No privacy left to protect?


24 Jun 2004

Have you said goodbye to your own privacy? And more importantly, do you care? Right now, details of your movements, phone calls, purchases, credit worthiness and website visiting traits, to name but a few of your unique identifying habits, reside on many databases belonging to several different public and commercial organisations. Whether you consider this to be mere information gathering or something closer to surveillance depends on your point of view.

Worryingly, the signs are that we just don’t care — not much anyway. Under EU data protection laws, citizens have a right to know what information is held about them. For a nominal fee they can write to an organisation, making what’s known as a ‘subject access request’. What they receive in return is a detailed list of the data held by that organisation. This allows the individual to see if the data held is accurate and if it is being processed fairly and lawfully so that it complies with data protection legislation.

The trouble is, few people know that this right exists and fewer still exercise it. According to Caspar Bowden, chief privacy adviser for Microsoft EMEA, only one third of EU citizens know of this rule and less than 3pc have availed of it.

But nonetheless the facility is there and it will have an effect on many businesses that routinely — and legally, it must be said — collect data on their customers. Bowden, along with Dave Aron, research director of Gartner Consulting, was visiting Dublin this week to address the privacy issue with senior management figures in Irish organisations.

For any organisation, dealing with data protection and privacy is a complex legislative and technical burden. Dealing with subject access requests is just one part of this area and companies must start preparing for the day when the trickle of requests could turn into a flood. Are businesses ready for this?

It’s still early days, says Aron, who presented Gartner research showing that privacy has jumped from 10th place to third place as a priority for chief information officers. He stresses that many organisations make the mistake of assuming that this can be handled purely by throwing technology at the problem.

“Privacy is really not a technology issue,” Aron says. “You need to start with a customer information strategy, achieve trust, define your privacy policy, then define the business processes and only then implement the technology.”

One of the most obvious and commonplace examples of data collection on consumers is via the internet. There are moves afoot to make this process more transparent to the user. “I don’t think it’s reasonable to expect the average individual to be an expert on data privacy,” says Bowden. “There’s work to be done to make tools available to computer users to clarify what is happening to their data.” To that end, development work on Microsoft’s next Windows client, codenamed Longhorn, will contain provisions for this, Bowden adds.

Microsoft is more non-committal about the prospect of high-end tools to help organisations comply with their data protection obligations. “Customers have to tell us that they need this, to provide a really clear rationale for building it,” says Bowden.

What makes the situation even more complicated is that research in the US has revealed three very distinct types of consumer attitude to privacy. Harris Interactive has charted the fundamentalist, pragmatist and unconcerned user: respectively very resistant to a further loss of privacy, prepared to concede parts of it for other benefits, or simply not bothered. Bowden elaborates: “This tells us that privacy is psychologically an issue with which people have different dispositions and it’s very difficult to find an average [between those three]. Organisations will probably have to devise strategies to cater for each kind.”

What seems clear is that some very smart businesses are likely to try to pounce on this and seek to use it as a competitive advantage, Aron asserts. Companies can now create ‘value’ around being seen to be responsible in handling and protecting data, he says. Gaining a consumer’s trust will be critical to many firms, agrees Bowden. “I’m not quite persuaded the reality is there yet, but I’m convinced it’s coming.”

Aron cites eBay as one of the best examples of good practice and a firm that has travelled some way towards becoming a trusted entity. “It means taking an enlightened view of privacy rather than doing just what the legislation requires,” he says. Bowden adds: “Most businesses that have anything to do with e-commerce will have privacy crucially linked to their business strategy.”

Both Aron and Bowden highlight a difference of opinion between the US and Europe on the issue. In the US the preference is for data to be held in trust by businesses and private enterprise rather than by ‘big government’. In contrast, EU citizens seem altogether more suspicious of corporates that answer only to shareholders and would prefer that data be guarded by public institutions. Aron believes that the European mindset will change over time.

Europe certainly has strong existing data protection legislation on its side, with most countries in the EU now harmonised on the issue. The laws cover not only protection of privacy but they also demarcate where information sharing is allowed. Aron and Bowden point out that legislation by its nature tends to reflect past experience more than anticipating future events.

For that reason they are optimistic that corporate good behaviour, underpinned and supported by legislation, can take up the running as other issues emerge around the wider subject of privacy. “We can harness competitive forces to finish off the job that legislation starts,” Bowden concludes.

By Gordon Smith

Pictured in Dublin to address data privacy issues were Dave Aron, research director of Gartner Consulting, and Caspar Bowden, chief privacy advisor for Microsoft EMEA.