To many, the EU's 1995 Directive has failed. While the global trend toward adopting laws similar to the Directive suggests that many nations value privacy rights, commentators and empirical studies reveal significant shortcomings. The Directive is simultaneously over-inclusive and under-inclusive. It outlaws harmless activities while allowing exceptions that threaten to swallow the rule. Edward Snowden revealed a disrupting example showing that national governments enjoy wide latitude to collect and use personal information under the guise of national security.
The problem of protecting private information is exacerbated by technology that continues to leapfrog. Information privacy is made continually more difficult with each new app and innovation. The Internet of Things is more probable than speculative. Everyday objects — thermostats, garage doors, beer mugs — communicate with the Internet through sensors. Radio-frequency identification is a predicate to computer identification and assimilation of everyday physical objects, enabling the use of these objects to be monitored and inventoried by computers. Tagging and monitoring objects could similarly be accomplished by other technologies like near field communication, barcodes, QR codes and digital watermarking, raising the legitimate argument that informational privacy — at least as envisioned in the 1995 Directive’s absolute terms — is impossible.
Informational privacy cannot be accomplished by declaring it a fundamental right and outlawing all processing of personal information. To legally realize and enforce a privacy right in personal information, incremental, graduated, and practical legislation better achieves the goal than sweeping proclamations that apply to actions unrelated to the harms associated with the absence of the right. With information privacy in particular, a capacious claim of right to all personal information undermines legal enforcement because the harms attending lack of privacy are too often ill-defined and misunderstood. This paper reviews the shortcomings of the EU Directive, reviews new privacy challenges posed by the Internet of Things, and posits a regulatory regime based on risk of harm.