Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
So the last talk of this session will be from Carson keen, a fellow Analyst, a young member of our group here. Actually, he's a lawyer. We had some debate last time, but, and he's going to discuss past privacy. We have heard a lot, lots of things where we may actually think, well, are we still in the procession of our personal data? So here's the answer. We'll see. Thank you. The pointers.
Ah, thank you. Well, post privacy, this is not easy to catch. So I thought, why not start with a picture? I think most of you know, this picture in the internet, no one knows you are a dog. I think this is quite what we felt back then in 1993, when this first came up and I think it made the round, then some years later in 2007, another picture here privacy already was declining. When we look back on what the cartoonist said there on Facebook 207, 3 people know I'm a dog, the rest can only see my limited profile. So there is some limitations already.
Two exposure, not only not because of any laws, not because of any pressure, but just because the doc felt this was a good option for him to choose. What is the future gonna bring? Is privacy maybe even going to be lethal, lethal because of what those two folks discuss here, a new kid like you once arrogant Kocher though he didn't need to join a social network. Then one day he just stop existing. That's quite scary. Are you only there?
If you are at the right place, if you are online, if you're in social networks, if you lose your privacy, if you abandon your privacy or is this not gonna be the option we are going through? This is what I was wondering. And please allow me to first go back to what actually's privacy, because if we want to understand what really can be, could be already is post privacy. Then we first maybe should understand and get a common understanding a bit of what is privacy.
Actually, it's a pretty short story, but it started quite a while ago in the late sixties in the us, the right to be alone was created. And also in Europe at the same time, some first ideas of privacy were coming up. It was a fundamental recognition in very basic laws in most of the European countries coming up to the seventies when there was first regulations of privacy laws, especially in Germany, there was one, but it was not even on a federal level. That was very, very only on spots to be found. And we didn't have anything like today, like a covering regulation of privacy loss.
The focus was very, very different at the time. Actually it was more the citizen versus public authorities. It was less a citizen that had the feeling to maybe protect its privacy against anyone coming from the private sector. So that was completely different. The re regulatory approach in Europe then was actually a very strict one. And I think we are struggling from that today. We have a complete ban of handling personal data with a preset reservation.
So everything that not for the particular case is allowed will be forbidden using data, sourcing data, finding data, anywhere, gathering it together, putting it anywhere, using it for some other purpose. Then the sub data subject would expect it to be so all of that usually is nothing we may do by law. We are doing it.
And we just heard before, we're doing a lot of things that are not supposed to be that way from a legal perspective, but we all have to realize that all the data handling that we face every minute, every second, by using mobile devices, by using different softwares, by using especially applications in the mobile sector. In most cases, I would state that in very few cases, only things go according to the law. In most cases, we do not follow what we have to decide in the seventies, the ban of handling of personal data with only a permit as an exception. So the first laws had smaller challenges.
We had a pre dominating analog setting and then analog data processing. We didn't have the big interest in data. And of course the data processing itself was almost an exception. This makes it so very well understandable that we thought a ban of handling data was a good idea, a good concept. And then only as an exception, data could be treated because there was so few data handing on a digital level or on automatic level, at least not in daily lives. That was so much implemented that of course the law has that picture and it still has that picture.
Privacy today is something that we all possess from a very fundamental legal perspective. It's a natural law. Privacy can at no point be violated because you just have it. You just possess privacy. When you get up in the morning, it's always there. You can't abandon it. You can't cut it off. So the discussion on post privacy from a legal perspective really hits this point. If you think about somebody, maybe inventing your privacy, that is of course legally possible, but it cannot be taken away from you at any time because you possess it just as being part of your lovely self.
The data protection laws are the results of threats to privacy. This is our understanding. We have the privacy with the fundamental laws and we have the data protection side to it that carries out what privacy says. So it's complimentary. The privacy just gives us the idea of what I just said. You have it and it's gonna be there. And the data protection regulations make something out of it or are supposed to make something out of it.
So having threats to privacy and threats to the basis, of course, data protection legislation in order to proceed with a common and modern understanding of privacy must volute having those threats. And the rise of threats is enormous in these days as the amount of data is growing. And the way we treat data is changing a lot socially as well.
Of course, actually data protection regulation must change, and we have seen some changes, but what has just pointed out before the understanding and the basic concept of data, privacy has not changed in the words of law. So this is what we really have to see when we discuss post privacy, we are way back there with our ideas of the seventies, when it comes to fundamental privacy question, what is the nature of privacy? How do we feel about it? How important is it in order to exercise other fundamental rights? For example, we have a cross interest here and it all combines together.
So when we discuss post privacy and the discuss discussion has not yet gone so far, we are so busy mistreating data protection loss that we don't even find the time to discuss what it makes with us and what, what it makes with privacy.
Then we have to see that the privacy legislation at some point is still remaining in the seventies, eighties with some changes here and there, but not with a fundamental breakthrough and a fundamental change that has given all of us the chance to adapt to the new environments we have in short words, words, additional offenders and offenses, which is of course the private sector that has found out that data mining is something that supports the business. Not only, but it makes the business. It's not only just doing something with data. It is the concept of business in many times.
And of course it's something we all know, but the data protection laws don't really realize that yet. So public authorities as well have accepted data to be an investigative target. When we think back off the eighties, early eighties, eighties, there was manifestations demonstrations against new action of anti privacy. So felt back then in Germany, especially, and we haven't heard anything like that till the early beginning of our century. So there was not happening much in the understanding of privacy, but there was happening a lot at the time with the surroundings of privacy.
And that should be all passed. Now is the old idea of privacy, something we just should overcome. This is actually the question of post privacy, not being in those fundamental rights anymore. In the environment of having the idea, even to protect privacy. It was actually something that we can read in a scientific science fiction novel in the 1970s, early 1970s, there was the first time the word of post privacy making the round.
And I, I just can't imagine that at this, at this time, it was really scary for people to read, but at the same time, not very realistic. So post privacy has been around for a while, but the discussion has really moved only. Now for the last few years with this term, the cons the definition therefore has not been evoluted much. We just have some key ideas of what post privacy actually could be and could be in the future. And what it could bring to us, the major ideas are that self-determination. And this is a core fact of our today's legislation, at least in Europe is not granted.
It's not needed anymore. And it's hindering my data is everyone's data. This is the idea of most post privacy writers and most post privacy followers, transparency and freedom of speech are supposed to overcome privacy. It's not a question for extreme post privacy fellow followers to have a combination of some privacy and some post privacy.
No, it's a complete change of setup. The transparency of, and freedom of speech is the new thing. And there's no alternation. And there's no idea of finding a balance. What's our idea right now, so that what just wanna set on the freedom of speech and the absolute freedom of information, which means that data can be P can be sent around used for any purpose can be gathered. So actually post privacy.
And this part is just no more regulation and no more privacy in the sense of legislation and in the sense of daily life, which is my understanding, the threat to society is something that we have to discuss here before I was talking about the threat, the threat to the legislation when it comes to new techniques, but the threat to society, I think is enormous. I don't wanna say this is an all bad idea, but it's got extreme power behind it. If you think about it, because now we are whining sometimes a bit. We are the data protection experts and data protection officers.
We're whining a bit about that. Nobody hears us, but I think we have to, to strip that down to the core idea. I think if we change, if we have a complete fundamental provide change here, then we are at post privacy. We all have to understand that if we are argumenting post privacy, that there is no more privacy to what post privacy experts say here. Freedom is not privacy protection by law. This is something old fashioned in the words of post privacy, but the right to collect use and pass on information. In any case, even if it's indurated, we haven't discussed yet much about business data.
So from my understanding, this is what post privacy means as well. Because if you have individual related data, it's really hard to make a cut to where it starts business data. Now. So if we are deciding for post privacy and we are deciding to get rid of privacy in a way, then we must understand that this has an enormous impact on our businesses, because information is even less proprietary. You cannot say, this is mine. You cannot say this is yours. So post privacy has it yet. Is it yet to come or has it even already arrived? As I pointed out, privacy is a natural law. It's just there.
So post privacy in today's European constitutional sense is not even thinkable. It cannot be there from a legal standpoint because you just have it. It's part of your human being. So an abandoning is not an option. We needed to change our fundamental rights. If we really wanted to go for post privacy, even if this ride will remain, it is possible to not make use of it. You can perfectly have your privacy and act as if it wasn't there. Sure. That's possible. We see that. We see that not only in businesses, we see that in private lives, people open their hearts and they open their lives.
And they, a lot of times say, I don't have anything to hide and things are easy for me because people are following me anyhow. And there's so much information. They maybe even forget what I said in 10, 10 years ago or five years ago. So they have a really different understanding from that. And I think all of us have some parts of that understanding in us sometimes a bit more, sometimes a bit less. So this is a good image of that. You can get rid of privacy, even though it's still there. I still have it. I can still get back to it and use it again.
If I feel like it, this is our situation like now we are in a transitory phase, I believe because we really need to have some changes, which I wanna discuss a bit later, but we need to, to imagine also, if there was no privacy at the end, we didn't have the choice as we have it today. It's very comfortable to say, okay, a privacy it's it's hindering me and doing my business is it's hindering me in having my most relaxed way in order to organize my life. It's very nice to have a little ential interest in privacy and very easy, very comfortable, but this wouldn't be possible anymore.
If privacy was overcome and post privacy would be the new thing. So as we don't have a perfect understanding of what post privacy is yet, I have, I, I want to try to understand what it would really mean. If post privacy would be exercised if post privacy means that privacy is not granted anymore due to any violation, which can happen at all times, even though privacy, we remain still post privacy will not arrive until we really have this drastic change.
And if imagine, if you, what it just, just pointed out before, have no more privacy, you maybe not have don't have any more rights on your business data as well. So we need to have really new structure, legally speaking on very different concepts of law, not only the privacy, but also our understanding of copyright laws. They really grab into that. If post privacy means that one might decide not to make use of privacy, then this is already there. It's part of the conception. It's easy. It's self-determination, it's already here.
So in, if that was the understanding, we wouldn't even need post privacy because we already have the choice following a legal understanding. However, post privacy had not has not yet arrived from a legal, from a non-legal standpoint, we have to understand that this is something completely different from what I just pointed out around the legal perspective, post privacy to my understanding seems to be both already arrived, but still difficult to reach. It's not that it was an aim to, to, to go for post privacy from my perspective.
But even if you wanted to reach that as a, as an individual or as a society, I think that's, that's hard to have as we are so busy in our moments in our daily lives and our daily businesses, we are so busy in digesting all that has happened in the last decades to our technical environment. So compared to 10 years ago, our daily life of course is somewhat post private. That's no question. If you would've told those people in the eighties that have been going to the street, what happens now to our data? They would've said this is no more privacy whatsoever.
It's a complete all world, all world dimension. So it's just to go to the profound sense of the word post private post privacy is something that really is difficult to catch in that. I think it's a question of how do you feel now about it? I'm sure when we were discussing post privacy in 10 years, probably things will have gone a little bit more narrow, even a different understanding of privacy.
Probably we will be there, but I'm sure we will have still an understanding of privacy and there won't be a switch and we are going to post privacy and maybe we will even discuss when will this post privacy finally arrive? When is really nothing left of what we once had understood to be privacy. So we have, this is, this is the, the key point here from my understanding, we have a tremendous change of mindset here, and this really drives our, our behavior towards post privacy. Even though everyone has a connection to what pros privacy means for himself or society, we hardly ever discuss it.
It's just there. It's so comfortable to use the iPhone as just pointed out before it's so comfortable to use any product of a competitor.
Of course, it's the, the, the very sudden opportunity that makes it really nice for me to work with everything that destroys my privacy. And I'm a bit blind as a, as a citizen of 2013 towards my privacy rights. And I don't even notice in many times, of course, that it's already vanished or aggressed.
However, post privacy is not there yet to my understanding. And I think we will be waiting for it, but the tremendous change of mindset will go on. And at the same time, let's focus on what I started with. Let's focus on the legal perspective on it, to my clear understanding, we have a crisis crisis of the concept of privacy. As we know it today, we have a legislation that is somewhat looking at the back. Of course we have the regulation coming up on the European level, but to be honest, I think this again is something that will not be enough.
We now are basically in a very national understanding, even though of course we have European regulations, but we are in a very national understanding of privacy right now. And now finding the European set, of course, it's an advantage, but again, I think it still will not solve our province. It's a nice first step. But what I understand of privacy in the future is what we really need is a common understanding in the world because it's really not really helping the businesses, the data flow, where it should go.
And I will under where I understand that we have as individuals don't many times don't even have a problem, the data to flow there. Sometimes it can't go, the data just can't go because there is legislation, there is a complete different understanding of privacy. So I think the crisis of the concept of privacy is a lot about boundaries and boundaries of legislations, the ideas and tools of back then seventies, eighties are still there. If you look at the data protection regulations, very short, it's very much cemented from what we felt back then. It's very much analog. It's all of that.
And even in the new regulation, I see a lot of that. Again, I see a lot of German data protection laws in the new European regulation. And I see the same idea of ban of data flows as the general rule, and then find an exception to flow the data. I think we need to discuss that. And I think we need to find out if this complete ban to start with of data flow is really what we need and is really what we want because with every data flow to be examined, we really have to work through all of that.
And of course we are, we would be busy at all times just to find out what should the data flow be like if I, if I go to a, just a very daily business scene, you use your computer for any action you use any software for, for a very good chance, the data somewhere, if it's, even if it's not in the cloud, it's somewhere else. Somebody else can look in there. I don't even know.
I, I don't even have the right to exercise my laws here. I don't, I can't do it because I don't understand. So it's very nice to have all those rights, but they're in exercisable at the moment they are too international.
They're, they're not international enough and they're too too difficult to understand, and they're too complicated. So this is the crisis of privacy that I see here. They are also very abstract. When I talk to business partners, partners, they don't in many times even have the common understanding of what this law is about and what it should protect. So it's something that is under enforced and therefore not, not present yet. And I think it will stay that way.
If we continue to walk on this old wood data protection loss to my understanding are not only to, to abstract and that incorporate for, for no reason, the technical development. This is something that we are missing a lot there too. We have a lot of nice mindsets how to find a dogmatic approach to data protection, but there is no aid. There is no understanding of the technical development here in the law. You don't see any, any bigger expertise of how technique is, of course that's the, the idea laws are in many cases supposed to, or most cases supposed to be abstract.
That's the idea of the law, but I believe for the data protection environment, this approach is not the right approach. There should be more guidance, more, more clearer understanding, and there should be a clear case analysis by the governments in order to also find a good data privacy solution for the current technical development. The core point of the crisis that I see is that we don't differentiate differentiate enough between nice to have and must have protection. The line is not even clear in many cases, as we are with a complete ban. So very restrictive.
I think this really drives us apart even more, but then the old fashioned data protectionist and the, the ones that are going for the techniques and the businesses, I think in order to get back to common road, again, we need to find clearer rules and we need to find of course, a better differentiation, but we really must have protection for my sake. We could lower it, even in order to get it more understandable and easier to follow, because now it's so very complicated that it slows down the development of techniques.
If you are following it, this can't be our understanding of privacy that you have to decide either for the business or for the privacy. We need to combine it. And this is I think an option that we have to support, at least not only by the privacy laws, but of course, by joining forces between the ones that are going for techniques and the lawyers. So the core protection is something we need. We don't need the, the outer skirts of data protection that find solution that no one understands at the end. And I find a lot of cases. Imagine also very, very simple example.
If you are facing the fact that in most intranets, you have pictures of your fellow colleagues in order to find out who's new. What does he or she look like if you live somewhere and work somewhere else, this is quite helpful. So most people don't realize this is something you can't in, in most jurisdictions in Europe, even realize you can not realize a legal way to put pictures in the internet at, especially in Germany. This is very difficult as you have no justification for it in the law, which would be one option to get it listed.
And on the other hand, you don't have the, the possibility to ask your employee. You can ask him and he, or she can say yes, but this is nothing worth in front of the law. As the employee is not even allowed to say yes, that is okay because our labor courts understand this to be an action of pressure for the employee. No one understands that everyone says I can't, I can't have that. And this is not my understanding of privacy. It's hindering me. It's a very simple example, but I think we really need to understand that this is really nothing we need today.
The practical enforceability is very, very low. We have heard about that today. The enforceability in the countries of your, in the member countries of Europe is very low and the enforcement on the transporter basis is to my understanding even lower. In many cases, there is just not the time and the manpower to go through all the laws for all the data flows. So that makes it very evident for me to reduce the complexity of laws in order to find a more practical way of enforcement.
Because if we don't start enforcement one day, we will not be able to, to get, come to a, a core privacy in our society. At the end, I believe we need to enforce to man in order to maintain the core idea of privacy. Whereas data flows are international data protection masks mainly remain in the idea of single jurisdictions. That's something that, that I just pointed out already. If we compare from the perspective that I just pointed to what somebody very eager to protect privacy, the old fashioned way. If we compare that, then he would say data protection laws are binding fact.
They're abstract as any other law. It's the data collectors obligation to apply it. So go for it and implement the necessary measures. And it preserves the balance between all our proper tar proprietary, common goods, the individuals and society. We just need it. So go for it. But I think we, we really need to find a way that this is not done the way right now. We need to change that in order to preserve the rest of privacy. So what now does it make sense to just that go of the privacy doctrine? I believe no.
I think publishing everything in the sense of post privacy will at the end limit our Freeman. I think we are hardly realize that, but if we give everything free, we will lose the last borders in order to find the privacy that we need. No confidentiality, no free speech is my understanding. The post privacy experts say, well, it's the other way around privacy hinders freedom of speech and freedom of speech is supposed to overcome privacy. We know that if there is no confidentiality, you don't feel like speaking out the truth.
We know that since the confessional secret was enforced in, in the 13th century, I believe post privacy aims at preventing the misuse of data. I think if we are going for an extreme point and extreme way of post privacy, then the misuse is more likely. If data is used not a fun as a fundamental privilege of the data subject. I think the more post privacy we have, the more misuse of data is likely. I have short suggestions, data protection must become less abstract data protection regulations must become more feasible and affordable.
It's a question of money and many times to implement for businesses right now. It feels many times that more, it's more a question of whether to either fully go for privacy or ignore it completely. I think this is a very big sign of helplessness, and I think that more moderate laws, more understandable laws will be more attractive. You can start to do something, but you're not out of the picture. Completely legal barriers for data uses are necessary.
They, they must be reshaped. We need to differentiate between nice to have and must have protection. And we need to go back to a core protection. And of course, a better enforcement and as data flows are international, a common international approach, which we already face with the regulation. But as I pointed out, I understand this not to be sufficient yet from the geographical factor is the best possible and the best possible international prosecution, which we are completely missing at the time should be the aim.
Thank, thank you very Much. Thank you. So I would have welcomed very much to discuss this with a business perspective, for example, with Mr. Curl or with Mr. Post from a government perspective for the sake of time of, unfortunately we are 10 minutes over already. I think we need to postpone that for maybe a discussion in the coffee break.
Just one, one very quick question. I, I feel that this, all this topic actually is very much related, not being a lawyer, of course, to the topic of information ownership. So in my view, privacy has two aspects as a, as a physical aspect, which some people call it's the right to be left alone. And there's an informational tech.
It, it related aspect. And I think the, the basic concept we have today is that as, as individuals, we have the right, at least in a European environment to control our data.
So we, there, there's, there's an underlying assumption that we are the owner of the data that is collected about us. Whereas another legal environment, my understanding is while the information is the ownership of those people that actually did have the burden to collect the information. So it's kind of a reward for the work that they've done.
My, my view is that unless, and this is by the way, this is very much related also to access governance and through topics like information security it's related to topics like having, I, I skipped that. It takes too long for the break. What's your view on this connection is information ownership, a concept which is legally meaningful. Is this something that should be addressed? It's something we don't feel by now when it comes to personal information, when it comes to information which relates to an individual person, a living person, we don't know that at all.
We don't know that anywhere yet. And of course this is heavily discussed. I think we should find some limits to that. It's a very good idea. This is what I also would summarize under find a more core data protection and less the basic ban and exceptions. I think we should incorporate this idea into a new privacy concept, and we should understand where this is not possible, and we should understand where this is possible. And I think more in terms of intimacy privacy, the core privacy of every human being, being should, of course be kept out and maybe another layer around that.
And I think when it comes to information that is more possible to be used in, in, in big data surroundings in, in, in non so very sensitive surroundings. Then this, this is something that really would fit nicely into what we already have. Thank you much again, Carson Keens.