Two significant events took place in Washington DC on 16 and 17 March 2010 and I was privileged to attend them both.
The first was a celebration of the tenth anniversary of the founding of the International Association of Privacy Professionals. It was broadcast from the National Press Club of America and featured a panel of distinguished speakers debating "The Future of the Privacy Profession". The celebration also launched a new IAPP publication, "A Call for Agility: The Next-Generation Privacy Professional".
The panellists each drew out different aspects of a surprisingly unified view on what will happen over the next ten years.
That view was that the amount of personal information collected about each of us was going to increase rapidly, be managed in much more complex supply chains (including cloud computing based services), used and reused more imaginatively and that all of this was going to cause increased community concern. This in turn would lead to additional layers of legislation and stronger accountability obligations on organisations but it would probably not lead to clear harmonised global framework. As a consequence, the privacy professional was going to have a tougher job!
Members of iappANZ can also log onto iiappANZ.org and see a video of the panel discussion.
The panel was moderated by Peter P. Swire, CIPP who is Special Assistant to the President for Economic Policy, National Economic Council and Former Chief Counsellor for Privacy, U.S. Office of Management and Budget, 1999 – 2001.
The Panellists were:
- Bojana Bellamy, Director of Data Privacy, Accenture.
- Nuala O’Connor Kelly, CIPP, CIPP/G, Chief Privacy Leader & Senior Counsel, Information Governance General Electric Company.
- Marc Rotenberg, Executive Director, Electronic Privacy Information Center (EPIC).
- Jennifer Stoddart, Privacy Commissioner of Canada, Office of the Privacy Commissioner.
The second day comprised the Third Roundtable on privacy convened by the US Federal Trade Commission. This too is available as a webcast and is well worth watching, via the link from the Roundtable Home page. The first substantive speech was given by retiring Commissioner Pamela Jones Harbour. She pulled no punches: business had not done enough to protect personal information and should do better straight away.
Harbour gave a starting point that was so obvious you might wonder why it isn’t in place already, but given the current state of affairs, was ripe for government intervention. And it was: encrypt message transmission using SSL as the default.
The panels after that again contained a lot of insight and some were quite controversial. But it was Panel Session 1 that really grabbed my attention. The last third of the panel was taken up with each of the panellists putting in place one building block or another that would deliver user centred and user controlled ID management. This included two significant initiatives launched at the RSA Conference 2010.
One was the contribution by Microsoft to trusted, pseudonymous transactions discussed in my previous blog. The other was the launch of the Open Identity Exchange. This will formalise the reliance by Third Parties on a claim authenticated by another entity, for example a bank relying on a government issued credential or the recent Obama Administration indicated that it wanted to be able to accept non government issued claims such as those using OpenID.
The FTC has been very careful to say that it is currently listening not talking, but that will change. Even to this point, its Chairman has indicated that something has to be done about the US version of ‘notice and choice’ which is widely recognised as not working.
There will be more talk, but by the end of the year we may well have a view emerging on what is needed. And the reverberations will be felt well beyond the borders of the United States. Will the new developments in the US and Europe require re-thinking of the recommendations of the Australian Law Reform Commission and the Government response? If yes, then what will we do here, especially if legislation to implement its recommendations have not yet passed in to law?