The rate of growth in privacy laws around the world is accelerating. Malcolm Crompton says that privacy legislation itself isn’t the problem, but rather the response to it by business.

I have just seen the re-emergence of BOTPA – Because Of The Privacy Act – in an online debate elsewhere. It is time to take a cold drink of water, recall some history, then look in the mirror.

Generally speaking, it isn't privacy legislation that's the problem so much as the boneheaded response to it by business over many years that so often leads to apparent difficulties with privacy law here in Australia and worldwide. One of the remarks I saw talked about 'bureaucracy gone mad', but it is best directed at the bureaucracies in businesses and the poor professional advice that they obtain.

This has been going on so long that back in 2008 the Australian Law Reform Commission noted the over-use of 'BOTPA'.  See for example the following observations in the Executive Summary of ALRC report 108:

"The BOTPA excuse: 'Because of the Privacy Act'

"Interestingly, a range of callers to the National Privacy Phone-In argued that sometimes there may be 'too much privacy'—or rather that 'privacy' is all too often trotted out as an excuse for inaction or non-cooperation. Among privacy professionals, this has become known as the 'BOTPA' excuse, since people are told that their reasonable requests cannot be accommodated 'because of the Privacy Act'. For example, the ALRC heard complaints from people who, 'because of the Privacy Act', were unable to:

  • access or correct their own personal information held on a government or corporate database;
  • assist an elderly relative or neighbour with their banking, or in dealing with a public utility or government agency—even where that person had written authorisation or held a valid power of attorney; and
  • urge their church congregation to pray for a named individual who was unwell and in hospital."

Where this hasn't been the commercial response, the response has instead too often ignored or obfuscated customer preferences. This is why the digital tracking and marketing business is in so much bother globally. It isn't listening. 

Hence the accelerating rate of growth in privacy law around the world: of the 99 countries that had adopted a comprehensive national data privacy law by June 2013, eight did so in the 1970s, 13 in the 1980s, 21 in the 1990s, 35 in the 2000s and 22 in the first three years of the 2010s. This is all BEFORE the Snowden revelations and is a direct political response to consumer concern – politicians generally do not introduce these kinds of laws unless they are responding to community pressure.

There would have been NO need for this if the commercial sector hadn't been so cavalier in how it collected, stored, used and exchanged personal information over the last 10-15 years.

If you want even more proof, I suggest you also read "The Privacy Paradox, a Challenge for Business" on the BITS pages of The New York Times by Steve Lohr, 12 June 2014, then go on to look at the superb supporting EMC graphic. It seems that out of the 15 countries surveyed, Australians are among the most reluctant to trade privacy for greater convenience and benefits online. Indeed globally, only a quarter of those surveyed are willing to make such a trade. 

Commerce is at last beginning to twig to this, but very slowly. Snapchat for example allows the EPHEMERAL exchange of images which has given Facebook a real fright, because the Facebook model is based on PERMANENT exchange (you can partially 'hide' but not fully 'delete'). Or another example: Shopping malls and large retail chains are introducing MAC address tracking in order to target customers via mobile devices but Apple's iOS8 will counter this with random MAC address broadcasts to sniffing wifi repeaters.

In short, some businesses are learning that even though the obfuscation and treatment of customers like mushrooms has worked for a while, it won't work forever and in fact its efficacy is coming to an end.

So don't blame others. We should all look to our own business models and plan for the future. The AICD's "Privacy Governance: A Guide to Privacy Risk and Opportunity for Directors and Boards" isn't a bad place to start.