I have spent a lot of time over the last few weeks talking about privacy in a variety of contexts. You have witnessed me move towards a more European view of privacy, actually. The problem we have with discussing the protection of privacy is a fundamental one – what the heck is privacy, anyway? If we can’t define what we are trying to protect, all of our protection mechanisms are doomed to failure.
I am going to spend this post trying to define what I think privacy is, and why the U.S. differs from Europe. I am not disregarding the rest of the world in this discussion. I just see these two jurisdictions representing two totally different ideas on why privacy should be protected. Next week I will expand on the difference between commercial privacy rights and governmental privacy rights and why you should stop reading Judge Brown’s decision that you don’t have an expectation of privacy when you leave your phone on.
Europe and U.S. – First Thoughts
I find it humorous, in an intellectually curious way, that it is not the United States where privacy is enshrined as a human right. The United States was founded on the idea of individual liberty and freedom, so where did we go wrong, assuming we are getting it wrong and Europe is getting it right?
In the White House’s January 2012 whitepaper Consumer Data Privacy in a Networked World, they recognized that “[c]itizens who feel protected from misuse of their personal information feel free to engage in commerce.” Therein lies the U.S. basis for protecting privacy. There is one other aspect of personal privacy and that is from the government. Because privacy is not a fundamental human right in the United States, it is protected differently whether you are a governmental entity or whether you are a business. Despite the most recent PRISM-gate, most of the privacy handwringing has been around commercial privacy misuse.
Europe, on the other hand, does not follow the almighty dollar (euro, in their case) to the exclusion of other interests. In fact, Ms. Isabelle Falque-Pierrotin, head of France’s data protection agency, says it best – “In Europe, we consider privacy a fundamental right. That doesn’t mean it is exclusive of other rights, but economic rights are not superior to privacy [emphasis added].” (Source – NY Times Article, November 11, 2012 – Guarding a ‘Fundamental Right’ of Privacy in Europe)
Even Article 12 of the United Nations’ Universal Declaration of Human Rights declares that “[e]veryone has the right to the protection of the law against such interference or attacks,” on their “privacy, family, home or correspondence, nor to attacks upon his honour and reputation.” As more and more nations become part of the global economy, I think the U.S. notion of why we protect privacy will slowly become a smaller and smaller minority.
Privacy is in the Eye of the Beholder
I talked way back on April 18 about how Creepy is in the Eyes of the Beholder. That was back in the days when I agreed that privacy was the grease that helped lubricate the wheels of commerce. I don’t know if I agree with that anymore, so going back to first principles, what the heck is privacy anyway? As defined by dictionary.com, privacy (noun) is:
- the state of being private: retirement or seclusion
- the state of being free from intrusion in one’s private life or affairs: the right to privacy
Sorry, dictionary.com, this is a most unhelpful definition for our problem and is a bit circular, don’t you think? Don’t be discouraged, privacy as a concept is “exasperatingly vague and evanescent,” according to Arthur Miller. Hyman Gross declared “privacy is infected with pernicious ambiguities.” Daniel Solove (one of the true pioneers in this space) wrote in ‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy that the “collection and use of personal information in databases [present] a different set of problems than government surveillance.” In the United States he is absolutely right. This is the problem with looking at privacy as a grease for commerce. Your privacy from the government is one thing, but what privacy you get from companies is only what they give to you. Apart from very specific areas, there is actually nothing wrong with a company telling you that they will collect everything they can about you, sell it to whoever walks in the front door, and use it for whatever purpose they want. If you look at privacy as a fundamental human right, you get a more unitary way of looking at it.
We are still left with the fundamental question of what are we trying to protect. Here lies the problem. What is private to me, is not private to you and is not private to someone else. Put 50 lawyers into a room and ask them this question, and you are apt to get more than 50 answers.
So let’s start with the whole universe of everything that describes us. Name, gender, DNA, credit card transactions, location information, online behavior, etc. While Solove does state that birth data, gender, address, marital status, etc. are not particularly sensitive, for some people they are. Should those people be forced to disclose it and have it used because it isn’t sensitive to most people? For some people almost everything can be public, including their medical condition and the treatment to overcome it. Should all that information be allowed to be used because some think it’s not sensitive? I do not want to be bound by what you think is private, because it is not private to me.
The Three Legged Chair of Privacy
It comes down to control, one of the legs on my three-legged chair of privacy, which also includes value and notice.
- Value – provide me value for the information that I not only share, but that you use. We all understand that Facebook is earning revenue by the sharing of our information. Should I get more value from Facebook because their advertisers know more about me, or can target me more explicitly? See Facebook’s Custom Audiences. Perhaps.
- Notice – well-stated and complete notice of what information is collected and how it may be used, both now and in the future. Well-stated means in plain language, so that your users understand, not your lawyers. If your users don’t understand what you told them, you are failing.
- Control – Proper notice allows the user to exert control at the beginning of the information exchange, and an equitable value exchange makes it palatable to the user. This also includes control over downstream uses at a time after the initial collection. If you are going to sell my marital status to someone 6 months after I told you, I should be told.
We Have Gotten Nowhere
Trying to define privacy is like trying to define consciousness. We will spend days on it, get nowhere and be tired. Understand that everyone is different, and that control for the user is what you should be thinking of. Society is changing. The Internet is causing a sea-change in attitudes about privacy and publicness. In a few decades our notion about what is private and what is public will have changed. However, individual user control is what will matter then, and it matters now. That is the only way it all works, both for human rights and as a grease for commerce. By being given control, I have trust, and by gaining the trust of users, providers get respect, relationships and revenue. Hey, another triumvirate, or hat trick if you live in Minnesota.