Vol. 9 No. 10 (October 1999) pp. 436-439.
VISIONS OF PRIVACY: POLICY CHOICES FOR THE DIGITAL AGE by
Colin J. Bennett and Rebecca Grant (Editors). Toronto:
University of Toronto Press, 1999. 287 pp. Cloth $60.00.
Paper $22.95. ISBN 0-8020-8050-2.
Reviewed by Robert Brookshire, Computer Information Systems
and Operations Management Program, James Madison
University.
Through advances in technology, the development of
large databases, the global reach of the Internet, and the
ubiquity of computers in homes, corporations and government
offices, during the last decade of the twentieth century
the potential for invasions of privacy has increased
dramatically. National and international laws protecting
the privacy of individuals have failed to keep pace with
these changes. In some countries, especially the United
States, privacy protections have never been particularly
strong.
Colin J. Bennett and Rebecca Grant have assembled a
volume of papers that document how serious the problem is,
how we have arrived at this situation, and what directions
policy makers and activists should take to address this
threat. VISIONS OF PRIVACY began as a collection of papers
written by academics, privacy advocates and government
privacy regulators, presented at an international
conference on privacy held in 1996 in Victoria, British
Columbia. Through the judicious selection of papers and
careful organization the editors have put together a volume
that is much more than a group of disparate essays.
VISIONS OF PRIVACY is an effective and comprehensive
introduction to the entire domain of privacy issues arising
with the advent of advanced digital technology.
The volume is arranged into five sections. The first,
"Ethical and Value Choices," surveys the history of
privacy, sets forth some general principles of privacy
ethics, and discusses general approaches to privacy
protection. The second section, "Technology and Regulatory
Choices," focuses on various new electronic privacy-
enhancing technologies that provide powerful new tools to
allow individuals to control access to their personal
information. In "Market Choices," the essayists explore
market-based techniques that would encourage corporations
to respect the privacy of their customers. "Global
Choices" addresses the problem of the flow of information
across borders in an environment of nonequivalent national
privacy rights and protections. In the final section,
"Choices for Privacy Advocates," the authors address the
challenges that privacy advocates and policy makers face in
increasing the salience of privacy protection with the
general public, politicians and government bureaucracies.
David H. Flaherty, Information and Privacy
Commissioner for the province of British Columbia, leads
off the volume with an overview of the state
Page 437 begins here
of privacy at the end of the second millennium. In
his view, privacy has been threatened throughout history in
the West, either by a pervasive surveillance ideology in
society (e.g., Puritan New England), or by advances in
surveillance technology. Compounding the problem today,
most people have no idea of the extent to which their
privacy is threatened when they consume government services
or enter into transactions with corporations. He concludes
that there is a critical need for the expansion of privacy
protections, especially in the private sector.
In "Ethics for a New Surveillance," Gary T. Marx of
the University of Colorado at Boulder offers an expanded
set of principles of fair information practice. The
current set of standards, which have been evolving since
the early 1980s include several principles. These
principles hold that organizations collecting data (1)
should be accountable for that data, (2) should identify
the purposes for which data is collected, (3) obtain the
informed consent of the individual, (4) keep data
collection to minimum, (5) not disclose data without
consent, (6) retain the information only as long as
necessary, (7) maintain the data's accuracy, (8) secure the
information, (9) be open about its data practices, and (10)
allow individuals to access and correct data about them.
Marx proposes replacing these ten principles with twenty-
nine questions that address the methods used to collect
information, the context of the data collection, and the
goals of the collection process. These include such
questions as, "Does the data collection technique cause
unwarranted physical or psychological harm?" "Are
individuals aware that data is being collected?" and "Is
there an appropriate balance between the importance of the
goal and the cost of the means?" Through this expanded set
of principles, Marx hopes to preserve the dignity of the
individual in the face of privacy threatening technologies.
In the third essay in the section on ethical choices,
Charles D. Raab of the University of Edinburgh challenges
the doctrine that privacy protection should be a balance
between safeguarding individual privacy and satisfying
social, political or economic goals. The idea of balance
implies that privacy rights are opposed to other rights or
societal ends. If privacy is a fundamental human right,
then the notion of balancing it against other societal
needs is an affront to human dignity. Raab advocates a
paradigm of "steering" instead of balance that would
encourage regulators to drive policy in a desired direction
rather than merely accommodating competing interests. It
is not entirely clear how this would result in vastly
different privacy protection policies, as Raab admits. He
does raise provoking questions about the foundation of
privacy protection policies that reveal the source of at
least some of our current problems.
Janlori Goldman of Georgetown University introduces
the notion of giving individuals technological tools to
assist in maintaining their privacy. These privacy-
enhancing technologies (PETs) would give people control
over the collection and use of personal information. This
is opposed to the current standard for most of the private
sector in the United States under which persons must
specifically "opt out" or object
Page 438 begins here
to the collection or reuse of data about their lives.
Otherwise, the collector is free to use the data as he or
she wishes. Goldman gives few specifics about what these
technologies would look like, but some of these are
discussed in the following two essays.
Ann Cavoukian's chapter concentrates on the
application of PETs in health care information. Few
patients realize how widely their health records are
distributed, and how weak are the legal protections for
this type of data. Cavoukian, Privacy Commissioner of
Ontario, calls for the incorporation of PETs in the design
and construction of health care information systems,
including sophisticated digital signatures for
authentication and encryption for biometric data. These
technologies would enhance personal privacy while
preserving access for legitimate health care uses.
Robert Gelman, former chief counsel to the
Subcommittee on Government Information of the U.S. House of
Representatives, also focuses on health care records. He
describes the many challenges facing policy makers and
privacy advocates seeking to protect health information.
Although the principle of informed consent nominally guides
the collection of most health data, in practice patients
have almost no control over personal information being
shared among health care workers, insurers, government
agencies and researchers. PETs can offer some protections
but may not be able to withstand pressures that facilitate
or demand access to health data, such as a health care
identification number or genetic treatments that affect not
only the patient but also the patient's offspring.
Mary J. Culnan and Robert J. Bies author the first
essay in the section on privacy and business. In "Managing
Privacy Concerns Strategically: The Implications of Fair
Information Practices for Marketing in the Twenty-first
Century," they argue that marketers who follow fair
information practices, such as those described by Marx,
will gain the trust of consumers. These trusting consumers
are less likely to defect and more likely to help attract
new customers through word of mouth. Businesses should
protect customer privacy through enlightened self-interest.
In "Toward Property Rights in Personal Data," James
Rule and Lawrence Hunter propose the creation of a new
property right over the commercial exploitation of personal
data. Following the work of Kenneth Laudon and others,
Rule, of SUNY Stony Brook, and Hunter, of the National
Library of Medicine, present a forceful argument in favor
of individuals exploiting the use of their own personal
information, much like mineral or intellectual property
rights. Companies who use these data should pay royalties
that would be collected by a central agency, much as BMI
and ASCAP collect royalty payments for musical works. This
would allow individuals to control the use of their
personal information.
Rene Laperriere, of the University of Montreal at
Quebec, describes the approach Quebec has taken to the
protection of privacy. Quebec is the only jurisdiction in
North America
Page 439 begins here
that protects privacy in both its basic law and civil
code and that extends the protection of privacy to both the
private sector and the public sector. Unfortunately,
Laperriere concludes, Quebec's law, far reaching though it
may be, is still inadequate to cope with the challenges
posed by global information technology.
In "American Business and the European Data Protection
Directive: Lobbying Strategies and Tactics," Priscilla M.
Regan of George Mason University examines the approaches
American businesses used to influence the development of
the European Union's effort to protect privacy. U.S.
businesses were successful in modifying the European
Union's directive because the complexity and length of the
decision process allowed firms multiple access points and
plenty of time to marshal their forces. This success
underscores the global nature of privacy protection issues.
Fordham University's Joel R. Reidenberg emphasizes the
global reach of privacy legislation in his paper. He
maintains that the data protection standards established by
the European Union will ultimately become the norm for the
United States as well, and American firms will adjust their
practices to conform to those of their trading partners and
markets.
Privacy activists write the two final essays in the
book. The first, by the Executive Director of the British
Columbia Civil Liberties Association, John Westwood,
describes two cases in which the BCCLA was involved. The
first case was the creation of a province-wide data bank of
drug prescription information, while the second case
concerned the videotaping of police calls. The BCCLA was
also involved in cases affecting workplace drug testing,
criminal record checks, and data matching by government
social service agencies. Westwood concludes that the
BCCLA's mixed record of success in these cases is due at
least in party to citizens and policy makers placing other
interests ahead of privacy protection.
The final paper is by Simon Davies, Director General
of Privacy International. Davies surveys the state of
privacy activism worldwide. He argues that although
governmental and corporate challenges to privacy are
formidable, the increasing expertise and sophistication of
privacy advocates have resulted in increased visibility for
the movement. He concludes that it may be possible for
privacy advocates to counter the success of anti-privacy
interests.
Bennett and Grant have put together a highly readable
set of essays on the challenges to privacy in the
information age. Collectively, the authors in this volume
agree that current privacy protection legislation has not
kept up with advances in technology and that the public is
largely unaware of the extent to which privacy is
threatened. Opportunities exist for policy makers and
privacy advocates to address these problems, and this
volume contains some guides for these efforts. It should
be of interest to students, researchers, policy makers and
privacy advocates who are involved in this rapidly changing
mix of law, technology and ethics.
Copyright 1999