'Hero or Villain: The Data Controller in Privacy Law and Technologies' by Claudia Diaz, Omer Tene and Seda F. Guerses in
Ohio State Law Journal (Forthcoming)
argues that
Constitutional privacy law in Europe and the United States establishes the right to privacy as freedom from government surveillance. It is based on suspicion of power and distrust in the state, which can unleash ominous intrusions into the private sphere to crush dissent and stifle democratic discourse and free speech. Over the past forty years, an additional legal framework has emerged to protect information privacy. Yet unlike the constitutional framework, information privacy law provides little protection against the risk of surveillance by either governments or private sector entities. Indeed, such organizations are assumed by law to be trusted entities acting as stewards of individuals’ rights, essentially “information fiduciaries.”
This Article demonstrates that an analysis of the assumptions and principles underlining privacy enhancing technologies (PETs) highlights the gap between the constitutional and information privacy frameworks. It argues that by embracing PETs, information privacy law can recalibrate to better protect individuals from surveillance and unwanted intrusions into their private lives. Conversely, if the law continues on its current trajectory, emphasizing organizational accountability and marginalizing data minimization and transparency, PETs would become unviable and individuals subject to increasingly stifling digital oversight.
The term “PETs” has been used loosely to describe a broad range of privacy technologies. In this Article, it is restricted to technologies specifically aimed at enabling individuals to engage in activities free from surveillance and interference. PETs allow individuals to determine what information they disclose and to whom, so that only information they explicitly share is available to intended recipients. They are based on three common objectives: eliminating the single point of failure inherent in any trusted data controller, minimizing data collection, and subjecting system protocols to community based public scrutiny.
This Article shows that while PETs are aligned with the objectives of the constitutional framework, they are not in tune with all of the assumptions, principles and goals of the information privacy framework. Over the past two decades, the information privacy framework has shifted to imposing information stewardship (“accountability”) obligations on data controllers, who act as custodians of personal data. The notion of the data controller as a trusted party is ill at ease with the anti-surveillance gist of constitutional privacy and PETs. In fact, the technological community researching PETs departs from a diametrically opposed perception of a data controller, that of an adversary. Under this approach, information disclosed to a data controller is compromised and can no longer be viewed as private. Proponents of this view point-out that after disclosure, it is almost impossible to control how personal information is used, concluding that PETs should limit information disclosure.
This Article asserts that policymakers should recognize and expand by appropriate regulatory measures the role of technologies that enable individuals to enforce their right to privacy as freedom from surveillance. Given that the legal framework is focused on the roles and obligations of data controllers, this Article categorizes PETs depending on the degree of data controller involvement.
The first category consists of PETs that require active implementation by a data controller. This includes PETs, such as private information retrieval or zero-knowledge protocols, which enable a data controller to provide a service that takes as input private user information without the controller becoming privy to such information. Yet if the controller does not invest in a privacy enhancing architecture, individuals would not benefit from privacy protections. The second category comprises client-side software deployed by a user within a service offered by a data controller. These include encryption tools that maintain the confidentiality of the contents of emails or social networking posts, including vis-à-vis the data controller. Here, controller implementation is not required; yet data controllers can (and actually do) try to limit deployment of PETs. The third category consists of PETs, which are collaborative applications without a data controller. For example, the Tor network relies on a decentralized architecture to enable users to communicate anonymously. Service providers can try to restrict users’ access to their service through Tor, thereby impeding the growth of its network.
After classifying the PETs and providing examples of their trust assumptions, design principles, objectives and strategies, this Article assesses the policy considerations involved in reforming the legal framework to tolerate, facilitate, or indeed mandate their use. This Article concludes by arguing that the current information privacy framework fails to adequately address surveillance concerns. By embracing PETs, it can recalibrate to focus on core concerns that have underlied the genesis of information privacy law on the ruins of totalitarian regimes in 20th century Europe.