Who Killed Privacy?

[Straits Times]

It is more than a decade since the former CEO of Sun Microsystems infamously declared that privacy was dead, urging the reporters who had asked him about the subject to “get over it”.

That was before the launch of Facebook, Google’s Street View, the iPhone, and a proliferation of other tools that many saw as driving nails into privacy’s coffin.

As Singapore prepares to adopt a new Personal Data Protection Act, it is telling that the word “privacy” does not appear once in the draft legislation. This might be dismissed as a typically wary approach to rights by the government, but Europe is also reviewing its data protection regime in a way that renders privacy a marginal rather than central concern.

So who killed privacy?

The desire to keep certain aspects of one’s life private has ancient origins, but the assertion of a legal “right” to privacy is actually quite recent. Often traced to late-nineteenth century developments in the United States, it was a response to the rise of sensationalistic journalism, the invention of the handheld camera, and changing views on the proper role of mass media. At the heart of this early conception of privacy was the right “to be let alone”.

The latter half of the twentieth century saw a second phase in the evolution of privacy. Prescient warnings were issued in the 1960s about computerisation increasing the amount of information available to governments and other actors. Much information that one might consider private — aspects of one’s family life, finances, medical records, for example — had long been effectively protected through the difficulty of locating and analysing specific records. When the same records are computerised and stored in a form accessible by a variety of actors, this practical obscurity may disappear.

But computers didn’t kill privacy.

In the United States, these concerns were addressed piecemeal as they arose. In Europe, a more thematic approach was adopted, linked to the protection of human rights that became a priority after the atrocities of the Second World War. Across Asia, the absence of European-style rights meant that, until recently, an ad hoc approach was taken — or, as in many jurisdictions, the matter was either left to the market or ignored.

The early years of the twenty-first century saw another shift in the way in which data are used and the beginning of a third phase.

The popularity of social networking sites like Facebook has radically increased the number of organisations with which individuals share personal data. Name, contact details, birthday, relationship status, and the contents of updates are shared with nominal “friends” and frequently with anyone able to access the Internet.

One measure of the transformation underway is that Facebook overtook Google to be the most visited Web site in 2010 — perhaps marking the point at which sharing information became as popular as searching for it.

But Mark Zuckerberg didn’t kill privacy.

Such trends and the cookies and spyware — not to mention our “smart” phones — mean that the amount of personal data being collected has grown to the point where it is becoming harder and harder to stop that collection.

This explains the turn to personal data protection rather than privacy as such, recognizing that the key problem is not preserving a sphere of life isolated from the public gaze, but regulating the flow of information.

* * *

For Singapore, the driving force behind reform differs from the United States and Europe.

Like the European model, the hope is to have a principled rather than piecemeal regime. But the principles relate less to the shifting boundaries of one’s nominal “private life” than they do to adopting standards that will allow participation in and seamless integration with global economic and business networks.

There have been two rounds of consultations on the proposed data protection regime and the Do Not Call registry. In March, the Ministry of Information, Communications and the Arts (MICA) took the unusual step of publishing draft legislation for additional comments.

That process — and the obvious efforts to demonstrate sensitivity to industry concerns — suggest that the new law is intended to facilitate rather than impede commerce. (Public agencies are excluded from the law entirely, though the government didn’t kill privacy either.)

The basic obligations under the draft legislation are that collection, use, and disclosure of personal data are permissible only with the actual or deemed consent of an individual, or where required by law.

Actual consent means that you must be informed of the purpose for which your data are being collected, used, or disclosed. An organisation cannot require your consent to wider disclosure than is required for the product or service. For example, you shouldn’t need to give your NRIC number to take part in a lucky draw.

A lingering question is whether consent may be presumed if an individual has failed to “opt-out” of a data collection scheme. The legislation presently limits “deemed” consent to circumstances in which an individual voluntarily provides the personal data and it is reasonable that he or she would provide the data.

This is important. As most of us know, it is hard to keep up with Facebook’s ever-changing privacy policies or the iTunes terms and conditions (presently 17,000 words and counting).

Indeed, the inclusion of a “reasonableness” requirement may address one of the most basic problems confronting data protection globally: the illusion of consent.

In theory, consent can be used to regulate the appropriate flow of personal data. But in practice that is not what happens — either because consumers do not understand the options or companies do not give them a meaningful choice.

In theory we could refuse to accept this situation. But in practice we scroll past the pages of legalese and click “I accept”.

And this highlights the central contradiction of privacy: most people claim to care about privacy and yet carry on their lives in a way that is radically inconsistent with that view.

So who killed privacy? We all did, of course. Accidentally, perhaps.

Or maybe, like the fairies in Peter Pan, privacy only lived as long as we continued to believe in it.

The writer is the dean of the National University of Singapore Faculty of Law.

Published in the Straits Times on 26 May 2012.