Information and Knowledge Control Law

In addition to considering asset protection standards and contract law issues, there is considerable research in the field on information and knowledge control law issues; the following provides a summary of this research.

Whalen v. Roe²⁶³ established a new contextual definition of information privacy law. The US court established that people had a declared right to avoid the disclosure of personal matters – in other words, they had a right to control over their information. The right included the process of accessing and even analyzing personal information. Information control had evolved into a duty of data holders to respect the person’s confidentiality. In Whalen, Justice Stevens declared that “The right to collect and use (data) for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures … (I)n some circumstances that duty arguably has its roots in the Constitution.”²⁶⁴ For example in one case the police had access to computer databases that stored confidential patient data.

Justice Stevens further wrote that privacy cases actually had different interests. “One is the individual interest in avoiding disclosure of personal matters, and another is the interest in independence in making certain kinds of important decisions.”²⁶⁵The case applied the Fourteenth Amendment, thus the court must balance the interest in collecting the information and any infringement on the privacy right. Intermediate scrutiny rather than the principles of strict scrutiny was applied.²⁶⁶ The highest level of protection applied to medical information related to sex and essential corporate information. General medical and financial data involved mid-level protection.

263 Whalen v. Roe, 429 U.S. 589, (1977), at 600. (US) 264 Id. at 605.

265 Id. at 598-600.

266 Under US constitutional law, the court can apply three levels of scrutiny. The highest is strict which requires a compelling governmental interest, be narrowly tailored and be the least restrictive approach. The intermediate approach requires an action that furthers an important governmental interest. Rational basis is the lowest standard that reflects a legitimate interest like due process or equal right protection.

Data that was a matter of public record involved the lowest protection. Why some medical and corporation data involve higher protection than individual information remained unclear. This issue needs revisiting. The government’s (or data holder’s) interest must be established as legitimate, substantial, and compelling.

Neil Richard wrote on the way that the government avoided any judicial or constitutional standards. He noted that the government funded and then purchased data from private-sector firms. The scheme was not considered a state action,²⁶⁷ but in reality the government outsourced surveillance of citizens with legislative and constitutional immunity.²⁶⁸ Where entangled interaction existed, then any such behavior would be a state action.²⁶⁹ An alternative was to make both parties responsible for data protection and information privacy legal protections.

In Miller v. Taylor²⁷⁰Justice Yates delivered the judgement that was on point.

"It is certain every man has a right to keep his own sentiments, if he pleases. He has certainly a right to judge whether he will make them public, or commit them only to the sight of his friends."

Grant Hammond argued that legally, personal information was not relative or static.²⁷¹ The reality was that the issue was protecting personal information from government and business misuse. Mendes identified five types of potential privacy violations: “(1) aggregation (the "unauthorized collection of information" to create profiles of individuals); (2) intrusion (surveillance or tapping of transmissions);

267 Under US law, a state action is necessary for addressing the Constitutional rights of individuals.

268 Neil M. Richards, Reconciling Data Privacy and the First Amendment, 52 UCLA Law Review, 4, 1149 (2005), at 1158-1159.

269 See Norwood v Harrison 413 U.S. 455, (1973); Burton v. Wilmington Parking Authority, 365 U.S. 715, (1961). (US)

270 Miller v. Taylor, 4 Burr. 2303, 2379, (1769), at 2379. (UK)

271 R.Grant Hammond, The Misappropriation of Commercial Information in the Computer Age, 64 Canadian Bar Review 2, 342 (1986), at 352.

(3) misuse; (4) piracy (use authorization, usually for profit); and (5) unauthorized access.”²⁷²The focus of his thesis was on aggregation misuse.

Concerns regarding technology and privacy were not new. In looking at electricity in the nineteenth century, Carolyn Marvin wrote about concerns that the technology threatened the private secrets and public knowledge balance.²⁷³ Subsequent history showed the concerns warranted. On the other side of the debate were those that claimed that new information technology provided advantages to democracy.

Such technology provided better access and even networking of interested parties.

The Panel on the 1967 Privacy and Behavior Research Report by the President's Office of Science and Technology addressed the information privacy issue. The conclusion was that “The right to privacy is the right of the individual to decide for himselve how much he will share with others his thoughts, his feelings, and the facts of his personal life.”²⁷⁴

The concept of privacy as the right to be left alone was not just based on Warren and Brandeis.²⁷⁵The concept was a reference to McIntrye Colley’s Treatise on the Law of Torts.²⁷⁶

Ithiel Pool argued that "electronic technology is conducive to freedom …it is not computers but policy (law) that threatens freedom."²⁷⁷ Hope can be found in communication advances, individual rights, and pluralism.²⁷⁸

272 M. Mendes, Privacy and Computer-Based Information Systems, in Issues in New

Information Technology (Benjamin M. Compaine ed., Ablex Publishing 1988), at 193-264.

273 Carolyn Marvin, When Old Technologies Were New: Thinking About Electric

Communication in the Late Eighteenth Century, at 64 (Oxford University Press 1988).

274 Executive Office of the President - Office of Science and Technology, Privacy and Behavioral Research (Government Printing Office 1967), at 8.

275 Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harvard Law Review, 5, 193 (1890).

276 Thomas Mcintyre Cooley, Treatise of the Law of Torts: Or the Wrongs Which Arise Independent of Contract (Callaghan 1888).

277 Ithiel De Sola Pool, Technologies of Freedom: On Free Speech in an Electronic Age (Harvard University Press 1983).

278 Id. at 251.

In US Department of Defense v. Federal Labor Relations Authority, Justice Thomas wrote for the majority in the case involving the Federal Freedom of Information Act. Thomas argued that just because information may be made publically available, it does not mean that a person does not have a legal right to control dissemination of the information.²⁷⁹

Pricilla Regan defined privacy as a collective, not just an individual value. The value was based on the economic view of collective and public goods. One can not benefit from a collective good without others benefiting.²⁸⁰ Free riders, governmental or business, should not use information without legally obtaining consent and paying for it.²⁸¹

Oscar Gandy studied the issues of DPSIP protection. Gandy wrote that “it is in the area of private corporate action that the law is most in need of attention."²⁸²Powerful business forces had access to the inner halls of governmental power and opposed data protection and information privacy legal standards in the private sector.

Arguments in opposition of data protection included the alleged sanctity of commercial marketplace freedom, free commercial speech, and freedom from governmental restrictions. However, governmental regulations and restrictions exist for other social values and legal principles - some of which are related to privacy.

Violations should be subject to the legal principles of strict liability and the burden of proof should be placed on the defendant(s).

Without competent DPSIP laws and regulations, business organizations and marketers would draw their own boundaries. The boundaries were self-serving and

279 U. S. Department of Defense v. Federal Labor Relations Authority, 114 S.Ct. 1006, (1994), at 1015. Thomas generally supports business, then government, and rarely individual rights. (US)

280 Pricilla M. Regan, Legislating Privacy: Technology, Social Values, and Public Policy (University of North Carolina Press 1995), at 227.

281 Id. at 228.

282 Oscar H. Gandy, The Panoptic Sort: A Political Economy of Personal Information, at 178 (Westview Press 1993).

ignored privacy concerns with the exception of trade secrets. L. Graham Smith²⁸³ showed that business organizations did not take a proactive stance and only dealt with privacy concerns when confronted with organizational risks or threats. Those few organizations that showed some concern about the issues, relied on self-regulation, which lacked any systematic approach or consistency. The codes provided inadequate coverage, consumer awareness, and sanctions.²⁸⁴

Alan Vickery argued for information privacy and tort reform, based on breach of confidence. The tort violation included all "un-consented, unprivileged disclosure to a third party of nonpublic information that the defendant has learned within a confidential relationship."²⁸⁵ Contract and fiduciary legal principles were the basis for this UK tort.²⁸⁶ The purpose was to compensate those whose information was breached and experienced damage to reputation and some emotional distress. A very limited public's-right-to-know privilege existed, but enforcement and clarification needed to be stronger.

Susan Gerety proposed an information privacy definition based on information control. "Privacy will be defined here as an autonomy or control over the intimacies of personal identity."²⁸⁷

When an employer released employee Social Security Numbers (SSN) to a third party, the Ohio Supreme Court ruled that the release violated information privacy legal standards. The court in Beacon Journal Publishing v. Akron ruled that:

Thanks to the abundance of data bases in the private sector that include the SSNs of persons listed in their files, an intruder using an SSN can

283 L. Graham Smith, Impact Assessment and Sustainable Resource Management (Longman Scientific and Technical 1993).

284 Ann Cavoukian & Don Tapscott, Who Knows: Safeguarding Your Privacy in a Networked World (Random House of Canada 1995).

285 Alan B. Vickery, Breach of Confidence: An Emerging Tort, 82 Columbia Law Review 1426 (November, 1982), at 1455.

286 Susan M. Gilles, Promises Betrayed: Breach of Confidence as a Remedy for Invasion of Privacy, 43 Buffalo Law Review, 1 (Spring, 1995).

287 Tom Gerety, Redefining Privacy, 12 Harvard Civil Rights–Civil Liberties Law Review 2, 233 (1977), at 236.

quietly discover the intimate details of a victim's personal life without the victim ever knowing of the intrusion.²⁸⁸

Business practices that used covert data collection, matching, and profiling, without the person’s consent was found unlawful. The marketplace of ideas theory did not apply to private data.

As early as 1941, Zechariah Chafee argued that information privacy was a significant social value similar to free speech. The value was so important that only critical national needs should be a legal balance. The harm or damages were not just individual but related to the social value of data protection and information privacy.²⁸⁹

Alan Westin advocated the need for individuals to have control over their personal information. He argued that free societies recognize a personal information privacy right. Only extraordinary exceptions should trump this right.²⁹⁰

Gary Melton argued that information privacy involved the “maintenance of active decisional control over the disclosure of personal information contained in documents or known by other parties."²⁹¹The law must provide "protection from nonconsensual examination of such information."²⁹²

DPSIP principles have been violated and the person(s) involved were damaged by a number of events. David O’Brien argued that causal and interpretive access compromises privacy.²⁹³ O’Brien also argued that the law should provide "limitations on the accumulation and disclosure of information

288 70 Ohio St. 3d 605, (1994), at 611. (US)

289 Zechariah Chafee, Free Speech in the United States (Harvard University Press 1941).

290 Alan Westin, Privacy and Freedom, at 42 (Atheneum 1967).

291 Gary B. Melton, Minors and Privacy: Are Legal and Psychological Concepts Compatible?

62 Nebraska Law Review, 455 (1983), at 459.

292 Ibid.

293 David M. O'brien, Privacy, Law, and Public Policy, at 18 (Praeger 1979).

about an individual … In most situations, privacy is valuable.”²⁹⁴

William Parent maintained that information privacy was "the condition of not having undocumented personal information about oneself known by others."²⁹⁵ Such information did not belong in the public domain. Parent showed that "privacy is control over when and by whom the various parts of us can be sensed by others."²⁹⁶

Bruce Schneier made a strong case that security and privacy are not opposites. These legal and policy issues are not a zero-sum game. Police states provide security but there are no major immigration trends to those states.²⁹⁷ He further explained that the two must work together.²⁹⁸ Anti-privacy security tactics do not significantly improve security and often do harm. Government claims for security are wrong or address fake cases.²⁹⁹ The issue is one of a false dichotomy based on fear. The reality is that “There is no security without privacy. And liberty requires both security and privacy.”³⁰⁰Data mining efforts were secret and had no legal controls.

The issue was not one of individual rights against the great communal good but one of maintaining everyone’s freedom from interference and governmental – business control. Everyone, including the body incarnate, had the right to structure the terms on the use of personal information held by third parties. The principle should apply to governmental and business parties.

294 Ibid.

295 William A. Parent, A New Definition of Privacy for the Law, 2 Law and Philosophy 3, 305 (1983), at 306.

296 Id. at 281.

297 Bruce Schneier, What Our Top Spy Doesn't Get: Security and Privacy Aren't Opposites (2008, January 24),

http://www.wired.com/politics/security/commentary/securitymatters/2008/01/securitym atters_0124?currentPage=all (last visited on 24 January 2012), at 4.

298 Id. at 6.

299 Id. at 8.

300 Id. at 12.

Colin Bennett and Rebecca Grant argued that privacy was a fundamental right to retreat.³⁰¹ A second issue was “the right to control information about oneself, even after divulging it to others.”³⁰² Jean Camp agreed that people had a right to control their information.³⁰³ Research conducted by Cathy Goodwin indicated that people were concerned about the collection of personal information and its secondary use.³⁰⁴

Anita Allen identified a couple of market failures associated with information privacy law based on personal control over the information. Many people shared personal information with little knowledge or awareness of the consequences. Thus, information privacy laws must include an informed consent requirement prior to third parties doing anything with the data.

Significant constraints must be on governments and business organizations that used data mining or shared data without meaningful informed consent.

Individuals did not have the resources to track the uses of their personal data.

Information privacy law must re-allocate economic structures, relationships, power, and social structures.³⁰⁵

Businesses take personal information claiming that it has no value and works against legal personal privacy control protections. Yet, when the same businesses use the information for profit, the businesses claim that the information has economic value and demand protection of business privacy and secrets. The businesses do not pay any type of asset taxes on the data.

301 Colin J. Bennett & Rebecca Grant, Visions of Privacy: Policy Choice for the Digital Age, at 101 (University of Toronto Press 1999).

302 Ibid.

303 L. Jean Camp, Web Security and Privacy: An American Perspective, 15 The Information Society 4, 249 (1999).

304 Cathy Goodwin, Privacy: Recognition of a Consumer Right, 10 Journal of Public Policy and Marketing 1, 149 (1991, Spring).

305 Anita L Allen, Privacy as Data Control: Conceptual, Practical, and Moral Limits of the Paradigm, 32 Connecticut Law Review 3, 861 (2000); Anita L. Allen, Privacy in American Law, In Privacies: Philosophical Evaluations (Beate Rossler ed., Stanford University Press 2004).

After carefully reviewing a hundred years of privacy law, Ken Gromley found four major concepts and needs for protection. The concepts include privacy as (1) "An expression of one's personality or personhood, focusing upon the right of the individual to define his or her essence as a human being." (2) Linked to "autonomy - the moral freedom of the individual to engage in his or her own thoughts, actions, and decisions" (3) "Citizens' ability to regulate information about themselves," and (4) a "mix-and-match approach” of specific issues.³⁰⁶

David Richards saw information privacy as essential to the democratic experiment in that it supported self-governing. Having control over personal information is a form of self-government that protects the individual against more powerful forces.³⁰⁷ Ruth Gavison argued that DPSIP laws help to protect free societies by aiding autonomy, liberty, human relationships, and selfhood.³⁰⁸ While some argued that public policy and social interests may trump information privacy, the argument ignored the “functions privacy has in our lives.”³⁰⁹

Sissela Bok made a necessary bifurcation of privacy and secrecy. "Privacy need not hide, and secrecy hides far more than what is private."³¹⁰Privacy is "the condition of being protected from unwanted access by others."³¹¹Bok maintains that secrecy is

"intentional concealment."³¹²

Communications Canada examined the issues of informational privacy. The study found that in terms of telecommunications, privacy was “protection against unwanted intrusion that is the right to be left alone and not to be

306 Ken Gormley, One Hundred Years of Privacy, 1992 Wisconsin Law Review, 1335 (September/October, 1992), at 1337.

307 David A. J. Richards, Liberalism, Public Morality, and Constitutional Law: Prolegomenon to a Theory of the Constitutional Right to Privacy, 51 Law and Contemporary

Problems 1, 123 (1988), at 138.

308 Ruth Gavison, Privacy and the Limits of Law, 89 Yale Law Journal 3, 421 (1980), at 423.

309 Ibid.

310 Sissela Bok, Secrets: On the Ethics of Concealment and Revelation, at 11 (Pantheon 1982).

311 Id. at 10.

312 Ibid.

monitored; the ability to control information about oneself and one's activities;

the right to remain anonymous."³¹³

In the US, collecting personal information practices, starting with the Nixon administration, has increased. Personal information has been obtained by the government without probable cause and a warrant. Such actions were a violation of the Fourth Amendment. The collection of some personal information was actually self-incrimination, under the Fifth Amendment.

Chief Justice William Howard Taft (former President of the US) modified the application of the Fourth Amendment in the 1928 Olmstead v. United States³¹⁴case. He changed the Fourth and Fifth Amendments legal analysis.

Telephones could be legally wiretapped as there was, in his mind, no search or seizure. The injustice of Taft’s Olmstead ruling changed with Justice Potter Stewart’s writing for the Court in Katz v. United States.³¹⁵ The case brought forth the concept of privacy away from space, to a self-defined expectation of privacy, the right to decide what to reveal, reasonable expectations, and eventually to information control.

Justice Thurgood Marshall’s dissent in Smith v. Maryland laid the ground for further privacy rights. He wrote that “Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes.³¹⁶

Oscar Ruebhausen and O. G. Brim³¹⁷ addressed information privacy concerns with research studies and technology. They rejected the view that technology was the problem. The law and policy related to information privacy

313 Communications Canada, Telecommunications Privacy Principles, at 5 (Supply and Services Canada 1992).

314 277 U.S. 438, 478 S. Ct. 564. 66 ALR 376, 72 L.Ed. 944, (1928). (US) 315 389 U.S. 347, 88 S.Ct. 507, 19 L.Ed.2d 576, (1967). (US)

316 442 U.S. 735, (1979), at 749. (US)

317 Oscar M. Ruebhausen & O. G. Brim, Privacy and Behavioral Research, 65 Columbia Law Review 1, 1184 (1965).

was the problem.³¹⁸ The authors argued that information privacy involved the right to select with whom information would be shared and the timing of information sharing. One has the right to determine “the extent to which his attitudes, beliefs, behavior and opinions are to be shared with or withheld from others.”³¹⁹

From this discussion it is clear that DPSIP laws should establish very clear standards. Furthermore, data controllers must recognize asset protection standards. Ownership of personally identifiable data rests with the person to whom the data relates.

In document Comparative data protection and security : a critical evaluation of legal standards (Page 182-192)