There is a trend to equate “privacy” with “data protection” probably because many USA organisations like Google like to use the “p-word” quite a lot and there is a common desire to be “privacy friendly”. However, when you make this equation, it can be at the expense of ignoring many important data protection safeguards.
The divergence between the concepts of “privacy” and “data protection” emerges by an analysis of some of the Generally Accepted Privacy Principles (GAPP), which fall a long way short of anything recognisable as a European Data Protection standard. In fact I will go as far to say that the divergence is such that some GAPP Privacy Principles would struggle to meet the standards established by the UK’s old Data Protection Act 1984.
The GAPP Principles (and related criteria) have been produced by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) as part of its best practice audit role. The Principles “were developed and updated by volunteers who considered both current international privacy regulatory requirements and best practices”, and an informal study shows that 89% of organisations in the USA who have a privacy officer who is a member of the IAPP mailing list, have used these GAPP Principles.
So one can conclude that, in the USA, the GAPP Principles are not without significance. In relation to Canada, the OECD website confirms that “The GAPP are popular among Canadian privacy practitioners” and the OECD lists these Principles on the same page as its own Guidelines and the APEC Privacy Framework (for the Asia-Pacific region).
There are two main areas of deficiency or gaps, if we are allowed a pun. The first is around the area of data subject “consent” and fair collection notices, and the second is with the use of personal data in the public domain (i.e. posted on the Internet).
In the context of consent, the GAPP Choice and Consent Principle clearly allows “implied consent”; this contrasts with the European definition of “consent” which requires the data subject to signify agreement with the processing of his personal data. Thus in relation to consent, GAPP is describing procedures such as an organisation providing a notice to the data subject and equating the absence of a response as implied consent.
This can be seen in GAPP’s definition of “explicit consent” which stresses that “explicit consent requires the individual to affirmatively agree”; one can thus infer that “implied consent” does not need any such affirmation. In relation to the obtaining consent, GAPP states that such consent is obtained “at or before the time personal information is collected or soon after” (my emphasis: clearly inconsistent with European standards when collecting personal data from the data subject). GAPP even provides an example which fails to pass muster: “an individual subscribing to a newsletter gives implied consent to receive communications from that entity” (where the choice of the word “communications” clearly means communications other than the newsletter).
Of course the GAPP Choice and Consent Principle can include what one would recognise as European standards, but the “flexibility of the text” clearly allows procedures that many European Data Protection Officers would have difficulty in accepting as being valid.
In relation to Notice, there are some unusual recommendations. For instance it is consistent with the GAPP Principles to use or disclose personal data “without and individual’s knowledge or consent if the use (or disclosure) is for statistical or scholarly study or research”. Similarly, use and disclosure for debt recovery can occur without the knowledge of the data subject even though this “debt tracing purpose” appears in many fair processing notices in the UK – without one should add, little detriment to the debt recovery purpose.
With respect to “publicly available information”, GAPP recommends that these personal data can be collected, used, retained and disclosed without any knowledge or consent of the individual concerned. This position arises because if there is personal data in the public domain, then there cannot be any privacy – and because there can’t be privacy, the personal data can be used, retained, disclosed without any restriction.
This position highlights one fundamental difference which helps explain why the USA’s view of “privacy” is not the same as the European understanding of “data protection”. For instance, it is true that if personal data are in the public domain, there can be no privacy in those data. However, data protection is more than privacy and asks other questions when these data are used.
So, for instance, if an employer were to use personal data from the internet, European data protection legislation would ask three questions that the GAPP Principles fail to consider. These questions are:
1) Are the personal data “necessary” for the employer’s purpose (i.e. what is the basis for the processing in terms of Article 7 of the Directive 95/46/EC or Schedule 2 of the UK Data Protection Act)
2) Are the personal data “accurate” and “relevant” to that purpose (i.e. is there compliance with the Principles found in Article 6 of the Directive or Schedule 1 of the UK Data Protection Act)
3) Does the data subject know of the use of his personal data from the Internet (i.e. is there proper notice of the use of the personal data as required by Article 11 of the Directive of the fair processing notice of the UK Data Protection Act).
As respect to the latter point, the Information Commissioner emphasises the need for a fair processing notice in his Employment Code. He states that employers should "Explain the nature of and sources from which information might be obtained about the applicant in addition to the information supplied directly by the applicant". In other words, employers should state whether or not they browse the Internet to find out details about their prospective employees – even if the personal data is in the public domain.
One should add that the fundamental difference in approach between the USA’s view of “privacy” and Europe’s view of “data protection” will widen if the European Commission moves ahead with it’s idea of a “right to forget” (that allows data subjects to have personal data removed from the Internet). The right to forget infers deletion of personal data – something that does not trouble GAPP for personal data in the public domain.
The deficiencies in the GAPP Principles mirror the failings I found in the APEC Privacy Framework (see references). The USA were leading lights in the development of this Framework, and have produced an International Agreement which is strong on “privacy” but is somewhat at odds with current European expectations for “data protection”. As with the GAPP Principles, the APEC text is cleverly drafted to include procedures that could be compliant with European standards of data protection but also permits procedures that fall a long way short.
A final conclusion is perhaps more personal and one that I urge you to follow. Whenever you talk to American Privacy Officers do not use the term “privacy legislation” as a shorthand to explain the workings of Europe’s data protection legislation. There are far too many differences between the two concepts.
References: Access to the GAPP Principles and related criteria is on http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/GenerallyAcceptedPrivacyPrinciples/Pages/default.aspx.
The APEC Privacy Framework and data protection – 2008 which explains why the APEC Framework is deficient in European Data Protection terms (e.g. Directive 95/46/EC); available on http://www.amberhawk.com/policydoc.asp
Advert: We are running several sets of data protection courses next year. We are starting a set of the 7-day DP course in London (beginning 18th January) and running the 5-day intensive course in Edinburgh (beginning 24th February) and in Leeds (beginning 3rd March). These courses cover the DP ISEB syllabus and prepares delegates for the examination in April 2011. Our courses are structured so they are also suitable for those who do not seek the ISEB qualification. See the “brochure” section of the Amberhawk website (www.amberhawk.com)