Lisa M. Austin (University of Toronto - Faculty of Law) has posted Enough About Me: Why Privacy is About Power, Not Consent (or Harm) (Forthcoming in Austin Sarat, ed., A World Without Privacy?: What Can/Should Law Do) on SSRN. Here is the abstract:
Most contemporary approaches to privacy regulation, including comprehensive privacy legislation, are based upon Fair Information Practices. Solove has called this the “privacy self-management model” because a central concern is to give individuals control and choice with respect to the collection, use and disclosure of their personal information. In this paper, I argue that despite many of the perceived advantages of this model, it is deeply flawed. I suggest an alternative view, based upon ideas of power rather than consent or harm.
Recent scholarship has pointed to some of the problems surrounding the ability of individuals to make rational choices regarding their information. However, I argue here that the problem is more deeply structural. The promise of the self-management model is that it regulates “personal information” rather than “private information”. Instead of defining what is private, we leave it up to the individual to decide. The advantage is that we do not have to rely upon ideas of informational privacy that are often rooted in notions of the harms involved in disclosure of intimate and sensitive information, and seem unsuited to deal with contemporary information practices. Despite this advantage, I argue that the self-management model necessarily falls back on some other idea of informational privacy when operationalized in legislation and in doing so undercuts its ability to deal with current privacy problems.
This is not just a theoretical argument, but reflects the Canadian experience. Canada has had comprehensive private sector privacy legislation since 2001 that is very much based upon a self-management model. Despite this, the idea of a reasonable expectation of privacy is central to many aspects of the interpretation and application of the legislation. Although the legislation has largely succeeded in protecting consumer privacy in relation to on-line transactions, I argue that it has been quite unsuccessful in addressing some of the most pressing privacy issues of our time concerning private sector data collection – privacy in relation to user generated content and the relationship between the private sector and law enforcement (including the intelligence establishment).
We need an alternative paradigm, but I argue here that the way forward is not through developing a new approach to consent or to the avoidance of harm. Instead, we need to draw upon a set of lessons that I take from constitutional law and that are rooted in property law. Constitutional privacy protection in jurisdictions such as the United States and Canada is based upon the guarantee of freedom from unreasonable search and seizure and the early iconic cases were trespass cases. I propose here to draw two important lessons from this.
First, trespass is not about harm. Trespass liability protects the control powers of the owner. I argue that this suggests that we should attend more carefully to the idea of legal powers and the facilitative dimensions of law that are usually bound up with legal powers. By this I mean that law sometimes exists in order to allow us to do things that we wouldn’t otherwise be able to do (rather than protect us from harms). We need to understand informational privacy in relation to the facilitative function of law.
Second, the trespass cases show us that search and seizure law is concerned with upholding the rule of law. The rule of law has been traditionally concerned with constraining power. Although constitutional jurisprudence regarding privacy sometimes loses sight of this, constraints on law enforcement discretion are deeply embedded in this area of law.
A focus on power in this twin sense can provide a new way of looking at privacy regulation and provide a superior way of understanding what privacy law should demand in an age where the explosion of user-generated content online and the private sector/law enforcement relationship have combined to create strikingly pervasive surveillance.