The Data Bill of Rights

  • In the US we have the Bill of Rights attached to our Constitution that seeks to protect the rights of its citizens by limiting the powers that the government has to pass laws. These various amendments to the Constitution were passed

    Maybe we should have a data bill of rights that protects the information about us out there. The past few decades have seen a tremendous growth in the data stored on various computer systems around the world, much of it because of the new uses for data that we have developed as our systems have advanced.

    But for every legitimate or positive use of data, there is also a negative one. We have more and more data getting collected and more and more creative ways developed every day to misuse it. It's important that protections are in place to ensure that our rights to digital information and for digital information about us are as protected as those in the real world.

    This seems like it will require a whole new set of treaties between countries to handle the different needs of each government, just as those physical rights are handled differently.

    If only now we could get the world to start agreeing on digital rights, maybe it would be a starting point for getting similar real world rights for everyone.

    Steve Jones

  • The issue arises when our real world rights are constantly threatened by the great butchers. Human factor is stuck around

  • Countries in the European Union have had 'Data Protection' laws since 1998 to combat the misuse of personal data. The reason the US has not had this, as it was explained to me, is that American citizens fear misuse of data by the government more than they do misuse by corporate institutions...

  • An effective stop-gap would be to strike together some laws to handle misuse of data, and make the keepers of the data liable for any loss incurred through its loss and subsequent misuse. If you could sue your credit card company, for example, when they stupidly lose your personal information leading to identity theft, I can guarantee they would be more careful with it, and share it less. It is the last point that usually leads to problems, because corporations sell that information to anyone who seems legitimate, and the chain of custody is problematic after that.

  • Like a lot of other good intentions that we pave our current American road with, I suspect that this one would turn out just like the rest. Piling another SarbOx-type stack of costs on corporations (not to mention the not-for-profits, universities, hospitals, etc) seems ill-advised to me. Even if we could devise legislation that didn't have a high front-loaded compliance cost, the likelihood of Mom & Pop organizations (and other scarier fly-by-nights) would be as likely to comply with this law as they are to comply with all the others that they ignore now. We already have laws about the use of Social Security Numbers that are routinely ignored – until somebody sues.

    The Law of Unintended Consequences being what it is, we might even see a bigger offshore shuffle of companies to avoid a Privacy Bill of Rights than we have already seen to hide corporate profits and provide a liability shield… Steve is right to posit that it "seems like it will require a whole new set of treaties between countries" to enforce this. And what sort of remedy for data compromises could the nations of the world agree upon? The same nations who cannot seem to agree on basic human rights – and whether they're being violated in Darfur, Tiananmen or Waco! The only time we can seem to get them all to agree on something, like a copyrights treaty, is when Disney funds the whole schmear.

    I would (personally speaking) like to see the destruction of certain data-driven industries, such as magazine subscription hijackers, all junk mail (by snail courier or electrons) and stupid IT lapses that cause backup tapes to fall off the back of the truck taking them offsite (that happened) or the MBA program at a major university that I applied to getting hacked because their systems weren't patched up (this just happened)... but my degree in political science leaves me very skeptical about whether we can fix any of that with legislation (without killing legitimate transfers of data) when we can't even seem to enforce our existing immigration laws or enact reasonable legislation to support autism research.

  • With the current SIG system of govt we've built, the corporations almost always win when it comes to legislature. If we were to build a digital bill of rights, it would have no teeth thanks to the huge amounts of money that groups such as the RIAA would throw at knocking out anything that might interfere with their ability to track people, and habits. (oh, no, another debate)

  • In the UK we've had the Data Protection Act since 1984.  A replacement Act was passed in 1998, coming into force a few years later in around 2002/03, which mainly broadened the scope of the original Act.  (For example, the original Act applied only to computer Data, but the new act covers all data, including those stored in manual paper-based filing systems.  The only qualifiers are that the data are personal (able to be linked to a living individual - any unique identifier satisfies this) and they are in an organised filing system.)  CCTV is even covered by the Data Protection Act.

    This gives several basic protections to the data subject:

    • The information can only be used for fulfilment of its original purpose.  For example, if you placed an order with Amazon, and gave them your address for delivery, they can only use it to deliver the products.  They may, for example, disclose your address to the courier legally, but only because it's necessary in fulfilling their obligation.  They cannot use it, for example, for marketing without your express consent.  Most forms have a box to tick to opt in and out of personal data being used for marketing.
    • The information must be disposed of after a certain amount of time, depending on its use.  (Usually 5 years I think.)  Data can be kept indefinitely for statistical purposes but only if they are stripped of all information that can link it back to an individual.
    • It is a criminal offence to use the information for anything other than its original purpose without consent of the subject, and it is also an offence to disclose the information to a third party unless necessary for the execution of the original purpose or without consent from the subject.
    • As a subject you can request to view all personal data held about you by a company for payment of an admin fee, the maximum amount chargeable being set in law (currently £10 I think).  You can then require them to correct any incorrect information and they must do so in a reasonable time.  Failure to do so is an offence.
    • This applies to all government departments and agencies also.  There are, however, some exemptions.  Police, intelligence agencies and so on do not have to release personal data on request - for obvious reasons ("Hello MI6, my name is Osama bin Laden and I'd like you to send me every bit of information you have about me, please!").  Any organisation must release information on request to law enforcement agencies on request for the purposes of prevention or detection of crime.

    It works quite well.  A direct sales call can be ended very quickly, without getting any return calls, by asking where they got the number... if they got the number legitimately, you can say "please don't call me again" at which point they legally can't, because you've revoked any consent to the use of your data in this way.

    The DVLA (Driver and Vehicle Licensing Agency), a government agency, has recently come under fire under the Data Protection Act for releasing details of vehicle owners to clampers on supply of their registration numbers.  This is being investigated, and the policy clamped down (excuse the pun), showing it seems to work for government agencies also.

    I've often wondered why such a (IMO fundamental) law has never been passed in the US.

  • I can tell you why in the US. Because of business. We are a nation of marketeers and so many businesses have been built on it that their lobbying efforts outweigh the opposition.

  • Very true.  I think the added advantage we have too is that it was introduced back in 1984 when there were nowhere near as much data, and the large volumes of data now have grown with these protections in place already.  To introduce it from scratch now, for any developed country, would put a massive burden on corporations (and even small/medium businesses) to comply.

    It may, of course, come naturally.  If US consumers start demanding clearly set out privacy policies offering more or less the protection of similar legislative protection elsewhere in the world, and voted with their feet if those demands weren't met, more and more companies would provide this so as not to lose out on business.

    Whether or not they adhered to it, however, without the legislative back up, is another matter!

    Finally, if anyone is interested in more information as to how this works in the UK, the Information Commissioner's website is here.

  • I think we do have a Data Bill of Rights and it is called the US Constitution. Specifically the 4th Amendment:

    Amendment IV
    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    It says explicitly that people have rights to be secure against the unreasonable searches. There is no mention of searches by whom, so people have to be secure against all searches of their effects which may include their info in the databases.

    Regards, Yelena Varsha

  • Prof. Lessig specifically addresses this in his books. That clause has been interpreted differently and whether the police can access your computer, when it's on the Internet, which is comparable to your door being open, is unclear.

  • Steve,

    Prof. Lessig may be right, if you put something with the door open, it is sort of public.

    Another consideration: The quote from the Constitution's 4th Amendment does not explicitly specify searches by whom: by police or by members of public. It does not say you have to secure your things. It just says you have the right to be secure without specific implementation guidelines. So, theoretically the Bill (the right to be secure) is there, but practically the implementation guidelines have to be created.

    Regards, Yelena Varsha
