The word privacy is the noun form of the adjective private. The word private dates back to the late 14th century and is derived from the Latin privatus. Privatus actually meant, amongst similar meanings, “set apart, belonging to oneself (not to the state)[1].”
If we accept this derivation, then the concept of privacy means not belonging to the state. So how, then, can the state legislate privacy? Does that, in and of itself, violate the basic concept of privacy? However, absent the tolerance of anarchy, we find ourselves thinking of privacy for the “common” good of a community or society. (Ironically, the word common is derived from the Latin communis, meaning of or for the public!)
Acquiescing to privacy at a communal level (privatus communis), what we need are privacy laws that are less personal, more generic, and in line with what the U.S. Federal Trade Commission (FTC) calls “reasonable privacy.” A recent white paper by the International Association of Privacy Professionals refers to 47 cases since 2002 in which the FTC has cited companies that have had data breaches. The FTC has developed a set of guidelines in which it defines what inadequate levels of “reasonable” privacy are.
The report is quick to conclude that the FTC’s guidelines present companies with “neither a safe harbor from enforcement nor immunity” from security breaches.
“Reasonable” privacy is a moving target. Regrettably, the target is advanced as quickly or as much as malicious and criminal individuals and organizations push the envelope. Therefore, privacy can only be advanced at the level of “best effort”.
However, companies should not be discouraged by, or ignore, the “best effort” standard. There are well-documented best practices that all companies should follow. Absent these best practices, consumers should consider these companies ignorant, at best, and negligent, at worst.
As to the question of whether privacy can be legislated, ultimately, that will be a question for individual communities and societies to answer. Dismissing the traditional origin of privatus and accepting privacy communis, Neuralytix suggests that regulated and standardized privacy directives would be beneficial to both enterprises and consumers alike. (Neuralytix is careful not to suggest anything needs to be necessarily legislated.) It would once and for all provide a baseline against which companies (and individuals) can measure themselves. Other standards-setting organizations, including the National Institute of Standards and Technology (NIST) in the U.S. and the International Standards Organization (ISO), may want to get in on the act to provide a global minimum standard for all companies.
For consumers, organizations such as the California-based Rose Foundation for Communities and the Environment have created a fund, called the Consumer Privacy Rights Fund, that is “advised by a volunteer funding board of individuals who possess tremendous expertise in the field of privacy rights,” which in turn reviews and issues grants to those who can help further consumer privacy rights.
These funds could be used to provide individuals and communities with technologies that can better protect their (collective) rights to privacy. These technologies may range from something as simple as education on the need for strong passwords, encryption, data masking and regularly changing access codes, to the EMV chip card technologies used in Europe and other countries, and slowly being introduced into the U.S., for improved privacy when transacting using debit or credit cards.
Neuralytix believes 2015 is a pivotal year for the privacy discussion. It is no surprise that our dependency on technology has increased exponentially. Whether it is an individual in the middle of the African continent using a traditional “flip” phone to purchase necessities, the use of electronic wallets and digital currency, or other “essentials” such as wireless or internet access plans that can identify the websites each individual visits, a minimum or “reasonable” expectation of privacy should be mandatory.
[1] http://www.etymonline.com/index.php?allowed_in_frame=0&search=private&searchmode=none
This research note is sponsored by Informatica. All opinions are those of Neuralytix and its analysts.