This week, the 34th International Meeting of Data Protection & Privacy Commissioners, is taking place in Punta del Este, Uruguay. The meeting brings together leading decision-makers and stakeholders from all over the world to discuss and [at least attempt to] resolve pressing privacy-related issues. The week kicked off with the Public Voice meeting, hosted by civil society representatives and canvassing a breadth of public policy issues.
One matter of interest that was explored during a highly informative panel on civic participation and e-voting, raised the question of whether public sector Privacy Impact Assessments should include a mandatory public consultation stage. The argument in favour, of course, being that it leads to greater transparency and engagement at the development stage of a program as opposed to at the fait accompli stage. The argument against being a quite sensible one — that it may undermine what is currently an effective tool by discouraging state entities from including comprehensive explanations in PIAs. Indeed, the moment a PIA process becomes adversarial, the entire dynamic of the interaction may well change. Disclosure may become less robust, and recommendations may be viewed with a much more sceptical eye.
On the other hand, it is undeniable that incorporating some form of public input into the PIA process will enhance public engagement. Often this will come at a critical formative stage of the process, before harmful elements become entrenched so deeply into a program that circumnavigating them becomes a problem. On this premise, the PIA process employed by the UK includes an early stakeholder outreach stage, where a background paper is prepared and shared with relevant stakeholders for discussion and envisions a PIA consultation group constituted of relevant stakeholders.
Of course, the UK PIA process itself is voluntary, so it is not clear to what extent the need to publicize a project at its early stages might act as a deterrence to conducting one altogether. This may soon change, as the EU is in the process of adopting a mandatory PIA process into its update of Directive 95/46/EC, its core privacy framework. Articles 33-34 of the proposed update will make PIAs mandatory. It further mandates data protection authorities to make public a list of any and all PIAs under review for presenting specific risks to the rights of individuals (Article 34.2(b)).
The Canadian PIA process is already mandatory for any proposed government program that raises significant privacy risks. However, there is no formal stakeholder input phase to the Canadian process whatsoever. Indeed, the only mandatory public element of the Canadian PIA comes at the end of the process, which obligates Government agencies to publish a summary of the completed PIA on its website. As it operates on a recommendations basis (the OPC has no power to compel any changes to a give program, only recommend), the more adversarial process that might result from an injection of stakeholders might be less desirable in this context (absent the power to compel compliance, of course).
In spite of this, should thought be given to updating our PIA process? If not the full UK measure of infusing stakeholder consultations as a mandatory component of the PIA process, is there potential benefit to the half-measure envisioned by the EU revisions? A PIA registry, for example, would greatly enhance engagement by making stakeholders aware of what potentially invasive programs are being planned. This can then form the basis for further engagement through follow-up inquiries or by the use of access to information tools.