The law is not enough to protect our privacy - businesses must act

Asking politely isn’t enough. hyku

Recent news of widespread phone and internet surveillance by the National Security Agency (NSA) has raised serious questions over the ethical and legal obligations private companies face to protect the privacy of individuals. To what extent is it ethically acceptable for companies to assist in legal surveillance of innocent individuals?

Telecommunications companies are caught between the rights of individuals to protect personal data about themselves and governmental demands for personal information under the guise of national security. The fundamental problem is that individuals place trust in companies to protect their privacy, while companies are legally required to pass this data on at the request of the government under increasingly broad interpretations of laws permitting surveillance.

The NSA has obtained near “blanket approval” of requests for personal data made to the Foreign Intelligence Surveillance Court. And the definition of personal data has been interpreted broadly enough to allow for the collection of metadata, which can potentially identify individuals and create a means for retroactive surveillance, without external oversight. These examples suggest current legal protections in the US are insufficient to protect personal data from the government, even when evidence or suspicion of wrong-doing is lacking.

No safe haven for the EU

The weakness of current data protection legislation is a problem in the EU as well, due in part to the fact that many of the major internet companies complicit in the surveillance are located in the US. The right to protection of personal data is a fundamental right in the EU. The forthcoming General Data Protection Regulation is intended to replace fragmented data protection legislation with a unified approach which protects EU citizens against abuses, particularly those arising from online activity.

The regulation restricts the collection and processing of personal data within the EU. But it does little to protect against international surveillance beyond requests to foreign governments and companies to comply with EU data protection provisions as a prerequisite to receiving personal data collected within the EU.

Even if foreign bodies comply, the provisions of the regulation offer ambiguous protection against surveillance at best. Personal data can be processed and held without the awareness of its “owner” so long as it is within the “legitimate interests” of the individual.

Data must be deleted once it no longer serves a purpose, but companies and other bodies holding the data are free to define usefulness and “legitimate interests” as they please. Personal data cannot be used to “profile” individuals through “automated processing”, but this does not limit manual profiling. Individuals can request their personal data be deleted, but this depends upon knowing who holds what data, and where to make the appropriate request.

Is legal surveillance ethical?

The emerging picture is that citizens of the EU are in a relatively weak position to protect against domestic and foreign surveillance. It could be argued that this sort of surveillance is part of the world we live in, and that we should get used to it. After all, the argument goes, surveillance helps sort the guilty from the innocent and make the world a safer place. If we have nothing to hide, why should we be hesitant to share details of our activities and social networks with the government?

This line of reasoning diminishes the significant ethical harm resulting from indiscriminate surveillance. Privacy is key to leading a life which is guided by individual values and free from the scrutiny of others.

Beyond losing control over our personal data, broad surveillance interrupts how we behave privately — we can no longer “be ourselves” with the knowledge that someone is always watching, collecting data about us. Even if the extent and effects of surveillance are never made apparent to citizens, the hidden decisions and categorisations made about them on the basis of personal data diminish the choices available in leading a free life.

A person’s digital presence is a central component of modern living. Communication and social interaction have come to rely upon phone and internet communication, allowing people to connect with each other across great distances of space and time. Our reliance on these technologies for basic, everyday interactions makes the information held by telecommunications companies increasingly valuable.

Pieces of seemingly innocent data, such as who you call, where you call from, the websites you visit, from where and for how long - even without knowing the subject matter of a specific phone call or e-mail - can be used to create an invasive profile of a person’s social life and behaviour.

Responsibility to protect

In this climate, the responsibility of telecommunications companies to protect the right to privacy of their customers is paramount. Although private companies are obliged to act within the law, this does not absolve them of ethical responsibility towards their customers. Crucially, they are not obliged to make surveillance easier for the government, as appears to be the case now. Reliance on current legislation is clearly not enough if we value privacy as a fundamental human right. The pervasive surveillance undertaken by the NSA demonstrates the potential to use existing technologies to indiscriminately violate privacy rights under the guise of legality.

The world we live in can be characterised by the erosion of fundamental human rights, such as privacy, in the pursuit of safety against uncertainty and terrorism. In seeking greater security, we risk destroying the right to lead a private life free of suspicion.

Fortunately, the opportunity remains to create stronger privacy protections in the EU through revision of the forthcoming regulation prior to ratification in 2014. Empowering individuals with direct control over appropriate uses of personal data, enacted through unambiguous data protection provisions which can only be overridden in compelling cases of wrong-doing, is the best response to the panic and anger of recent days.