With Wikileaks dominating international headlines, governments across the globe will no doubt begin assessing how their digital borders are patrolled to ensure their diplomatic data doesn’t fall into the wrong hands.
Most of the public have warmly welcomed the cable leaks, many following the riveting revelations with fervor. Put the boot on the other foot, however, and most of us wouldn’t be overly ecstatic with our private information finding its way into the public domain. Of course, the two scenarios are different. Our own personal information relates to ourselves, whilst the leaked cables from the US State Department involve the whole world, even if it does cause diplomatic distress.
Privacy and data protection in 2010
Europe’s leading tech festival
TNW Conference is back for its 12th year. Reserve your 2-for-1 ticket voucher now.
Privacy and data protection have been major talking points throughout 2010 with social media at the centre of much of the furore.
For example, Facebook has ruffled a few feathers this year when it made certain key privacy changes ‘opt-out’ rather than ‘opt-in’. And then there was the admission that many of its third-party apps and games breached data-protection rules. However, public privacy concerns don’t seem to have been too bad for business, with Facebook now teetering on the brink of 600 million users worldwide and showing no sign of slowing. But one of the by-products of its global growth – in a year that saw Facebook overtake Orkut in India and make significant inroads in key markets such as Brazil and Russia – has been the security issues raised by various countries.
No global privacy law
Facebook is entering a minefield of State-led objections to how the social networking giant handles its users’ private information. Canada’s privacy commissioner has previously threatened legal action against Facebook, whilst Korean, German and Swiss regulators have recently voiced concerns too. Brussels has also stated that privacy will be one of its key regulatory issues moving forward.
It can try, but it may find it difficult to keep everyone happy. Facebook’s growing legion of users clearly can’t get enough of it, whilst businesses love having access to the 24-hour global gathering that permeates Facebook. It’s a match made in heaven for all involved. Given that data protection and privacy laws vary between countries, it’s difficult for any company to know what they can and can’t do across the world.
Google discovered this to its chagrin earlier in the year, when three Google executives were handed out jail sentences in Italy for allowing users to post a controversial video on its website – a violation of local privacy laws. The sentences were suspended, but it helps to highlight that many companies – including the major digital players – are constantly treading a thin line between facilitating freedom of expression, and breaking the law.
US vs. EU
In the US, data privacy isn’t heavily legislated. There are regulations in place – but there is no overarching governmental law that stipulates how data can be acquired, stored or used. Bill Clinton and Al Gore even recommended in their “Framework for Global Electronic Commerce” that private companies should ‘self-regulate’.
Europe, on the other hand, heavily regulates and rigidly enforces laws to protect a person’s “family life, his home and his correspondence”, as outlined in Article 8 of the European Convention on Human Rights. To ensure information flows freely across the EU, the various data protection regulations from the member states were brought together under the directive on the protection of personal data, which EU states were required to transpose into their respective laws by the end of 1998.
And for US and other non-EU parties, this directive specifies that data can only be transferred to other countries where a similar, adequate level of data protection exists. The US-EU Safe Harbor Principles were thus drawn up, a program which US companies can sign-up to if they adhere to the seven principles outlined in the privacy directive. US organizations – in theory – must re-certify under Safe Harbor every twelve months.
The seven principles are:
1. Notice: Individuals must be informed that their data is being collected and about how it will be used.
2. Choice: Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
3. Onward Transfer: Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
4. Security: Reasonable efforts must be made to prevent loss of collected information.
5. Data Integrity: Data must be relevant and reliable for the purpose it was collected for.
6. Access: Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
7. Enforcement: There must be effective means of enforcing these rules.
Whilst this EU legislation is designed to unify policy across the member states, each country within the EU still has its own individual laws. And this is why it’s so difficult to know what’s allowed and where. Throw into the equation the myriad of other cultures and laws across the world, and it’s clear that the Schmidts, Zuckerbergs and other digital Dalai Lamas will have their work cut out for them in an increasingly global market.
Facebook unleashed its Open Graph protocol in early 2010, meaning developers can now integrate their websites with the social sphere. So whilst you can now ‘like’ something on any website, this data is passed through the Facebook channels and you can be pretty certain that you’ll be receiving targeted ads that correspond with your ‘likes’. And if you change your relationship status to ‘single’, you can expect to be inundated with ads for dating websites soon.
So Facebook can either adapt its model to suit each country’s requirements – something that really isn’t workable for any true social network – or adopt a different philosophy that adheres to a one word philosophy at all times: permission. Permission marketing was a term coined by marketing guru Seth Godin. It applies to all areas of marketing, where you seek permission from the user before proceeding to the next stage of the buying process.
In the case of Facebook, permission simply means being open and up-front at all times about what data it’s gathering, how it will be used and, crucially, it should always be opt-in. This won’t circumvent every international legislative concern, but it will go a long way towards getting local regulators on its side.