The Seven Global Privacy Standards
Daniel Undem
The seven global privacy standards that are currently in place are by and large ineffective due to their vagueness and as a result of this do nothing more than allow the industry to say they are performing some type of self-regulation. If these standards to become useful to the end user a more robust set of policies and standards need to be adopted. In addition, enforcement of these standards needs to take place to ensure that the companies who have the standards in place are following their own recommendations.
According to Minnelli, Chamber, & Dhiraj (2013), the seven privacy standards are adopted as a way for companies to establish a level of trust with their customers. The goal of the seven standards is to demonstrate to end user that the firms have considered that there is value in the data provided by users and that the firm has taken steps to ensure that some level of protection is afforded to that data (Minnelli, Chamber, & Dhiraj 2013). The issue with using a set of self-established guidelines to establish data privacy standards is threefold. First, each company is able to develop its own interpretation of the global standard. Second, related to who is responsible for enforcement of the standards. Third, the variability in standards is confusing to the end user.
Looking at the first issue, self-established guidelines, it is all too easy for a company to establish a use guideline that allows them to use the data to serve their best interest first while appearing to adhere to the global standard laid out in the seven standards. For example, consent is listed as one of the seven global standards. According to Minnelli, Chamber, & Dhiraj (2013) consent is defined as “inform individuals about the purposes for which their data is collected" (p156). At first glance, this seems like a fairly cut and dry standard, as it is pretty easy to define what information is being collected and how that data will be used by the company that collected it. Where this becomes challenging is what if that company that collects the data determines a new use for the data that is similar to the original intent that is was collected but varies enough to border on requiring a new notice be sent out to customers, companies could draft their internal policy to allow this modified use to happen. There are a number of reasons why firms would not want to notify customers of a usage change including the cost of notification and the possibility that users will object to the new use, therefore, reducing the number of data points available to the company.
Another issue with having companies self-regulate their privacy standards is the difficulty in enforcing these standards if there is a violation. If there is no enforcement of these standards they become tantamount to window dressing as there is no penalty if the policy is violated. While the firm may lose trust with their customers if there is a violation of the policy, this is not enough of a deterrent to prohibit them from acting in ways that violate the terms of the agreement. Additionally, even if a government agency was tasked with enforcing a set of company-issued policies, it would be tough for that agency to do so because each set of privacy standards would vary depending upon the company. If the seven global standards are to viewed as effective there needs to be a robust regulatory/enforcement component included as well.
Since the self-regulated model encourages self-interpretation of the standards this leads to confusion amongst the end user as to how their data is being handled. The end user may inadvertently assume that a standard in place at company X is also the same standard in place at company Y. While both standards may be reflective of the same global standard the, implementation of that standard though company policy may be drastically different. This difference in how the standards are applied will lead to confusion among the end user. The confusion can be seen in the number of privacy statements the average user comes into contact with over the course of a year. In fact, according to Masnick (2012), it would take the average user agrees to 250 hours or 30 working days worth of reading to read all the EULA they come into contact with over the course of a year. There needs to be work performed to standardize these policies so end users are able to have a clearer understanding of how their data is and will be used.
Technology companies need to work together with government regulators to establish a set of agreed upon enforcement standards that can be implemented on both a national and international level. The Safe Harbor agreement, which served as the foundation for the seven principles, attempted to serve as that document, however, it was ruled invalid by the European Court of Justice (Seth, 2018). The fact that this agreement has failed to be upheld by a court of law demonstrates the need to establish a more uniform and robust set of data privacy standards for the industry. In 2016 the European Union took the first steps in establishing a set of standards for data collection and data privacy when it passed the General Data Protection Regulation (GDPR) (Meyer, 2018). The goal of the GDPR, according to Meyer (2018), is to both protect the data privacy of citizens of the European Union and to provide a standard for data privacy laws across the EU. By simple virtue that the GDPR exists, demonstrates that the seven global privacy principles are simply not enough to ensure consumer’s data privacy. This is further demonstrated are there are now large the United States based technology companies who are also calling for a standardization of data regulation (Meyer, 2018).
The seven principles of the global privacy may have been effective when big data was in its infancy, but as the industry has evolved the need to have the standards which regulate the collection of data evolve has become apparent. Standardization will make data the concerns that the seven global standards aim to address easier for the consumer to understand and makes enforcement of the standards easier to achieve as well. While the standards provide a foundation for the handling of consumer data, these standards need to change to keep pace with big data’s evolution.
References
Masnick, M. (April 22, 2012). To Read All of the Privacy Policies You Encounter, You’d Need
to Take a Month Off From Work Each Year. TechDirt. Retrieved from: https://www.techdirt.com/articles/20120420/10560418585/to-read-all-privacy-policies-you-encounter-youd-need-to-take-month-off-work-each-year.shtml
Meyer, D. (November 29, 2018). In the Wake of GDPR, Will the U.S. Embrace Data Privacy
Fortune. Retrieved from: http://fortune.com/2018/11/29/federal-data-privacy-law/
Minelli, M., Chambers, M., & Dhiraj, A. (2013). Big Data, Big Analytics: Emerging Business
Intelligence and Analytic Trends for Today's Businesses. Hoboken, NJ: John Wiley & Sons, Inc
Seth, S. (August 31, 2018) Safe Harbor Agreement. Investopedia. Retrieved from:
https://www.investopedia.com/terms/s/safe-harbor-agreement.asp