Understanding the dynamics of privacy protection
Peter Seipel
Rear-view
Automation and the law was the topic of the first two seminars arranged in Autumn 1968 by a newly created research division at the Faculty of law, Stockholm university. At the outset this research division named itself a ‘working party’. It was the origin of today’s Swedish Law and Informatics Research Institute, which now celebrates its 40th anniversary.
One of the two seminars focused on the consequences for the citizens’ privacy of the storing of large volumes of digital data that were beginning to become the practice of many public and private institutions. The other seminar dealt with automated legal decision-making and focused on available methods and possible future developments. Today, forty years later, the two opening presentations of this conference pay honour to these early efforts. They also bear witness to the long-lasting importance of issues of automation and the law.
What is automation?
The concept of automation needs clarification. Suffice it to emphasise three aspects: (a) There is a low end and a high end. The low end involves automation in connection with traditional manufacturing and work processes. The high end means automation in connection with planning, analyses, decision-making etc. in various activities in society. (b) High end automation intertwines with all kinds of message communication and forms a central part of what is today usually referred to as Information and Communica-tion Technologies (ICT). (c) In particular high end automation needs to be seen as a social phenomenon. One consequence is that the design of automated procedures often requires efforts that go far beyond purely technical concerns. A technical fault may be much less important than a social fault.
Not written in stone
A typical social fault could be the build up and use of an information system containing customer data that are used regularly for fine-grained marketing and selling efforts. However, the way people react to such ‘customer relation management’ (CRM) systems is not a question of a simple, once and for all binary choice: ‘Let me be alone’ or ‘I will be happy to take part’. The individual’s reaction is context-dependent and may also be difficult to foresee. In other words, any discussion of privacy protection calls for an understanding of its dynamics. For example, every individual seems to be constantly changing between two modes of mind or ways of feeling with regard to being private. Sometimes we prefer seclusion (to reload our batteries, to rest, to be ourselves etc.), sometimes we prefer inclusion (to be among like-minded, to share experiences, to stand out from the crowd, to communicate etc.). The forces that make up the dynamics also include the rational versus the irrational. Gut feelings play a role, sometimes an important role, and contribute to the shakiness of privacy protection politics. When people feel furious at being caged and under surveillance, they are not easily persuaded that their worry has no ground. The recent, heated debates on the activities of the Swedish signal intelligence agency FRA provide an excellent illustration.
A distant world
The environment where the first modern ‘data protection laws’ took shape differed enormously from the present-day situation. This was a time when it seemed meaningful for a nation to try and count the number of computer files containing personal data. It was a time when for most people computers were as distant and as foreign as nuclear power plants and so were, to a great extent, the dangers that they were said to bring about for the protection of privacy. The work on these early laws relied on a mix of traditional legal tools, such as human rights regulation, and new, general purpose data protection regulation combined with new special regulation of, among other things, particular types of data files (health data, financial data etc.) and particular activities (file matching, risk management etc.). Generally speaking, this early work was legalistic and relied on a relatively simple perception of automation and information systems. Now, the situation has changed and the traditional approaches – which are expressed in valid European data protection legislation – are being criticised as outdated and in need of reform.
Privacy by design
One of the key concepts for the emerging reform is ‘privacy by design’. Briefly, this means to complement traditional, regulatory measures with efforts to construct information systems in a privacy sensitive way. The basic assumption is that ICT is being used to create a new dimension of human life, a cyberworld, if you like. This cyberworld is not separate from the real world but rather an extension. Your home becomes a node in a global networked environment where, for example, your family photo album can be shared with an unknown number of people unknown to you. Noise from your living room may tell you that your children are at home but not that they are just visiting some dark alleys of human experience. In this expanded, surreal world how can individuals be made aware of the risks that they run? How can they keep control of their ‘privacy situation’ and decide themselves how to act and react, and what trails to leave behind? Such questions arise in the context of ‘privacy by design’. Its overall goal is a better understanding of the new ICT-based world so as to make it possible to shape its architecture in a privacy friendly or privacy enabling way. Among other things, the architecture should recognize the individual’s constantly changing needs for both seclusion and inclusion. To be let alone – the original meaning of the right to privacy – is not always the desired preference which may instead be, for example, to participate but only if I can now and then change my identity.
