This document discusses balancing privacy, security, business interests, and other values. It notes that recent Western experience shows promoting security over privacy can hurt industry by reducing consumer confidence, and that lack of privacy protection can impact business profits from data usage. The document suggests China could learn lessons from this experience, and that global trends show strengthening, not weakening, privacy is important to maintain trust and enable digital innovation.
IT Law: Privacy as a Middle Kingdom Between East and West
1. IT Law: the Middle Kingdom between East and West
Lilian Edwards
Professor of E-Governance and Director,
Centre for Internet Law and Policy
University of Strathclyde
3. Privacy as a Middle Kingdom
• Security
• Privacy
• Business profits
• Freedom of speech
• Consumer convenience
4. Lessons for China?
• Privacy vs security – recent Western
experience
• Impact of lack of privacy on profit –
recent Western experience
• Does limiting privacy law in favour of
other values work?
• What can China learn from this?
6. Richard Hannigan, Director
GCHQ, 3 November 2014
• Calling for technology firms such as Facebook and Google to
share personal data of users more readily with security services,
e.g. by not supplying stronger encryption to consumers in the wake
of Snowden
• Tech firms little more than “command and control networks of
choice for terrorists and criminals”
• “GCHQ is happy to be part of a mature debate on privacy in the
digital age. But privacy has never been an absolute right and the
debate about this should not become a reason for postponing
urgent and difficult decisions.”
8. OBA: data as “the new oil” of the
economy
• “Advertising based on the observation of the behaviour of individuals over
time. Behavioural advertising seeks to study the characteristics of this
behaviour through their actions (repeated site visits, interactions,
keywords, online content production etc) in order to develop a specific
profile and provide data subjects with adverts tailored to match their
inferred interests” (Art 29 WP 2/2010)
• Online advertising now largest sector in UK (since 2009) c 30% – bigger
than TV, radio, newsprint etc. c 59% spend of this on search ads, mainly
AdWords (Google revenues).
• IAB: Social media revenues - advertising delivered on social platforms, inc
social networking and social gaming -> rose by 58% H1 2014. Mobile
revenues increased 76%.
• Wired: “every industry that becomes digital eventually becomes free”
(Anderson, 2008)
• Failure to find other business models for digital world?
9. Big data
• “If information wants to be free, data
wants to merge” (Grossman)
• UK Government Information Economy
Strategy 2013: 90% of global data
generated in the last 2 years ->
“business sectors across the economy
have the potential to be transformed
by data, analytics and modelling”
• “..UK Government will continue to drive
and influence EU …to ensure that
growth opportunities are not inhibited
by new or existing levels of regulation”
• ? Challenges DP princs of data
minimisation and purpose specification
(Tene and Polonetsky, 2013) – “fishing
expedition”
10. Big bureaucracy?
• Considerable opposition by both UK and US to enactment of
General Data Protection Regulation to improve data privacy in EU –
not “business friendly”
• HMG Seizing the Data Opportunity 2013: “the GDPR does not strike
the correct balance between privacy and innovation.. we should be
careful about overly prescriptive regulation that increases red tape
and costs for businesses, the public sector, and for regulators”
• Similar earlier reactions by industry to new laws on cookies consent
2009-2011 – OUT-law “Please kill this cookie monster to save EU
websites”
• And to the “right to be forgotten” (Google Spain), HL, 2014:
“..judgment of the Court is unworkable. It does not take into account
the effect the ruling will have on smaller search engines which,
unlike Google, are unlikely to have the resources to process the
thousands of removal requests they are likely to receive.”
14. How does the law protect informational
privacy?
• International human rights law eg ECHR, UNDHR
• Specific international guidelines/treaties/supranational law
– OECD guidelines on personal data, 1980
– Council of Europe Convention on Automatic Processing of
Personal Data 1981
– EC Data protection law – required minimum in EU states -
taken up as “gold standard” in many overseas states
– US: no similar omnibus protection of personal data – but some
strong sectoral laws eg health, financial info, kids data
– China: no omnibus “DP” law but increasing legal protection in
Internet related sector
• What lessons can China learn from current concerns about
balancing privacy, security and profit?
15. Data Protection Principles – DP Directive 95/46/EC
1. Personal Data shall be processed lawfully and fairly (“collection
limitation”).
2. Personal Data shall be obtained only for one or more specified
and lawful purposes, and shall not be further processed in a
manner incompatible with those purposes (“purpose/use
limitation”).
3. Personal data shall be adequate, relevant and not excessive in
relation to the purpose for which it was processed (add “data
minimisation” principle? – DP Reg)
4. Personal data shall be accurate and kept up to date if necessary
(“data quality”).
5. Personal data shall not be kept for a longer time than it is
necessary for its purpose. (“retention”)
6. Personal data can only be processed in accordance with the rights
of the data subjects (“openness”)
7. Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing (“security”).
8. Data export principle
PLUS – independent regulator/watchdog + some degree of
bureaucracy for business?
16. Global adoption of DP law (or DP+) as a
standard for privacy rights?
• Greenleaf 2012 – not EU v US anymore
• DP laws fast becoming a comprehensive global
standard – 89 such laws 2012, growing fast
• Only just over half are in European states (56%)
• 2/3 of APEC members have data privacy laws in private
or public sector
• Some new laws exceed current EU DP norms, rts of
interoperability, privacy by design, etc – “third wave”
• Remaining outliers among “digital” nations – China and
the US!
17. Privacy vs security OR loss of privacy ->
loss of profit?
1. Does promoting security over privacy help industry?
Snowden – loss of consumer confidence in both B2C and B2B markets in EU
• Evidence from EU industry
– Information Technology & Innovation Foundation report, 2014 – US cloud providers may lose
10-20% of their EU market share = $35 billion over the next three years
– Cloud Security Alliance report, 10% of 207 non EU companies had cancelled contracts with US
cloud cos since Snowden
– NTT Comms report: c 25-30% of IT decisionmakers in Germany, France, UK “wanted to keep
data in own country”
– AWS setting up German data centre
– “Right now, there are many customers who don't want to buy American -- or to buy from a
NATO country in general,” F-Secure
– Impact on government procurement -
• Evidence from non-EU states
– Election officials in India canceled a deal with Google to improve voter registration.
– In China, sales of Cisco routers dropped 10 percent (Huffington Post)
– Russia ban on user data being stored in US -> possible ban on all Apple products (
• Reaction from UK industry and government-
– Plea for ethical codes and MORE privacy restraints/supervision for industry not LESS
– “Addressing consumer confidence in the Digital Economy” – DP plus ethical approval for new
big data products, security by design, privacy by design – IEC committee
– “A Unified Ethical Frame for Big Data Analysis”, industry, led by Hewlett Packard
18. Privacy vs consumer convenience?
• Do consumers care about privacy after all? Not just about
business attitudes?
• Citizen attitudes towards data privacy – EuroBarometer 201
• People disclose personal data, including biographical
information (almost 90%), social information
(almost 50%) and sensitive information (almost
10%) on these sites.
• 70% said they were concerned about how companies
use this data and they think that they have only
partial, if any, control of their own data.
• 74% want to give their specific consent before their
data is collected and processed on the Internet.
• Privacy affecting if not ending data market – cf rise of
Snapchat, Whatsapp, Ello – privacy as a feature not a bug
19. Conclusions
• Privacy is seen as a value which may be damaging to
other more crucial societal goals such as (crucially)
national security, business profits
• These are both concerns to legislatures in China and
the EU/UK
• However recent history shows that downgrading
privacy protection in the name of security and profit
may be counterproductive
• And the global trend is in fact to greater privacy
protection – by both soft and hard law as well as
“code” - to restore business and consumer trust and
confidence
Editor's Notes
"I believe that 'Central Kingdom' is a more accurate translation for 'Zhong Guo' (China) than 'Middle Kingdom'. The term 'Middle Kingdom' does not imply that China is superior to other peoples and nations around it — China just happens to be located in the middle geographically; the term 'Central Kingdom', however, implies that China is superior to any other people and nation 'under the heaven' and that it thus occupies a 'central' position in the known universe."
“secrets are lies”, “sharing is caring” and “privacy is theft”
Weibo
“US tech firms are already dealing with intense public skepticism for their role in assisting government-led, privacy-invading programmes like Prism. I would surmise that Hannigan is well aware of the PR (and potentially economic) disaster that would ensue upon closer collaboration between companies like Facebook or Google and government intelligence agencies