icm2re logo. icm2:re (I Changed My Mind Reviewing Everything) is an  ongoing web column edited and published by Brunella Longo

This column deals with some aspects of change management processes experienced almost in any industry impacted by the digital revolution: how to select, create, gather, manage, interpret, share data and information either because of internal and usually incremental scope - such learning, educational and re-engineering processes - or because of external forces, like mergers and acquisitions, restructuring goals, new regulations or disruptive technologies.

The title - I Changed My Mind Reviewing Everything - is a tribute to authors and scientists from different disciplinary fields that have illuminated my understanding of intentional change and decision making processes during the last thirty years, explaining how we think - or how we think about the way we think. The logo is a bit of a divertissement, from the latin divertere that means turn in separate ways.

Chronological Index | Subject Index

Let's close in on privacy crimes

About the sudden naivety of special data protection laws

How to cite this article?
Longo, Brunella (2014). Let's close in on privacy crimes - and leave data collections to libraries and archives. About the sudden naivety of special data protection laws. icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Print)], 3.2 (February).

How to cite this article?
Longo, Brunella (2014). Let's close in on privacy crimes - and leave data collections to libraries and archives. About the sudden naivety of special data protection laws. icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Online)], 3.2 (February).

March, 4 2014 - In a recent article Craig Mundie states that "the current approach to protecting individual digital privacy and civil liberties, focusing on limiting data collection and retention, is obsolete. The time has come for a new approach focused on controlling data use" (Privacy pragmatism. Focus on Data Use, Not Data Collection, Foreign Affairs, March/April 2014).

I could not agree more - though Mundie works for Microsoft and writes against the backdrop of a possible imminent new american law on cyber security (CISPA), whereas my views are essentially from a data engineering perspective, aimed at making the most of data assets without waste of other important resources.

After the halt to the new European Data Protection Regulation and pause for reflections last autumn (that followed the new OECD privacy guidance), it seems to me that the very idea of having Independent Authorities governing with special laws the collection and treatment of electronic archives of personal data has reached its tipping point - a point in which it has revealed all its naivety.

It sounds bitter, surprising news, that I came to such thoughts. In fact, I have been in many ways an advocate of special data protection legislation since 2003. About ten years ago, I remember myself giving passionate talks to sceptical marketing people about why data protection legislation should be a matter of basic education about treatment of personal data in electronic forms, as a way to build trust and develop rapports in the digital market-spaces.

The same belief has underpinned my work on how to prevent and early detect distorted usages of personal data within corporate crime scenarios and how to develop robust data policies for cyber security.

But, to be sharply frank as per the prerogative of this column, the idea that we could govern collection and treatment of personal data through general rules given by special laws and with Independent Authorities issuing guidelines and fines, well… it suddenly seems to me just aleatory and utopian.

That perfect cybernetic world does not exist. There is no independent super power able to govern an inevitably global jungle of mistakes made by employees and users along the digital supply funnel, whilst gangs of organised fraudsters deliberate fake errors for the most incredible "immaterial" (though very real) online frauds.

We are all in the digital data soup together: everybody should be accountable on his or her decisions about data exactly as it happens in respect of the use of other material personal belongings - like your car, bike or passport.

Many recent cases surely influenced my perception of the effectiveness of the current data protection laws. For instance:

But what really made me think we should completely change approach to data protection legislation is the evidence I had that in innumerable circumstances the Information Commissioner Office is unable to intervene and stop chain of misuses of personal data, considered in some circumstances ahead of the regulations and in others simply legally irrelevant (i.e., formally correct, even if substantially abusive).

False accounts, wrong associations and inferences, malicious mis-representation of people through notes made in their medical records, for instance, or through mistakes recorded in public databases, and even misleading search engines references (as I wrote in Those Brunellas are Google's delusions) can destroy the public image of a person, a brand, a company. We should always ask ourselves ‘Cui prodest’?

False representations are particularly damaging when we mostly need to rely on our own personal data because we are changing country, community, career, job, bank or surgery or we undertake any other personal important step. Chains of recurrent mistakes in a person's digital records follow a fabricated fraudulent pattern that is always strongly evident from the side of the victims and their communities while the criminals remain behind the curtains of digital anonymity and lack of certainty of computers' authentication mechanisms. There is absolutely anything that an independent authority can do to prevent the misuse of personal details at this level.

Conversely, there is a farcical possibility that privacy crimes remain hidden behind the foggy configuration of emotional offences (such as cyberstalking, 'wounded feelings', internet trolling, family feuds or other interpersonal quarrels). In such scenario, independent authorities risk to become engulfed with instrumental complaints, fabricated for the only purpose to confuse possible investigations and to feed the media.

"Proper disclosure and the organisation of proper arrangements for disclosure - I am quoting Arlidge & Parry on Fraud, 4th ed, 2014 - will advance the interests of justice to all the parties to the trial rather than hinder it by burying the real issues beneath mountains of paper, accompanied by satellite skirmishing, is fundamental".

So, all in all, I asked myself if it is not the case that a collective cognitive fallacy led us to believe that Independent Data Protection Authorities with their innocuous and mostly unread tidy codes of practices could govern the immensely complex maze of electronic records containing representations of people lives and interests. It seems so naive after all.

Time has come for privacy laws and authorities to afford the world of adulthood. Institutions, organisations and individuals are responsible for the usage they have made, they make and they could make of personal data within a certain context. If something is intentionally mismanaged or goes unintentionally wrong, both individuals and organisations must be accountable.

Malfeasance and wrong usages of personal data should be brought to the ordinary courts and not to special tribunals nor special commissioners, whilst collection and treatment of data should be matters - as it has always been - for archivists, librarians and historians.