution: the advent of concepts such as the internet of things, cloud computing and social networking.

The second ‘game-changer’, he says, has been society’s realisation of the value of information as an asset. He describes data as “the blood that keeps the information society alive and makes it grow” and points out that many companies are now using their knowledge of people’s behaviour as the basis for their entire business plan.

The third ‘game-changer’ is what Ustaran refers to as ‘data globalisation’ – the fact that all of these things are happening on a global scale, and the subsequent impact that this has on regulation. “You can’t just say: ‘Okay well we’ll regulate it with the laws of the European Union’. Data is flowing constantly. Global connectivity needs some form of global response to regulate it.”

Regulate behaviour, not technology

These three things are the catalysts for a number of public policy suggestions and recommendations that Ustaran makes. The first of these is that, instead of regulating technology, Ustaran believes that the law should focus on behaviour.

“I believe that certain behaviours like privacy-friendly technologies should be encouraged, should be incentivised. Harmful uses of technology should be prevented, irrespective of the technology you’re talking about. The law focuses a lot on preventing and prohibiting certain things, but it doesn’t really encourage privacy-friendly practices. It doesn’t rely on the value of data to, say, companies and governments – if you use or collect data in this way, you can do more with the information, you can exploit the value of the data better, to your advantage, if you use it and collect it in a way that’s better protected, less harmful to the users and individuals.”

Ustaran also argues that the current emphasis on informed consent is redundant. “If you print Amazon’s privacy policy it’s about 30 pages long. Does anybody read that? If you read it, would you really understand it?”

He believes that the introduction of a system of icons – similar to those used as washing instructions for items of clothing (an icon that denotes the use of cookies, another that tells a user that no location data is being taken etc.) could simplify privacy policies and make them more worthwhile. But he believes that it would be more valuable still to shift the responsibility away from the consumer.

“The law shouldn’t rely on giving people the ability to consent so much – that only gives a sense of false security. What the law should do is to find out a formula to give some of the value of the data back to the individual.”

Ustaran believes that the thinking behind loyalty schemes should inform legislation around data collection: “Yes, [loyalty] data is gathered to the most granular level of detail, but people receive some of the benefits yielded by that data. If this simple principle has worked for so long in a commercial setting, perhaps there is room for the same approach to be part of a framework that seeks to not only protect individuals, but to empower them.”

The basic principle behind Ustaran’s thinking is that, in the absence of being in complete control of our own data, if someone wants to use our data, we should get something in return; a concept that, he says, doesn’t exist in the law today in any rigid way.

Global compliance

These suggestions address Ustaran’s first two ‘game-changers’, but the last – data globalisation – is covered in his final recommendation: a set of common principles across countries and governments.

“At the moment, there is no recognised set of global standards for the use of personal data, and I don’t think we’re going to have that anytime soon. It may happen in 20 years, but not today.

“I think countries and governments need to agree some common principles so that they work towards working on their own laws, but acknowledging that there have to be some, at the very least, high-level principles. That’s known as the interoperability of systems – we identify those common principles and build global compliance on that basis.”

The book can be ordered here.