Information Privacy in theDigital Age – Introduction

Spring 2016Dr. Tal Zarsky[University of Haifa – Faculty of Law]

Introduction to Introduction:

Various privacy problems addressed in the public debate and technological discourse

Strive to address both theory and practice Will map out main issues here addressed

Why Privacy is “Exploding” Now• Collection:

Omnipresent, Quantity leap, Quality leap

• Analysis:Digital environment, easy to “warehouse”

• Use: Narrowcasting, tailored content and the “feedback loop”

The Challenge of Identifying Privacy ProblemsPrivacy concerns:• Privacy is a “tricky” concept• Three “mega” problems stemming from the

collection of personal data:(1) Fear the data will be used by government, or passed on to it(2) Fear of the collection of personal data per se (collection on its own is bad enough)(3) Fear of the specific detriments stemming from the use of personal data (the “so what?” approach)

Identifying the problems – Fear of Collection per se Specific concerns:• Loss of control over data, self-

monitoring, conformity, inability to form intimacy, loss of autonomy

Overall response – social adaptation

Identifying the problems:Metaphors we live by The powerful metaphors (and the

problems they cause): “1984” Kafka (“The Trial”, “The Castle”) “Brave New World” Bentham’s “Panopticon”

Common responses to “Privacy claims” Privacy creates:• Social costs: reputation, search

expenses (waste)• Security costs (inability to track

terrorists, criminals, diseases)• Free Speech Arguments (Sorrell)

Identifying “actual” problems• Abuse• Discrimination:

(1) In general(2) Problematic Factors(3) Based on prior patterns of behavior

• Autonomy and Manipulation

Autonomy: Difficult and problematic concept “insight” into the users preferences

allows content providers to effectively manipulate them

On the other hand, autonomy possibly compromised when personal data analyzed without consent.

Overview of solutions (1) “The Right of Privacy” (1890) Torts – the Four Privacy Torts (Prosser, 1960): Intrusion,

Disclosure of Private Facts, False Light, Appropriation – garden variety of rights

The EU Directive – and overall perspective (understanding secondary sale & secondary Use; Opt In vs. Opt Out)

The Fair Information Practices – Notice, Access, Choice, Security and Enforcement In the EU – also purpose specification, minimization, proportionality.

The U.S. Patchwork – Protected realms - Health (HIPPA) Protected Subjects - Children (COPPA) Protected forms of Data (“Sensitive Data”)

Overview of solutions (2) Why Torts (usually) fail – and the realm of today’s

data collection Example: DoubleClick and “cookies”

The contractual and property perspective (for example: default and mandatory rules) The technological solution (P3P, Lessig)

The shortcoming Market failures (high information and transactional

costs) – people are happy to sell their privacy for very very cheap!

Negative externalities (inferences from one group to another, and from group to individual

Loss of Benefits (loss of subsidy to start ups, loss of data derived from analysis)

Classic Privacy Themes Theories of Privacy and their Critiques The Privacy Torts/Privacy and/in the

media Privacy and the Government

Digital Surveillance, National Security Using Private Data Sets/Data Mining

Privacy in the Commercial Realm Online Privacy/Behavioral

Marketing/Privacy by Design

Classic Privacy Themes (2) Anonymity, Pseudonymity, Identity and

Transparency Data Security, Cyber-security, Cyber Crime Social Networks and Online Social Networks

Uniqueness of exposing a social graph Medical Privacy

The curious case of genetic information Privacy in the Workplace (monitoring,

evaluating, recruiting)

Data Protection and the EU 1995 – the EU adopts the Data

Protection Directive A Directive sets a minimal standard.

Broad spectrum of levels of adoption throughout the continent.

Directive premised on FIPPs. Sets jurisdictional boundaries and relies

upon the work of DPAs.

Foundations of EU Privacy Law European member states adopt data

protection laws. EU Charter of Rights now includes

privacy and data protection. Therefore court can strike down

Directives. Digital Rights Ireland.

ECJ – relevant court Growingi set of case law.

Regulating Data Transfers Data may not be sent beyond the EU –

unless specific exceptions apply: Specific agreement (safe harbor) Adequate country (Israel, Canada). Consent Internal compliance programs.

And other options… Faces substantial challenges in the

age of cloud computing.

Next for the EU – the GDPR Regulation vs. Directive Subject to substantial lobbying

pressures. Enhanced Jurisdiction Additional provisions. Substantial fines.

Extending the EU’s Influence EU Market is substantial

Yet effects firm’s outside the EU. International firms apply a uniform

standard – the EU standard. Difficult to explain to domestic

consumers why they are worse off. A new form of colonialism?

Yet some countries push back.

US/EU Safeharbor (cancelled) U.S. received special “treatment”:

U.S. firms registered and were supervised by the FTC.

In Schrems, the agreement was struck down. Argument: insufficient redress w/r/t the

risk of government surveillance. Important lesson regarding the power of the

individual.

Shield Agreement Yet to be approved. Supplemented by laws providing

redress by EU citizens towards the USG. Main complaint against Safeharbor – too

lax enforcement by the FTC: Lack of incentives. Lack of manpower.

Discussions as to how this could be corrected.

Next Steps on the International Level GDPR compliance Agreements in Asia

Additional European Sources Council of Europe (CoE) OECD documents. ECtHR rulings (based on the HR

charter).