Consumer data privacy in the Information Age – Are we protected?

An expert once quipped that “discussing privacy and technology in the same breath reminds one of a simile of a mouse sleeping next to an elephant. You hope the elephant doesn’t roll over. Sometimes, rather than simply rolling over, technology positively clamours to dance on privacy’s head.”

The veracity of the above remark is established when one considers the force with which new technologies and especially the internet and the resultant commercial forces confront privacy.

This is an adage which began as the caption of a cartoon by Peter Steiner published by The New Yorker on 5 July 1993. The cartoon symbolised an understanding of the internet that stresses the ability of users to send and receive messages in general anonymity.

Lawrence Lessig suggests “no one knows” because internet protocols do not force users to identify themselves, although local access points such as a user’s university may; but this information is privately held by the local access point and not part of the internet transaction itself (Wikipedia) .

The present – “Net is an irreverent, snarling watchdog”

However, anonymity is no longer one of the net’s virtues. Contrary to the earlier upheld view, the advent of the internet has dramatically enhanced the ease and the speed with which personal data can be exchanged throughout the world.

Information generated by means of consumer behaviour and transactions on the internet is tracked, recorded and correlated with other sources. Anyone with access to information can collate personal data and use it freely and subsequently sell it to third parties for lucrative amounts of money.

Once divulged on the net it is no longer possible for consumers to effectively control the usage of their personal data by third parties. Most often individual consumers are unaware of the fact that their personal information is seen as a commodity that can be traded at a discount or for some other benefit in the virtual world.

In short, the net offers no controls and imposes no limitations on content and hence requires no editors. As such it has been justifiably equated to a diverse, decentralised, irreverent, snarling watchdog that will generate vast quantities of data that can be easily and cheaply stored, analysed, recycled and traded. This poses an incredible risk to personal privacy as it generates more intrusive forms of privacy violations in an unprecedented manner. 

Is privacy of our main mode of communication compromised than before? 

In a rapidly evolving and globally connected information society, addressing privacy concerns of users deems to be a continuing challenge. As such a critical factor for the sustainable development of this eco-system is a robust and effective framework for the protection of privacy as users seek consistent treatment of their privacy when subscribing to any services. 

Accordingly, legal frameworks have been created and privacy laws have been enacted in many parts of the world for the protection of private individuals’ information. For example, the European Union through the enactment of the Data Protection Directive has attempted to protect the privacy of its citizens’ personal information on the internet by imposing significant restrictions on data usage.

However, it is an established fact that the lawyers across the globe have failed to keep pace with the technology revolution and as such the legal frameworks afforded by many jurisdictions have not been successful in adequately safeguarding the privacy of consumer data where users can continue to have confidence and trust in the system.

In the US, according to some consumer privacy advocates, “the legislation gives more protection to a letter in a filing cabinet than it does to emails on a server”. Because under the Electronic Communication Privacy Act, law enforcement agencies need only a subpoena from a prosecutor to access an individual’s online data while they must obtain a warrant form a judge to access documents.

Experts argue that “with online storage and transmission of data becoming more frequent and hard copy storage and snail mail transmission less so, it seems inconsistent that privacy in our main modes of communication in 2011 is granted far less protection than our main modes of communication 50 or even 100 years ago.”

The issues related to privacy and the adequacy of protection meted out continue to confound lawmakers throughout the world. This has prompted most of them to concede that they are yet to fully comprehend the limitations and scope of privacy laws amidst the onslaught of the evolving technologies associated with the information highway. 

Nonexistent privacy framework in Sri Lanka 

While the world moves towards a paperless society, it is alarming to note that Sri Lanka is yet to introduce any specific regulations that protects individual privacy or the collection of personal information even though several initiatives were taken in the recent past to discuss, debate and address this key lacuna in the framework.

The stated vision of slow but positive initiatives such as the e-Sri Lanka programme is to leverage ICT to improve public service delivery and private sector competitiveness to enable growth, social development, peace and equity. One of the key deliverables of the programme is to computerise all Government departments in the country and facilitate electronic documentary service, as opposed to the traditional manual process of government services. 

However a precursor to the achievement of these goals set out in the e-Sri Lanka programme would be the presence of an enabling policy environment that can effectively promote consumer confidence.

Lack of framework an opportunity to leapfrog to information society

The absence of any privacy regime presents Sri Lanka the opportunity to leapfrog to information society by carefully analysing the lessons learned by other jurisdictions and coming up with the most appropriate legislative/regulatory framework for consumer privacy. 

A comprehensive study of the gradual evolution of law relating to consumer privacy in many parts of the world dictates that the recommended policy framework on consumer data privacy and protection should take into consideration the establishment of:

nAn overarching set of core principles codified in a general law to adjudicate the collection and dissemination of personal data to effectively safeguard consumer privacy.

nSector specific regulations (e.g. finance, heath and technology) to deter the abuse/misappropriation of sensitive information, which if divulged can result in grave consequences to the owner of such information.

nSelf-regulatory measures such as industry codes of conduct that are enforceable by the regulatory agencies.

nAn agency to act with responsibility for privacy to raise consumer and business awareness of the issues in order to raise the demand for informational privacy protection to its optimal level.

The future – Privacy in the clouds

While we still struggle to promulgate the proper framework to address the nascent challenges revolving around consumer privacy, the debate on consumer privacy has now taken a new dimension with the entry of cloud computing, classified as the “thing of the future” promising many benefits such as enhanced scalability flexibility and cost efficiency. 

It will require a distinctively different legal approach in handling “privacy in the clouds” as data management is often no longer carried out by a single organisation and data is generally stored in various places in the cloud.

Forward-thinking jurisdictions such as EU are presently paying special attention to privacy aspects related to managing information in the cloud and this will, in all probability, result in new legislation. 

Consumers beware

It will continue to be a daunting challenge for lawyers to keep pace with technology. However it’s time we in Sri Lanka fast tracked our attempts to address this lacuna in our legislative framework and provide adequate safe guards to protect the privacy of all Sri Lankans.  Until such time this happens, consumers are advised to be more literate about the ways in which your personal data can be utilised by various service providers and take precautionary measures to safeguard your privacy when divulging your personal information. It’s never too late to question the policy relating to data privacy of your service providers. 

(The writer is a lawyer by profession with over 15 years of senior management experience in the technology sector and international wholesale telecom business.)