Asian Privacy Scholars Question ‘Easy Privacy’ at Conference by Andrew A

ANALYSIS

Asian privacy scholars question ‘easy privacy’ at conference By Andrew A. Adams and Kiyoshi Murata . n 10 and 11 July 2014, mem - c^qebo obnrfobp ^ `elf`b Ó government regarding potential revi - bers of the Asian Privacy qlibo^kq m^qbok^ifpj sions to Japan’s lacklustre data protec - Scholars network (APSn) Using computer systems allows and tion regime (proposals reviewed by Oonce again convened for a wide-rang - may even require making many choic - Professor Graham Greenleaf in PL&B ing conference at Meiji University in es. Information ethics analyses have International August 2014 , pp. 23-25). Tokyo. Professors Adams and Murata long valued “informed consent” as a There was some surprising agreement of Meiji’s Centre for Business Informa - gold standard of personal information between Professor Foster and privacy tion Ethics hosted the event, in the processing principles. Starting from activists on some aspects, most notably impressive venue of the Kishimoto historical ideas of paternalism (acting on vesting data protection authority in Tatsuo Hall on the 23rd Floor of Meiji’s to curtail the autonomy of another in a single body and providing clearer Liberty Tower building, which over - the best interests of that person or of guidance on accepted practices. There looks the Imperial Palace in Tokyo. society as a whole) and tolerance was less agreement on whether that Under the high domed ceiling, watched (accepting aspects of others, including body should be a proactive data pro - by portraits of the University’s their choices, which one finds objec - tection commissioner as in the EU or a founders, 20 scholars from around the tionable to some extent), Floridi tried reactive consumer protection world presented, and more than 30 to identify whether it is possible to be commissioner as in the US. more debated, pressing issues of pri - both paternalistic and tolerant at the Wan-Ping Li presented a back - vacy and surveillance in the Asia- same time. In a detailed philosophical ground and current evaluation of the Pacific region. The stated theme of and logical analysis, he presented Taiwanese Personal Information Pro - Easy Privacy wove a subtle thread paternalism and tolerance not as binary tection and Administration Systems, in through many of the talks rather than a on/off concepts, in which they may be which again there was a call for a more strong explicit theming. Ten of the pre - seen as oppositional values, but as coordinated data protection authority senters were also involved in meetings measures of the level of interference regime. These calls were echoed by on joint academic research over the fol - with free choice. The “nudge” Professor Kyung-Sin Park from Korea 1 lowing days. APSn now has 80 mem - approach of allowing a selection University, in his review of the para - bers, involving researchers from most deemed “negative” but making it more doxical nature of the Korean Resident countries in Asia and those from out - “expensive” to choose than the pre - Registration number with respect to side the region engaged in Asian pri - ferred “positive” selection, he analysed privacy and citizen security. One of the vacy issues. This was the fourth APSn as moderately paternalistic and moder - failings of the system to help protect Conference since 2010, and past con - ately intolerant. Defaulting to the most citizens from misuse of their data has ference chairs form an ongoing common selection where that is known been the lack of coherence between advisory committee. to be harmful to the individual (or government departments in their treat - Each day of the event began with a society), Floridi claimed, was moder - ment of organisations under their keynote speech consisting of multiple ately tolerant but moderately non- purview for data protection issues. juxtapositions. Professor Luciano paternalistic. In the end, though, he Professor nohyoung Park, also of Floridi of the University of Oxford claimed that a middle ground exists Korea University, who chaired a ses - presented an academic and philosophi - whereby the maximum amount of tol - sion at the APSn conference, had cal analysis of the problem of helping erance and paternalism can peacefully argued at a seminar the previous individuals make better choices, pre - co-exist. This is embodied in the evening on Japan’s proposed reforms senting his solution to the question of “required choice” model whereby that Korea’s Personal Information Pro - whether tolerant paternalism can exist information is made available (but tection Commission did not in fact and what use it might be in the infor - choosers are not required to avail constitute as much of a centralised (or mation age. Mr naoto Bessho, a senior themselves of it) about the conse - effective) data protection authority as it executive of Yahoo! Japan (a separate quences of each selection and a strictly seemed at first sight. So there was a corporate entity from Yahoo! in the positive choice is required. consensus that Asian countries needed US), provided a Japanese legal and clearly-established and effective data business view of the right to be forgot - ^pf^ Jm ^`fcf` mbopmb`qfsbp protection authorities. ten. Yahoo! Japan is one of the most Various speakers presented some single Professor Gehan Gunasekara took visited websites in the country and as nation-oriented reports. Professor Jim us South for an initial exploration of such has watched with keen interest the Foster from Keio University gave a the privacy notices on the websites of recent CJEU decision regarding this US-business-oriented perspective on major new Zealand firms, concluding issue (see p. 27 ). consultations by the Japanese that there was much work to be done in

making these policies reflect new tion law, highly relevant to at least reported, despite their major open pres - Zealand law, best practices and the actual Japan, which has strong developing ence at Misawa airbase. The lack of operations of those companies’ sites. industries in these cutting-edge press coverage of Snowden’s revelations technology areas. in Japan is particularly strange, he brolmb^k fjm^`q lk ^pf^ J believes, given that Snowden himself m^`fcf` mofs^`v qeb pe^alt lc pkltabk was based in Japan for a number of The EU, when taken as a single coun - The revelations by Edward Snowden of years and was well-known online for try-like entity, is the largest economic the activities of the US nSA, the UK his enthusiasm for living there. bloc in the world. Its regulatory GCHQ and other intelligence agencies approach, particularly when it differs around the world was a strong theme `lk`irpflk substantially with that of the US (with again this year. Professor Kiyoshi The 20 presenters and 31 other atten - only a slightly smaller economy), can Murata presented some startling differ - dees made this a lively and vibrant have major impacts around the world ences between the attitudes of Japanese event. Privacy Laws & Business spon - and the EU’s data protection regime is university students and their compatri - sored the conference dinner, as it has clearly one of those areas in which ots in Spain regarding Snowden’s since its inception. The APSn events impacts are considerable. Accordingly, actions. In particular it was heartening are succeeding in bringing together pri - a number of speakers included a Euro - to see so many young Spaniards fol - vacy scholars to present their findings pean flavour in this Asia-Pacific lowing up their evaluation of the right - to each other, and in bringing policy - focused conference. Gertjan Boulet ness of Snowden’s actions with a claim makers from various Asian countries from the Free University of Brussels that they would follow the same path (particularly from Thailand this year) presented exploratory work on mutual themselves in similar circumstances. to listen and to engage in these debates. recognition of sanctions between data Less heartening was the Japanese stu - protection regimes as a way of improv - dents’ unwillingness to take any risks AUTHORS ing cross-border protection but also and in particular “not to stick their Andrew A. Adams is Professor of Informa - easing cross-border trade, featuring neck out for anyone”. Professor tion Ethics at Meiji University, Tokyo. EU Member States’ approaches Andrew Adams provided a philosophi - Kiyoshi Murata is Professor of Manage - amongst others. Professor Greenleaf cal and practical guide to why so many ment Information Systems at Meiji then compared the activities of data (including himself) are outraged by the University, Tokyo. Emails : [email protected] protection penalty-application bodies scope, targets and intensity of the [email protected] between the EU and Asia-Pacific, in nSA’s and GCHQ’s operations. He terms of their power to levy such focused on the chilling effects for penalties and their track record of democracy of such all-seeing eyes, and INFORMATION doing so. Lachlan Urqhart highlighted the degradation of everyone’s personal This article covers only a portion of con - the challenges for the development of security that lack of privacy brings. Dr ference presentations. More details can ubiquitous computing devices and David Murakami Wood completed the be found on the conference website www.kisc.meiji.ac.jp/~ethicj/APSN4/ services of complying with current and Snowden session with questions about including slides for many presentations. proposed reforms of EU data protec - why nSA activity in Japan is so little

CNIL issues public warning to Orange France France’s Data Protection Authority, inspection on Orange and its subcon - the breach and Orange’s defence of its the CnIL, has sanctioned the mobile tractors, XL Marketing and Gutenberg position, and giving the company a telephone company, Orange France, networks, working on its promotional month to comment on it draft decision, for a data security breach. The public email campaigns. The CnIL found the DPA issued a public warning. warning, issued on 25 August, follows gaps in data security, and initiated the The CnIL considers that Orange a security breach which jeopardised enforcement proceedings. should have had sufficient financial and personal data of more than one million According to the CnIL, the com - human resources to manage these customers. Information stolen in a pany claimed to have taken all neces - problems. cyber attack included customers’ sary measures to fulfil its data security names, email address, mobile and land - obligations, but had not conducted a • See www.cnil.fr/linstitution/actualite/ line phone numbers and dates of birth. sufficient security audit before using a a article/article/la-societe-orange- Back in April, Orange notified the certain technical solution for sending sanctionnee-pour-defaut-de-securite- CnIL of the breach of personal data email campaigns. des-donnees-dans-le-cadre-de- related to a technical failure by one of The CnIL has a fining power of a campagnes/ its providers. All publicly available EU maximum of 150,000 euros, and where For the CNIL’s detailed decision, see electronic communications services are similar previous offences have been www.cnil.fr/fileadmin/documents/ obliged to report data breaches to the committed, up to 300,000 euros. It can approfondir/deliberations/Formation_ regulator. also issue an injunction to stop process - contentieuse/D2014-298_ In May, the CnIL carried out an ing. In this case, after giving details of avertissement_ORANGE.pdf