Friday, September 14, 2007
As I've noted before, everyone has a right to privacy online -- and governments have an obligation to keep their citizens safe. Yet despite the international scope of even the most ordinary Internet activity, the majority of the world's countries offer virtually no privacy standards to their citizens and businesses. And even if every country in the world did have its own privacy standards, this alone would not be sufficient to protect user privacy, given the web's global nature. Data may move across six or seven countries, even for very routine Internet transactions. It is not hard to see why privacy standards need to be harmonized and updated to reflect this reality.
The problem of international data flow and privacy is not new. Potential problems were identified as early as the 1980s. At that time, the Organization for Economic Cooperation and Development (OECD) established the first "fair information principles." Twenty years after they were first established, OECD guidelines are now but one voice in a large chorus of local privacy standards.
There are a number of factors that contribute to the need for global privacy standards today more than ever before. First, globalization. Today, all business is potentially international business, and this scale calls for organizations and those within them to operate in multiple countries. As data crosses geographic boundaries, the policies controlling it change.
Third, technological development also contributes to the need for global privacy standards. As technology develops, more and more information travels around the world faster and faster each day. Development of this kind increases the productivity of business and consumer transactions, but can potentially endanger privacy protections.
In addition to these factors, new threats to individual privacy emerge everyday and, without global standards, solutions to these problems will continue to be fragmented and ineffectual. All of these factors contribute in making the status quo of localized policies no longer acceptable. Countries cannot and will not be able to write effective privacy legislation without global cooperation. And as long as there are no global standards for privacy protection, individuals and businesses will remain at risk as they operate online.
In light of this, Google is calling for a discussion about international privacy standards which work to protect everyone's privacy on the Internet. These standards must be clear and strong, mindful of commercial realities, and in line with oftentimes divergent political needs. Moreover, global privacy standards need to reflect technological realities, taking into account how quickly these realities can change.
Although this seems a tall task, we are luckily not without guidance in the creation of global privacy standards. To my mind, the APEC Framework is the most promising foundation on which to build. The APEC framework already carefully balances information privacy with business needs and commercial interests, and unlike the OECD guidelines and the European Directive, it was developed in the Internet age. Moreover, APEC involves countries with very divergent privacy traditions: from Peru to the Philippines, from New Zealand to Vietnam. Surely, if privacy principles can be agreed upon within the 21 APEC member economies, a similar set of principles could be applied on a global scale.