With the heart of the summer vacation season upon us, it seems like a good time for some reflection. Here, it comes in the form of excerpts from an essay by privacy maven, Deborah Hurley. The one time Director of the Harvard Information Infrastructure Project at Harvard University, she has been thinking and writing about privacy issues for two decades. Her entire essay can be found in the book, Privacy in the Modern Age, and this excerpt is provided with her permission:
The Universal Declaration of Human Rights (UDHR), the founding document of the modern human rights era, was adopted by the United Nations General Assembly in 1948 without a single dissenting vote. The UDHR, along with the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights, both from 1966, are called the International Bill of Human Rights.
The International Bill of Human Rights is one of the most successful legal regimes in the history of the world. More than 160 countries are parties to these conventions. The adoption and ratification of the main human rights instruments by so many nations underscore the high degree of international consensus on the principles of human rights.
Traditionally, US law recognized four invasions of privacy: intrusion on the right to be let alone; public disclosure of private facts; depiction in a false light; and commercial appropriation of personal information. Modern data protection and privacy laws contain core elements:
- notice to the individual of use of her personal data;
- choice by the individual with regard to its use;
- consent by the individual in its use; identification of the purpose for which the personal data is to be gathered;
- collection of only personal data required for the stated purpose; and use of the personal data only for the stated purpose.
A quarter-century after the UDHR, the United States was continuing to set the global pace for protection of personal data and privacy. The United States adopted the 1974 Privacy Act and encouraged the adoption around the world of rules to protect personal data and privacy. Today, over 100 countries have data protection and privacy legislation. Not only is protection of privacy and personal data widespread, there is broad agreement about the principles that undergird the modern right of privacy.
Yet, the US progenitor became the outlier of this 40-year, strong global trend. The 1974 Privacy Act covered part of the federal public sector. As information and communication technologies advanced, with uptake throughout society, other countries adopted and amended data protection and privacy legislation to include the private sector and the rest of the public sector. The United States did not keep up with these developments, with the result that Americans have less protection for their personal data than people in many other nations. It is ironic that US companies, which operate in countries with broadly-based data protection and privacy laws, provide a higher level of personal data protection for residents of those countries, than they do for the personal data of Americans.
To the same degree that liberty and freedom are defended from tyranny and oppression, how best to instantiate protection of personal data and privacy, shelter it from inevitable forces of depredation, and deploy the mutually-reinforcing means of laws, technological design, standards, and norms? There already exists a world-wide body of law and institutions. The lag is in implementation and enforcement. This is the easier part of the task, since the legal framework is already in place. As far as additional legislation, clearly the biggest change would come from US adoption of comprehensive federal legislation to protect personal data and privacy, a welcome return to a leadership role. India already has a bill. Its passage would bring over one billion people under the privacy protection umbrella. China presents a harder case, but the prize of another billion people makes it an attractive challenge.
And so at the end we come back to where we began and to what we have known all along. Privacy is a human right. Each government, company, and individual, as well as all other non-state actors, has an affirmative duty to safeguard it. The protection exists. The hard work is done. But, there are severe lapses in implementation and enforcement. Privacy is important for the individual and, arguably, even more vital for the democratic community and its maintenance of vibrant, robust civic participation and social and economic discourse. The locus of ownership and control of personal information must lie with the individual. Technology can reinforce and actualize this principle. As personal information proliferates and will be everywhere, the need to adhere to this standard becomes increasingly acute.