Citadel of the Blogs The Inbox of the Internet (really)

the bread of life

Posted on March 16th, 2007. About Uncategorized.

Recently, I’ve begun a pet project with my wife and son (six years old): he picks a food and together we research its origins. So, for example, he chose bread. This is a food that is highly charged in many religious food contexts. So we went through the basic ingredients (flour, water, salt, sugar, yeast) and I provided pictures of where each of these comes from (wheat stalks, grain; salt mines; sugar beets or sugar cane; fungi). And then we glue the pictures in a circular wheel around the central image, bread. The idea is to give him a holistic sense of where the things in our borderless grocery stores come from.

the connection, of course, is that holism is the view I am trying to instill within him. chocolate? how many of us have seen actual cacao plants? yeast? how many of us connect this with mushroom fungi? let alone baking soda, baking powder and other leavening agents.

the concept of leavening is suffused with religious imagery. the invisible “hand” that makes bread rise. so by analogy, the leaven of society is that which creates a profound effect (“rising”) while never actually being seen or noticed. leaven of heaven indeed.

well, how’s that for a little leavening of your day?

haha

Privacy: What is it?

Posted on March 16th, 2007.

Blogging is inherently fraught with privacy issues. So is email. So, for that matter, is anything and everything done on the Internet.

So what?

I don’t want to talk about identity theft. I just want to rant about privacy. Not the lack of it, either. Just what the heck is it and why does it matter? And that comes back to what you say online (blogs, email, social networking sites, discussion lists, dating sites, job hunt sites, etc.), at work (e.g. email) or just your general habits (online surfing activity, search strings, etc.). All of these things reveal something about you. So the question is, do you control that information once it gets “out there”? And if you don’t, who does?

There are two classic definitions for privacy: (1) the right to be left alone; and (2) the ability to control information about oneself. I would argue that American notions of privacy hinge on the first (reasonable protection from search or seizure) while the ROTW notion of privacy stands instead on the latter.

It might surprise Canadians to learn that the American notions of privacy do not apply to us (thanks to TV we are often “told” it does). In simple terms, the American “right to privacy” just means the “right to be let alone.” Naturally, this applies to Canadians (thanks to Article 8 of the Charter of Rights). But in terms of privacy, Canada is whole hog ahead of America.

This is because the American right to be let alone has more to do with Fourth Amendment guarantees from seizure or search of property than control over one’s privacy. However, the Fourth Amendment only protects against searches and seizures conducted by the government. Invasions of privacy by persons who are not “state actors” must be dealt with under private tort law. “Tort”, based on the Latin word for “wrong”, just means any accidental or intentional wrong against which individuals can launch civil suits. In civil law, as opposed to criminal law against the state, a court may award money damages to the injured party so that they will “suffer the pain” caused by their action.

So, if we are talking about the American federal government then, yes, America has a Privacy Act that protects information held by the federal government (though the Patriot Act has certainly weakened even this). However, if the information is controlled (there’s that word) by a company, the issue is not backed by this law and is relegated instead to tort law.

Clear as mud?

In point of fact, it is precisely because America does not have a comprehensive privacy protection law that it has the most privacy laws of any country in the world. The reason is that every time a new privacy issue emerges (health, banking, Internet, etc.), a new statute results, targeted at the recent major public scandal.

So America has the Privacy Act, the Federal Trade Commission Act, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Cable Communications Policy Act, the Cable Privacy Protection Act, the Electronic Communications Privacy Act, the Computer Matching and Privacy Protection Act, the Tax Reform Act, the Right to Financial Privacy Act, the Video Privacy Protection Act, the Telephone Consumer Protection Act, the Drivers Privacy Protection Act, and the Children’s Online Privacy Protection Act.

Sound comprehensive?

It isn’t.

It is frequently said that one of the fastest growing professional designations in the corporate world is “Chief Privacy Officer”. This is true of America as it is elsewhere. Would it surprise you then to learn that America doesn’t have a Privacy Commissioner? Neither at the federal nor state level. In contrast, Canada has both. I am in Ontario, for instance, and there is not only a provincial Information and Privacy Commissioner (Ann Cavoukian), there is also one at the federal level (Jennifer Stoddart).

So what?

Well, for one thing, if you are American, are you more concerned with governments invading your privacy? Private organizations invading your privacy? Or both?

The correct answer, I’m sure you will agree, is “both”.

Enter the value of codifying “Fair Information Principles” into an omnibus privacy law at the federal level. “Fair Information Principles” refers to privacy principles developed successively by the OECD in the eighties and the CSA in the nineties. Almost all privacy laws today stem from these. So, in that sense at least, Canada has been at the vanguard of privacy initiatives.

Yet oddly, I would say Canadians generally know much less about their privacy rights than Americans. Whereas it is clear that Americans must fend for themselves, in Canada individuals have the right to inspect and correct their personal information federally and provincially and must have some recourse should their access or privacy rights be violated. But do people know this? And more importantly, do people know what this means?

Why it matters is quite simple, really. I think Maher Arar would most definitely have liked to be able to access the information the Canadian government had on him and, subsequently, correct it.

So the way in which Canada and America approach privacy differs fundamentally at the conceptual level: in America, it is a “sectoral approach”: each industry sector gets its own privacy law protecting personal information, e.g. financial, health care, video rental records. In contrast, Canada, the EU and APEC take a “comprehensive approach” and establish laws that treat privacy as a fundamental human right. Period. Full stop.

This is one of the biggest differences between privacy in the States and the ROTW: protection based on the “right to privacy” is not the same as protection based on quasi-constitutional “ability to control information about oneself”.

To better understand this, we should go to the really philosophic people: the Germans. German law has nicely captured this in the phrase, the “right to informational self-determination” (in German, Recht auf informationelle Selbstbestimmung). Remember that phrase. If your attitude toward privacy is like mine, you’ll come back to it later.

Based on the German Constitution (Articles 1 & 2, sections 1), the “right to informational self-determination” means that, in Germany at least, every collection of personal data unauthorized by those who are subject to it violates civil rights and is thus unconstitutional except in those cases when it is in the “prevailing general interest”, is regulated by law and proportional.

The upshot of all this is that Germans felt such protection was necessary and proper. Why? And why don’t the Americans? I submit that it was in part due to the unique violations of privacy that Germans endured at the hands of Hitler and co. that have left a singular and indelible imprint on the German mindset. People who have lived in a totalitarian society frequently attest that what often felt most oppressive was precisely the lack of privacy. I get this because when I lived in Japan I noticed that the Japanese were equally alarmed at being monitored and extremely suspicious of online transactions. This ultra-scepticism never made sense until I started looking into the German concept of privacy. Viewing privacy attitudes in Japan today against the backdrop of its total lack during WWII is a helpful way for me to see it.

At this point, I think it is helpful to step back and review this word “privacy” more closely. If the distinction between “right to privacy” versus “right to control one’s information” is not clear, it might be helpful to discard the notion of “privacy” altogether. Privacy is vague and ill-defined. More often than not, it is an experience one has, not a state of data. One only truly understands privacy when, ironically, one loses it. That is why some of the most ardent proponents of privacy protection are public figures who, really, have very little of it. The rest of us can just go on blogging our merry little hearts out.

What is privacy then? A better way to think of it may be as “genres of disclosure”: the expectation to disclose this information but not that, under these conditions but not those, to this but not that person, and to use information in this but not that way.

In this sense, privacy is more about patterns of managing information than anything else. And I think that gets a little closer to the truth: privacy is nothing more than use. That’s it. Simple. Privacy for an individual (and especially the lack of it) is an experience, as I have said. But for the organization, privacy is use. No more, no less.

By the way, does it surprise you to learn that privacy is not security? True, you can’t have one without the other. But the term “privacy” subsumes a much broader spectrum of protections that extend beyond security alone.

Look at it this way: of the ten Fair Information Principles referenced above, only one directly references security:

1. Accountability
2. Consent
3. Limiting use, disclosure, and retention
4. Safeguards
5. Individual access
6. Identifying purposes
7. Limiting collection
8. Accuracy
9. Openness
10. Challenging compliance

To put this in perspective, I mentioned before that the newest rising profession was Chief Privacy Officer. Well, what is the difference between a Privacy Officer and a Chief Security Officer? Whereas the Security Officer seeks to optimize organizational control, the Privacy Officer seeks to maximize personal control. See the difference in emphasis?

Coming back to the idea of use, privacy really means how information gets used by an organization. Are they collecting too much of it (using too much)? Are they giving it to others inappropriately (using it inappropriately)? Did someone hack into the system and steal it (use it criminally)?

I predict the future is all about privacy, and organizations as well as individuals will have to become much more prepared to answer such questions as:

Why are you asking for this information?
How will my information be used?
Who will be able to see my information?
Will there be any secondary uses?
How can I control my data?

Finally, I want to address the importance of having a privacy commissioner here in Canada. It doesn’t matter that the commissioner’s orders are not binding on courts: the sole purpose of a commission, like a Chief Privacy Officer, is to raise awareness and champion the personal privacy rights of individuals. First and foremost, the commissioners should be helping citizens be aware of their right to informational self-determination.

To this end, the Ontario privacy commissioner has done a fairly good job in doctors’ offices. Each time you sit in the waiting room, invariably you see a poster explaining your rights. This is progress. But I think they could and should be doing FAR more when it comes to government and universities.

Second, the Privacy Commissioner is the avenue for recourse that can authorize investigations into privacy breaches. This is extremely important since consumers now have a fairly hefty threat.

So having a privacy commissioner is not the final answer. In some ways, it is yet another figurehead in the bureaucratic maelstrom that is government today. But, if nothing else, the commissioner’s office offers a valuable avenue for recourse. And without doubt she is a powerful player on the minds and consciences of businesses that fall under her purview.
