Managing Privacy through Accountabilityy A lso by Daniel Neyland NEW DIRECTIONS IN SURVEILLANCE AND PRIVACY ( co-edited with B. Goold ) (2009) ORGANIZATIONAL ETHNOGRAPHY (2008) PRIVACY, SURVEILLANCE AND PUBLIC TRUST (2006) Managing Privacy through Accountability Edited by Daniel Guagnin Technical University of Berlin, Germanyy Leon Hempel Technical University of Berlin, Germanyy Carla Ilten Technical University of Berlin, Germanyy I nga K roener Lancaster University Management School, UKK Daniel Neyland Lancaster University Management School, UKK and Hector Postigo Temple University, USA Selection and editorial content © Daniel Guagnin, Leon Hempel, Carla Ilten, Inga Kroener, Daniel Neyland and Hector Postigo, 2012 Individual chapters © the contributors 2012 Softcover reprint of the hardcover 1st edition 2012 978-0-230-36932-0 All rights reserved. No reproduction, copy or transmission of this publication may be made without written permission. No portion of this publication may be reproduced, copied or transmitted save with written permission or in accordance with the provisions of the Copyright, Designs and Patents Act 1988, or under the terms of any licence permitting limited copying issued by the Copyright Licensing Agency, Saffron House, 6–10 Kirby Street, London EC1N 8TS. Any person who does any unauthorized act in relation to this publication may be liable to criminal prosecution and civil claims for damages. The authors have asserted their rights to be identified as the authors of this work in accordance with the Copyright, Designs and Patents Act 1988. First published 2012 by PALGRAVE MACMILLAN Palgrave Macmillan in the UK is an imprint of Macmillan Publishers Limited, registered in England, company number 785998, of Houndmills, Basingstoke, Hampshire RG21 6XS. Palgrave Macmillan in the US is a division of St Martin’s Press LLC, 175 Fifth Avenue, New York, NY 10010. Palgrave Macmillan is the global academic imprint of the above companies and has companies and representatives throughout the world. Palgrave® and Macmillan® are registered trademarks in the United States, the United Kingdom, Europe and other countries ISBN 978-1-349-35045-2 ISBN 978-1-137-03222-5 (eBook) DOI 10.1057/9781137032225 This book is printed on paper suitable for recycling and made from fully managed and sustained forest sources. Logging, pulping and manufacturing processes are expected to conform to the environmental regulations of the country of origin. A catalogue record for this book is available from the British Library. A catalog record for this book is available from the Library of Congress. 1 0 9 8 7 6 5 4 3 2 1 21 20 19 18 17 16 15 14 13 12 Contents List of Tables and Figures vii Preface viii Acknowledgements x Notes on Contributors xi Introduction 1 D aniel Guagnin, Leon Hempel, Carla Ilten, Inga Kroener, Daniel Neyland and Hector Postigo 1 T he Meaning of ‘Accountability’ in the Information Privacy Context 15 C harles Raab 2 T he Accountability Approach to Privacy and Data Protection: Assumptions and Caveats 33 C olin J. Bennett 3 T he Accountability Principle in Data Protection Regulation: Origin, Development and Future Directions 49 J oseph Alhadeff, Brendan Van Alsenoy and Jos Dumortierr 4 T he Challenges of Working Out Surveillance and Accountability in Theory and Practice 83 D aniel Neyland 5 B ridging the Gap: We Need to Get Together 102 D aniel Guagnin, Leon Hempel and Carla Ilten 6 P rivacy and Trust in Socio-technical Systems of Accountability 125 P riscilla M. Regan and Deborah G. Johnson 7 M aintaining Sovereignty over Personal Data in Social Networking Sites 143 E sma Aïmeur, Sébastien Gambs and Ai Ho 8 ‘ Cold Intimacies’: Community Notification, Satellite Tracking and the Ruined Privacy of Sex Offenders 165 M ike Nellis v vi Contents 9 E lectronic Health Records – The Case for Accountability in Hospitals 188 A lexander Dix 10 Accountability and System Responsibility: New Concepts in Data Protection Law and Human Rights Law 193 P aul De Hert 11 A ccountability and Independence of Data Protection Authorities – A Trade-Off? 233 P hilip Schütz 12 BeyondAccountability, the Return to Privacy? 261 Raphaël Gellert and Serge Gutwirth Index 285 Tables and Figures T able 5.1 Dimensions of ethical branding 117 Figures 7.1 Architecture of PrivacyMarker 157 7.2 Watermarking and encryption process 159 7.3 Decryption process 159 11.1 Regulatory governance 241 11.2 The regulatory state 243 vii Preface As the editors of this collection, we feel that our EU-funded project PATS1 (Privacy Awareness through Security Organisation Branding) was fortunately timed with regard to the currently emerging discourse about privacy and accountability. The main focus of the PATS project has been to analyse the privacy practices of security organisations (mainly service providers and technology producers) and to assess the opportunities to encourage self-regulation of these organisations by establishing privacy protection as a component of competitive market environments. The results of our empirical research suggest that the majority of actors involved in the security realm tend to shift responsibility for data protection and privacy issues. Manufacturers and producers of surveillance systems hold end users responsible for privacy protection. Furthermore, the argument that there is simply no demand for Privacy Enhancing Technologies (PETs) is regularly put forward. There is also a residing view that the public are willing to exchange their right to privacy for the benefits of cheap online services or products through rebate marketing. Along the same lines, arguments are put forward that citizens are willing to exchange their right to privacy for security and safety. These findings emerged in parallel with the publication of the Article 29 Working Party Opinion 3/2010: ‘On the Principle of Accountability.’ The accountability principle described seemed to uphold the idea of self-regulation while trying to take into account the problematic gap between a kind of idealised theory and far messier practice of data protection through self-regulation. While the idea of ‘regulated self- regulation’ is not new, and the principle of accountability has also been discussed for some time, it seemed clear in the Article 29 Working Party Opinion that there was a need for change – and a need for a concept that could help bring this change about. We felt that bringing account- ability to the fore held great promise, both analytically, for thinking 1 PATS is funded within the FP7 from 2009 to 2012. The project is a joint effort of six partners in Europe, Israel and the US. For more details, see www.pats-project.eu. viii Preface ix about new ideas of data and privacy protection, and for bringing the community together in a renewed discussion. We decided to use our PATS project conference to provide a space to discuss ‘Privacy and Accountability’. The discussions which took place at the conference established some of the central tenets of this collec- tion. The fact that Priscilla Regan, Charles Raab, Colin Bennett, and Paul de Hert did not hesitate to give keynote speeches when invited and then also developed their ideas into chapters for this book convinced us that we were indeed on the right track. We hope that providing these contributions in one volume will add to the current debate on account- ability and the management of privacy.