CFP'93 - The Proper Face of Privacy
by Robert Ellis SmithPublisher, Privacy Journal
Contrary to what newcomers to the issue often claim, privacy is a well defined concept in the information age. It is not the nebulous, subjective concept they would have you believe.
Privacy in the information age is the claim of individuals to determine for themselves when, how, and to what extent information about them is communicated to others. Virtually all privacy specialists agree on this.1
The complaint that data-privacy protections restrict free speech is similarly overstated. Clearly, news coverage of private individuals is restricted when we protect the privacy of those individuals. In addition, the ability of all of us, whether part of the news media or not, to say absolutely anything we want is restricted to the extent that an individual denies us facts about himself or herself - or sues us for an invasion of privacy after the fact. But it is not true that the regulating of credit or financial or medical information about individuals is a denial of "free speech" in the same way that censorship of political expression is. The Supreme Court has said that.2 "Commercial speech" has traditionally enjoyed a significantly diminished recognition under the constitution, as distinguished from political expression or "pure speech."
Restricting the dissemination of facts and figures about individuals in commercial data bases does not restrict the right of people who own those data bases to express their opinions freely, without governmental interference. It simply regulates their processing information concerning others.
Critics of privacy come from both directions now. There are, on one side, the libertarians saying that privacy ought to be governed by market forces, by the rules of contracts. On the other side, there are the information mongers, saying that any information collection ought to be legal, that the only people who care about privacy are those with something to hide.
I fail to see how the "contract" theory covers most privacy situations. It is occasionally appropriate in cases of insurance companies, retail stores, and employers gathering information. Theoretically, we have a right to negotiate, to shop around for the company that respects our privacy the most. (Let's be clear that this is usually only a theoretical right; in practice, it's difficult for a lone individual to negotiate with large companies on auto insurance, health care, education, and similar necessities.)
The idea doesn't work in most privacy contexts. For a contract to be binding, there must be a mutuality of interests between the parties, what lawyers call "privity." There is no such mutuality between a credit bureau and the consumer; the consumer has no leverage with the credit bureau, unless a state or federal law creates it. Nor is there any mutuality between a private citizen and a news publication. How far do you think you would get arguing that a newspaper violated some contract with you by disclosing intimate details of your life? And how far would you get arguing that a government agency had to negotiate contractual terms with you before creating a computerized criminal history on you? How far would you get insisting that an information broker breached a contract with you by selling your Social Security number to a client?
Like it or not, it is laws, regulations, and Constitutional provisions that protect our privacy, except in limited commercial contexts where the contract theory makes pragmatic sense.
And how about the information brokers, who claim that they should not be restricted in any way in gathering and disseminating personal information about us? They reject most attempts by individuals to prevent information dissemination without consent. They reject legislation that sets ground rules for fairness.
Would any of us want to live in a society where there were no rules at all about selling personal information about ourselves? This would mean that virtually any fact about us was on record somewhere, in the hands of strangers - in the hands of strangers with sophisticated electronic resources for storing, merging, telecommunicating, marketing, and manipulating the data. (Why is it that sophisticated high-tech is rarely put to use to keep personal information secure and accurate?)
As Alexander Solzhenitsyn has written: "As every man goes through life he fills in a number of forms for the record [that become like invisible threads]. Every man, permanently aware of his own invisible threads, naturally develops a respect for the people who manipulate the threads."
If that becomes the situation in the United States of the future, each of us as citizens will be deterred from taking risks, from making mistakes, from doing unorthodox things, from using our full creative energies (for fear of doing something that would be perceived later as embarrassing or anti-social). We have seen societies like this - either in Orwellian literature or in reality - and we know that they are not creative, constructive, or humane societies.
I for one would not care to live in a society where everyone around me "kept his nose clean" for fear that information "on the record" someday would deprive him of insurance, or credit, or a job, or a decent reputation.
There is a reason for privacy. It protects those areas of our lives where we need elbow room - and a shield from strangers - in order to grow and to experiment. Nothing worthwhile, whether a flower or a human being, grows into a healthy organism without some period of incubation in darkness.
That is privacy.
(Paradoxically, increased secrecy and solitude for individuals enhances free expression, by allowing for the nurturing of new ideas to express.)
But data-protection and privacy is costly, we are told. It retards technology and it increases the costs of goods and services, they say.
In fact, the studies of database privacy over the years have shown that when privacy restrictions are included in the design of new systems the costs are minimal. In fact, there can be a cost savings. When privacy protections are designed to assure more accurate files and to establish meaningful contacts with customers or other data subjects they bring about more efficient data management, at a savings.
It is when systems have to be retrofitted to accommodate consumer privacy demands that the costs run up. Government agencies and corporations are slow to learn this lesson. Look at the aft-backwards ways that the FBI built its Computerized Criminal Histories network or the credit bureaus "designed" their networks or the federal National Driver Registry was set up or the telephone companies have had to redesign their Caller ID offerings.
What then is the appropriate way to accommodate the demands of personal privacy and information management?
One way is to look at a personal data bank precisely in the way that the language tells us: as a bank.
Assets (whether information or money) may be borrowed from a bank. That is what a bank is for. The borrowers are obligated to return the assets (whether information or money) when finished using them. Borrowers are obligated to take care that the assets are not lost, or diminished, or used in ways that were not stated when they were borrowed. Borrowers expect that during the terms of the loan their use of the assets will be carefully monitored by the owner of the assets. (In the case of a data bank, this would assure data subjects that information about them is being used properly.)
Borrowers are obligated to pay for using the bank's assets (whether we call the payment royalties or interest). The original owner of the assets (the person who is the subject of the data file or, in the case of money, the individual who lends it to the bank) is entitled to payment after the bank deducts its share.
In the case of data banks, the royalties paid could be in the form of barter or discounts on other services or special considerations. Requiring the payment of a royalty for the use of information would serve to limit marginal requests for personal information. It would serve to notify the individual of uses of personal data. It would serve to expose data uses to the light of day and thereby permit timely opportunities for correction of erroneous information in the data bank.
This proposal to apply the banking concept to personal information does not mean that we must create one huge data bank - or even several. It merely means that we apply the principles of lending and borrowing to personal data wherever it is currently stored.
A variation on this idea envisions the individual himself or herself carrying his or her private information on a chip or other media, thereby controlling day-to-day who borrows it.
Organizations that do not want to pay royalties nor to abide by banking principles would simply be unable to sell, rent, or otherwise disclose personal information; they would be free to use the information only internally for the purpose for which it was gathered.
In looking at commercial and government data banks in this way, we in a sense create a contractual relationship. And we come to understand that people concerned about their privacy do not necessarily have something to hide. They simply want to participate in the profiteering. That is another way of saying that they want to gain some measure of control over when, how, and to what extent information about themselves is communicated to others.
1 Notably Alan F. Westin, in Databanks in a Free Society, quoted in The Law of Privacy in a Nutshell by Robert Ellis Smith.
2 Dun & Bradstreet v. Greenmoss Builders, 472 U.S. 749 (1985).
Return to the CPSR home page.
Created before October 2004