Keynote: Accountability for Privacy in Cloud Computing: Is this a new Problem?
Colin J. Bennett, Department of Political Science, University of Victoria, Victoria, BC. Canada www.colinbennett.ca
The notion of "accountability" is a currently fashionable within the community of scholars, regulators and activists concerned with privacy and data protection. At one level, it has always been a central principle within these laws and policies, and is implicit if not explicit in every attempt to make organizations more responsible for the personal data they collect and process. At one level, there is nothing new. At another level, however, accountability has come to represent a distinct policy approach to the vexing problem of the regulation of international personal data processing, in the past termed "data exports" or "transborder data flows". Over the last few years, the debate on international data protection has become somewhat polarized between those who would continue to support the EU approach, essentially a prohibition on transfers to countries which do not have an "adequate level" of data protection, and the "accountability approach" which focuses more on the protection afforded by individual data controllers.
Scholars of public administration have spilled a lot of ink over the many meanings of the word "accountability". However, there seems to be a consensus that the process must involve being called "to account" by some authority for one's actions. Accountability implies a process of transparent interaction, in which an external body seeks answers and possible rectification. That external agent is presumed to have rights of authority over those who are accountable including the rights to demand answers and impose sanctions if the organization's "account" is not accurate or complete. If there is no possibility of external compulsion to change practices, there can be no accountability. Thus, there must be a common understanding of who is accountable, for what and to whom. The recent policy discussions about accountability and privacy protection, especially in the context of cloud computing, have not been precise with the result that the word has been expanded and distorted to serve a variety of political and economic interests. Nobody can be against "accountability" in the abstract. But when the concept becomes framed in political discourse, there are a number of questions that need to be raised about its meaning and its relationship to the central goal of protecting privacy. How policy problems get framed shapes how they will be resolved. In this talk, I first review briefly the history of trying to regulate international flows of personal data, with a view to understanding how the "accountability" approach arose. I then review some of the assumptions (implicit and explicit) upon which this current emphasis on accountability seems to be based, and with particular reference to another imprecise phenomenon "cloud computing".
Colin Bennett received his Bachelor's and Master's degrees from the University of Wales, and his Ph.D from the University of Illinois at Urbana-Champaign. Since 1986 he has taught in the Department of Political Science at the University of Victoria, where he is now Professor. From 1999-2000, he was a fellow at Harvard's Kennedy School of Government. In 2007 he was a Visiting Fellow at the Center for the Study of Law and Society at University of California, Berkeley. In 2010, he was Visiting Professor at the School of Law, University of New South Wales. He is currently a Visiting Professor with the Law, Science, Technology and Society Centre at the Vrije Universiteit in Brussels.
His research has focused on the comparative analysis of surveillance technologies and privacy protection policies at the domestic and international levels. In addition to numerous scholarly and newspaper articles, he has published six books: Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Cornell University Press, 1992); Visions of Privacy: Policy Choices for the Digital Age (University of Toronto Press, 1999, co-edited with Rebecca Grant); The Governance of Privacy: Policy Instruments in the Digital Age (The MIT Press, 2006 with Charles Raab); The Privacy Advocates: Resisting the Spread of Surveillance (The MIT Press, 2008); Playing the Identity Card: Surveillance, Security and Identification in Global Perspective (Routledge, 2008 co-edited with David Lyon); and Security Games: Surveillance and Control at Mega-Events. He has completed policy reports on privacy protection for the Canadian government, the Canadian Standards Association, the Privacy Commissioner of Canada, the European Commission, the UK Information Commissioner and others. He is currently the co-investigator of a large Major Collaborative Research Initiative grant entitled "The New Transparency: Surveillance and Social Sorting."