PRESS RELEASE -

Reinventing Privacy Principles for the Big Data Age – New Report

Published on 6 Dec 2013

Now is the time to augment and improve the Privacy Principles drawn up by the OECD over 30 years ago to ensure their relevance in the age of Big Data. A new report by Professor Mayer-Schönberger and colleagues signposts five priorities.

A report co-authored by OII Professor Viktor Mayer-Schönberger together with Professor Fred Cate (Indiana University) and Peter Cullen (General Manager, Trustworthy Computing Governance, Microsoft) and made public today (6 December 2013) through the Oxford Internet Institute sketches out core principles to protect information privacy in the age of Big Data.

The Data Protection Principles for the 21st Century report is based on a drafting workshop hosted by the Oxford Internet Institute and co-chaired by Professors Mayer-Schönberger and Cate in January 2013.

Viktor Mayer-Schönberger, OII Professor of Internet Governance and Regulation, co-convener of the workshop, pointed to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data that were first issued more than three decades ago in 1980 as an early and important framework of privacy principles. In the age of Big Data, however, these principles need to be augmented and improved to ensure that they remain relevant. “The OECD Privacy Principles served us well for the first decades of the digital revolution, but now they need updating, so that we can ensure effective privacy protection in the future – while enabling the many benefits (including for society) that Big Data promises to bring.”

The report offers five priorities in revising and updating the existing OECD principles, including:

  • Reduce the focus on data collection and the attending notice and consent requirements, and focus more on a practical assessment of the risks (and benefits) associated with data uses.
  • Eliminate or substantially reduce the role of the Purpose Specification and Use Limitation principles, which require a specific, articulated purpose for collecting personal data usually at the time of collection and restrict data uses to that purpose or related, “not incompatible” purposes.
  • Restore the balance between privacy and the free flow of information that was the original goal of the OECD Guidelines, and avoid suppressing innovation with overly restrictive or inflexible data privacy laws.
  • Make data users more accountable for the personal data they access, store, and use, and hold them liable when harm to data subjects occurs.
  • Adopt a broader definition of the “harms” that inappropriate uses of personal data can cause, and put in place practical frameworks and processes for identifying, balancing, and mitigating those harms.

The report is the most recent in a series of initiatives designed to make privacy protection more workable and more effective that began with global data protection dialogues convened in 2012 by Microsoft in Washington, D.C., Brussels, Singapore, Sydney, and São Paulo for small groups of leading regulators, industry executives, public interest advocates, and academic experts.

These events culminated in a global privacy summit in Redmond, Washington, at which Microsoft convened more than 70 privacy and data protection experts from 19 countries on five continents to consider the future of data sources and uses and practical steps to enhance privacy protection. The summit called for reexamination of the OECD Fair Information Privacy Principles in today’s report as well as the examination of data uses and impacts that is discussed in a companion report released today by the Center for Applied Cybersecurity Research (CACR) at Indiana University. That report, too, is co-authored by Professors Cate and Mayer-Schönberger as well as Microsoft’s Peter Cullen and is available online.

The next step in this reconsideration of privacy protection is a series of events focusing on assessing and managing risks surrounding the use of data. CACR hosted one of those events—a tutorial on risk management for data protection experts—in November and will be hosting another—a workshop to help create frameworks for identifying and assessing risks presented by data uses—in late spring 2014. Both events have been funded by The Privacy Projects.

Notes

  1. F. H. Cate, P. Cullen, V. Mayer-Schönberger (2013) Data Protection Principles for the 21st Century: Revising the 1980 OECD Guidelines. Microsoft Corporation.