In the next few weeks, I will look to do a few posts about privacy and surveillance. Privacy has evolved into a sweeping concept including within its scope matters pertaining to control over one’s body, physical space in one’s home, protection from surveillance, and from search and seizure, protection of one’s reputation as well as thoughts. This generalized and vague conception of privacy not only comes with unwarranted judicial discretion, it also thwarts a fair understanding of the subject. Robert Post called privacy a concept so complex and “entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that [he] sometimes despairs whether it can be usefully addressed at all.” This also leaves the idea of privacy vulnerable to considerable suspicion and ridicule. Jonathan Franzen called it the Cheshire cat of values, not mush substance but a very winning smile. I will look to break down some of the ideas of how we can understand privacy in this series of posts.
In this introductory post, I will look at a specific aspect of privacy and personal data that has bothered me for some time. The ideas of privacy and data management prevalent can be traced to the Fair Information Practice Principles (FIPP). These principles are the forerunners of most privacy regimes internationally like the OECD Privacy Guidelines, APEC Framework or the nine National Privacy Principles articulated by the Justice A P Shah Committee Report which is reflected in the Privacy Bill, 2014. All of these frameworks have rights to notice, consent and correction, and how the data may be used as their fundamental principles. What this system does is that it makes the data subject the decision-making agent about where and when his personal data may be used, by whom and in what way. The individual needs to be notified and his consent obtained before his personal data is used. In case, the scope of usage extends beyond what he has agreed to, his consent will be required for the increased scope. He should have the ability to access and correct his data after providing his consent. In theory, this system sounds fair. Privacy is a value tied to the personal liberty and dignity of an individual. It is only appropriate that the individual should be the one holding the reins and taking the large decisions about the use of his personal data. This makes the individual empowered and allows him to weigh his own interests in exercising his consent. This approach worked well when the number of data collectors were less, the uses of data was more narrow and more defined. However, with their being data collectors for every application or website used, and the data being shared with third parties and complex data sets being created, it is humanly impossible to exercise rational decision-making about the choice to allow someone to use our personal data.
A number of scholars seek a more paternalistic solution to this problem. Julie Cohen looks at the social value of privacy and argues that individual should not have the choice to waive their privacy in a number of cases. In this analysis, privacy exists not only to articulate an individual’s right to self determination, it also exists to perpetuate a certain kind of society. The outcome of such a solution, however, is to take the choice away from the individual. Give the fact that this choice is being exercised so badly, one may feel that it is not such a bad thing. However, often the outcomes of data processing have both positive and negative externalities and it seems unfair to restrict behavior in the absence of clear and demonstrable harm.
The impact of huge and self-defeating obligation of data self management on individuals has been commented upon widely in the last decade. The OECD appointed an Expert Group to re-examine the guidelines. Based on its recommendations, the OECD updated its Guidelines with import changes on accountability and security breach. However, the Expect Group preferred not to touch the basic principles of notice and consent. Later another group moderated by Viktor Mayer-Schönberger recommended more fundamental changes to the guidelines, particularly replacing the Collection Limitation Principles with a Collection Principles that puts greater obligations on the data controllers. Most reforms to the system suggested are centered around making privacy policies simpler and the implementation of an an ‘opt-in’ as opposed to ‘opt-out’ system using clickwrap arrangements instead of browse-wrap where the default is for greater privacy that you have the option of manually waiving. However, they only touch upon a limited aspect of the problem and are very difficult to mandate.