
Why Data Protection Day Is A Dismal Failure

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Data Protection Day fails to inspire yet again – it’s time for a different story, says Tom Brewster

There are few things that make me genuinely despair, but awareness days around security issues make me want to annihilate my keyboard with my forehead. They just don’t do what they are supposed to – make people interested enough in privacy issues to actually do something about it.

So, on a cold Monday morning in January, when normal people have zero funds left in their bank accounts, and their depression quotient is almost full up, New Year’s resolutions are dismally forgotten, and spin-merchants are fighting over which day is really the elusive “Blue Monday”, the Data Protection Day organisers add to our joy with their ever-so-special event. The name itself is enough to make your stomach sink, but it has aliases – the thrilling European Privacy Day and the racy Data Privacy Day.

The “promotion” around this special day is equally, depressingly, drab. In Europe, the “charge” is being led by the European Commission – the body that is deciding the fate of data privacy legislation across member states right now. The Commission has gone down the same utterly predictable route as the umpteen security vendors piggybacking on the event to push their products: shoving out some research and talking about their plans.

Non-commitments

Then there’s the horde of organisations who have made “commitments” to “ensure” data privacy, as if it shouldn’t have been enshrined in every company policy and government manifesto years ago. Take the GSMA. It has today released its Accountability Framework. It looks to get app makers to sign up to some general principles around privacy, built on its surprisingly brief Privacy Design Guidelines released last year. But those principles are broad and unspecific, ranging from giving users “meaningful choice” over personal information, whatever that means, to using “reasonable safeguards” to protect data.

I’m fairly sure any company that signs up and breaks those rules won’t be severely reprimanded in any notable way.

Here’s the GSMA’s threat for serial offenders: “Continued non-compliances or serious breaches will be referred to the appropriate governing subcommittee of the GSMA Board – the GSMA Public Policy Committee – to identify and implement an appropriate sanction, up to and including public expulsion from the programme for repeated non-compliances.” Oh. No. There’s only a handful of signatories thus far anyway.

Something that could be a tad more positive is the “Fair Data” badge, set up by the Market Research Society. The “ethical mark for personal data” will help people “easily identify between those organisations which collect, use and retain personal data properly and ethically, and those that do not”.

But, of course, it requires willing organisations to sign up to ten core principles. It is thus predictable what will happen: those companies who know they aren’t at much risk of landing in hot water over what they do with people’s information will sign up so they can brag about how much they respect privacy, whilst those businesses that are of real concern will stay away. The launch partners do not include any notable data handlers, at least none the public are concerned about, like Facebook or Google.

So well done, a pat on the back for all those organisations today who effectively just said “yeah, sure, I’ll sign this and then forget all about it once this pointless day is through”. I haven’t seen any meaningful commitments not to sell people’s information, to give users more opt-in or opt-out choices around where their data goes, or for what purposes it is used.

Campaign groups are making a lot of noise, with the Brussels Privacy Declaration signed by various non-profits and concerned individuals, but for this day to be important, it needs those in government and business to show they care. Maybe they do, but there’s no evidence of it today.

Time to tell stories

It’s all such a shame. There is an opportunity for making noise here, piquing people’s interest in what is a genuinely fascinating topic and talking about why privacy actually matters. But those in charge just do not get it. They do not understand that what we need to hear are stories, narratives around privacy issues, ones that make us feel concern both for ourselves and for fellow human beings.

Because the only way we are going to improve privacy for everyone is by ensuring that people, and businesses, care about one another’s rights. That is really what privacy is about – respect for each other, respect for one another’s personal space, and an understanding of people’s freedom to decide on what they expose to the world.

And what breeds respect? Stories. Stories about personal strife, cases where organisations and governments have encroached on people’s privacy, perhaps by selling their data or maybe by not releasing it to its owners. Or where someone’s day-to-day existence has been thrown into disarray because their information has been mishandled and used for nefarious purposes, like identity theft.

For instance, a friend of mine last year, two days before Christmas, had her wallet stolen. Hours later she learned the thieves had walked into a bank, one of Europe’s biggest, which failed to do proper checks on her data, and stole a significant sum of money by pretending to be her, only armed with her cards, nothing else. It seems those holding our most critical information, in cases such as these, are not being responsible with it, are not using it to protect us as we trust them to do.

And what about all those stories of UK government failures to prevent privacy infractions? Just look at the Department of Work and Pensions. FOI requests I put in last year showed it was the most complained about central government department when it came to data breaches.

Another FOI I put in recently found that between 1 January 2011 and 31 October 2012, 2,519 DWP employees were disciplined for improper or inappropriate use of the Internet or of departmental data. According to Computer Weekly, public bodies have sacked at least 120 employees for abusing access to the Customer Information System, thought to be the “largest government database of personal information in Europe”. Something is clearly very, very wrong here – government employees should not be abusing people’s data on this scale.

Or we could tell stories about how the US government and corporations are trying to decide the future of data protection in Europe, with bitter narratives evolving in Brussels. Did you know that before EU officials had made their political stance known on proposals to change European law, US government busybodies had sent over documentation trying to sway their opinion? Did you know that the US Chamber of Commerce, with the backing of the US government, has a 50-strong task-force working to weaken the proposals? And it looks like they’re winning – a European Parliament commission last week voted to water down the plans.

The organisers of Data Protection Day, or whatever it’s called, should be talking about specific cases where the public are affected, not shoving out meaningless studies and repeating the same lines they have been for years. There are many stories to tell. Ones that can get the public interested. It’s just that the people who are supposed to be spreading a positive message don’t know how to tell them.
