Privacy is a notoriously slippery topic. Even the word "privacy" has eluded universally accepted definition. Yet information privacy (aka data protection) law is really pretty straightforward, even if the implications of these laws are counter-intuitive for some. A degree of ignorance of privacy law has led to some infamous missteps. Here I'm going to review data privacy law, and look at how some of the big Internet brands continue to misunderstand privacy technicalities, at their peril.
There can be endless arguments about the meaning of privacy. Not only is it intensely personal, it also ranges across philosophy, human rights, civil liberties and politics.
Sometimes people try to analyse privacy rights through the legal frameworks of copyright or even data ownership, but these are not fruitful approaches. Copyright of course is a thorny issue; intellectual property rights are controversial in cyberspace and they seem to only complicate privacy. As for "ownership", well philosophers are still working out what they can even mean for data. In practice, far too much personal data is now collected behind our backs, via algorithms few are aware of, for ownership to operate. Big Data outfits may indeed claim ownership of the fruits of their proprietary processes. So we need a privacy frame that affords individual reasonable rights regardless of who "owns" the data in question.
Australia's Privacy Act, like most such information privacy and data protection law worldwide, neatly side steps the moral and philosophical minefields.
Paradoxically but helpfully, the contested words "private" and "public" don't even figure in Australia's Privacy Act. Instead the focus is on Personal Information -- namely any information or opinion about an individual where their identity is "apparent or can reasonably be ascertained" -- and how it is handled. Note that the definition captures a lot more than personal details expressly provided by forms and questionnaires; it includes any data at all associated with an individual.
Consultants often advise that privacy and security are different things. And so they are, but more even importantly, privacy is only partially related to confidentiality and secrecy. Privacy is really all about control. It may be counter intuitive but anonymity is not necessary for privacy; and by the same token, neither does having details about oneself in the public domain mean that data escapes all privacy regulations. For information privacy, simply stated, is a state where organisations respect the knowledge they have about you, and are restrained in what they do with it.
All information privacy or data protection law (in jurisdictions that have it) centres on the following principles, among others:
― The Collection [Limitation] Principle means a business generally cannot gather (or acquire or even generate) Personal Information if it is not required for a defined business function, and without the individual's consent (even if the data in question is collected from the "public domain"!)
― The Use & Disclosure Principles (also known as Purpose Specification) mean that information gathered (or created) for one purpose cannot be used for unrelated secondary purposes without consent, nor can it be disclosed to unrelated parties.
― The Access & Correction Principles mean that an individual usually has the right to be given access to all Personal Information held by a business about them, and to have any errors fixed.
Some of the implications may be surprising, especially for technologists.
Privacy law is blind to how information is collected. It basically doesn't matter how Personal Information comes to be in your business; even if Personal Information is generated internally from audit logs, traditional evaluative processes or the newer Big Data wizadry, once you have it, you are deemed to have collected it according to privacy law and as such, you are accountable for it. Moreover, even if Personal Information is collected from the public domain, it may still be subject to privacy law.
In that respect, I like to point out the little known crime on many statute books of "Theft By Finding". In some jurisdictions, if you lose something valuable, you do not lose ownership. In Australia for instance, if I accidentally drop a thousand dollars and someone picks it up, then it is still my money. There have been prosecutions of people who find valuables and fail to hand them in to police. Likewise, from a legal point of view, if my valuable Personal Information is accessible "in public" it does not automatically follow that anyone else is free to pick it up and use it without my permission.
Technologists may find many laws counter-intuitive, but you know what they say about ignorance being no excuse.
[Update Feb 2013: A couple of more recent cases have highlighted also the difference between anonymity/secrecy and privacy. In many places and especially Europe, privacy is much more about granting people control over how their Personal Information is used, than it is about keeping all information secret. Therefore when anonymity is occasionally lost, individuals still have rights and legal recourse should their information be abused. The best example is that European regulators found Facebook's facial recognition processes to breach the Collection Limitation principle and had Facebook shut it down. The lesson is: big data processes or biometrics may give technologists fabulous powers to re-identify anonymous or 'public' data but those powers cannot be used willy-nilly. Another potential test case is that of the 'DNA hacking' reported in early 2013 where bioinformaticians cleverly used genealogical data from public websites to re-identify anonymous DNA donors. And then we have Google Glass which will inevitably generate boundless identification of people and objects captured on video in your daily walk through life. "Boundless" that is if Google disregards the Collection principle. See also my recent post "The beginning of privacy". ]
An important recent case is Google's collection of Wi-Fi data from open home networks by StreetView cars. Some argue it's careless for people to not encrypt their wireless setups, but the fact is that data gathered by sniffing networks is subject to the Privacy Act if it relates to individuals that can be identified (and with Google's vast linked databases, working out identities is assumed to be within their powers). A person has not agreed to the exploitation of their information merely because they might be lax with their security.
Some say privacy law hasn't kept up with technology. For the most part, established principles-based information privacy law does work well in cyberspace, for it is fundamentally all about the rights of individuals to have some control over who knows what about them. Information privacy principles are a powerful and straightforward way to analyse personal rights even in dynamic and complicated settings like online social networking. So conventional information privacy law is being used in Germany and elsewhere to curtail the more excessive practices of Google (collection of personally identifiable Wi-Fi transmissions) and of Facebook (generation of biometric templates from photo tagging and re-use of those templates to identify people in images data).
Yet networking technology does challenge privacy principles. We all know why Facebook, Twitter, Google and LinkedIn offer such fantastic services for free: it's because they're generating vast commercial value from the network information and Big Data they're amassing. Information privacy law requires that individuals be informed as to why Personal Information is collected about them and how it's going to be used. But if sophisticated data analytics and ever increasing networks of information lead to discoveries that aren't apparent until critical mass is reached, then it's actually impossible to inform members up front about the precise collection purpose. Instead, businesses should share more of the spoils of social networking with their customers, who typically gladly opt in if properly rewarded for participating in what is still a great big experiment.
This fundamental clash with the Collection Principle is the only case I know of where technology really has outstripped information privacy law.
[Update Feb 2013: I have subsequently started to research new ways for Big Data processes to embrace privacy; see my Constellation Research work on "Big Privacy" and the recently published paper The collision between Big Data and privacy law. ]
Good clarification on the definitions. I always use the analogy that Private information isn't necessarily confidential - my salary, health, family information etc is (or can be) private, but my bank details are confidential. One is a personal choice, the other is a must.