History: Codes associated with such names as Menes (ancient 3000 BC Egyptian first pharaoh of the early dynastic period), Hammurabi ( of Babylonia, and the greatest ruler in the first Babylonian dynasty) , Moses, Draco (ancient Athens, Greece), Solon (Athenian statesman, known as one of the Seven Wise Men of Greece) and Manu (Hinduism) outline standards of conduct for fairly homogenous groups within limited territorial jurisdictions; international law not yet born. Many great religions are precursors of human rights in their requirements to treat fellow humans with dignity and help provide for each other's needs as the basis for a good community Important / Relevant Enlightenment Period thinkers for the topic: Hobbes /Leviathan (1651) Locke / Two treatises of Government (1690) Montesquieu / The Spirit of Laws (1748) – Structure of Government / Separation of Powers Rousseau /Social Contract 1762 (Legitimacy of Government – consent of governed by election = contract Voltaire / Philosophical Dictionary (1769) - injustices of the Catholic Church, which he sees as intolerant and fanatical. At the same time, his work espouses deism, tolerance and freedom of the press. Kant (On the relationship of Theory to Practice in Political Right (1792) -Man's freedom as a human being, as a principle for the constitution “Individualism” No-one can compel me to be happy in accordance with his conception of the welfare of others, for each may seek his happiness in whatever way he sees fit, so long as he does not infringe upon the freedom of others to pursue.
From a legal perspective the early development can be attributed to “Western” world and the starting point is typically taken to be the Magna Carta (1215)
Manual Era: For example, East German police (STASI) for example employed 500,000 secret informers, 10,000 of which were needed just to listen and transcribe citizen's phone calls
Attention Economics The rapid growth of information causes scarcity of attention: "...in an information-rich world, the wealth of information means a dearth of something else: a scarcity of whatever it is that information consumes. What information consumes is rather obvious: it consumes the attention of its recipients. Hence a wealth of information creates a poverty of attention and a need to allocate that attention efficiently among the overabundance of information sources that might consume it" [ [i] ] The fundamental idea behind the attention economy is to facilitate a marketplace where consumers agree to receive services in exchange for their attention. The ultimate purpose is of course to sell something to the consumer, but the selling does not need to be direct and does not need to be instant. The most important factor in attention economy is relevancy. The more one knows about consumers the more relevant and hence successful one can be in the attention economy. [i] Herbert Simon, “Designing Organizations for an Information-Rich World” 1971 pp 40-41.
Right to be let alone, profound influence on privacy law in US, privacy = right not merely a ground for tort (~civil law) lawsuit. This concept fails to provide much guidance about what privacy entails, as it does not inform us about the matters in which we should be let alone. The concept is vague and broad. Individual’s desire for concealment for being apart from others. This concept is seen as an increased sophistication of (1). The concept (2) has been advanced (Haag) Privacy = exclusive access of a person (or legal entity) to a realm of his own. This right, entitles one to exclude others from a) watching, b) utilizing, c) invading a private realm. Limited access is invaluable in furthering liberty, autonomy and freedom. Short comings; This concept does not consider any notion of individual’s power to make certain choices about revealing aspects of her self to others. Since Privacy involves one’s relationship to society, in a world without others (~ society) this type of privacy does not make much sense. Risk that this concept treats access to personal information narrowly, e.g. data processing, collection storage and processing are activities that do not need to result in violation of concealment, but this privacy concept risk adopting a narrow view of access (risk-bias) to safe-guard against potential violations from data processing. Secrecy ; is a limited subset to concept (2) because secrecy involves only one dimension of access to the self e.g. concealment of personal facts. This concept fails to recognize that individuals want to keep things private from some people but not others. Selective-Secrecy which is an upgrade o Secrecy concept (3), understands privacy as invasion caused by disclosure of previously concealed information. Privacy is more than avoiding disclosure of personal information it also must entail assurance that disclosed personal information is used purposefully as intended by the individual. Control over personal information: maybe the most predominant theory of privacy today. Privacy is: “the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others. ..”the ability to control the circulation of information relating to them. The concept is seen as “technology” centric as it focuses on information and excludes aspects about privacy which are not information related, e.g. individual's right to make decision about one’s body, reproduction, family, etc. Also it fails to define types of information which individuals should have control over. It is also narrow in the sense that it focuses on information that individuals want to retain control over, but privacy is simply not the matter of individual prerogative it is also an issue of what society deems appropriate/essential to protect. The concept (4) has been elaborated by some to be seen as a property right e.g. a person’s right to decide. (based on John Locke) Extending personal information to property concepts has difficulties. (e.g. compare with intellectual property in info/digital world) and also does not capture to societal/public good dimension of privacy. Personhood: a development of concept (1). The concept refers to those attributes of an individual which are irreducible in his selfhood. It differs form concept 1-4 around a normative end of privacy (e.g. policy end) namely the protection of the integrity of personality. It also borrows concepts from 1-4. It explains well WHY privacy is important and WHAT aspects of selfhood should be limited, or WHAT information we should have control over. Protection against conduct demeaning to individuality. Critics: This concept of privacy is really about liberty and autonomy NOT about privacy, e.g. it conflates privacy with autonomy. Intimacy: the concept focuses on the relationship between an individual and the society., what aspects of life we should be able to restrict access to or what information we should be able to control. The theory rests heavily on the definition of intimacy and risks to be to narrowly defined because of the conception of intimacy which is also subjective and contingent (societies, cultures, religions) Conclusions Risks: Too broad too vague conceptualization: privacy conflates distinct privacy problems despite significant differences > not targeted /specific enough fails to recognize specific problems Too Narrow: Reductionist a too narrow approach reduces privacy to narrow one dimensional issues > in adequate privacy protection that fails to address legitimate privacy violations.
Different “camps”, (academic, legal, policy and culture) approach the concept of privacy with different basic assumptions regarding the right to privacy. Below you find explanations of these concepts taken to its extremes with the purpose to explain the difference between them. Universal view makes the claim that right to privacy applies to “all and every”, “all time”, “under all conditions”, and “all circumstances” of human dealings that may somehow imply risk of violations of the right to privacy. The risk of such an broad view is that right to privacy becomes everything and hence nothing. This perspective also comes with the risk of framing the regulatory framework in very broad and yet quite imprecise objectives (what ends to pursue). Particular : this view takes to focus on privacy from a particular perspective/aim; “the right to be let alone” or other views and this particular view then tries to fit into situations that come up where the right to privacy with this particular view is being violated. This approach risk becoming to narrow and inflexible. Absolute : This approach claims that the right to privacy has always and in all circumstances a superior position vs. other rights and or obligations. Not only can this view become destructive when at some point other benefits societal and/or economical are at odds, it also struggles when different categories of rights are at odds with each others. (Freedom of Speech – Privacy) Relative : This approach strives to be contextually sensitive, but comes with the risk of being to accommodating and hence can result in continuous subordination of the right to privacy to other benefits or gains. (economic, social, cultural)
Each of the dimension can be seen in a continuum whit an “extreme” absolutistic value PROGRESS at any cost/price not worth while pursuing ! NO progress come with social distress Maximization of individual rights (scope) = unsustainable entitlement/well fare state limits progress/technology, No individual rights = progress at any price, technology fanatics' Maximization of the needs of society; Minority Report (Security), Bureaucracy that treats individuals as means,, STATE minimalism, anarchy no individual rights protected (the strongest way goes) Maximization of technology, progress with features without benefits, min technology, = limitation on societal and individual actions, a society/individual without the “wheel” can only achieve certain things.
Proxy for Progress: Competitiveness of Nations (World Economic Forum) Proxy of Technology Impact for present topic/ focus is Digitization (Booz)
Proxy for Progress: Competitiveness of Nations (World Economic Forum) Proxy of Technology Impact for present topic/ focus is Digitization (Booz)
Society has competing needs, some of which are described here, Needs depend on “maturity”, culture etc Needs to protect the society “minority report” Protecting Citizens as a group Distributing Benefits and Costs, > justices Individuals have of course different needs and wants, etc some of them highlighted, Such as Egalitarian aspirations, needs and motives, while others don’t (rightly/wrongly) don’t care Generational differences Digital Natives, vs.. other generations More/less Risk concerned/averse v.s. others Needs varying depending on stage in the lifecycle (pregnant women)
Some important effects of use of ICT technologies that have been identified [i] are: Multifactor productivity growth, which includes the impact of intangible investments such as organizational changes, new distribution and production processes, and new methods of doing business related to the use of ICT technology. For every 10 percentage point increase in broadband penetration the isolated economic effect on GDP growth is around 1% of GDP, with estimates varying between 0.5% - 2%. For every 1,000 additional broadband users, around 80 jobs are created, with estimates varying between 20 and 130. Doubling the average attained broadband speed for an economy increases GDP by 0.3% points. Over the coming years, ICT technology performance will increase further, rapidly fuelled by continued technology advances resulting in among other things in continued digitization of economies and the society. This will bring new opportunities for people and business to create, learn, sustain and innovate leading to a positive impact on our world. Ericsson calls this new emerging society “The Networked Society” . Ericsson believes that we are at an inflection point where a significant change in competitive opportunities of nations, industries, firms and cities is expected. The emergence of a Networked Society holds the promise of an economic shift and of significant societal benefits. [ii ] This will result in new preasures on existing regulatory frameworks [iii ] and in present context on the evolution of rights-based regulatory frameworks such as privacy regulation. [i] The literature is enormous for some prominent examples see; Wired For Innovation – How IT is Reshaping the Economy, Brynjolfsson and Saunders; MIT 2010. The Economics of the Digital Society, Soete and Wheel, 2005. The Rise of the Network Society, Second Edition, Castells 2010. Boston Consulting Group, Socio-economic impact of allocating 700 MHz band to mobile in Asia Pacific, 2010, EPC/Copenhagen Economics – The Economic Impact of a European Digital Single Market, 2010. ADL, Socioeconomic impact of broadband network investments, 2010. See also http://www.ericsson.com/news/1550083 Ericsson Press Release: “New study quantifies the impact of broadband speed on GDP”. [ii] To find out more about Ericsson’s Networked Society vision please visit: http:// www.ericsson.com/networkedsociety [iii] For more information: ICT Policy for the Networked Society – Progressing a Transformative Policy Approach, available on: http://www.ericsson.com/thinkingahead/the-networked-society-blog/2012/06/26/advancing-ict-policy-frameworks-for-the-networked-society/ Facilitation of the fulfillment of other classes of individual rights: In particular, in a rights-based regulatory context, digitization can increase the transparency of public and governmental affairs, increase individuals involvement in public matters and increase individuals ability to earn a better living (a mean to reach other human aspirations such as starting a family) etc. All these and other similar outcomes also contribute to increased satisfaction of individuals’ demand for other categories of human rights. Some of these outcomes cannot be reached by safeguarding privacy alone, e.g. safeguarding of privacy is a necessary but not sufficient condition to satisfying a wider set of different categories of human rights. The protection of individual rights and expansion of individual rights needs to consider the needs of the society as well, e.g. there is a point where protection of rights might become a barrier for the society to function effectively enough or becomes destructive for a society’s ability to progress (stagnation with consequential effects on stability, social unrest etc). At the same time the pursuit of economic prosperity at the expense of human rights /fundamental rights poses its own challenges.
The starting point of a data privacy regulatory framework, as in the case of any rights-based regulatory framework, must be fundamentally anchored in the recognition of a certain set of individual rights, data privacy protection rights in this case, and a commitment to protect these rights. In a networked and digitally interconnected environment, additional complications arise. The geographically contingent demands for legitimate data privacy concerns must be met with a progressive rights-based regulatory framework. This framework should encompass the following principles: Targeted & transparent Technology neutral Role specific Flexible Efficient Trans-border tolerant In addition to these principles, a progressive approach adopts a holistic view with the aim to conciliate and balance between the market-, the public- and the rights-based regulatory approaches [i ] . As the digital economy as well as the Networked Society conflates previously isolated situations into one common context, a singularly constrained perspective, be it with in the context of technology, business, service or regulation can no longer deliver efficient and sustainable outcomes. This does not however mean that individual rights should be made subordinate [ii ] but neither should one always assume that individual rights are superior relative for example public interest: “ ..the value of privacy must be determined on the basis of its importance to society, not in terms of individual rights. Moreover, privacy does not have a universal value that is the same across all contexts. The value of privacy in a particular context depends upon the social importance of the activities that it facilitates” [iii] A progressive approach must also recognize that promotion of market efficiency delivers outcomes which contribute to the fulfillment of a number of different fundamental rights, where right to privacy might be necessary but not sufficient factor to reach these outcomes. Hence a business friendly regulatory framework that stimulates; innovation, transformation, industry growth and commercial freedom is also desirable from a broader rights-based perspective as well as public interest perspective. Hence, a progressive approach aims to advance related national digital policy goals, which fundamentally aspire to further a society’s capacity for a structural change in societal, economical and individual terms in the most advantageous direction and with a maintained societal ability to preserve and increase the associated gains as the societal context changes. This means that a progressive approach explicitily refrains from a zero-sum preconception where technology progress almost automatically comes at the expense of loss in data privacy but neither adopts a lassie-fair stance on safeguarding privacy where increased utillity is all that matters. Nor is this approach singlulary focused on one particular individual right, but rather recognizes that ICT technology advancments are capable of delivering outcomes that contribute to increased satisfaction of individuals’ demand for a number of categories of human/fundamental rights. [i] A summary of different types of regulatory approaches is available: ICT Policy for the Networked Society – Progressing a Transformative Policy Approach, available on: http://www.ericsson.com/thinkingahead/the-networked-society-blog/2012/06/26/advancing-ict-policy-frameworks-for-the-networked-society/ [ii] As a good benchmark, UNESCO Universal Declaration on Bioethics and Human Rights, article 2d available: http://www.unesco.org/new/en/social-and-human-sciences/themes/bioethics/bioethics-and-human-rights/ “recognizes the importance of freedom of scientific research and the benefits derived from scientific and technological developments within the framework of ethical principals set out in the declaration and to respect human rights. [iii] Solve, Understanding Privacy, Chapter 1, Harvard Press 2008:
This is no way intended to suggest that this is the only way of describing the relationship or that there must be a link in every step. This slides intends to visual the approach and in particular the structuring of the topic . Nor does it follows that that Privacy can be reduced to Data protection only, rather Ericsson wants to focus on Privacy issues relevant for its domain of expertise/competence.
The Guiding principles of a progressive approach must provide a solution to privacy violation risks related to data protection. Before going into the details of guiding principles, it is important to put them into a context of key stakeholders, activities and data flows to identify crucial steps where data privacy might be compromised, such as one provided in Figure on the slide. The figure depicts the chosen basis to clarify and narrow down the scope of data privacy with the purpose to identify key guiding principles. This is done purposefully without the ambition to provide a complete practical data privacy implementation guide. The figure is an adaptation of Solve’s model [i ] which among others identifies key activities and stakeholders potentially posing risks to privacy and specifies and links a taxonomy (see Box 1) of socially recognized privacy violations to each activity. Based on the roles, activities, data flows and privacy violations, Ericsson has identified key privacy guidelines that should be considered in a progressive data privacy regulatory framework. IN THE FIGURE PLS HIGHLIGHT THAT CONTROLLER AND PROCESSOR MIGHT BE INTEGRATED/DEPENDENT OR SEPARATE/INDEPENDENT LEGAL ENTITIES , BUT IN ANY CASE THE LEGAL OBLIGATIONS FOR DATA COLLECTION; PROCESSING; USE MUST STAY WITH CONTROLLER; EG CANNOT BE OUTSOURCED. ONLY WHEN THE PROCESSOR GOES BEYOND THE PROCESSING OF THE CONTRACTUAL AGREEMENT BETWEEN THE CONTROLLER AND PROCESSOR CAN PROCESSOR BE HELD STATUTORY/LEGALLY DIRECTLY RESPONSIBLE FOR ITS ACTIONS. Privacy violation risks; 1) Surveillance ; is the watching, listening or recording of an individual’s activities; Interrogation ; various forms of questioning or probing information. 2) Aggregation ; combination of various pieces of data about a person; Identification ; linking information to a particular individual; Insecurity ; carelessness in protecting stored information from leaks and improper access; Secondary Use ; the use of collected information for a purpose different from the use for it was collected without the data subject’s consent; Exclusion ; the failure to allow the data subject to know about the data that is held by controller and processor. 3) Breach of confidentiality ; breaking the promise to keep a person’s information confidential; Disclosure ; the revelation of truthful information about a person that affects the way others judge her reputation; Exposure ; involves revealing another’s nudity, grief or bodily functions; Increased accessibility ; amplifying the accessibility of information; Blackmail ; the threat to disclose personal information; Appropriation ; the use of the data subject’s identity to serve another’s aims and interest; Distortion ; disseminating false or misleading information about data subjects. 4) Intrusion ; concerns invasive acts that disturb one’s tranquility or solitude; Decisional Interference ; involves incursion into the data subject’s decisions regarding her private affairs.
2.1 Targeted & Transparent A well targeted regulatory framework should be focused at the purpose with collection and the use of data. The basis for data collection must respect territorial requirements for lawful data collection. The basis for lawful data collection requires a clear definition of what constitutes personal data as well as what constitutes sensitive data e.g. restrictions on personal data collection. Furthermore, personal data should be relevant, accurate and kept up to date in relation to the purpose of collection while obtained with the knowledge and where appropriate with a clearly formulated consent from data subjects. Consent must be obtained prior the collection and subsequent uses. Secondary uses of the data must be limited to the fulfillment of the original consent or in line with authority of law or judicial order. In addition data controllers should provide clear and easily understood privacy notices which describe how organization will use and disclose personal information. Furthermore, a well target framework should support data subjects’ right of access, rectification, ‘do-not-track’ and erasure [i ] towards public and private data controllers, which should ensure clear contact points for data subjects to exercise such rights. Furthermore data controllers should provide an answer in a reasonable term which can vary upon the requests from the data subject concerned. However data controllers should be protected from frivolous and unreasonable requests as well as blanket regulations which could stifle new services and business opportunities. Practically data controllers could specify a system for making requests for records which precedes request for change. As already in use, it can involve an upfront nominal fee to cover administration costs which acts as a deterrent against frivolous claims.
A progressive framework should be conditionally technology neutral by treating, platforms, business models and business processes in a neutral way and hence does not lead to additional legal requirements focused on specific use of technologies. The principal condition of technology neutrality assumes that the choice of technology is not used to circumvent regulatory objectives of the framework. This principle is the flip side of a well targeted framework that focuses the regulatory objectives on the purpose of collection and the use of the data. Regarding any concerns specific to technologies and future developments please refer to section Efficiency below. A technology neutral principle includes the following: the legal and regulatory framework, the choice of regulatory instruments and the implementation strategy of regulatory instruments.
Principles governing responsibilities between data controllers and data processors should be clearly defined in statutory provisions. As such the legal concept of data controller and data processor under the EU (95/46/EC) Directive should be principally maintained in the EU and considered by policy makers elsewhere as this legal distinction promotes innovation and evolution of an open, responsible, dynamic and competitive information management value chain. However in certain cases there might be further need for clarification, in order to facilitate the often complex relationship between data controllers and data processers. In principle, the decisive factor in deciding the relationship e.g. roles and responsibilities should be the purpose for which personal data are processed.
Under the current EU directive, processors are directed by controllers on what to do with the data they are provided. They rely on the controllers‟ assertions and instructions related to the data and act accordingly pursuant to the terms of the contractual arrangement between them. With the new proposals, processors will no longer be able to rely on controller assertions related to the data. They will need to have independent knowledge of the data needlessly expanding the scope of persons with detailed knowledge of the data. Furthermore processors will no longer be able to rely on controllers‟ instructions related to the data as they will need to evaluate those instructions in relation to their obligations. Since there is more than one compliant way to treat the data, this will decrease legal certainty and undermine the trust in the controller processor relations. Processor obligations should continue to be controlled by and specified in contractual clauses between controller and processor. A clear distinction should be made between the liabilities of the controller and those of the processor. In practice it would become confusing if both parties are liable for the same obligations. Since the controller decides for which purposes the processing of personal data is done, he should be sole responsible for this. In his contract with the processor he should foresee the necessary guarantees to allow him to recover the damages that are due to the processor .
Inherent tension build in any regulatory framework between the need for flexibility to allow regulation to move with the technology and the demand for predictability and consistency 2.4 Flexible Policy makers and regulators are faced with a hard fact that there is an inherent tension build in any regulatory framework between the need for flexibility to allow regulation to move with the technology and the demand for predictability and consistency to grant regulated parties sufficient level of confidence. However, there are areas where a progressive framework needs to take further steps in relieving this tension and provide more room for maneuvering. 2.4.1 Sensitive Data Promotion of a flexible approach is necessary in dealing with certain key regulatory objects such as the concept of sensitive data, since the definition has strong national, historical and cultural connotations and hence is approached by policy makers differently. For example, the EU forbids registration of race and religion. South-Africa and Malaysia on the contrary requires employers to register race/religion in order to safe guard the rights of all races and religions. It this and similar cases, it should not be prevented for South-African or Malaysian companies to have a service provider in the EU performing HR-services for them. Competent authorities with appropriate framework guidance should be empowered to approve accommodating solutions that seek to reconcile between national contingencies without comprising territorial interests, e.g. circumventing national framework for lawful processing. 2.4.2 Alternatives to top down/hard law approaches A progressive framework should promote alternatives to a top-down implementation strategy e.g. an active policy encouragement to the development of co-regulation frameworks, industry code of conducts and company certifications producers. The main purpose for doing so is to allow a framework to continue to develop with the technology, to promote accountability seeking and to accommodate for global differences in conceptualizing privacy and between legal standards of existing national privacy frameworks while avoiding circumvention. 2.4.2.1 Accountability seeking Accountability and ex-post controls do not mean adding individual new obligations on top of already prescriptive rules, but instead would offer a more flexible and effective alternative to the proliferation of complex and potentially conflicting obligations. Accountability seeking legislation starts with a well targeted framework that focuses on the purpose with collection and use of data. The accountability dimension seeks to establish clear guidance on what needs to be achieved, instead of narrowly focusing on how to achieve this via prescriptive and administrative processes that do not necessarily accomplish the ultimate objective of increased data protection. In an ex-post accountability seeking system, data controllers and data processors are accountable for their handling of data instead of merely seeking legal compliance. Accountability is a concept that should underpin the entire framework, on how to look at data protection, and on how to enforce and supervise it. As such this optimization of a progressive framework should encourage and give incentives to organizations to be accountable and to have a recognized corporate objective the protection of the rights of individuals, while at the same time seeking and obtaining legal compliance. This will enable data protection to become a proactive part of business instead of a reactive compliance function. 2.4.2.2 Co-regulation and self regulation In addition to principles presented above and below accountable companies should develop, implement and enforce adequate tools such as: A company wide code of business ethics that includes ethical considerations, guidance and instructions regarding among others the ambition in dealing with data protection and safeguarding of privacy. A company wide information security policy specifying requirements, processes, roles and responsibilities ensuring security and integrity of information managed by the company in question. A company wide privacy requirement instruction describing requirements for protecting privacy of personal data including; end users, customers, employees and contingent workforce. This instruction should be supplemented with an implementation plan including specification of an owner, driver, purpose, target, action specification and follow up reporting including measurement and corrective actions. The purpose of such tools presented above is to create a robust corporate infrastructure including; values, competence, incentives, processes and technology allowing self-regulatory and co-regulatory regimes to become effective. In particularly, the self-regulatory concept of Privacy by Design (PbD), that aims to build in the safeguarding of data privacy as part of a company’s DNA is dependent on company specific tools described above. In addition, a company wide product and service privacy requirement instruction must establish how PbD should be integrated into the company’s ordinary product and service life cycle process including instructions such as privacy requirement safeguards, roles, and responsibilities
2.5 Efficient 2.5.1 Reduction of red tape A progressive framework should also promote the simplification of it self, by including mandatory provisions regarding reduction of administrative burdens and sunset provisions. It should also contain obligations for periodic policy reviews with the aim to keep the framework up to date e.g. to avoid a regulatory disconnect that decreases efficiency of the framework and ultimately may lead to a regulatory failure. This approach should aim to allow for periodic reviews that strive to minimize the cost to the public, consumers and business as well as increasing the certainty for regulatees by avoiding unexpected major framework revisions. Example: The EU (95/46/EC) Directive should be changed to ease the administrative burden for Groups of companies with extensive business activity in EU. The requirement to enter into data processing and data export agreements within Group of companies and to make DPA filings relating thereto should be abolished. 2.5.2 Security Breach Notification Data breach notification obligations should encourage data controllers to manage personal data securely and foster confidence in third-party data processing. The obligations should ensure that same rules consistently apply across different service providers coupled with a quick and efficient protection framework. Stringent notification requirement like the 24-hour notification of personal data breaches are both impractical and counterproductive and thus should be avoided. As not all breaches threaten user privacy the notification must focus on personal data breaches that are likely to have serious and negative consequences for individuals, rather than on all breaches. Controllers should be required to notify supervisory authorities and data subjects only when a breach is likely to lead to significant risk of substantial harm to the data subject and the data subject can be identified, and if no technical measures have been applied to render the data unintelligible. The breach notification provisions should also consider that not all providers have a direct relationship with the end user. Making a clear distinction between the controller and processor is therefore crucial, as processors are typically at least one step removed from individuals using the service and therefore should only notify the controller. Only the provider with the direct relationship (i.e., the controller) should notify the end user of any personal data breach. Any proposal for a horizontal breach notification system should be carefully crafted to prevent the issuance of immaterial notices, by adopting appropriate standards for triggering such notices. The right balance must be found between notification as a means to improve appropriate security measures versus remedial actions implemented in order to minimize harm, disruption and reputational consequences for organizations. 2.5.3 Enforcement In general, enforcement mechanisms aim to ensure compliance with regulatory frameworks and hence enforcement is an important element of a mature and efficient framework. In a progressive regulatory framework, enforcement measures take into account the accountability seeking principles which is more than just legal compliance seeking as well as the reliance on alternative top down implementation strategies which aim to develop the framework as context changes hereby keeping it up to date. Under these conditions a preferred enforcement mechanism should aim to encourage and reward responsible and accountable companies rather than set a penalizing tone by threatening companies with heavy fines. Deterrence e.g. a proportional fine may still be the ultimate enforcement tool but in between an error or a mistake that leads to a breach and a fine - there should be room e.g. some steps where companies can correct and improve without the imposition of a financial punishment from the regulator.
In general, enforcement mechanisms aim to ensure compliance with regulatory frameworks and hence enforcement is an important element of a mature and efficient framework. In a progressive regulatory framework, enforcement measures take into account the accountability principles which are seeking more than just legal compliance. They are also relying on alternative top-down implementation strategies, which aim to adopt the framework when conditions change, in order to keep it up to date. Under these conditions a preferred enforcement mechanism should aim to encourage and reward responsible and accountable companies rather than set a penalizing tone by threatening companies with heavy fines. In particular, undifferentiated reliance on "compliance by deterrence" comes with the threat of a risk of imposing hefty fines including for incidental and unintended breaches. It is more desirable that infrequent and incidental breaches committed by accountable companies are fore mostly detected, swiftly corrected and made to new learning opportunities for the entire industry. To incentivize rather than curb incident detection it is therefore highly desirable to differentiate the use of punitive sanctions and rather increase incentives to self-detect and self-correct. To increase the probability of self-detection and swift self-correction, a progressive framework should differentiate and limit the use of punitive sanctions. Further more, it should also incentivize and promote the development of an industry wide-code regarding whistle-blowing reporting and further facilitate such detections by enabling investigations of breaches and their cause. Learning's from such individual cases could be made anonymous and disseminated publically through out the industry, which is a powerful complement to the use of best practice benchmarks. Hereby, a progressive framework adopts a more constructive, participatory and most likely a more cost effective approach to prevention then a costly deterrence centric approach.
2.6 Trans-border Tolerant [RS1] Affordable end user services depend on economies of scale that require free and open trade in ICT equipment, services and data flows. This is particularly true for global collection, storage, distribution and use of information in order to operate efficiently. However data transfer rules, rightfully protecting citizens, and users often also result in significant administrative burdens and misguided implementations of legitimate policy objectives. A progressive framework welcomes international harmonization efforts between nations and regions that open up, expand and simplify trans-border data flows. However, steps in this desirable direction should strive to deliver de-facto harmonized outcomes preferably at all four levels; Legal framework level Regulatory instrument level including clear legal definitions of key regulatory objects (such as personal data), Regulatory implementation strategy and Enforcement measures, including sanctions Steps to further simplify international data transfers are important in reducing the administrative burdens on businesses and to strengthen international trade and the international competiveness of global businesses. Furthermore, streamlining data protection rules and facilitating data transfers is an essential element of a modern open trade environment, WTO activities on this subject are therefore highly relevant and deserve our attention. A progressive framework promotes open, liberal and simplified (minimizing administration/red tape) regulation of trans-border data flows including flows: within a group of companies or between independent legal entities across regulatory harmonized and non-harmonized territories, expanding the scope of countries & regions with harmonized open and simplified regulation of trans-border data flows, where harmonization cannot be realistically achieved or is expected to take a long time, expansion of similar concepts to the US Safe-Harbor Company certification, the EU concept of Corporate Binding Rules (CBR) or other such initiatives to allow accountable companies to fill the gaps between standards in national privacy laws to facilitate open and simple tans-border data flows. In parallel to strong consumer protection, data-protection rules must consider accountable business interests by safeguarding the flow of data internationally, rather than cutting them off or restricting them. Important is the simplification of the process for adopting BCR in order to facilitate the transfer of data between a Group of companies on a worldwide basis, as long as adequate safeguards are in place for the fair processing of the data. Processes to assess whether a third country can guarantee an adequate level of personal data protection should be carried out in a reasonable time, corresponding to the importance of international data exchange in the global economy. Groups of undertakings are obliged adopt strict contracts that need to be administered and controlled and are binding. These require an enormous amount of resources that hinder innovation and investment of resources into other data protection matters.
Data privacy protection is essential in order to safeguard the right to privacy as well as to cater for public and market needs with the aim to gain, grow and maintain the trust of end users. This is fundamental for the continuation of a prosperous and socially desirable transformation of the society. Over the coming years, ICT technology performance will increase further, rapidly fuelled by continued technology advances resulting in among other things in continued digitization of economies and the society. We are at the brink of the Networked Society which holds the promise of desirable societal benefits. But the rise of the Networked Society also comes with responsibilities. The starting point of a data privacy regulatory framework must be fundamentally anchored in the recognition of a certain set of individual rights and a commitment to protect these rights both by an adequate policy framework but equally importantly by proactive actions of responsible and accountable organizations. In a networked and digitally interconnected environment additional complications arise. For the foreseeable future we cannot realistically expect that there will be a global policy consensus on the conception of the right to privacy nor the balance to be struck in the regulation of privacy. One way to face this reality is to promote policies that aim to harmonize national and regional data privacy frameworks. In the light of the mentioned above, a progressive rights-based regulatory framework is the appropriate approach to safeguard data privacy. Above all, the main challenge for a progressive rights-based regulatory framework is to get the delicate balance right. To do so, policy makers should consider the following main principles; targeting, transparency, technology neutrality, role specificity, flexibility, efficiency and trans-border tolerance. Hereby, a progressive framework becomes at the same time flexible and adaptable to geographical contingencies, open to trans-border data flows, business and innovation friendly but also very importantly, aligned with national data protection policy standards.