Home
| Databases
| WorldLII
| Search
| Feedback
University of New South Wales Law Journal |
[2] In this article, I examine the relationship between the concept of
privacy and data protection laws.[1]
In particular, I question the almost universal consensus that data protection
legislation exists largely to protect the ‘privacy’
of individual
persons. This depiction of the rationale of data protection legislation tends to
be accepted without serious analysis
of its veracity. It is my contention that
it is somewhat flawed.
[4] The failure to define privacy in data protection laws undoubtedly reflects the notorious difficulties that have plagued attempts to give privacy a precise, analytically serviceable and generally accepted meaning. At the same time, this failure is not necessarily a weakness in data protection laws: it can provide room for flexibility in their implementation. Further, the apparently inherent vagueness of the privacy concept enables it (and thereby data protection law) to assimilate and address a range of fears related to increasingly intrusive data-processing practices. Indeed, this characteristic undoubtedly helps to explain the protracted prominence of the privacy concept in data protection discourse. Moreover, data protection advocates have probably found it useful to adopt, in the words of Freund, ‘a large concept in order to offset an equally large rhetorical counter-claim: freedom of inquiry, the right to know, liberty of the press’ and so on.[3]
[5] Nevertheless, the failure to define privacy in data protection laws has a cost in so far as it detracts from the capacity of those laws for prescriptive guidance. A further cost is that it perpetuates the vulnerability of the privacy concept to the criticisms that it is incapable of definition, has no independent, coherent meaning and should be subsumed by other concepts.[4] This cost is difficult to tolerate for persons (such as myself) who see privacy as denoting a distinct value that is not adequately delineated by other notions, and who believe, accordingly, that normative discourse would be impoverished should this concept fall into disuse.
[6] Notwithstanding the above remarks, the concept of
privacy remains open to numerous definitions and an extensive debate has raged
over which definition is the most
correct.[5] Before examining the
various definitions, it is important to note that such a debate carries with it
various dangers, including underplaying
the multidimensional character of
privacy and overlooking the fact that law and policy do not always need to
operate with precise
definitions of values. Furthermore, the debate is difficult
to resolve conclusively because it rests to a considerable extent on
intuitive
assessments of how privacy should be commonly understood.
[8] At the same time, it is important to note that data protection laws rarely give persons an absolute right to dispense with data about themselves as they see fit. Thus, the laws are better viewed as manifestations of an interest in informational co-determination as opposed to self-determination. Furthermore, conflating privacy with control might serve to rob privacy of its conceptual uniqueness, and thereby detract from the force of privacy advocacy in the long run. Witness, for instance, the considerable criticism of United States (‘US’) case law on the constitutional right to privacy, in which that right has been used to address issues that essentially concern autonomy.[9]
[9] A further two groups of definitions characterise privacy in terms of non-interference and limited accessibility respectively. The non-interference definition gained prominence largely in the wake of the famous Harvard Law Review article by Samuel Warren and Louis Brandeis, who argued that the right to privacy in Anglo-American common law is part and parcel of a right ‘to be let alone’.[10] A leading example of the characterisation of privacy as a condition of limited accessibility is Ruth Gavison’s definition. According to Gavison, this condition consists of three elements: ‘secrecy’ (‘the extent to which we are known to others’); ‘solitude’ (‘the extent to which others have physical access to us’); and ‘anonymity’ (‘the extent to which we are the subject of others’ attention’).[11]
[10] Concerns about non-interference and limited accessibility can be found in numerous data protection provisions, especially those restricting the amount of personal information that can be gathered, the secondary uses to which the information can be put and the classes of persons and organisations to which the information can be disclosed.[12] Implementation of these provisions restricts the ability of people and organisations to gain access to information about others. It can also decrease the chance of persons being asked to supply information on themselves and can thereby decrease the extent to which they suffer interference or attention from information gatherers. The same can be said for provisions requiring that measures be taken to safeguard or improve information quality.[13] Implementation of such provisions lessens the risk of a decision being made about a person on the basis of inaccurate or irrelevant information. This, in turn, lessens the risk of the decision maker then taking, say, unwarranted investigative action which interferes with or disturbs that person.
[11] The fourth class of definitions relates privacy exclusively to those aspects of persons’ lives that are ‘intimate’ or ‘sensitive’. Julie Inness, for example, defines privacy as ‘the state of possessing control over a realm of intimate decisions, which includes decisions about intimate access, intimate information, and intimate actions’.[14] According to this view of privacy, not every disclosure of information about a person will amount to a loss of privacy; there will only be a loss when ‘sensitive’ or ‘intimate’ personal information is disclosed.[15] This conception of privacy is relatively unpopular in data protection discourse mainly because intimacy-oriented definitions of privacy are unable to anticipate and capture the process by which detailed personal profiles of individuals are created through combining disparate pieces of ostensibly innocuous information. By ‘innocuous’ information I mean information that, on its own, is not sensitive or intimate. The aggregation of such information currently constitutes one of the major methods of creating detailed and intimate personal profiles. As administrative systems in both the public and private sectors become increasingly integrated, such aggregation is likely to occur on an even larger scale. Any conception of privacy which does not capture or reflect this process is of relatively little utility for present and future appreciation of data protection issues.
[12] Accordingly, few direct manifestations of
intimacy-oriented conceptions of privacy are to be found in the provisions of
data
protection laws. The ambit of such laws is generally not limited to
information of a particular, predefined quality about
persons.[16] Nevertheless, direct
manifestations of intimacy-oriented conceptions of privacy do occur in the
provisions that place extra restrictions
on the processing of certain categories
of especially sensitive, personal
data.[17]
[14] First, the protection of privacy serves a large range of other values and interests, the safeguarding of which must accordingly form part of the rationale and agenda of data protection law. Important examples of such values are personal autonomy, integrity and dignity. These values can be summed up as being largely concerned with ‘achieving individual goals of self-realization’.[18] At the same time, such values, along with privacy, are not only relevant to the well-being of individual persons – they also have a broader societal significance. Their protection helps to constitute a society infused with civility, stability, pluralism and democracy.[19] Realisation of these general societal values must, therefore, also be recognised and treated as an integral part of law and policy on data protection.
[15] Secondly, data protection instruments are expressly concerned with setting standards for the quality of personal information. While adequate information quality can serve to secure the privacy of individuals, it breaks down into a multiplicity of interests (including concern for, inter alia, the validity, integrity, availability, relevance and completeness of data) that have little direct connection to privacy-related values.[20]
[16] Thirdly, data protection laws are also concerned with ensuring that individuals and organisations are able to process information about others for various legitimate ends. Indeed, data protection laws generally do not attempt to assail most established systems of administration, organisation and control of information; rather, they tend to seek to manage these systems in a manner that makes them more palatable to (and, hence, legitimate from the perspective of) the general populace.[21]
[17] Extending this point, it can be argued that data protection laws have
much the same aim and function that policies of ‘sustainable
development’ have in the field of environmental protection. Data
protection laws seek to safeguard the privacy and related
interests of data
subjects at the same time as they seek to secure the legitimate interests of
data controllers in processing personal
data just as policies of
‘sustainable development’ seek to preserve the natural environment
at the same time as they
allow for economic growth. Both policy concepts promote
a belief that the potential for conflict between these respective sets of
interests can be significantly reduced through appropriate management
strategies. Concomitantly, both policy concepts can be used
to create an
impression that the interests of data subjects and the natural environment are
adequately secured, even when their respective
counter-interests are also
secured.
[19] This consensus also runs the risk of underplaying the fact that the focus and agenda of data protection laws are constantly developing. These changes are sometimes reflected in the text of the laws themselves,[22] and sometimes in the range of decisions and actions taken by data protection authorities, especially when the latter are given broad discretionary powers.[23]
[20] Finally, the
view that data protection is essentially privacy protection runs the risk of
obscuring the fact that data protection
laws benefit not only individuals
qua individuals but society as a whole. The insight that privacy
safeguards have broad societal benefits is not something that can be
taken for
granted. Much of the discourse on privacy and privacy rights has tended to focus
only on the benefits these have for individuals
qua individuals, and
therefore to see such rights as essentially in conflict with the needs of
‘society’.[24] This has
been accompanied by a considerable literature seeking to highlight various ways
in which privacy rights detract from the
common
good.[25] These tendencies can have
the unfortunate consequence of leading to a skewed appreciation of the societal
benefits of privacy rights,
thus hampering advocacy for strong(er) data
protection laws.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/UNSWLawJl/2001/6.html