Updated: Oct 1, 2020
Note: This post is the first of a series. Over the following weeks, Commissioner White will explore each of the Mid-Atlantic Privacy Compass Points in greater detail.
Bermuda sits at the crossroads of the Atlantic physically, culturally, and economically. This has long been to the island's benefit: it has claimed the best of multiple worlds to create a prosperous and successful community.
From a data protection standpoint, there are two schools of thought, one on each side of the Atlantic Ocean, or so the stereotypes go. Europe calls for respect for individual rights to privacy, while the United States encourages a free-market, business-friendly approach. Many organisations and even countries now appear to find themselves in the position that Bermuda has been in so often throughout its history: being forced to choose a side.
But Bermuda has shown that this is a false dichotomy. As has happened so often before, instead of choosing a side we must look to forge a new path, taking the best of both worlds. This may mean embracing flexibility and, at times, a certain sense of uncertainty as we work through novel issues. Following a different way, the middle way, has the potential to succeed in the spirit of both ideologies. This is the goal of Mid-Atlantic Privacy, a guiding philosophy that I have been developing since my earliest days as Privacy Commissioner.
We are often confronted with questions asking which is more important: Business or privacy? Innovation or individuals? Prosperity or rights? We must reject the narrative of “or” and seek win-win solutions. Instead of zero-sum games, we must focus on “Privacy and….” We must find a way to give the highest respect to individual rights to privacy—but do so in a business-friendly way that shows the work’s value to both individuals and organisations.
Why should we choose between business success and rights? Particularly in the field of data protection, the two are intimately linked, with many organisations seeing the harvest of personal data as a way to make a quick buck (or euro). But in addition to the moral imperative of implementing a privacy program, for most if not all organisations, doing so will help the business become more efficient and mature in how it operates. Its data stores will become more organised and leaner, narrowly tailored to the goals it wishes to achieve, thereby reducing excess risk of harm to people and to the organisation’s solvency.
Standing between the competing—though converging—privacy ideologies on both sides of the Atlantic, there is still a wide swath of common ground. How can businesses identify practices that are universally useful for compliance and the true goal of reducing risk? By focusing on this common ground, organisations can rest assured that the time and effort they invest will serve them in good stead no matter which regulator may come inquiring. They can reduce their compliance costs by not duplicating efforts, even if it means going beyond what is legally required by the more lax of the regulations. By focusing on the commonalities and the true risks involved, we cut to the heart of the matter: protecting the rights and respecting the preferences of individuals.
As a regulator and in society more broadly, we must ask what may be the best methods to promote good, responsible behaviour in organisations that are stewards of data. In what ways should we challenge them to continue their useful and socially-beneficial innovation while respecting privacy? Despite everyone’s natural resistance to limitations, challenges are in fact the best tool for creativity: nothing is more daunting than the “blank page,” but place a speck on it and an artist can craft an entire world. Our brains are built to respond to puzzles and challenges, so how can we structure incentives and other mechanisms to trigger that genius?
Privacy is critical to the success of our modern societies, but we must remember that in and of itself, privacy is not necessarily the goal. Privacy helps our democracies to function by protecting freedoms of assembly and secret ballots. It enables our economies by helping us trust one another in online or other marketplaces where we do not know the other party. And as we all get shown more and more "personalized content" or advertisements, we may be getting completely different information than other people. Privacy supports the very integrity of our minds and decision-making.
These are complicated matters. As we keep learning in the world of data protection, there is not, and could never be, a manual for every situation and context. And we cannot simply act as a balloon and blow wherever the wind may take us. Instead we should build a sail that can harness those winds, and turn to a compass to help us navigate them.
With all these thoughts in mind, I have developed the Mid-Atlantic Privacy Compass, whose cardinal and ordinal points highlight critical considerations. These directional points serve as guide markers for organisations, oversight groups, and society generally, in support of industry standards like Fair Information Practices (FIPs) and Privacy by Design principles. As data protection practices become more mature in the level of specificity with which procedural actions must be taken, the Compass can provide a broader view and a tool to inform strategic decisions.
I acknowledge that it is hardly novel to say that an organisation must act ethically, or that they must prioritize individuals. My aim is that the framework of the Compass, and the way its points bleed and blend into each other like the four winds, will give organisations a better conception of how to frame their goals. These philosophies will be the guiding tools for my office as we set sail with privacy in Bermuda.
To borrow a well-travelled phrase: privacy is a journey, not a destination. It is our road map for reaching our goals. My greatest hope is that the Mid-Atlantic Privacy Compass helps you navigate to yours.
Alexander McD White