12 May 2021

Privacy

'Comparing Constitutional Privacy and Data Protection Rights within the EU' by David Erdos comments 

Although both data protection and the right to privacy (or respect for private life) are recognised within the EU Charter, they are otherwise generally seen as having very different constitutional histories. The right of privacy is often seen as traditional and data protection as novel. Based on a comprehensive analysis of rights within EU State constitutions, it is found that this distinction is overdrawn. Only five current EU States recognised a constitutional right to privacy prior to 1990, although approximately three quarters and also the European Convention do so today. Subsidiary constitutional rights related to the home and correspondence but not honour and/or reputation are more long-standing and this helps link the core of privacy to the protection of intimacy. Constitutional rights to data protection emerged roughly contemporaneously and were often linked to a general right to privacy but are still only found in around half of EU States. There is also no clear consensus on specific guarantees, although around half of the States which recognise these do include rights to transparency and a slightly lower number right to rectification. This could suggest that data subject empowerment over a wide range of connected information is an important emerging particularity tied to data protection as a constitutional guarantee.

'Outsourcing Privacy' by Ari Ezra Waldman in (2021) 96 Notre Dame Law Review comments 

An underappreciated part of the narrative of privacy managerialism—and the focus of this Essay—is the information industry’s increasing tendency to outsource privacy compliance responsibilities to technology vendors. In the last three years alone, the International Association of Privacy Professionals has identified more than 250 companies in the privacy technology vendor market. These companies market their products as tools to help companies comply with new privacy laws like the General Data Protection Regulation, with consent orders from the Federal Trade Commission, and with other privacy rules from around the world. They do so by building compliance templates, pre-completed assessment forms, and monitoring consents, among many other things. As such, many of these companies are doing far more than helping companies identify the data they have or answer data access requests; many of them are instantiating their own definitions and interpretations of complex privacy laws into the technologies they create and doing so only with managerial values in mind. This undermines privacy law in four ways: it creates asymmetry between large technology companies and their smaller competitors, it makes privacy law underinclusive by limiting it to those requirements that can be written into code, it erodes expertise by outsourcing human work to artificial intelligence and automated systems, and it creates a “black box” that undermines accountability.