Privacy Audits

In theory, privacy audits are a sensible and useful thing. Regardless of whether they're conducted internally or externally, they can provide insights into data handling systems, identify shortcomings, and help prioritize resources. They can provide external, independent validation of compliance with privacy laws and contractual commitments. And they can be a useful source of transparency. Sometimes, they're even mandated by privacy law, e.g., in some controller-processor outsourcing arrangements under EU data protection rules. Considering how many good reasons there are to conduct privacy audits, it's a bit of a mystery to me why there isn't more of an industry to provide them. Indeed, if you were looking to hire external experts to conduct privacy audits, and if you asked me for a recommendation, well, I'd be kind of stuck to give you a name. I've asked a bunch of my peers at other companies too, and privately, they're stumped too.

Lots of people purport to be able do privacy audits. Law firms, accounting firms, consulting firms are all ready to sell this service, at sometimes astronomical costs, but in practice, if you ask around amongst people who have tried to hire them, you often hear people complain about high-priced pay-as-you-learn tutorials for junior professionals. There are also a few "low-cost" versions floating around, but they are often rudimentary checklists (e.g., "do you have a written privacy policy in place? yes, check!") etc. There must be more room for the happy middle ground between the super-high-cost customized audit and the self-audit checklist models.

So, here's a business idea. Why don't some enterprising people work to establish a privacy auditing business, combining some deep technical understanding with process rigor, offer the service at a competitive cost, and help fill a vacuum? Almost everyone in the profession whom I know agrees that privacy audits are, in theory, a useful tool for privacy hygiene, but in practice, it's hard to find the right level of professional service.

There seems to be a clear market failing here. Over time, surely, the idea of privacy audits will become more integrated into good privacy practice. Whoever can figure out how to provide this service will be contributing to the privacy profession and probably end up making a lot of money. Good luck!

A new chance to get the Working Party to work better?

I'm delighted to see a new Chairman, Jacob Kohnstamm, assume the helm at the Working Party, which is the group of all of Europe's national Data Protection Authorities, created to try to achieve common approaches to privacy across Europe. Mr. Kohnstamm is a privacy leader whom I've known for years, and whom I greatly admire, even when we find ourselves on the opposite sides of the debate. I'm confident he'll provide new leadership and relevance at the Working Party. I also think it's healthy for European institutions to break away from alternating franco-german leadership, which has so dominated the Working Party over many years.

As a privacy professional, people sometimes ask me why I take the Working Party seriously, and why I would want to see it play a greater role in privacy matters in Europe? The answer is simple: with all its institutional flaws, any body that contributes to a more harmonized data protection across Europe is better than the alternative, with 27 different approaches and inconsistent cacophony. Since the Working Party is the best instrument we've got in Europe to try to do things in a coherent way, I think it's worth taking a moment to make suggestions about how it could work better. My comments are strictly focused on only one aspect of its role, namely, the extent to which it interacts with the private sector in a semi-regulatory context. My critiques are offered in a spirit of constructive feedback.

So, what are the key issues that deserve attention to make the Working Party work better in the future?

Public Transparency: the Working Party operates behind closed doors. It rarely involves outsiders in its deliberations. It almost never publishes draft opinions for external review, and rarely (if ever) opens its meetings to the public. As far as I know, it never publishes the range of consenting/dissenting views with its opinions, and it publishes little more than a summary agenda and adopted Opinions. I strongly believe that transparent government is good government, and the Working Party is simply not transparent today.

Accountability and Review: the Working Party's opinions are not "binding" and therefore have never, to my knowledge, been subject to judicial review. Sometimes Working Party opinions make sense, sometimes not. Sometimes they're insightful, sometimes they're gibberish. External, objective, academic, technical, maybe even judicial review, is much needed.

Technical expertise: The Working Party has many times embarked on issues which turn on Internet technical architecture. There is not enough technical expertise at the Working Party level, which is unsurprising, considering that the members generally come from political or administrative backgrounds. But to have well-informed discussion about Internet regulation, a foundation of technical knowledge must be in place, or must be provided from the outside.

Confidentiality: To deal with confidential business matters in a semi-regulatory context, any regulatory body needs to be able to respect business secrets submitted to it. Maintaining confidentiality has not been a strong point of the Working Party, given that its documents are routinely distributed amongst 27 countries. But leaks damage the ability of the Working Party to be effective.

Speed: In tech circles, things move fast. This is an innovation business, after all. But a discussion with the Working Party can often take years, with rather stilted exchanges of letters, each exchange punctuated by multi-month pauses. Surely, there must be a faster, less formalistic, way to collaborate.

All in all, these critiques are meant to be constructive. I think privacy would be well-served by a more realistic and collaborative dialogue between the Working Party and industry. The old Working Party made some progress, but there's room for more. I'm hopeful about the future.

Billions of photos online, Billions of privacy offenders?

With the proliferation of Internet platforms for user-generated content, people are increasingly seeing examples where one person's right to freedom of expression may infringe someone else's right to privacy, and vice-versa. If I upload my holiday pictures to the Internet, taken from a public place, and if they capture you lounging by your pool, does my freedom of expression trump your right to privacy, or the other way around? Whatever you think, there are already billions of such photos online and publicly accessible.

Both freedom of expression and privacy are fundamental human rights. But those rights are not both equally enforced, protected or policed. There are literally thousands of data protection bureaucrats in Europe whose job is to enforce European data protection regulations. As far as I can tell, there is not a single government official in all of Europe whose sole job is to do the same for freedom of expression. Curious, no?

As I go to privacy-centric conferences where people invariably talk about the problems and risks of social networking sites, I'm often the odd guy out who seems to think that they're also precious platforms for freedom of expression. Lots of guys in power lecture about how lives or careers or futures are jeopardized by a single embarrassing photo posted to a platform.

Well, I'm not so sure. I was thinking about what this guy showed when he was young, and he just got elected Senator, so maybe things are changing.

A privacy regulator in Europe told me the other day that he thought it was a data protection violation for anyone to post a photo online if it captured someone's face or property without their consent. I asked him whether he thought this restricted the right to freedom of expression. He didn't seem to understand the question.

Grazie! for your support

I'm thinking about Italy a lot these days. Many of you have expressed your support, and I'm gratified by your concern and your solidarity.

I see this case has prompted an important debate and passionate expressions of support for the principles of freedom of expression that I have always felt are at stake in this prosecution. We'll get the Judge's written opinion within 90 days of last week's verdict, so probably around mid-May. Until then it's hard to speculate about his precise legal reasoning, even if the implications of this conviction are already being widely discussed in terms of the potential liability of employees working for internet platforms that host user-generated content. As for me, I'm not really at liberty to comment much publicly, because, anything I say about it can (and has!) been used against me.

Many thanks to you, my many friends in the privacy community who have reached out to me. Grazie!