Lisa M. Austin, Associate Professor, University of Toronto
Faculty of Law
Consent is often seen as the heart and soul of models of
privacy protection. These regulate personal information, not private
information (information about you). A very large amount of info is potentially
regulated by these kinds of regimes, and the dominant idea is that it’s up to
you to figure out how much you want to share.
If you think privacy is complex, contextual, varying among people, this
looks incredibly promising because we don’t predefine what private is. “Self-determination” or self-management
models.
We should be very skeptical of these models. Standard problems: people can’t read policies,
don’t read them. But her problems are deeper/more structural. Cautionary tales
from Canada. Pay attention because one
might think Canadian privacy law is comprehensive and strong. Our legislation covers public sector and
increasingly the private sector as well; privacy commissioners are dedicated
regulators; easy to make complaints; not just procedural but substantive—consent
doesn’t matter, you can only collect info for reasonable purposes. Situated in broad constitutional framework
including a right to privacy, which rejects the third-party doctrine.
Reasonable expectation of privacy standard is normative, not descriptive.
Problems: First, designed to regulate relationship between
individual and a service. Certain model
of fair and appropriate in that info flow. But internet companies are
intermediaries—they mediate multiple relationships, including interpersonal:
platforms for interaction, deeply bound up with their own business
practices. Second, collect so much
information about us that they’ve become treasure troves for state
agencies. Those things affect the
structure of privacy.
If you see the benefits of consent based model as individual
self-management, that reflects very individual, subjective view of privacy. But
implemented as law that invokes two pressures: other competing interests. It can’t just be up to the individual to do
what’s best for her—law enforcement/national security push back, as well as
business interests. No matter how implemented, you find various places where
that balancing is in play—proportionality analysis, objective standard.
Pressure is to move away from individual self-determination.
Also, people who have to obtain consent are now under
obligations—they need to seek out information about the user’s consent. If the
collection involves really private information, maybe it has to be opt in; less
private, maybe implied consent works. Once that categorization is occurring, we’re
not doing individualized subjective preferences any more. Retreat to ideas of
privacy as sensitive information occurs, narrowing the scope of what we’re
protecting. Retreat to accounts of social/reasonable expectations of privacy,
but very different from the constitutional version. Social norms instead of normatively
reasonable expectations. Both work to undercut the promise of this type of
privacy law.
Recent privacy decision about FB: should you be able to opt
out of targeted ads? Initially targeted
marketing was considered a secondary use, and required another consent. If true in retail context, why not in FB context? Answer: no!
Accepted that FB’s business model was based on ad revenue, and business
interests had to be balanced with privacy.
Defaults make a huge difference. The charge made was that
they should be more restrictive than FB sets, which would then force people to
think harder about their privacy settings.
Privacy commissioner rejected this too.
Why? Commissioner said, people join FB to share information. The idea
that it can’t be deeply sensitive because you’re there to share information—privacy
as secrecy, sensitive information. Also
influenced by expectations of FB users that this was reasonable within the
community—but no discussion of how this was a shift from general cultural expectations
formed independent of something like FB to descriptive account of expectations
of FB users within an architecture that was formulated based on the business
model. Intermediaries participate in shaping social norms but are not noticed
to be doing so.
Multiple courts have upheld warrantless access to subscriber
info. Usually about child porn, which makes courts reluctant to touch this. But
also they say that the legislation creates carveouts so that they don’t violate
statute when sharing information with law enforcement without consent. Could
say, re: the carveouts: Not up to ISP to vet the credentials of LEO/whether
they need a warrant. Could still have
separate inquiry into whether warrant was required. State might still need a warrant under
Canadian law because the third-party doctrine isn’t part of Canadian law. But
instead: courts say that the legislation permits sharing, thus you have a
diminished expectation of privacy. And the contracts with subscribers vaguely,
buried deep, have a clause that say that they can share info with law
enforcement, diminishing reasonable expectation of privacy. Terms imposed by
company in standard form contract now alter relationship between individual and
state, and the courts keep saying this.
To think that consent mediates all this is mistaken, not
just for regular problems of reading the forms but because consent as a concept
facilitates broad collection of info and easy access by law enforcement in a
disturbing way.
What to do? Analytic framework: privacy is no longer that
helpful; lost analytic rigor. There are
two lessons from privacy’s roots in trespass that are underappreciated and that
could be reappropriated/revised. (1) The “power to” view: trespass is not an
injury based tort. Always looking for
the harm of privacy violations leads to trouble—so diffuse, balanced against
very pressing concerns. When we can’t
find specific harms, we discount it.
Property law is often not about protecting people from injury but about
giving people powers to do what they couldn’t otherwise do—e.g., transfer
property after death. Law as
facilitative, not just obligations/remedies for injuries.
What’s the legal architecture we need to facilitate privacy?
What do we think privacy norms allow us to do?
Audience norms of tact: pretending not to notice something that we
do. That could help us think about FB’s
obligations beyond securing consent—it too could be required to exercise tact.
(2) Public context—early search and seizure cases are
trespass cases. Some accounts of
trajectory of privacy say that we went from protecting property to protecting
more. But early trespass cases aren’t
merely upholding private property; they were about concerns over arbitrary
exercise of state authority/rule of law. Explicit focus on rule of law can be
helpful in getting us off focus on individual (consenting or not) to the
surveilling party—who’s exercising power and how can we constrain it so it’s
exercised in an accountable/transparent matter. That’s the central Q, not a
side show. That helps explain what’s wrong with the standard form contracts
nobody reads. We each have roles in holding each other and the state
accountable.
In earlier privacy debates there was a lot of debate about
practical obscurity—records on you held in paper file cabinet are different
because they’re harder to access and link to other information. Paperless = loss of practical obscurity. (Pseudonymity is one way of restoring that,
at least as against other individuals!) Similar phenomenon going on with law
enforcement. Police require cooperation of community in so much; you need
trust. We all know what happens when a community stops trusting the police. RCMP built trust with community and got tips
that led to apprehension of people who planned terrorist attack. That requires responsible action by law
enforcement. We all exercise judgment
about when to act (call in the police) or not. This plays a role in practical
constraints on police action. When info is no longer held in community, but by
an intermediary with different rules about sharing, we need to think about what
accountability looks like.
Growing scholarship in rule of law: not just about
constraining state authority, but also about constraining private actors. Is rule of law consistent with administrative
state? Information law is another major shift in the nature of the state, and
we need more than privacy to think about it.
Consider other legal vocabularies about the nature of law.
Moderator: Tanya
Cooper, Assistant Professor of Clinical Legal Instruction and Director of
Domestic Violence Law Clinic, The University of Alabama
The poor have no power over their privacy. We see this in
family law, disproportionately affecting racial minorities. Example: child welfare/dependency
courts where children are adjudicated abused/neglected. Families routinely
invaded by state actors/agencies, lawyers, judges. Their information is
collected and used against them. No meaningful consent/ability to opt out
because the countervailing interest is protection of children. Irony: these
courts are closed to the public. They use privacy as an umbrella term for
confidentiality—mask a wide array of abuses against due process and families
are routinely separated forever. So she
likes thinking not about consent but about power. So what to do? How would we apply your concepts about
power?
Austin: one possibility: disclose facts without personal
details. Program in Canada to train judges to voluntarily redact information in
their judgments, because they throw in all sorts of unnecessary details. Get them to reflect on what they can and should
put in the judgments as explanation for the reasoning versus what should be
left out, like a house address.
Sarat: was there a golden age for consent, when it was
meaningful? Likes idea of obligations
imposed on intermediaries; empirically, on what basis would you believe that
society as a whole would endorse this view of affirmative obligations. The way in which US citizens think about
these problems is almost entirely about consent, even when the consent wasn’t
meaningful.
A: there was no golden age.
Looked at privacy commission findings over a number of years about
consent. Striking result: every example
was basically resolved on the logic of business interest—reasonable purpose got
interpreted as reasonable business interest, and then consent was implied;
consent didn’t do any work. Need more
normative discussion to have any bite.
Sarat: if I was a consent advocate, I’d say we need to get
away from implied consent.
A: has philosophical concerns. What does it mean to consent to give up
privacy, if privacy is about consent? What
are you consenting to give up? There must
still be some independent concept of what it is that you’re giving up when you
consent.
In Canadian human rights law, we impose affirmative
obligations to reasonably accommodate religious views, disabilities, etc. up to
the point of hardship. Completely
accepted now, with lots of debate over what reasonable accommodation/hardship
means, but the basic principle is now grounded.
People accept the ethical settlement.
Unthinkable to build a new building that wasn’t wheelchair
accessible/build curbs without curb cuts.
Positive obligations around privacy could also be built into infrastructure—a
building code for privacy.
Sarat: draw on analogies in American law to obligations that
prisons have to prisons: social relationships they create based on dependency;
remove the effective capacity to opt out.
Posts
No comments:
Post a Comment