The IAPP’s recent webinar on privacy harms looked at the classification of privacy harms, why courts, at least in the U.S., have been reluctant to recognize them, as well as how the Federal Trade Commission conceptualizes harms in its enforcement actions against unfair and deceptive practices.
In "Understanding harms in privacy and data protection," Panelists Ryan Calo, law professor at University of Washington School of Law, former FTC Commissioner Terrell McSweeny, and Future of Privacy Forum’s Policy Counsel Gabriela Zanfir-Fortuna examined how the European approach to privacy as a fundamental right influences how European courts interpret privacy harms.
Calo’s theoretical construct, laid out in his article, “The Boundaries of Privacy Harm,” considers harm to consist of two interrelated, essential facets: one subjective and one objective. Subjective privacy harm is the perception of being observed, which makes us feel uncomfortable or threatened. It is the kind of harm that comes from living in a society that is overly observed. Calo likened this harm to the assault tort, where the harm comes from the feeling you get from the imminent anticipation of someone touching you in a way that is harmful or offensive. Objective privacy harm consists in a material, adverse consequence, such as when someone uses your information against you to charge you a higher price, deny you an opportunity, or embarrass or blackmail you. For lawyers, Calo offered the battery tort as an analogy.
Calo explained, however, U.S. courts have entirely rejected the notion of subjective harm and been “very, very stingy” as to what constitutes objective or material harm. To prevail in a consumer privacy case or Privacy Act litigation, you practically have to be “hurt in the wallet or pocketbook.”
As the discussion shifted from the role of courts to that of the FTC in addressing privacy harm, Former Commissioner Terrell McSweeny explained the difference between the FTC's "deceptive" and "unfair" authority, noting that the FTC has tended to focus on deception, or a company's "failure to disclose what is being collected from consumers."
In deception, when a representation or omission is likely to mislead a consumer who is acting reasonably and the consumer would have chosen differently if not for the deception, then an injury is presumed to have occurred.
Moving across the pond to the EU, where privacy is enshrined as a fundamental human right, Gabriela Zanfir-Fortuna explained that the EU's "threshold is low" for identifying harms when the right to privacy or data protection is violated. She also pointed out that the Article 47 of the EU Charter of Fundamental Rights, which protects the right to effective judicial remedy, further bolsters efforts to seek redress for violations related to the rights to privacy and data protection.
The panel also offered insights into the question of whether a standardized list of privacy harms is achievable or desirable. Surprisingly, said Calo, while cases involving consumer harm on a massive scale (i.e., data breaches) have generally not panned out, there have been "astronomical" million-dollar recoveries under the "intrusion upon seclusion" tort for individuals who have been secretly video-taped. He also noted that, compared to other areas of law, such as copyright, privacy feels "exceptional" in its lack of concreteness. Ultimately, Calo said this problem could be remedied through more standardization, particularly in cybersecurity, as suggested by scholars Danielle Citron and Daniel Solove.
Considering prior FTC enforcement actions, McSweeny enumerated a list that would include: direct financial loss; financial injury from identity theft; intrusion into seclusion; unwarranted health and safety risks; exposure to stalkers and other bad actors; threats of harassment, embarrassment, and psychological injury, as in revenge porn cases; and harms to personal life, such as divorce or suicide, as in the Ashley Madison data security case.
Given the relative ease with which EU individuals can currently prove a privacy harm, Zanfir-Fortuna indicated that a standardized list would actually make the EU legal framework less effective in this regard.
How can autonomy, dignity, reputation be reflected in policymaking?
The concluding discussion addressed the questions of: "How can harms to core values that privacy protects, such as autonomy, dignity, and reputation, be better accounted for in policymaking?" and "Who can make the biggest impact: lawmakers, DPAs, courts or privacy professionals?"
McSweeny said the answer to the latter is "all of the above," and also suggested, in recognizing the limitations of the right to privacy, that lawmakers, DPAs, courts, and privacy professionals should expand the conversation to include other core and fundamental values, such as free speech and other policy measures that can affect the quality of democracy, such as regulation of political advertising.
Calo suggested a return to the original understanding of consumer protection law in the U.S., which was to redress the emerging power/information asymmetry between consumers and corporations. Today, companies are capable of new ways of extracting the social surplus and manipulating consumers, which has generated feelings throughout society of increased personal vulnerability and susceptibility to control.
McSweeny agreed and suggested one of the areas where more resources should be invested is to identify harms involving manipulation and sophisticated targeting, an area not yet fully understood.
Finally, Calo added that the paradigm is shifting from a world where information is used to match people with their preferences, to a world where information is used to make people pay more or channel them in directions that are not beneficial to them.
If you want to comment on this post, you need to login.