The following is a discussion of the Consumer Data Privacy in a Networked World:
A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, (hereafter referred to as the Privacy Framework) is a fifty-two page treatise published by The White House on February 23, 2012 that presents the President’s imitative in this area. While the Personal Data Collation applauds the Administration’s acknowledgement that privacy is an issue of major concern, we are concerned that they have overlooked one of the fundamentals – that privacy is more than keeping secrets, it is also about the protection of property.
Note: The terms data and information are often interchanged.
Information is an ordered sequence of symbols (data) that can be interpreted as a message or provides some meaning. For purposes of this discussion, both are considered one in the same. Also, since we believe that personal data must be also considered as personal property, we will not be commenting on Section III through the end of the document.
Think “property owner”, not “consumer privacy”
Privacy violation, as defined in the Privacy Framework, is the misuse of data that can be connected to an individual.
It does not mention the misuse of data as also the misuse of property. Consequently, this limits the scope and confuses the nature of information-based privacy. The result is a profusion of confusing and difficult to implement administrative policies, practices and procedures. If privacy and (personal) property were to be linked, then we believe that they would (collectively) come under protection to the U.S. Constitution, making enforcement clearer, cleaner and simpler. One does not enter a man’s house without a warrant not because it is a bad policy, but because is against the law. We don’t take his property because it is not ours to take, plain and simple. We respect on the rule-of-law where the rules are based on individual’s rights (the Bill of Rights) and not the desires of the end users. As a U.S. citizen, the individual, the owner of his or her personal data, should have the ultimate control and not the businesses and other parties that only use it.
We cannot protect our rights for privacy (as it relates to our personal data) without also examining our right to protect our personal property as provided by the 4th Amendment of the U.S. Constitution. Like bacon and eggs, privacy and property go together. They are the ying and the yang of protecting personal data.
One cannot be considered without the other, which is why we continue to have problems arriving at the workable solution to the increasing abuse of individual privacy in the Information Age. There is no better proof of statement than the discussion of what is known as the third party doctrine. As reported by Timothy Lee on techdirt.com, third party doctrine is the legal principle that says, in effect, “you lose your Fourth Amendment rights when you relinquish information to a third party.” Lee goes on to state that the “doctrine has become increasingly important with the rise of modern technology because we now entrust a host of private data — including our email, cell phone calling data, credit card transactions, and more — to private companies, and the third party doctrine would seem to suggest that Fourth Amendment protections would not extend to such information.” Lee is against extending the use of the third party doctrine. In his words, “(S)ticking with the third party doctrine would make the Fourth Amendment less and less relevant as technology changes because more and more private information to be held by third parties. If we want the Fourth Amendment to continue to be an effective protection for peoples’ privacy, and we think we do, it needs to be continuously updated to reflect changing technological realities.” The Personal Data Coalition could not be more in agreement.
Continuing the current Oligarchy:
The focus of the White House’s Privacy Framework conforms to the Oligarchy view and is limited to the commercial aspects as viewed from a company or business perspective. While part of the Privacy Framework dialogue includes a “discussion of how to protect privacy in a networked society involving public and private, industry and commercial, academic and governmental players”, its narrow scope focuses only on one the many ways we use our personal data. We already have the (frustrating) experience of adding privacy provisions in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191 that delayed its implementation for five years. Will we have the same problems with commerce? What about the IRS or the Social Security Administration? Without the rule-of-law, the end will never be in sight.
Information as Property and the Rule-of-Law
We wonder how different the Privacy Framework would be if it was written from an individual ownership and personal property point-of-view. We also wonder if it included a wider spectrum of users. We are sure that if we were talking about a book, song, invention or some other “physical” form of creative work, the information as property argument would be much easier to make.
But we don’t always get things right the first time. In 1776 the Continental Congress crafted the Declaration of Independence. Followed by the Articles of Confederation in 1781, it created a weak central government and thirteen individual states, each with their own sovereign powers to create such things as their own currency, stamps, laws, etc. It did not work and by 1789 the Articles were replaced by the much more workable U.S. Constitution and, most importantly, the Bill of Rights.
The Bill of Rights is the secret sauce of what we were to and have become as a great nation – the rule-of-law with the protection of the rights of the individual citizens as the start point. They were, perhaps, the first “codes of conduct” and have been with us for over two centuries. They already exist. They work, and in doing so, eliminate the need to write new ones for privacy and property. We can just adapt them to what we already have – the 4th Amendment – keeping privacy protection simple and within our already existing legal framework. Likewise, the Bill of Rights doesn’t discriminate by industry or affiliation, so why should we start now? Personal data, privacy, and property are fundamental to the individual and agnostic to governments, associations, businesses, and organizations in their many forms. We should keep it that way.
The President, in his cover letter of February 23, 2012, sets the stage for privacy, provides a brief history, alludes to its legal and personal values, discusses the impact of the information and technology, and concludes with the stirring statement that “we must reject the conclusing that privacy in an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever.” He is spot-on to this point, but then ignores history. He wants to create a new document, a new process, a new Consumer Privacy Bill of Rights. The Personal Data Coalition can only wonder if this is wise or even necessary. We have the Constitution; why not use it for this issue as well?
Comments on the Consumer Privacy Bill of Rights Objectives
The following is a commentary on the specific objectives of the Framework.
1. Individual Control: The Privacy Framework states that the consumers have a right to exercise control over what personal data companies collect from them and how they use it. On this we agree but wonder why consumers (owners) do not have rights concerning who can collect their personal data in the first place. Unless there is a legal right under the law (i.e. driving record, arrest warrant), the process should be “opt-in”, not the current opt-out. If we, by law, have the right to access to our credit reports, why don’t we have the same rights to access all of our personal data such as criminal/driving records, health, insurance, academic, and so forth? All the time and for free!
2. Transparency: We would like to add “who gave them consent” to the list of requirements. We would also add “in accordance with the 4th Amendment.”
3. Respect for Context: Consumers must have the right to not only willingly provide the personal data (expect where required by the law) but have a way to verify that the data is being used as permitted. It is the consumers (as owners) who should be in primary control (not the end user companies), as they are the ones who suffer the greatest consequences from misuse.
4. Security: We would add “as with any other form of personal property.” The focus of this Objective is on the data, not the person (owner). It should be the other way around. Again, it is the consumer (owner) that has the most to lose.
5. Access and Accuracy: This provision, though well written, does not go far enough. The consumer (owner) should at all times have the ability to monitor who is using their personal data, on whose authority (including 3rd party usage) they have access, what are the legal rights and limits, and for what purpose. Also, since a person’s data is literally everywhere, only the consumer (owner) can determine if is the single version of the truth, which is to say, its accuracy
6. Focused Collection: Why only reasonable limits on the personal data companies collect and retain? Data is the personal property of the consumer (owner). Its use should only be governed by the relevant laws or by the owner’s consent.
7. Accountability: We would change ‘adhere to the Consumer Privacy Bill of Rights’ to ‘the U.S. Constitution.’
Information and Data as Property
We would also add an 8th Objective: Ownership. In this object we would define personal data, its status as property, its ownership, and how it is the same or different from other forms of property. We make this recommendation because the Framework is limited to the business context and only “applies (the) comprehensive, globally recognized Fair Information Practice Principles (FIPP’s)…” The 4th Amendment makes no such distinction, which causes us to examine (question) the specific provisions from a personal property and well as privacy point-of-view. Conversely, FIPP’s seem to not acknowledge personal information as property.
We also note that the focus is on developing a single set of privacy rules to be followed by companies. The focus is on companies and the Federal Trade Commission. The tone is voluntary. It assumes all personal data are the same. The problem is that our personal data, data that is or could be used by companies, is also the same data that is used by other entities, government or private, for a wide variety of reason. As nice as it sounds, person data cannot be that easily parsed. It is just not possible to develop a workable set of rules for every situation from a multitude of users. Privacy itself, as a concept, is just too vague. This is why personal data as property make more sense. Property rules, supported by the Constitution, are much more concise, reflect the rights of the individual (human) owner, and have withstood the test of time.
A statement starting in the middle of page 6 acknowledges the inconsistent standards resulting from the confusion and complexity of Federal data privacy statues as they apply to specific sectors and that the Administration supports extending protections to the sectors that existing Federal statues do not cover. Our thought is “are we making things worse?” Again, why are we treating personal data only through the ever-expanding morass of privacy regulations and codes of conduct without resolving the personal property issue? We can’t make a rule for every possibility. We need to “reverse the telescope”, focus on the individual at the Bill of Rights, and then move forward. To do otherwise will encourage businesses and other organizations to continue to “game the system.”
What is missing is any discussion of personal data as property. The footnote on page 12 of the Framework uses the term “personally identifiable information (PII)” as information that is linkable to a specific individual. It goes on to say that PII is not anchored to any single category of information…that rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.”
The Framework, through footnotes on page 5, stresses that it is “concerned solely with how private sector entities handle personal data in commercial settings.” Footnotes not withstanding, the U. S. Constitution still comes first. The Personal Data Coalition has no object as long as what is being done is constitutional. We do not believe this to be the case. Merely stating that when it comes to privacy that personal data is not personal property does not count.
We are at the crux of the issue…is our personal data our property? Can the protection of our privacy be achieved without constitutional protection? Is “consumer privacy” any different than any other privacy? Will the third party doctrine prevail? These are the key points and they must be resolved before proceeding, before any practical solution can be reached. They are just too fundamental to ignore.
The co-consideration of privacy and property, and the technology to implement it already exists in a working “proof of concept” – HIPAA. Originally designed to facilitate electronic portability of employee medical records between employers, accelerate the reimbursement cycle by eliminating paper, and reduce errors and administrative overhead, it was not fully enacted until 2001 when provisions for data security and individual privacy were added. Thus HIPAA set the stage for maintaining the privacy and protection of personal data on a national basis — where privacy and personal data issues are safeguarded in a single technical solution.
Violations of property are protected by our Constitution and therefore dealt with the rule of law, the courts, and our current law enforcement infrastructure. Attaining privacy and protecting individual rights through voluntary consensus as proposed by the White House’s framework on personal data privacy is little more than “privacy by committee.” There ought to be a simpler way to resolve this issue within our existing legal (and international) framework.