Week 3 - Privacy Law

The human right to privacy is quite simply “the right to be let alone”. There are two aspects to this right: Decisional Privacy and Informational Privacy. Decisional privacy is the right to be let alone with respect to how we live our lives – who we partner with, how we raise our children, what medical treatment we accept, and reject etc. Historically this right is most affected by government actions that attempt to restrict the full expression of privacy by citizens. For example, attempts by states in the U.S.to restrict the right to reproductive freedom for women raise the issue of the right to privacy and because these cases are about government restrictions, they concern the right to privacy as it is protected in the U.S. Constitution.

Informational privacy is the right to be let alone with respect to information or data that reveals knowledge about us. Sensitive information such as social security numbers, race, gender, religion, health data, including fitness levels, genetic data…. All of this information reveals a part of who we are.

Outside of constitutional protections against government actions that restrict our privacy most of the law that protects privacy, particularly informational privacy, is protected by sector in the U.S. There is not one overarching rule that otherwise protects individuals from having their information accessed, used or shared without their consent. Instead, the statutes protects sectors of information and so there are laws to protect our health data, financial data, student data, credit data and even our genetic data from being accessed, used and shared without our permission. The limitation of these laws is that they are specific. For example, the Genetic Information Privacy Act protects against access, use and sharing genetic information by employers and insurance companies. HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information and regulates covered entities that have access to that information.

In the context of new technologies such as data analytics and AI, these existing laws will need to get stretched in their application. So, for example, can one argue that a data broker is a “covered entity” under HIPAA that needs to follows the specific rules about how to manage individual medical information? And if they fail to do so, there will be a fine and other remedies for the individual whose medical information was mishandled.

Finally, in the U.S., there is common law that protects privacy in an area of law called torts. Tort law protects individuals from wrongs committed by another that cause physical, financial and emotional harm. When a person or organization intrudes into areas where we have a reason to expect privacy, or accesses and shares personal information that we expect to be able to keep personal, then there may be a civil lawsuit claiming damages for that harm.

All this said about privacy law in the U.S., the current story of U.S. privacy law is arguably considered by Americans to be more of a privilege than a right. The willingness of individuals in the U.S. to share forward their information – in transactional exchanges online, in fitness challenges at work, and on social media like Facebook, snapchat and dating sites, suggests that there is an evolution in how we consider information that is intimately personal to us. What happens, however, when we come to learn that all of this personal data is being accumulated to create what privacy scholars like Daniel Solove call “digital biographies” about us, and all of the sudden technologies are having a hand in defining the very persons that we are? Because we are so willing to share our information, it becomes harder to argue we had an expectation of privacy in that data at the outset.