Sovereignty and the Need for Consensus Around “Data Privacy,” Part II
Privacy Plus+
Privacy, Technology and Perspective
Sovereignty and the Need for Consensus Around “Data Privacy,” Part II. This week, let’s continue our discussion on better ways to balance the needs of people and businesses in the privacy space. If you didn’t catch Part I of this post, you can read it by clicking on the following link:
How much time do you have for “notices?” We all make spur-of-the-moment, near-instant decisions in every personal encounter, and on every website, about how much time and attention we’ll devote to it. Not many of us spend our time studying cookie and privacy notices. In fact, most of us have almost no time for these “notices.” Accordingly, we don’t carefully decide how much consent we’ll grant for the processing of our personal information. Instead, what matters is the default condition of the website. Whatever data the data collector has decided to collect is what we must agree to. If we want to visit the website, we have no real choice about how it will process our information. So realistically, we never provide meaningful consent.
What should be the “default condition of privacy?” Since privacy is fundamentally about people, we offer that the focus should start with people – how people actually behave and what they want, need, and especially expect in a given encounter. Shouldn’t what people expect and want be the cornerstone of privacy protection?
What people want and expect, however, changes constantly. We may start the day bright-eyed, happy to read every cookie notice, only to be tired of it by lunchtime. Or our level of interest may change by subject matter or when people we care about might be affected. It may change with time or as we grow. The fact is that what we want and expect is in constant motion and flux, according to circumstances that are so varied they can’t be regulated in detail.
A consensus – along the lines of principles – can still be reached. Privacy scholars have studied to articulate “fair information privacy principles” at least since the end of World War II. Many versions exist, but we suggest it’s time to take a fresh look back at detailed regulatory schemes and take a new look.
What do people want and expect, generally speaking? We suggest:
· (Where appropriate) to have (readily) available – but not required, e.g., as a gateway to entry onto a website – an understandable explanation of what data is being gathered, how it’s to be used, how it may be corrected, and how it may be controlled; and
· For data collectors/users to gather only the information they need for purposes the data subjects approve and would expect to use it only for those purposes (and those which would follow, like security, anti-fraud, carrying out the goals, etc.), to hold it securely while they have it, and to dispose of it responsibly when the purpose(s) are fulfilled; and
· For there to be predictable exceptions for public health, safety, law enforcement, etc.
This is only a start toward a consensus and doesn’t begin to reach questions like governance or enforceability models. Nor does it take account of cultural or historical differences in different sovereignties, such as the role of America’s Bill of Rights versus the European experience. Nor does it consider different issues in different sectors – health information, children’s products, or finances, to name a few. We see a long season of frustration still ahead as we struggle to reach a consensus on what we want out of data privacy. But we are hopeful.
A “magic word?” To translate such a consensus into practical guidance, which would allow those basic principles to apply with less friction to every day’s million vicissitudes, a literary “lubricant” would be needed – a magic word. Is there such a word?
Yes: a magic word, handy for regulating future conduct which can’t even be predicted, managed, or controlled before it arises. The word is already used in leases and other complex or long-term contracts to bridge gaps, adjust to new situations, and even permit experimentation and improvements amidst rapidly changing times.
The word?
“Reasonable.”
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.