Every year, the Data Protection Commissioners of the world assemble in an annual public conference and private meeting. This year's event — the 21st in the series — took place in Hong Kong in September. The conference attracted nearly 400 participants, with a smaller-than-usual contingent from the American business community. Stephen Lau, Hong Kong Privacy Commissioner for Personal Data, was the host, and he set the tone for the conference by raising the themes of Internet surveillance, human rights and electronic commerce.
The keynote speaker was the Honorable Michael Kirby, Justice of the High Court of Australia. Kirby chaired the committee that produced the original OECD privacy guidelines in 1980, a document that continues to have great international significance. Kirby reviewed the history of the guidelines, calling them a union of economics and human rights. He affirmed the value of the guidelines and expressly rejected those who see the end of privacy as inevitable. He also recognized that some changes may be needed because of developments in cyberspace, electronic commerce and genetics.
Technology was a major subject at the two-day conference, as was the European Union data protection directive. Panels also considered telecommunications, public registers, law enforcement, privacy audits, freedom of information conflicts, the news media, electronic commerce and the law of cyberspace. A novel session considered how surveillance has been depicted in movies such as “1984” and “Gattaca.”
Peter Swire, the newly appointed chief counselor for privacy at the Office of Management and Budget, represented the United States at the public conference and the closed meeting of the commissioners. After some backstage controversy, the Commissioners accepted Swire as an observer — not a full member — at the closed meeting. Given Swire's limited portfolio, this seemed to be an appropriate result, and exclusion of Swire would have been a poor outcome. Some commissioners actively welcomed Swire's presence and thought that the advance represented by the establishment of his position should be recognized and encouraged.
Swire's public performance was credible. He showed respect for data protection objectives and displayed substantive knowledge about privacy. Swire tried hard to put a good face on U.S. privacy activities. He also usefully explained the realities of the American system of government and how the control of the White House by one party and Congress by another prevented passage of some administrative initiatives. Reactions to Swire's presentation from commissioners ranged from very positive to grudging acceptance. Swire made a much better impression than Barbara Wellbery, last year's American speaker from the Department of Commerce. Of course, improving on Wellbery's hostile and insulting presentation was not hard.
The most provocative paper at the Conference came from Nigel Waters, an Australian privacy consultant and a former Australian Deputy Privacy Commissioner. Waters courageously questioned the effectiveness of the EU supervisory authority model in achieving public recognition and in limiting surveillance activities. It took some nerve to do that at a meeting of supervisory authorities. He also called for a re-examination of the U.S. model of privacy protection, noting that the lack of a supervisory authority did not inhibit popular pro-privacy responses to some recent events.
I thought that Waters' paper set too high a standard for assessing privacy authorities. They need credit for trying, but they cannot be held fully accountable for technological and governmental activities beyond their control. His assessment of privacy success in America was also too optimistic for me. The paper was interesting nevertheless. Some Europeans privately expressed sharply negative reactions to the unfavorable comments about traditional EU privacy strategies. Waters promoted what he called the “Asian-Pacific model” for privacy protection, which relies on statutory principles developed collaboratively with information users, sectoral codes, and avoidance of registration and licensing.
The ongoing Safe Harbor discussions between the United States and the EU received limited public attention at the conference, but they were a frequent subject in private discussions. Data protection commissioners and their staffs remain unhappy about the Safe Harbor process. This is, of course, no surprise, because the national data protection authorities in Europe see the European Commission as potentially usurping their own authority under national laws. The underlying battle is between the committees established under Article 29 (controlled by national data protection authorities) and Article 31 (controlled by the Commission).
I did not find anyone who was willing to predict that the Safe Harbor discussions would fail, however. The next opportunity for a formal agreement will come in December. The ultimate significance of Safe Harbor remains to be seen, but national authorities will still have plenty of ability and opportunity to create trouble for multinational companies that do not meet national standards.
Direct marketing was not a significant issue at the conference. A representative of an Asian direct marketing company participated in the session on public records. Surprisingly, he expressed little interest in most public records.
One issue that will concern the direct marketing community is property rights in personal information. That subject was not on the agenda, but it was repeatedly mentioned throughout the conference. It is far from clear that most data protection officials support the idea, however. Perhaps it will be on the agenda of next year's conference, which is scheduled for September 28-30 in Venice, Italy.
Immediately following the conference, a typhoon hit Hong Kong for the first time in 16 years. Readers can make their own assessments of the cosmic significance of the typhoon for data protection.
Robert Gellman is a Washington, D.C.-based privacy and information policy consultant and former chief counsel to the U.S. House of Representatives' subcommittee on information, justice, transportation and agriculture.