Privacy Commissioners: Powermongers, Pragmatists or Patsies?

by Bill Bonner

Preview

The provocative title of this session challenges our categorical thinking of the potential impact which privacy commissioners can have on the issues of privacy. To think in either-or categories, or in the strict terms of the legislative frameworks of the commissioners, may be to miss more their more subtle potential.

The purpose of this panel is to explore the informal strategies that Privacy Commissioners can and do use to advance the privacy value in their respective jurisdictions. Too often we tend to focus on the "black letter of the law" when evaluating privacy protection policy. Much can be done by an assertive privacy commissioner who knows how to act strategically within the political and administrative arena. Informal strategies could included the use of the media, the formation of alliances with others and educational activities that enable them to have a broader impact on issues of privacy.

This session will employ the use of two difficult cases exploring how these four Commissioners from four different countries, with different political and administrative cultures, respond to advance the privacy value. The first case involves a clash between privacy and an important issue of public safety. The second case involves the international transfer of personal information, from Europe to other jurisdictions.

This session will challenge our assumptions with respect to privacy commissioners.

Review

Four Privacy commissioners offered us insight into their world yesterday. Ann Cavoukian, Information and Privacy Commissioner, Ontario, Canada Stephen Lau, Privacy Commissioner for Personal Data, Hong Kong Malcolm Crompton, Federal Privacy Commissioner of Australia Hansjuergen Garstka, Data Protection and Information Commissioner of the State of Berlin each operate within different governmental structures and different legislative frameworks. Each commissioner provided a brief outline of their formal roles and capabilities revealing considerable variances in length of time that privacy legislation has been in place, the sectors that are covered, the formal authority of the commissioners to access sites and information and their respective powers of enforcement.

In spite of these differences, there were some striking similarities. The commissioners felt that their ability to positively impact the privacy value extended beyond their purely legislated powers. They emphasized the need to be involved in providing education and the importance of building a general awareness of privacy issues in all constituencies, public and private, businesses and individuals. Examples of such activities include never turning down a invitation to a speaking engagement and actively seeking out audiences such as system developers. System developers have a variety of options in their toolkits, each capable of meeting the overall system objectives, but each having potentially different impacts on privacy. Through increased awareness and education, privacy considerations can gain broader support and in the case of system developers, the very expensive retrofitting of systems to protect privacy can be avoided if they had been built into the systems as it was built. This also provides a good 'business case' for developing systems with privacy in mind and therefore appeals to the motivation of businesses.

There was also considerable consensus among the commissioners on the need to be pragmatic, needing to recognize and work within the subtleties of any given situation. The successful influence of a commissioner depends to a large degree on their judicious consideration of when and how they are most likely to be effective, now and in the future. While commissioners possess legislative legitimation, they also possess a considerable degree of less formal legitimation acquired through the status of their offices. This individual status can facilitate less official discussions on privacy issues that arise. Privacy concerns raised through such discussions could lead to an new awareness of such issues on the part of the other party and, perhaps with moral suasion, could lead to changes in data practices in a non-confrontational manner.

Perhaps there is no surprise that the privacy commissioners classified themselves as pragmatists. This pragmatism did not come across as a limiting factor. Rather, with a focus on the privacy value, this pragmatism appears to lead to the creation of innovative strategic means through which the value can be promoted. The formal powers of the offices and the potential use of the media are only two specific devices in the repertoire available to the commissioners. Overuse of these particular tools could potentially lead to a diminishment of the ability of privacy commissioners to effectively promote and encourage the protection of privacy values by making the process antagonistic, rather than being cooperative and promoting self-reflection.

The commissioners believe that the selective use of their formal tools as well as the strategic use of their considerable repertoire of less formal tools will more effectively promote the privacy value in the longer term.