• PrivCom Bermuda

Mid-Atlantic Privacy: Interoperability, or Why Bermuda is Not an Island

Note: This post is the last in a series on the Mid-Atlantic Privacy Compass and its Compass Points.

Abstract:

  • Thanks to the emergence of global platforms like the internet, privacy laws around the world have a kinship or descendancy, and have converged to present a consensus on international standards. Whether formally or otherwise, the regulations and guidance in foreign jurisdictions have a persuasive effect.

  • Both principles- and risk-based regulation require organisations to conduct a bespoke analysis of their actions and context. While regulatory compliance floors may differ, a focus on a neutral analysis that mitigates the true harms will most benefit individuals.

  • Organisations should focus on Interoperability with legal regimes, technological platforms, and even future developments. They should be encouraged to develop practices that apply regardless of jurisdiction or technology, as long as the goal is to support individuals' rights.

"No man is an island." John Donne wrote these words in 1624, only fifteen years after the Sea Venture encountered Bermuda. It's often said that Bermuda's founding shipwreck inspired William Shakespeare's The Tempest, and I like to think that Bermuda also inspired Donne. In my short time in Bermuda these past months, I've taken to adapting the phrase with an ironic bent to say that, paradoxically, "Bermuda is not an island."

As true as this philosophy was at the birth of the modern world, thanks to our technological advances the idea has never been more relevant. We are all interconnected. That's how each of us, even those who live on geographical islands, needs to think of the world. Everyone is now our neighbour - capable of sending us a message, logging into our system, or observing our behaviour. No one can rely on obscurity as a protection the way they might have before, which can be a jarring notion.


The internet in particular is a global platform, despite recent trends to wall off portions, and its insertion into all aspects of our lives has enabled global uses of data. Over past decades, privacy laws have emerged organically from trade or governmental discussions to develop national and international standards for the responsibilities that any organisation that uses data may have. Hearteningly, there has been a remarkable consensus around the world on the structure of ideas like Privacy Principles.


Most privacy laws are based on these principles, suggesting the conceptual guidelines that an organisation must follow. To understand how these principles apply, each entity must conduct a bespoke analysis of its actions and their context. Since organisations must comply worldwide with laws based largely on the same principles, in many cases the analysis leads to consensus best practices across multiple jurisdictions. This is why, whether formally or otherwise, the regulations and guidance in foreign jurisdictions tend to have a persuasive effect.


A similar pattern emerges when laws, and organisations, focus on risk. As entities work to effectively mitigate risks specific to their organisation, the vast majority of those risks and actions are consistent regardless of their exact location or jurisdiction. They may face different regulatory compliance floors, but a focus on risk results in an inherently neutral analysis that mitigates the true harms.


Organisations should be encouraged to develop practices that apply regardless of jurisdiction - so long as they support the rights of individuals. This interoperable approach makes business sense, because it allows an organisation operating in multiple jurisdictions to develop a single business program instead of multiple regimes. This approach also supports a high standard of privacy protection for individuals: because organisations must still meet varied privacy regulatory requirements, the net result is a rising tide that lifts privacy rights.


As a regulator, my office will support this practice by identifying and endorsing guidance and best practices that allow organisations to meet these goals, and approaching regulatory action with understanding - if due diligence and a spirit of good intentions are present.


Organisations should also be encouraged to develop practices that apply interoperably to varied technologies. Often, businesses try to lock customers into their ecosystem in an attempt to corner the market for their attention. In the long run, this approach will only benefit a business that achieves monopolistic proportions - which itself runs afoul of other public policy goals.


Instead, by incentivising organisations to make their products technologically interoperable, we encourage a healthy marketplace and competitive space, where individuals are in the best position to choose the products that meet their needs and to make informed choices about sharing, retrieving, and moving their data.


Organisations should make their practices interoperable in one other way: with the future. By preparing in advance for technological developments, regulatory trends, and the protection of individual rights, these entities can engage in future-proofing that allows them to remain in a position to succeed even as the global environment changes.


If we only focus on one jurisdiction or one technology, one right or one emerging issue, then we merely create a single patch of fabric. Instead, we need to focus on the entire sail. Weaving universal, interoperable business practices will allow us to better catch the wind and move ever forward. We can progress with a single, intact sheet or with a patchwork - if, like our approach, it is seamless.


Alexander McD White

Privacy Commissioner

