Privacy, Data Protection and Security Balance

The United States is in the midst of a dramatic refashioning of how we handle "personal" information. An energetic and effective political movement is under way to create laws that mandate control of so-called "personally identifiable" data. This is not a "privacy" issue in the traditional sense. It is an issue of data control. More important, while there are aspects of this movement that are valuable developments in the information age, a balance needs to be drawn that, in the present political environment, is sometimes ignored. That balance is between your "right" to control use of information about you, and my "right" to speak and to use knowledge obtained other than under a promise of confidentiality.

Traditional privacy law in this country emphasized protection against intrusion by the state and limited protection against intrusion by private parties for truly private information, all as counterbalanced by First Amendment rights. In stark contrast, data protection laws focus on the relationship between private parties as to data that is often neither confidential nor truly private, and aggressively create rights of control and obligations of care. This is based on a position that, regardless of actual harm or embarrassment, an individual should have a right to control information about that person even when that information is voluntarily given to or created with another person. In practice, the person on whom obligations are placed is often a business or a professional enterprise. The image of the protected party is that of a consumer.

The ideas behind data protection law often come from concerns of personal autonomy ("I have a right to control what is said about me"), risk of loss ("Data may be stolen or misused in the form of identity theft or other crimes"), mistrust ("Companies and governments know too much about me"), and fair practices ("Companies should tell me what they are doing with 'my' information"). Each of these has value, although we could debate how much value or risk is involved and what trade-offs are made.

But there are offsetting values and, for each new rule, costs that need to be considered during the rush to a data protection world. Consider, for example, the idea that medical data should not be disclosed without consent. That is simple enough, but how far does it go? A Ms Lindqvist in Europe discovered one day that it reached far enough for her to be sanctioned for posting on a church news website the fact that a co-worker had an injured foot and was on half-time leave. In the United States, a law creating such a result should be precluded by the First Amendment. The foot injury was neither a secret nor an embarrassing fact. One person's right to speak certainly offsets another's right to prevent that speech in many cases.

U.S. law has allowed free use of non-confidential information that was properly obtained. In effect, we have long treated each person who knows the information as a type of owner of it, with the right to use the information for lawful purposes. That premise should not be readily discarded. Doing so may restrict the flow of information and discussion typical of free societies, and may impose costs, deny benefits and prevent innovation that often will outweigh the data protection gain. Consider the following example:

A parcel delivery service makes available an online parcel tracking service. The company stores on its website the signatures obtained from persons who receive parcels. By keying in a Parcel ID number, the person making the shipment or expecting to receive it gains access to information about where the parcel is, its delivery status and, once delivery is completed, the recipient's electronic signature; access to that record turns on knowledge of the Parcel ID alone. Although the company may allow recipients to sign on paper (which some want to do), drivers require electronic signatures (e.g., on the driver's hand-held pad).

The system provides ready verification of the delivery and protects the data absent abuse. The Canadian privacy office nonetheless decided that the system violated that country's data control law: the electronic signatures were not required to fulfill explicitly specified and legitimate purposes of the company (even had the company disclosed the intended use of the signature to the signing party). The purpose for collection, indicating receipt of a parcel, could have been fulfilled by other means: a signature on paper. The objection, in other words, was not that the data was exposed or misused, but that more was collected than the stated purpose strictly required.

There is also an inherent tension between rules intended to protect individuals, such as mandated notices of security breaches, and preventing fraud. A notice that conditions people to expect unsolicited messages about their accounts is a ready template for a fraudster. For example, a California rule that requires notification to individuals of any security breach in a data system containing certain information identifiable to particular individuals had one immediate impact in my life. Shortly after the law was passed I received a notice of a breach affecting my Citibank account. The fact was that I had no such account and the notice was an attempted fraud playing off the California law.

Data protection rules, to the extent that they give rights to an individual, place commensurate restraints and costs on the other party and on the transactions in which the two parties engage. This does not mean that the costs are excessive in all cases, but the costs and behavioral effects must be considered. In many cases, the evolution of the digital society will be better served by taking no action to dislodge the core assumption that factual information obtained properly can be freely used, or not used, by each person who knows the information or possesses it.