Page 1: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION AND INFORMATION PRIVACY LAWS

Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons) (London South Bank University, UK)

Submitted in fulfilment of the requirements for the degree of PhD by publications

Faculty of Law, Queensland University of Technology, 2011


Keywords

Data Breach Notification Law – Information Privacy Law – Data Protection – Contextualisation – Information Security Law


Abstract

Mandatory data breach notification laws are a novel and potentially important legal instrument regarding organisational protection of personal information. These laws require organisations that have suffered a data breach involving personal information to notify those persons that may be affected, and potentially government authorities, about the breach. The Australian Law Reform Commission (ALRC) has proposed the creation of a mandatory data breach notification scheme, implemented via amendments to the Privacy Act 1988 (Cth). However, the conceptual differences between data breach notification law and information privacy law are such that it is questionable whether a data breach notification scheme can be solely implemented via an information privacy law. Accordingly, this thesis by publications investigated, through six journal articles, the extent to which data breach notification law was conceptually and operationally compatible with information privacy law.

The assessment of compatibility began with the identification of key issues related to data breach notification law. The first article, Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches, began this stage of the research, which concluded in the second article, The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments (‘Mandatory Notification’). A key issue that emerged was whether data breach notification was itself an information privacy issue. This notion guided the remaining research and focused attention towards the next stage of research, an examination of the conceptual and operational foundations of both laws. The second article, Mandatory Notification, and the third article, Encryption Safe Harbours and Data Breach Notification Laws, did so from the perspective of data breach notification law. The fourth article, The Conceptual Basis of Personal Information in Australian Privacy Law, and the fifth article, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws, did so for information privacy law.

The final article, Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws, synthesised previous research findings within the framework of contextualisation, principally developed by Nissenbaum. The examination of conceptual and operational foundations revealed tensions between both laws and shared weaknesses within both laws. First, the distinction between sectoral and comprehensive information privacy legal regimes was important as it shaped the development of US data breach notification laws and their subsequent implementable scope in other jurisdictions. Second, the sectoral versus comprehensive distinction produced different emphases in relation to data breach notification, thus leading to different forms of remedy. The prime example is the distinction between market-based initiatives found in US data breach notification laws compared to rights-based protections found in the EU and Australia. Third, both laws are predicated on the regulation of personal information exchange processes, even though each law regulates this process from a different perspective, namely a context independent or a context dependent approach. Fourth, both laws have limited notions of harm that are further constrained by restrictive accountability frameworks.

The findings of the research suggest that data breach notification is more compatible with information privacy law in some respects than others. Apparent compatibilities clearly exist as both laws have an interest in the protection of personal information. However, this thesis revealed that ostensible similarities are founded on some significant differences. Data breach notification law is either a comprehensive facet of a sectoral approach or a sectoral adjunct to a comprehensive regime. However, whilst there are fundamental differences between both laws, they are not so great as to make them incompatible with each other. The similarities between both laws are sufficient to forge compatibilities, but it is likely that the distinctions between them will produce anomalies, particularly if both laws are applied from a perspective that negates contextualisation.


Table of Contents

CHAPTER 1 - INTRODUCTION ..... 1
1.1 DESCRIPTION OF THE RESEARCH PROBLEM ..... 1
1.2 OVERALL OBJECTIVE OF THE THESIS ..... 4
1.3 SPECIFIC AIMS OF THE THESIS ..... 5
1.4 THE SIX JOURNAL ARTICLES ..... 6
1.5 LINKING THE ARTICLES: PROGRESSION OF RESEARCH ..... 7
1.6 STRUCTURE OF THE THESIS ..... 9
1.7 CONCLUSION ..... 10

CHAPTER 2 - LITERATURE REVIEW ..... 11
2.1 INTRODUCTION ..... 11
2.2 DATA BREACH NOTIFICATION LAW ..... 11
2.2.1 US Data Breach Notification Laws ..... 13
2.2.2 Australian Data Breach Notification Developments ..... 33
2.2.3 Other Jurisdictional Developments ..... 41
2.3 INFORMATION PRIVACY LAW ..... 47
2.3.1 Conceptual Underpinnings ..... 47
2.3.2 Founding Legal Instruments & Legislative Developments ..... 53
2.3.3 Key Contemporary Analyses ..... 63
2.4 SUMMARY – GAPS IN THE LITERATURE ..... 70

CHAPTER 3 - STAKEHOLDER PERSPECTIVES ..... 72

CHAPTER 4 - MANDATORY NOTIFICATION ..... 94

CHAPTER 5 - ENCRYPTION SAFE HARBOURS ..... 111

CHAPTER 6 - CONCEPTUAL BASIS ..... 129

CHAPTER 7 - FIRST GENERATION LAWS ..... 158

CHAPTER 8 - CONTEXTUALIZING TENSIONS AND WEAKNESSES ..... 209

CHAPTER 9 - GENERAL DISCUSSION ..... 278
9.1 LINKING THE ARTICLES: LOGICAL PROGRESSION ..... 278
9.1.1 Identification of Key Compatibility Issues ..... 279
9.1.2 Investigation of Conceptual and Operational Foundations ..... 281
9.1.2.1 Data Breach Notification Law ..... 282
9.1.2.2 Information Privacy Law ..... 287
9.1.3 Synthesis of Findings ..... 292
9.1.4 Summary - Assessment of Compatibility ..... 298
9.2 SIGNIFICANCE OF THE RESEARCH ..... 300
9.3 LIMITATIONS OF THE RESEARCH ..... 302
9.4 FUTURE RESEARCH DIRECTIONS ..... 302
9.4.1 Revising Data Breach Notification Law ..... 302
9.4.2 Contextualising Information Privacy Law ..... 303
9.4.3 Recommendations for an Australian Data Breach Notification Law ..... 304
9.5 CONCLUDING REMARKS ..... 305

BIBLIOGRAPHY ..... 308


List of Publications

♦ Lane, B et al, 'Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches' (2010) 15(1) Media and Arts Law Review 149;

♦ Burdon, M, Lane, B and von Nessen, P, 'The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments' (2010) 26(2) Computer Law & Security Review 115;

♦ Burdon, M, Reid, J and Low, R, 'Encryption Safe Harbours and Data Breach Notification Laws' (2010) 26(5) Computer Law & Security Review 520;

♦ Burdon, M and Telford, P, 'The Conceptual Basis of Personal Information in Australian Privacy Law' (2010) 17(1) Murdoch Elaw Journal 1;

♦ Burdon, M, 'Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws' (2010) (1) University of Illinois Journal of Law, Technology and Policy 1; and

♦ Burdon, M, 'Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws' (2010) 27(1) Santa Clara Computer and High Technology Law Journal (forthcoming).


Statement of Original Authorship

The work contained in this thesis has not been previously submitted to meet requirements for an award at this or any other higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made.

Signature: _________________________

Date: _________________________


Acknowledgements

I love reading the Acknowledgements section of PhD theses because it provides a glimpse of the amount of individual and community effort involved in completing a thesis. So with that in mind...

I would like to thank my supervisors Sharon Christensen, Bill Lane and Evonne Miller for their help and for their contribution to the research. I would also like to thank Kerry Brown for her supervisory contribution in the early stages of the research. I am also grateful for the support provided by QUT’s Information Security Institute and in particular from Ed Dawson. Finally, I would particularly like to extend my sincere thanks to Bill Duncan for his support throughout my research and my time at QUT.

I would also like to thank my co-authors Bill Lane, Paul von Nessen, Evonne Miller, Paul Telford, Jason Reid and Rouhshi Low and acknowledge their respective contributions. I would particularly like to thank Paul von Nessen for sharing his experience in relation to the tricks of the academic publication trade. I also extend my sincere thanks to Jason for his valued expertise into the Encryption Safe Harbours article and indeed our previous research of the last few years. Jason is one of the smartest individuals that I’ve worked with and his commitment to research integrity is inspiring.

Special thanks are obviously directed to my family both here in Australia and back home in the UK. I’m grateful to Jan, Charlie, Jonah, Heather and John for their continuous support and for their willingness to provide a listening ear.

It’s difficult to know how to thank my partner, Sally, in much the same way as it is difficult to be grateful for oxygen or sunlight. I’m forever thankful, for everything.

Special thanks also go to our children. Tom was born in the first year of my PhD. Watching him grow and his sheer fascination with everyday life has been an inspiration to a budding researcher. Sophie was born at the very end of my PhD and provided the most wonderful incentive to complete the research.

Finally, I dedicate this thesis to my parents, Bill and Jean, and acknowledge that it would not have been possible without the love, support and dedication which they have shown me throughout my life.


A Note on the Thesis

I believe that a thesis by publications should be strongly represented by its publications. As such, I have, where possible, included the published versions of my articles in order to retain their individual integrity, context and content. The exception is Contextualizing Tensions and Weaknesses, which was still in the production process at the time of printing. Thus the final pre-print version of that article is included. Needless to say, the inclusion of final articles has caused an issue or two in terms of formatting, numbering and spelling.

I have not attempted to re-number the journal articles, so consequently the thesis chapters are numbered sequentially whereas the article chapters are not. Likewise, I have not attempted to standardise the citation style between the thesis chapters and the non-Australian articles. The thesis chapters adopt the Australian Guide to Legal Citation whereas the journal articles use the journals’ requested citation styles. Two of my articles were also published in the US and hence spelling differences emerge between the US and the other articles. Throughout Chapters One and Nine I therefore refer to my article “Contextualizing Tensions and Weaknesses” with the US spelling.

Finally, there is a degree of repetition between the various literature reviews detailed in Chapter 2 and the articles. In particular, sections 2.3.2 and 2.3.3 are replicated in First Generation Laws and Contextualizing Tensions and Weaknesses respectively. The scale of the thesis required a replication of some key arguments, but I apologise to readers for any annoyance generated by coverage of the same ground twice over.


CHAPTER 1 - INTRODUCTION

The opening chapter provides an introductory overview to the thesis and the six published journal articles that comprise the main body of work. Section 1.1 describes the research problem examined. Section 1.2 details the overall objective of the thesis and section 1.3 outlines specific aims. Both objectives and aims were directed by one key research question and two supplementary research questions respectively. Section 1.4 references the six journal articles and section 1.5 demonstrates how the six articles are linked together to form a coherent investigation throughout the progression of the research. Section 1.6 briefly outlines the structure of the remaining thesis and section 1.7 briefly concludes the introduction.

1.1 DESCRIPTION OF THE RESEARCH PROBLEM

Governments, corporations and individuals are now dependent upon the provision, collection and re-use of personal information for access to essential services. The transition to the ‘Information Society’ has resulted in an explosion of personal information collection. Corporate and government interest in the collection of personal information has been manifest, and vast commercial databases have been developed that hold the personal details of millions of individuals. A concomitant effect of both the transition and the increase of personal information collection has been the enhanced commercial and social value placed on personal information. Put simply, databases of personal information are now a valuable commodity, as the information they hold can be re-packaged and re-sold in many different forms.

The increased value of personal information has attracted unwanted attention from criminal organisations. Stolen identities can be turned into cash through identity theft crimes. Such crimes generally occur in two ways. First, criminals illegally acquire personal information, particularly usernames, passwords, credit card details or other banking details, that enables them to access an individual’s bank account. Second, identifying personal information such as name, date of birth and address is acquired and then used by criminals to open new bank accounts or obtain new credit cards using the stolen identity. Vast and sophisticated online criminal enterprises exist solely to sell stolen personal information and exchange expertise on technological developments. Corporate and government data holdings of personal information are therefore constant targets for attack by criminally oriented computer hackers.

However, identity theft related attacks are not the only problem for corporate and governmental organisations. Human fallibilities regarding the protection of personal information appear to be inevitable and a constant headache for security conscious organisations. Hence confidential files are accidentally left on commuter trains by employees. Laptops or storage media that contain vast amounts of personal information are lost or stolen. Outdated computer and copying equipment is not decommissioned properly. Personal information is inadvertently published on the Internet or is disposed of incorrectly. These types of incidents have collectively become known as data breaches.

Data breaches would previously not have attracted the levels of media attention or social dismay that they do now. However, the value of personal information has increased and so too have the risks of unauthorised acquisition and misuse. These environmental changes have forced renewed legal attention towards corporate and governmental information security measures regarding the protection of personal information. Legal requirements for organisations exist in the form of information privacy laws. These laws provide protections for individuals in the form of limited rights of involvement in the process of personal information exchange. Information privacy laws therefore confer upon organisations legal obligations related to the collection, storage and re-use of personal information. As regards data breaches, organisations are required to implement adequate security measures to ensure that personal information collected is kept secure. However, the ever-increasing sophistication of computer hackers and the continuing fallibility of employees have raised questions about the effectiveness of the security related elements of information privacy law.

It is against this background that a new type of law was developed, predominantly in the state-based legislatures of the United States (US). Mandatory data breach notification laws are a novel and potentially important development that entails organisational legal obligations to protect personal information. These laws require organisations that have suffered a data breach of personal information to notify those persons that may be affected, and potentially government authorities, about the breach. The laws generally serve two purposes. First, they enable individuals to mitigate the risks arising from a data breach, particularly in relation to identity theft crimes. As such, data breach notification laws promote an individual’s right to know about the uses and misuses of their personal information. Second, they provide a market-based incentive for the enhancement of organisational information security measures in relation to the protection of personal information. The laws recognise that individuals cannot protect their own personal information that is held by organisations, so the organisation must do it on their behalf.

The first law, California Civil Code § 1798.82(a), came into force in 2003 and has been a basis for further legislative developments throughout the US and in other international jurisdictions. All but four US state-based legislatures have enacted data breach notification laws, and law reform proposals have been put forward in many countries including Australia, Canada and New Zealand. Data breach notification laws are therefore viewed as a potential remedy to address the multi-faceted problems of personal information protection, inadequate corporate information security measures and the rapid increase of identity theft crimes. However, these are substantial aims for any law to achieve, never mind a law that is founded on the narrow objective of identity theft mitigation. It is not surprising therefore that competing interests reside at the conceptual heart of data breach notification law: consumer protections founded upon an individual’s right to know versus the compliance cost issues for corporations related to notification. The conceptual underpinnings and operation of data breach notification law are consequently an important topic to examine given the role of the law as an adjunct to, or even a replacement for, information privacy legal frameworks.

Data breach notification laws flourished in the sectoral information privacy legal framework of the US as a remedy to some fundamental failings of that framework. Sectoral frameworks reject uniform approaches to information privacy and instead create a myriad of different privacy related laws to remedy specific social problems or regulate personal information in particular industrial sectors. Data breach notification laws have been successful in unearthing a previously unknown and significant social problem, which has made the laws an attractive prospect for other jurisdictions, including those that operate uniform or comprehensive information privacy law regimes. These regimes differ from the US because they have one overarching information privacy legal framework that applies to most organisations regardless of their industrial sector or the type of personal information handled.

A greater understanding of the conceptual and operational bases for both laws is therefore essential given the widespread uptake of mandatory data breach notification schemes in all types of information privacy legal frameworks. Data breach notification laws have only been developed within the last decade, and information privacy laws were only first implemented during the 1970s and 1980s. Both laws therefore have relatively short histories and their effects are still being fully understood. Moreover, the relationship between both laws has yet to be fully realised. There are evident similarities between both laws as they are both intended to provide legal rights related to the protection of personal information. However, whilst there are apparent similarities between both laws there are also significant differences between them. It is by no means clear cut therefore whether US data breach notification laws, founded within sectoral information privacy law frameworks, are compatible with comprehensive information privacy law frameworks such as Australia’s. These are important issues given the uptake of data breach notification laws throughout the world and their use as a means to mitigate the ever increasing rate of identity theft crimes.

1.2 OVERALL OBJECTIVE OF THE THESIS

The overall objective of the study was to investigate to what extent US mandatory data breach notification laws are compatible with information privacy laws, particularly those found in comprehensive legal frameworks. As highlighted in the previous sub-section, a greater understanding of the relationship between data breach notification and information privacy laws is required that goes beyond the obvious correspondence to the protection of personal information. If data breach notification laws are to become a part of information privacy legal regimes, it is important to identify both strengths and weaknesses of both laws and also their differences and similarities. Accordingly, the overall objective of the thesis was guided by a key research question, namely:

1. To what extent are US mandatory data breach notification laws compatible with information privacy laws?


As the research progressed, it became clear that one of the fundamental differences between both laws was the way in which they attempted to address the complex issue of contextualisation. Information privacy laws generally attempt to incorporate issues of social context within the application of legal frameworks, whereas data breach notification laws tend to negate a contextual application. Contextualisation and the sectoral versus comprehensive origins of both laws consequently became a flexible framework from which to investigate differences and similarities. This in turn was developed from, and prompted, an iterative examination of the conceptual underpinnings and operational application of both laws as addressed by the aims of the thesis.

1.3 SPECIFIC AIMS OF THE THESIS

The thesis aims were developed as a platform to examine and address the overall objective of the thesis as represented through the primary research question. The aims therefore prompted an investigation to identify the key compatibility issues between both laws and examine the conceptual and operational foundations of both laws. The study was consequently guided by two supplementary research questions, namely:

2. What are the key issues relating to the compatibility of US mandatory data breach notification laws and information privacy law?

3. What are the conceptual and operational foundations of:

A. US mandatory data breach notification laws?; and

B. Information privacy laws, particularly comprehensive legal frameworks such as Australia’s?

Key compatibility issues were identified in two ways: from the perspective of Australian industry and regulatory authorities that have a vested interest in data breach issues, and from a critical analysis of the US literature on data breach notification law with respect to both Australian and European Union (EU) developments. The purpose of this aim was to investigate key differences between both laws that would lead to a further and deeper investigation into identified areas of interest. Given the acknowledged differences between the US and Australian information privacy law regimes, the perspectives of industry participants were sought to confirm and clarify that some of the key issues identified in the US literature were pertinent to the Australian situation.

A key subject which came out of the investigation into key issues of compatibility was the general concern about whether data breach notification was itself an information privacy concern. This issue prompted an examination of the conceptual and operational foundations of both laws to critically investigate cornerstone foundations that would further enable an assessment of compatibilities. The identification and examination of conceptual and operational differences was again conducted within a framework of contextualisation, with specific reference to the distinction between sectoral and comprehensive information privacy legal frameworks. This focus highlighted some significant differences in application between data breach notification and information privacy laws, which give rise to market-based compliance concerns and rights-based protections respectively.

1.4 THE SIX JOURNAL ARTICLES

The six journal articles are listed below with their designated article numbers, which will be referred to during the remainder of this Chapter and Chapter Nine. All journals are ranked under the Australian Research Council’s (ARC) Excellence in Research for Australia (ERA) program and the ERA rank is detailed at the end of each reference in brackets. The articles largely follow chronological order and have been numerically ordered to represent the progression of research.

1. Lane, B et al, 'Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches' (2010) 15(1) Media and Arts Law Review 149 (hereafter ‘Stakeholder Perspectives’) (B);

2. Burdon, M, Lane, B and von Nessen, P, 'The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments' (2010) 26(2) Computer Law & Security Review 115 (hereafter ‘Mandatory Notification’) (B);

3. Burdon, M, Reid, J and Low, R, 'Encryption Safe Harbours and Data Breach Notification Laws' (2010) 26(5) Computer Law & Security Review 520 (hereafter ‘Encryption Safe Harbours’) (B);

4. Burdon, M and Telford, P, 'The Conceptual Basis of Personal Information in Australian Privacy Law' (2010) 17(1) Murdoch Elaw Journal 1 (hereafter ‘Conceptual Basis’) (C);

5. Burdon, M, 'Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws' (2010) (1) University of Illinois Journal of Law, Technology and Policy 1 (hereafter ‘First Generation Laws’) (B); and

6. Burdon, M, 'Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws' (2010) 27(1) Santa Clara Computer and High Technology Law Journal (forthcoming and hereafter ‘Contextualizing Tensions and Weaknesses’) (B).

It should be noted that article five, First Generation Laws, has two components: the identification and classification of privacy invasive geo-mashups and a critique of first generation information privacy laws in light of changing personal information exchange relationships. Accordingly, not all sections of First Generation Laws are relevant to this thesis. However, Part IV and Part V of the article are essential to the overall progression of the research as they laid the foundation for further examination of information relationships and contextualisation issues, which were covered in the final article, Contextualizing Tensions and Weaknesses.

1.5 LINKING THE ARTICLES: PROGRESSION OF RESEARCH

The progression of the thesis was guided by the research questions detailed above. Accordingly, the articles are linked together in three different stages of research:

1. Identification of key compatibility issues in relation to data breach notification and information privacy law, as examined in article one, Stakeholder Perspectives, and article two, Mandatory Notification, to address supplementary research question two.

2. Investigation of the conceptual and operational foundations of both data breach notification and information privacy laws. Mandatory Notification and article three, Encryption Safe Harbours, addressed the first part of supplementary question three, and article four, Conceptual Basis, and article five, First Generation Laws, addressed the second part. The four articles consequently addressed research questions 3A and 3B respectively.

3. Synthesis of research findings to examine compatibility issues between both laws, as outlined in article six, Contextualizing Tensions and Weaknesses, to address research question one.

The remainder of this section provides a brief overview of how the articles are linked together, which is outlined in greater depth at Chapter Nine. The text below overviews how each research question is addressed in each journal article.

1. To what extent are US mandatory data breach notification laws compatible with information privacy laws? The key research question of the thesis is addressed by Contextualizing Tensions and Weaknesses, which synthesises the research findings from the previous five articles and provides a critical analysis of whether data breach notification and information privacy laws are compatible. Contextualizing Tensions and Weaknesses is therefore the core of the thesis and explicitly develops the theme of contextualisation that tacitly emerges from the previous five articles.

2. What are the key issues relating to the compatibility of US mandatory data breach notification laws and information privacy law? Stakeholder Perspectives and Mandatory Notification identify the key issues arising from the implementation and operation of data breach notification law within the ambit of information privacy legal frameworks. This is conducted from two perspectives. The first, in Stakeholder Perspectives, is the viewpoint of industry and regulatory participants who encounter data breach issues in Australia as part of their employment. The second, in Mandatory Notification, is a legal perspective that compares the use of data breach notification in the US, the EU and Australia. The findings of the first two articles provided the basis for further analysis both in terms of data breach notification law and information privacy law.

3. What are the conceptual and operational foundations of:

A. US mandatory data breach notification laws? Mandatory Notification and Encryption Safe Harbours investigate the conceptual purposes and operational application of data breach notification laws in the US and in other jurisdictions. Mandatory Notification provides an analysis of legal initiatives in the US, the EU and Australia which highlights differences in approach between different jurisdictions. These differences are investigated further in Encryption Safe Harbours by examining how these different jurisdictions use encryption, which reveals significant divergences relating to market-based approaches to regulation developed in the US and rights-based protections founded in the EU and in Australia. These issues are explored in considerable depth in Contextualizing Tensions and Weaknesses, which examines the differences between both laws from the perspective of sectoral versus comprehensive information privacy legal frameworks and market-based initiatives versus rights-based protections.

B. Information privacy laws, particularly comprehensive legal frameworks such as Australia? Conceptual Basis and First Generation Laws investigate two central elements of the conceptual rationale and operational function of information privacy laws. Conceptual Basis investigates how personal information is conceptualised in Australian privacy law. It emphasises that contextualisation is an integral element of Australian privacy law and is central to defining what personal information is. First Generation Laws examines the social relationships that are inherent to information privacy issues and uses a major data breach involving publication of personal information on the Internet to demonstrate the limits of first generation information privacy laws in relation to information society developments. It again emphasises the importance of contextualisation and forms a substantial basis for analysis in Contextualizing Tensions and Weaknesses.

1.6 STRUCTURE OF THE THESIS

The remaining chapters of the thesis are structured as follows. Chapter Two reviews the literature on data breach notification and information privacy laws. The literature review focuses on the conceptual development and legislative application of both laws with an emphasis on the US situation. The six articles are then inserted in sequential order in Chapters Three to Eight respectively. In conjunction with the requirements of a thesis by publications, Chapters Three to Six begin with a statement by the author that confirms the author’s and co-authors’ contributions. Chapter Nine concludes the thesis and provides an in-depth overview of how the six articles are linked together. The logical progression of the thesis is demonstrated by the contribution made by each article within the three stage process outlined above. Chapter Nine then demonstrates how each article contributes to the resolution of the thesis’s research questions and thus makes an assessment about the extent to which both laws are compatible with each other. The significance of the research is examined with reference to the literature and limitations are also briefly highlighted. The thesis concludes with some potential future research directions and some general recommendations for the development and implementation of an Australian data breach notification law.

1.7 CONCLUSION

This thesis investigates the compatibilities between data breach notification and information privacy law. US data breach notification laws have revealed many instances of corporate and governmental failures to protect personal information. Data breach notification laws are now being implemented throughout the world and law reform has been strongly suggested in Australia. It is therefore important to understand the conceptual and operational relationship between both laws because there appears to be a general assumption amongst law makers that data breach notification laws can be readily implemented in comprehensive information privacy legal frameworks. However, the thesis demonstrates that this assumption needs to be rigorously examined because although both laws entail the protection of personal information, they both have different origins, conceptual foundations and operational functions. As such, both laws are generally compatible but they contain significant differences that push the boundaries of compatibility.


CHAPTER 2 - LITERATURE REVIEW

2.1 INTRODUCTION

Chapter Two reviews the conceptual basis and operational functionality of both data breach notification and information privacy laws. Section 2.2 outlines the development of data breach notification law principally from the perspective of US initiatives. Australian and other jurisdictional developments are also covered at 2.2.2 and 2.2.3 respectively. Section 2.3 then provides an overview of information privacy law. Section 2.3.1 highlights conceptual underpinnings and section 2.3.2 details founding legal instruments and the development of information privacy legislation. The review of information privacy law ends with Section 2.3.3 and an overview of key contemporary analyses. Finally, Section 2.4 concludes the chapter with a brief summary of the gaps in the literature and the significance of this thesis in relation to those gaps.

2.2 DATA BREACH NOTIFICATION LAW

A review of data breach notification law is heavily predicated on US developments, particularly at the state legislature level, as these laws have been responsible for the notification of a seemingly endless number of data breaches. According to the DataLossDB website, an unofficial chronology of US data breaches, the most common types of data breach were stolen laptops (20 percent), computer hacking incidents (16 percent) and inadvertent publication on the Internet (13 percent).1 Further categorisations of data breaches have also been developed in the form of different taxonomies to classify types of data breaches.2 These classifications help to demonstrate that different types of data breach incidents have the capacity to affect a large number of individuals.3

1 Open Security Foundation, Dataloss Statistics (2009) <http://datalossdb.org/statistics> at 19 August 2010. See also A Jones, 'Lessons Not Learned on Data Disposal' (2009) 6(1-2) Digital Investigation 3 regarding data breaches involving decommissioned computers or storage media.

2 See F J Garcia, 'Data Protection, Breach Notification, and the Interplay between State and Federal Law: The Experiments Need More Time' (2007) 17(3) Fordham Intellectual Property, Media & Entertainment Law Journal 693, 714-23; United States Government Accountability Office, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (2007) 19 <http://www.gao.gov/new.items/d07737.pdf> at 13 September 2010; and C M Curtin and L T Ayres, Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry (2009) 13 <http://web.interhack.com/publications/breach-taxonomy> at 29 April 2009.

The consequence of large-scale personal information leakage has produced an increased legislative impetus to examine the problem of data breaches, particularly in relation to identity theft crimes. For the purposes of this research, identity theft involves the situation where an individual’s personal information is acquired without authorisation and is used either to access their bank accounts or to use their identification to create a new fraudulent account or to obtain services.4 Identity theft crimes are therefore inherently linked to the unauthorised misuse of personal information.5 Furthermore, identity theft through breaches of corporate security is an attractive prospect for criminals as it is relatively risk-free and difficult to prove.6 The quantification and extent of data breaches, and the relationship with identity theft crimes, have been controversial elements of data breach notification law.7

A comprehensive federal government register of data breaches does not exist and record-keeping at state government level is not uniform. It is consequently difficult to confirm the total number of data breaches, the number of persons affected by those incidents and the number of identity theft crimes caused by breaches.8 Non-governmental and industry surveys suggest however that the scale of the problem is significant both in terms of the number of incidents and the numbers of people affected.9 Accordingly, US state-based data breach notification laws appear to have been an important legal instrument that highlighted the extent and breadth of data breaches10 and it is therefore unsurprising that these laws have been adopted in other jurisdictions.11

3 See L Rode, 'Database Security Breach Notification Statutes: Does Placing the Responsibility on the True Victim Increase Data Security?' (2007) 43(5) Houston Law Review 1597; K Erikson and P N Howard, 'A Case of Mistaken Identity? News Accounts of Hacker, Consumer, and Organizational Responsibility for Compromised Digital Records' (2007) 12(4) Journal of Computer-Mediated Communication 1229, 1237 estimating that nine records per adult have been subject to a data breach.

4 See D J Solove, 'Identity Theft, Privacy, and the Architecture of Vulnerability' (2003) 54 Hastings Law Journal 1227, 1243. See also K Zaidi, 'Identity Theft and Consumer Protection: Finding Sensible Approaches to Safeguard Personal Data in the United States and Canada' (2007) 19(2) Loyola Consumer Law Review 99, 101-2 outlining the forms of identity theft; and C J Hoofnagle, 'Identity Theft: Making the Known Unknowns Known' (2007) 21(1) Harvard Journal of Law & Technology 98, 100-4 outlining the identity theft crimes of new account fraud and account take over.

5 H K Towle, 'Identity Theft: Myths, Methods, and New Law' (2004) 30(2) Rutgers Computer & Technology Law Journal 237, 241. See, also, A E White, 'The Recognition of a Negligence Cause of Action for Victims of Identity Theft: Someone Stole my Identity, Now Who is Going to Pay for it?' (2005) 88(4) Marquette Law Review 847, 852-3 linking identity theft to the rise of digital dossiers consisting of individuals’ personal information; K Kiefer Peretti, 'Data Breaches: What the Underground World of "Carding" Reveals' (2009) 25(1) Santa Clara Computer and High Technology Law Journal 375, 381 regarding ‘carding’ type crime that ‘involves the large scale theft of credit card account numbers and other financial information.’

6 See, eg, Solove, above n 4, 1244; J T Graves, 'Minnesota's PCI Law: A Small Step on the Path to a Statutory Duty of Data Security Due Care' (2008) 34(3) William Mitchell Law Review 1115, 1126; A Draper, 'Identity Theft: Plugging the Massive Data Leaks with a Stricter Nationwide Breach-notification Law' (2007) 40(2) John Marshall Law Review 681, 683.

7 See, eg, S A Needles, 'The Data Game: Learning to Love the State-Based Approach to Data Breach Notification Law' (2009) 88 North Carolina Law Review 267, 272; A M Froomkin, 'Government Data Breaches' (2009) 24(3) Berkeley Technology Law Journal 1019, 1022. See, also, Hoofnagle, above n 4, 98 regarding the problems relating to the quantification of identity theft crimes.

2.2.1 US DATA BREACH NOTIFICATION LAWS

The beginnings of data breach notification law are associated with US law despite the fact that forms of data breach notification law were implemented12 before the onset of the first, and most influential, data breach notification law, California Civil Code § 1789.29(a).13 The law was introduced to the California legislature as Senate Bill 1386 (hereafter ‘SB 1386’) in February 2002.14 At its point of introduction, SB 1386 bore no resemblance to the data breach notification law that it would eventually evolve into. Instead, it attempted to exempt the disclosure of personal information under California freedom of information law.15 The next draft of the bill underwent ruthless amendment and was re-introduced in March 2002. At this stage, SB 1386 simply stipulated existing principles founded under the Information Practices Act (otherwise known as California Civil Code § 1789) that had to be adhered to before a freedom of information request could be exempted.16

8 See J J Darrow and S D Lichtenstein, '"Do You Really Need My Social Security Number?" Data Collection Practices in the Digital Age' (2008) 10(1) North Carolina Journal of Law & Technology 1, 20 regarding an overview of different quantitative sources.

9 See, eg, Open Security Foundation, Dataloss DB (2009) <http://datalossdb.org/about> at 19 March 2010; Privacy Rights Clearinghouse, A Chronology of Data Breaches (2009) <http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP> at 21 March 2010; Ponemon Institute, National Survey on Data Security Breach Notification (2005); Ponemon Institute, 2009 Annual Study: Cost of a Data Breach (US) (2010); Verizon Business, 2009 Data Breach Investigations Report (2009); Computer Security Institute and Federal Bureau of Investigation, Computer Crime and Security Survey (2006).

10 See Open Security Foundation, Dataloss DB (2009) <http://datalossdb.org/about> at 19 March 2010. DataLossDB provides an unofficial chronology of US state data breaches based on media reports and disclosures to certain US state authorities, which is where these statistics were derived from. In 2003, 24 incidents were notified, but 725 incidents were notified in 2008 and 442 in 2009. See also P M Schwartz and E J Janger, 'Notification of Data Security Breaches' (2007) 105(5) Michigan Law Review 913, 917 regarding the role of the California law in creating evidence of the data breach problem.

11 See A Maurushat, Data Breach Notification Law Across the World from California to Australia (2009) <http://law.bepress.com/unswwps/flrps09/art11/> at 20 March 2010 regarding an overview of international laws.

12 See E Preston and P Turner, 'The Global Rise of a Duty to Disclose Information Security Breaches' (2004) 22 John Marshall Journal of Computer & Information Law 457, 465 highlighting that security breach notification in the EU came into force in 2002.

13 CAL CIV CODE § 1789.29(a) (West 2003). See J W Schneider, 'Preventing Data Breaches: Alternative Approaches to Deter Negligent Handling of Consumer Data' (2009) 15 Boston University Journal of Science & Technology Law 279, 283.

By June 2002, the bill had undergone a radical re-write and it was now directly concerned with data breach notification as a means to mitigate identity theft. The reason for the re-write of SB 1386 is detailed in the analysis of the bill produced by the Assembly Committee on Judiciary of 18 June 2002.17 The re-construction of the new bill was motivated by a computer hacking incident at the Stephen P Teale Data Centre, which is a data processing and storage warehouse maintained by the California State Government.18 On 5 April 2002, an unidentified intruder gained access to the Centre’s information systems and retrieved the personal information of approximately 265 000 California public servants.19

The Senate’s Committee on Privacy held an informational hearing into the incident on 6 June 2002.20 Evidence was heard that the California Government did not become aware of the incident until a month later and did not notify its employees until two weeks after it became aware of the incident. Evidence was also heard that attributed several attempts of identity theft to the data breach. SB 1386 was radically re-drafted as a consequence of the breach and was redesigned to impel organisations to provide timely notification of data breaches to consumers.21 Mandatory notification was deemed necessary because organisations were reluctant to notify anyone about a data breach due to fear of negative publicity, and thus a regulatory response was deemed appropriate.22

The California law was therefore intended to provide a form of protection for individuals who may have been adversely affected by a data breach by giving them an opportunity to mitigate the negative consequences flowing from the breach, principally the losses occurring from identity theft.23 In that sense, the reporting of data breaches involving personal information is akin to the common law duty to warn of dangers.24 That duty requires a party who has superior knowledge of a potential danger of injury or damage that could be inflicted upon another person, by a specific hazard, to warn persons who lack such knowledge.

14 See T H Skinner, 'California’s Database Breach Notification Security Act: The First State Breach Notification Law is Not Yet a Suitable Template for National Identity Theft Legislation' (2003) 10(1) Richmond Journal of Law & Technology 1 for further information.

15 California State Government, Senate Bill No 1386 (Introduced) (2002) <http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020212_introduced.pdf> at 4 May 2010.

16 California State Government, Senate Bill No 1386 (Amended Senate) (2002) <http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020320_amended_sen.pdf> at 4 May 2010.

17 See Skinner, above n 14; J Simitian, 'How a Bill Becomes Law, Really' (2009) 24(3) Berkeley Technology Law Journal 1009.

18 Assembly Committee on Judiciary, Senate Bill No 1386 (Committee Report) (2002) <http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_cfa_20020617_141710_asm_comm.html> at 4 May 2010.

19 See, eg, S Lee, 'Breach Notification Laws: Notification Requirements and Data Safeguarding Now Apply to Everyone, Including Entrepreneurs' (2006) 1(1) Entrepreneurial Business Law Journal 125, 131 highlighting that the breach also affected 120 California legislators; J Winn, 'Are 'Better' Security Breach Notification Laws Possible?' (2009) 24(3) Berkeley Technology Law Journal 1133, 1143 contending that California lawmakers wanted to get even by naming and shaming.

20 Assembly Committee on Business and Professions, Hearing Note SB1386 (2002).

21 Skinner, above n 14, 5.

22 See Schwartz and Janger, above n 10, 928 regarding the ‘disclosure disincentive’; E Casey, 'Reporting Security Breaches - A Risk to be Avoided or Responsibility to be Embraced?' (2004) 1(3) Digital Investigation 159 about corporations favouring business continuity over disclosure; P N Otto, A I Anton and D L Baumer, 'The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information' (2007) 5(5) IEEE Security & Privacy 15, 20; Winn, above n 19, 1144 highlighting the adversarial relationship between regulators and breached organisations regarding the handing over of information that will damage the organisation.

23 T J Smedinghoff, 'Security Breach Notification - Adapting to the Regulatory Framework' (2005) 21(12) The Review of Banking & Financial Services 1. See, also, K M Siegel, 'Protecting the Most Valuable Corporate Asset: Electronic Data, Identity Theft, Personal Information, and the Role of Data Security in the Information Age' (2007) 111(3) Penn State Law Review 779, 784 regarding the link between inadequate data security and identity theft; R A Epstein and T P Brown, 'Cybersecurity in the Payment Card Industry' (2008) 75(1) The University of Chicago Law Review 203, 207 regarding risk allocation rules to minimise net costs of theft; J A Lazzarotti, 'The Emergence of State Data Privacy and Security Laws Affecting Employers' (2009) 25 Hofstra Labour & Employment Law Journal 482, 496; J A Chandler, 'Negligence Liability for Breaches of Data Security' (2008) 23(2) Banking & Finance Law Review 223, 299 noting that the focus of mandatory notification is on mitigation rather than deterrence of identity theft; Winn, above n 19, 1142 highlighting that identity theft was one of the highest rising crimes in California.

24 T J Smedinghoff, 'Security Breach Notification - Adapting to the Regulatory Framework' (2005) 21(12) The Review of Banking & Financial Services 1. See also D A Bishop, 'To Serve and Protect: Do Businesses Have a Legal Duty to Protect Collections of Personal Information?' (2006) 3(2) Shidler Journal of Law, Commerce & Technology 14; Winn, above n 19, 1144 defining the duty conversely as a ‘community right to know.’

However, as highlighted above, the link between data breach notification and identity theft has been a controversial point of contention.25

The US Government’s Government Accountability Office (GAO) reported that whilst data breaches of personal information occurred frequently, resultant incidents of identity theft from data breaches were much rarer.26 Other private sector studies on the relationship between data breaches and identity theft have also suggested that identity theft incidents are relatively rare.27 Romanosky et al found that the impact of data breach notification laws on the reduction of identity theft was marginal and accounted for approximately a two percent decline in the rates of identity theft.28 Accordingly, the construction of data breach notification laws, in relation to identity theft, has been criticised. Faulkner suggests that the classificatory approach to regulated information in data breach notification laws is flawed because combinations of personal information are not required to enable identity theft.29 However, despite these criticisms, Regan highlights that notification can have indirect and positive impacts upon the prevalence of identity theft by making individuals more aware of the issue and more skilled in the use and monitoring of their personal information.30

Despite these criticisms, the legislative purpose of data breach notification law is inherently linked to the mitigation of identity theft. For example, the California law requires any California business that has suffered a data breach, or believes that it has suffered a data breach, which entails an unauthorised acquisition of unencrypted and computerised personal information, to notify California residents about the incident.31 Affected individuals are to be notified within a timeframe that is expedient and without unreasonable delay.32 However, some states have also instigated specific deadlines.33 Some states also require law enforcement agencies to be notified of any security breach and other states also require notification to credit reference agencies.34 Virtually all state-based laws have exceptions that allow organisations to delay the notification of a data breach under certain circumstances, such as where notification would impede a criminal or civil investigation.35 Different laws also apply to different types of organisation.36

Notification can also take different forms. Almost all state laws expect that notification should be provided in writing, either by letter or by email, as long as an individual has consented to receive notification by email and as long as it is in accordance with federal law.37 However, breached organisations can also provide substitute notice in situations where the cost of providing individual notice amounts to a certain sum or involves a certain number of persons, such as $US250,000 or 500,000 persons respectively under the California law.38 In these circumstances, breached organisations can post a conspicuous notice on their website and notify all major state-wide media outlets about the breach.39

25 See M D Scott, 'The FTC, the Unfairness Doctrine, and Data Security Breach Litigation: Has the Commission Gone too Far?' (2008) 60(1) Administrative Law Review 128, 156-7 reviewing the claims of identity theft and data breaches in relation to harms or losses suffered by consumers.

26 United States Government Accountability Office, above n 2.

27 Javelin Strategy & Research, Data Breaches and Identity Fraud: Misunderstanding Could Fail Consumers and Burden Businesses (2006); Id Analytics, National Data Breach Analysis (2006).

28 S Romanosky, R Telang, and A Acquisti, Do Data Breach Disclosure Laws Reduce Identity Theft? (2008) Social Science Research Network <http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1268926> at 22 July 2009.

29 B Faulkner, 'Hacking into Data Breach Notification Laws' (2007) 59(5) Florida Law Review 1097, 1104. See, also, W Roberds and S L Schreft, 'Data Breaches and Identity Theft' (2009) 56(7) Journal of Monetary Economics 918, 920.

30 P M Regan, 'Federal Security Breach Notifications: Politics and Approaches' (2009) 24(3) Berkeley Technology Law Journal 1103, 1126.

31 CAL CIV CODE § 1789.29(a) (West 2003). See, also, Garcia, above n 2, 704 highlighting the controversial elements of the California law; 1108 suggesting that the California law is a comprehensive remedy to resolve the problems of the US sectoral approach to information privacy.

32 See, eg, Faulkner, above n 29, 1111 stating that the purpose of expedient disclosure is to limit the opportunities of identity theft; S C Honeywill, 'Data Security and Data Breach Notification for Financial Institutions' (2006) 10 North Carolina Banking Institute 269, 300 regarding the importance of timely notification. See, also, Schwartz and Janger, above n 10, 949 and the ineffectiveness of early warning notification; S L Markus, 'Unfair Warning: Breach Notification in the FCC's Enhanced Telephone Records Safeguards' (2008) 18 Cornell Journal of Law and Public Policy 247, 262 detailing reasons for the need for timely notification; Regan, 'Federal Security Breach Notifications: Politics and Approaches', above n 30, 1115 detailing notification to individuals as a ‘socially situated group’ thus maximising remedial impact and emphasising social harm. See, also, Kiefer Peretti, above n 5, 408 regarding the importance of swift law enforcement notification to enable prosecutions in relation to hacking data breaches.

33 See Garcia, above n 2, 709 outlining different approaches; M Turner, Towards a Rational Personal Data Breach Notification Regime (2006) 19 <http://www.infopolicy.org/files/downloads/data_breach.pdf> at 8 August 2010 outlining the rationale of expedient notification.

34 See J Heitzenrater, 'Data Breach Notification Legislation: Recent Developments' (2008) Winter 2008-09 I/S: A Journal of Law and Policy for the Information Society 661, 672 regarding a brief overview of law enforcement notification. See, also, Faulkner, above n 29, 1109 regarding different notification requirements and the ambiguity that arises.

35 See, eg, Garcia, above n 2, 708.

36 See M G Bingisser, 'Data Privacy and Breach Reporting: Compliance with Varying State Laws' (2008) 4(3) Shidler Journal of Law, Commerce & Technology 1.

37 Smedinghoff, above n 24, 1.

38 See, eg, CAL CIV CODE § 1789.29(a)(3) (West 2003).

Some data breaches are exempt from notification. If breached information is

publicly available then it is already deemed to be in the public domain so there is

little risk of identity theft materialising from the breach.

40 A general exemption also

exists relating to ‘good faith acquisitions’ of personal information by an employee or

agent of the breached organisation. Furthermore, state-based data breach

notification laws generally only require notification for unencrypted forms of

personal information.41 For example, the definition of personal information in

California Civil Code § 1789.29(a) states that notification is required if a California

organisation has suffered or believes it has suffered an unauthorised acquisition of

unencrypted and computerised personal information.42 The California law does not

define encryption.43 Other states have attempted to further extend the boundaries of

the California encryption exemption to include further elements.44

A key difference and point of contention between state laws regards notification

triggers. The notification trigger is the statutory requirement that indicates when

and in what circumstance notification is required from a breached organisation. A

majority of state-based laws are largely based on the California model

Other states have

also attempted to define encryption but have done so in different ways to different

effect.

45 but some

state laws have adopted different notification triggers.46

39 See, eg, CAL CIV CODE § 1789.29(a)(3)(B)&(C) (West 2003).

Jones adduced two types of

notification triggers following a review of 2007 developments. They were:

40 Skinner, above n 14, para 19. 41 See Honeywill, above n 32, 298 supporting the purpose of an encryption exemption. 42 See CAL CIV CODE § 1789.29(e) (West 2003). See also Lee, above n 19, 147. 43 Skinner, above n 14, para 46. 44 Lee, above n 19, 130 highlighting the addition of further statutory terms. 45 Honeywill, above n 32, 300. 46 See K E Picanso, 'Protecting Information Security Under a Uniform Data Breach Notification Law' (2006) 75(1) Fordham Law Review 355, 383 outlining states with a reasonable risk of harm trigger; M E Jones, 'Data Breaches: Recent Developments in the Public and Private Sectors' (2007) 3 I/S: A Journal of Law and Policy for the Information Society 555, 571-2 detailing the use of risk based triggers in federal data breach proposals.

Page 29: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

19

acquisition-based and risk-based triggers that represent differing approaches to

notification.47

Acquisition-based triggers, such as the California law, have a relatively low

‘triggering threshold’ that triggers an obligation to notify when an organisation has

suffered, or believes it has suffered a breach.

48 Accordingly, notification may be

required even when there is no actual evidence of personal information having been

acquired.49 Jones contended that data breach notification laws based on an

acquisition trigger are more consumer oriented because broad notification means

that individuals are made aware of potential data breaches and can therefore take

action to mitigate potential harms before they arise.50 Acquisition-based triggers

consequently set a minimum threshold for notification in relation to identity theft

risks.51 However, despite this greater amount of information dissemination,

notification only strategies have been subject to some criticism because they provide

limited remedies and can even conflict with damage mitigation from a data breach.52

Risk-based triggers, on the other hand, set a different standard as these triggers only

require notification in situations where a risk assessment determines that a risk of

harm exists to consumers.

53

47 Jones, above n 46, 562. See, also, Bingisser, above n 36 defining the distinction as ‘strict vs flexible’; Regan, 'Federal Security Breach Notifications: Politics and Approaches', above n 30, 1118 ascertaining that trigger choice has also been a political choice at least at the federal level.

Jones contended that risk-based triggers are business

oriented because they generally require the breached organisation to make a

48 See Jones, above n 46, 562; Schwartz and Janger, above n 10, 933 commenting the California law ‘is marked by a low threshold for notification.’ 49 Jones, above n 46, 562. See, also, B St Amant, 'Misplaced Role of Identity Theft in Triggering Public Notice of Database Breaches' (2007) 44 Harvard Journal on Legislation 505, 511 stating that the California law does not require an actual breach or an identity theft element to oblige notification. 50 Jones, above n 46, 563. See, also, Schwartz and Janger, above n 10, 913 regarding the role and purpose of ‘pure notification’ data breach laws predicated on an acquisition trigger. 51 See Lee, above n 19, 132. See, also, California Office of Privacy Protection, Recommended Practices on Notice of Security Breach Involving Personal Information (California Office of Privacy Protection, 2008) regarding persuasive application of the California law. 52 Schwartz and Janger, above n 10, 947-8. 53 See F H Cate, Information Security Breaches: Looking Back and Thinking Ahead (2008) 13 <http://www.hunton.com/files/tbl_s47Details/FileUpload265/2308/Information_Security_Breaches_Cate.pdf> at 19 March 2010; Turner, above n 33, 14; Jones, above n 46, 562 regarding risk based triggers that are deemed to favour corporate interests because the decision to notify or not is left squarely with the breached organisation.

Page 30: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

20

determination whether a risk of harm will or is reasonably likely to arise.54 Different

standards exist as to what triggers notification under a risk-based assessment. For

example, some laws require a reasonable likelihood that harm may arise55 where

others require a significant or material real risk of identity theft56 or a reasonable

likelihood of substantial economic loss.57

The content and structure of notification triggers has been a significantly

contentious aspect of the literature. The distinction between an acquisition-based

trigger and a risk-based trigger goes to the heart of data breach notification law’s

rationale and it also signifies some major differences between different approaches.

Acquisition-based triggers employ the regulatory tool of reputational sanction.

Some risk-based triggers therefore operate

on higher standards for notification than others.

58

Notification is used as a threat held over the head of organisations to improve

information security measures or else suffer the embarrassment and humiliation of

public notification.59 Notification therefore fulfils both an ex ante purpose, through

the encouragement of adequate information security practices to minimise data

breaches before they arise,60

54 Jones, above n 46, 563.

and an ex post purpose to provide consumers with

55 See, eg, ARK CODE ANN § 4-110-105 (Michie 2005); FLA STAT § 817.5681 (2005); LA REV STAT ANN §§ 51:3071 (West 2005). 56 See, eg, KAN STAT ANN §§ 50-7a01 (2006); MD CODE ANN §§ 14-3501 (2008); MASS GEN LAWS 93H §1 (2007); MICH COMP LAWS § 445.72 (2007); OHIO REV CODE ANN § 1349.19 (West 2005); RI GEN LAWS § 11-49.2-1 (2005); UTAH CODE ANN §§ 13-42-101 (2006); WIS STAT § 895.507 (2006). 57 See, eg, ARIZ REV STAT § 44-7501 (2007). 58 Schwartz and Janger, above n 10, 947 regarding the role and failure of reputational sanction; Winn, above n 19, 1143 the shaming function of data breach notification is ‘direct and concrete.’ See, also, Rode, above n 3, 1621 in support of the failure of reputational sanction. See, however, Darrow and Lichtenstein, above n 8, 52 regarding the erosion of reputation and the inventive to improve security; Faulkner, above n 29, 1104; Regan, 'Federal Security Breach Notifications: Politics and Approaches', above n 30, 1126 notification as a deterrent that encourages organisational ‘culture change.’ 59 Schwartz and Janger, above n 10, 936-7 regarding the essential role of reputational sanction in acquisition-based trigger laws. See, also, Graves, above n 6, 1120 contesting that data breach notification law does not adequately deal with corporate information security measures; Schneider, above n 13, 285 claiming the reputational detriment has little, long-term practical impact upon corporations. 60 See S Romanosky and A Acquisti, 'Privacy Costs and Personal Data Protection: Economic and Legal Perspectives' (2009) 24(3) Berkeley Technology Law Journal 1061 regarding the ex ante role of security protections to reduce the numbers of future data breaches.

Page 31: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

21

information in order that they can take action to mitigate themselves.61 The rationale

of acquisition-based notification thus makes in-built judgments about corporate

failures to secure personal information and the effectiveness of notification as a

remedy.62

A perceived benefit of risk-based triggers is to minimise the notification of data

breaches to those incidents which directly relate to the purpose of the law and thus

involve identity theft threats. To do otherwise, would penalise the breached

organisation and would serve little social benefit.

63 Accordingly, it is also argued

that risk-based triggers balance concerns which arise from extensive media

coverage. Such coverage and can have the effect of exaggerating the dangers of

notification and can thus overtly punish businesses who are victims of the breach

themselves.64

Despite this acknowledgement that breached organisations can be victims, other

authors have suggested that greater legal impositions should be placed on personal

information collectors. The mass collection of personal information carries with it

many risks in the Information Society and database operators should consequently

be deemed strictly liable for any lapses in security.

65

61 See ibid regarding an overview of information disclosure measures as an ex post mechanism in data breach notification laws; Rode, above n 3, 1605 regarding the reactive and proactive elements of data breach notification law. See, also, Graves, above n 6, questioning the effectiveness of the ex ante elements.

This point acknowledges that

corporations, rather than individuals, are the only bodies capable of making

62 See Darrow and Lichtenstein, above n 8, 50 in relation to the time and cost of repairing data breach damage; Honeywill, above n 32, 281-2 regarding the importance of consumer education in relation to identity theft; Graves, above n 6, 1128 detailing the limits of notification as a remedy particularly in light of compensatory issues. 63 Bingisser, above n 36. 64 Rode, above n 3, 1630. See, however, Erikson and Howard, above n 3, 1235 stating that data breaches put the onus on individuals rather than corporations to resolve data breach problems. 65 D K Citron, 'Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age' (2007) 80 Southern California Law Review 241, 286.

Page 32: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

22

effective security decisions.66 Data collectors should therefore be liable for data

breaches which in turn would help to diminish the unnecessary collection of

personal information.67 However, other commentators argue that even if liability is

imposed on data collectors, it is reasonable to assume that data breaches are still

likely to occur because computer hackers will always find solutions to overcome

state-of-the-art security measures.68

The role of liability for data collectors has led some authors to examine the utility of

data breach notification laws particularly from the perspective of notification as a

remedy in its own right. It has been argued that a broad definition of what

constitutes a data breach could miss the crucial distinction between accidental data

loss and malicious data theft, thereby making the disclosure obligation meaningless

because of notification fatigue.

69 Notification therefore becomes so commonplace

that it is an ineffective remedy.70

66 Ibid. See also J T Soma, J Z Courson and J Cadkin, 'Corporate Privacy Trend: The "Value" of Personally Identifiable Information ("PII") Equals the "Value" of Financial Assets' (2009) 25(4) Richmond Journal of Law & Technology 1, 7 highlighting the unique position of corporations as protectors of personal information; Rode, above n 3, 1604 data breach notification as a ‘responsive social policy’ to encourage security; Garcia, above n 2, 714 regarding the duty of care placed on information brokers; S Ludington, 'Reining in the Data Traders: A Tort for the Misuse of Personal Information' (2006) 66 Maryland Law Review 140, 189 contending that a new privacy tort based on information privacy principles would better enhance information security protections; Froomkin, above n 7, 1040 suggesting that compensatory measures are required to overcome the limitations of notification; Winn, above n 19, 1147 highlighting the strict liability rationale of data breach notification.

Survey research by the Ponemon Institute,

regarding respondent reactions to notification letters, appears to support concerns

67 Darrow and Lichtenstein, above n 8, 51. See, however, Turner, above n 33, 11 suggesting that effective remedial action involves both corporation and consumer. 68 Honeywill, above n 32, 283. See, also, Lee, above n 19, 146 regarding notification as misfortune; Schwartz and Janger, above n 10, 928 where one organisation’s data breach can materially damage another organisation; Epstein and Brown, above n 23, 217 corporations face a ‘losing game’ against hackers; M Mannan and P C V Oorschot, Localization of Credential Information to Address Increasingly Inevitable Data Breaches, (2008) 2 <http://www.scs.carleton.ca/~mmannan/publications/nspw08-localization.pdf> at 28 April 2010 the evidently inevitable data breaches. 69 See F H Cate, Information Security Breaches and the Threat to Consumers (2005) <http://www.hunton.com/files/tbl_s47Details/FileUpload265/1280/Information_Security_Breaches.pdf> at 10 August 2010; Cate, Information Security Breaches: Looking Back and Thinking Ahead, above n 53. See, also, Darrow and Lichtenstein, above n 8, 53; A Cavoukian, A Discussion Paper on Privacy Externalities, Security Breach Notification and the Role of Independent Oversight (2009) 9 <http://www.ipc.on.ca/images/Resources/privacy_externalities.pdf> at 19 March 2010, detailing a sliding scale of notification letter effectiveness. See, however, Kiefer Peretti, above n 5, 409 stating that notification fatigue arguments have little applicability to law enforcement actions relating to data breaches that require notification and reporting. 70 Graves, above n 6, 1121.

Page 33: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

23

about notification fatigue. The Institute reported that 39 percent of 9154 survey

respondents initially believed the notification received by an organisation that had

suffered a data breach was either junk mail, spam or a telemarketing phone call.71

Furthermore, 48 percent of respondents said that the notice was not easy to

understand, and over 49 percent of respondents believed that the notice did not

provide enough details. Actual notification letters themselves have therefore been a

point of concern. For example, a notification letter from a data broker to individuals

affected by a data breach attempted to sell consumers access to some of their

compromised information.72

Despite these criticisms of the effectiveness of notification, the actual effect of the

California law was immediate and this encouraged a dramatic impact on the uptake

of data breach notification laws in other state legislatures.

73 California’s data breach

notification law came into effect on 1 July 2003 and by the end of 2005, a further nine

states had enacted data breach notification legislation.74

71 Ponemon Institute, National Survey on Data Security Breach Notification (2005) 3.

By the end of 2006, 35 US

72 See S D Scalet, The Five Most Shocking Things About the ChoicePoint Data Security Breach (2005) CSO Online <http://www.csoonline.com/article/220340/The_Five_Most_Shocking_Things_About_the_ChoicePoint_Data_Security_Breach?page=1> at 14 May 2010. See, also, Schwartz and Janger, above n 10, 952-3; Otto, Anton and Baumer, above n 22, 21; K Z Oussayef, 'Selective Privacy: Facilitating Market-Based Solutions to Data Breaches by Standardizing Internet Privacy Policies' (2008) 14 Boston University Journal of Science & Technology Law 104, 116. 73 See Garcia, above n 2, 707-8 regarding the rapid proliferation of state-based data breach notification laws. See, also, S A Millar, 'Privacy and Security: Best Practices for Global Security' (2006) 5(1) Journal of International Trade Law & Policy 36, 38. 74 See ARK CODE ANN § 4-110-105 (Michie 2005); 6 DEL CODE ANN §§ 12B-101 (2005); FLA STAT § 817.5681 (2005); GA CODE ANN §§ 10-1-911 (2005); NY GEN BUS LAWS §§ 899-aa (2005); ND CENT CODE §§ 51-30-01 (2005); TENN CODE ANN § 47-18-2101 (2005); TEX BUS & COMM CODE §§ 48.001 (2005); WASH REV CODE § 19.255.010 (2005).

Page 34: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

24

states had introduced 60 bills that resulted in 21 enacted laws. At present, 46 states,75

the District of Columbia76 and two territories (Puerto Rico77 and the Virgin Islands78)

have enacted data breach notification laws, of which, 23 are based solely on the

California model.79

Regardless of the apparent success of state-based data breach notification law, the

state laws have obvious parameters in terms of coverage as they generally only

extend protections to residents of an individual state.

Mississippi is the latest state to enact a mandatory data breach

notification which will come into force in 2011.

80 Not surprisingly therefore

the application of existing state-based laws versus the development of a new federal

data breach notification law has been a prominent point of discussion in the US

literature, particularly in conjunction with the different statutory requirements of

alternative state laws.81

Picanso called for the development of a uniform federal data breach notification law

and highlighted the compliance difficulties for nationwide businesses caused by the

75 CAL CIV CODE § 1789.29(a) (West 2003); ARK CODE ANN § 4-110-105 (Michie 2005); NC GEN STAT §§ 75-60 (2005); ND CENT CODE §§ 51-30-01 (2005); 6 DEL CODE ANN §§ 12B-101 (2005); FLA STAT § 817.5681 (2005); GA CODE ANN §§ 10-1-911 (2005); TENN CODE ANN § 47-18-2101 (2005); TEX BUS & COMM CODE §§ 48.001 (2005); WASH REV CODE § 19.255.010 (2005); NY GEN BUS LAWS §§ 899-aa (2005); COLO REV STAT § 6-1-716 (2006); CONN GEN STAT § 36a-701b (2006); IDAHO CODE § 28-51-104 (Michie 2006); 815 ILL COMP STAT 530/1 (2005); IND CODE §§ 24-4.9-3-1 (2006); RI GEN LAWS § 11-49.2-1 (2005); NJ STAT ANN § 56:8-163 (West 2006); KAN STAT ANN §§ 50-7a01 (2006); LA REV STAT ANN §§ 51:3071 (West 2005); MICH COMP LAWS § 445.72 (2007); MINN STAT § 325E.61 (2006); MONT CODE ANN § 30-14-1704 (2006); NEB REV STAT §§ 87-801 (2006); NEV REV STAT §§ 603A.010 (2006); OHIO REV CODE ANN § 1349.19 (West 2005); OKLA STAT § 74-3113.1 (2006); 73 PA CONS STAT § 2303 (2006); WIS STAT § 895.507 (2006); ARIZ REV STAT § 44-7501 (2007); NH REV STAT ANN §§ 359-C:19 (2007); HAW REV STAT §§ 487N-1 (2007); ME REV STAT ANN 10, §§ 210-B-1346 (West 2007); MASS GEN LAWS 93H §1 (2007); OR REV STAT § 646A.600 (2007); UTAH CODE ANN §§ 13-42-101 (2006); 9 VT STAT ANN §§ 2430 (2007); WYO STAT ANN §§ 40-12-501 (Michie 2007); IOWA CODE § 715C.1 (2008); MD CODE ANN §§ 14-3501 (2008); VA CODE ANN § 18.2-186.6 (Michie 2008); W VA CODE §§ 46A-2A-101 (2008); ALASKA STAT § 45.48.010 (Michie 2009); SC CODE ANN § 39-1-90 (Law Co-op 2009); MO REV STAT § 407.1500 (2009). 76 DC CODE ANN § 28-3851 (2007). 77 10 LAWS OF PUERTO RICO § 4051 et seq. 78 VI CODE § 2208. 79 Schwartz and Janger, above n 10, 924. 80 See Rode, above n 3, 1623 and the limits of this approach; Lazzarotti, above n 23, 500. 81 See Regan, 'Federal Security Breach Notifications: Politics and Approaches', above n 30, 1119-20 regarding an overview; Lee, above n 19, 143 regarding different industry perspectives to a national law.

Page 35: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

25

use of different statutory language.82 However, as Picanso further pointed out,

federal proposals have not been immune from this criticism either.83 Rode contested,

with reference to the California law, that the use of vague language will ultimately

render the law useless in the face of continuing technological advances.84 This

criticism does not just apply to the California law but a majority of state-based laws

that are also based on the California definition of personal information. The use of

vague language created a tendency toward over-regulation because a breached

organisation is likely to be overly cautious in terms of who gets notified, due to legal

uncertainty and the technical difficulties in ascertaining those individuals that may

have been affected by a data breach.85

Compliance issues have therefore been a significant consideration

86 and proponents

of federalisation argue that concerns can be alleviated by the development of a

federal law.87 A federal law would lead to uniform definitions for the key elements

of data breach notification and thus ameliorate a major problem of US state-based

laws.88 It is further argued that the problem of inconsistent statutory language is

exacerbated by the infancy of data breach notification laws as the laws have yet to

be tested thoroughly through jurisprudential discourse.89 Moreover, it is contended

that a uniform federal law could also enable affected individuals to recover

statutory damages arising from a data breach which thus provides a solution to the

failures of existing case law.90

82 Picanso, above n 46, 382. See, also, Faulkner, above n 29, 1104; Epstein and Brown, above n 23, 222.

Federal legislation would therefore provide a major

benefit because it would pre-empt an inconsistent patchwork of state laws and thus

83 Picanso, above n 46, 382. 84 Rode, above n 3, 1622. 85 Ibid. See, also, Faulkner, above n 29, 1104. 86 Lee, above n 19, 136 regarding the patchwork state laws and the need for harmonisation; Rode, above n 3, 1632 regarding state and federal inconsistent approaches; Winn, above n 19, 1135 data breach notification laws impose high compliance costs to a small number of organisations and provide weak incentives for most businesses. 87 See, however, Regan, 'Federal Security Breach Notifications: Politics and Approaches', above n 30, 1131 regarding fears that a federal law will inevitably be watered down by vested corporate interests. 88 Faulkner, above n 29, 1108. See, also, Honeywill, above n 32, 290. 89 Faulkner, above n 29, 1108. 90 Darrow and Lichtenstein, above n 8, 53.

Page 36: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

26

aid compliance with data breach notification regulations to ensure all US consumers

received the same level of protection.91

However, other authors assert that the development of state-based laws has many

positive attributes and are hesitant about undue federal interference. Schwartz

argued that state-based data breach notification laws recognised an area of

regulatory significance at a time when federal proposals remained relatively inert.

92

The laws were thus an ‘experiment to generate new ideas, testing the range of state

laws against the ongoing breaches’ and differences should therefore be

encouraged.93 As regards the use of different statutory language, the development

of state-based laws permitted the inclusion of additional data protection measures

through a process of layering.94 Thus states ‘have begun to layer affirmative data

protection obligations over notification laws, requiring businesses in their

jurisdictions to provide security measures for personally identifiable information.’95

The layering process consequently allows state legislatures to overlay additional

security measures over a core foundational centre which means that states can tailor

their data breach notification laws to align with flexible expectations regarding data

protection and consumer protection measures.96

Given the calls for federal action, it is not surprising that calls for a federal data

breach notification law have been prominent.

97 However, the situation at the federal

level in the US has some parallels to state-based law.98 First, there was an explosion

of interest in 2005 which lead to a proliferation of bills which has continued until the

present time.99 A total of 29 bills have been introduced in either the Senate or the

House of Representatives and 16 of those bills were introduced in 2005.100

91 Honeywill, above n 32, 294.

The

rationales of the bills vary because no consensus was ever formed regarding the

92 P M Schwartz, 'Preemption and Privacy' (2009) 118 Yale Law Journal 902, 917. 93 Garcia, above n 2, 726. 94 Needles, above n 7, 291. 95 Ibid 292. 96 Ibid 291. 97 See Heitzenrater, above n 34, 675 highlighting slow progress in federal law developments. 98 See Honeywill, above n 32, 293. 99 Faulkner, above n 29, 1114-15. 100 St Amant, above n 49, 510.

Page 37: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

27

scope and purpose of a proposed law.101 Second, the proposed federal bills share the

underlying basis of state-based laws that the primary function of data breach

notification was to provide individuals with an opportunity to mitigate potential

adverse outcomes and thus assist with the prevention of identity theft related

crimes.102

Three previously unsuccessful bills were again re-introduced to Congress in 2009

and two of these bills made legislative progress.

103 California Senator, Dianne

Feinstien, resurrected the Data Breach Notification Act104 which in 2005, was based on

the California law, but now had a risk-based trigger. The Personal Data Privacy and

Security Act of 2009 was re-introduced by Vermont Senator, Patrick Leahy.105 Finally,

Illinois Congressman, Bobby L Rush, re-introduced the Data Accountability and Trust

Act of 2009106

However, whilst there is no federal data breach notification law as such, forms of

data breach notification currently exist in different laws and regulations. The Health

Information Technology for Economic Clinical Health (HITECH) Act is part of the

American Recovery and Reinvestment Act (ARRA) of 2009,

(DATA) to the House of Representatives. In December 2009, DATA

was the first data breach notification bill to be passed by either the House of

Representatives or the Senate and Senator Leahy’s bill was recommended by

committee for a full senate vote. It is therefore possible that a federal data breach

notification law could be enacted relatively shortly.

107 which was designed to aid

recovery from the global financial crisis. HITECH requires organisations that are

covered by the Health Insurance Portability and Accountability Act108

101 See Heitzenrater, above n 34, 663. See, also, Regan, 'Federal Security Breach Notifications: Politics and Approaches', above n 30, 1117 highlighting ‘turf wars’ amongst different committees; Lee, above n 19, 136 detailing the different committees handling data breach notification.

(HIPAA) to notify

regulable data breaches. Similarly, the Financial Services Modernization Act of 1999,

102 Regan, 'Federal Security Breach Notifications: Politics and Approaches', above n 30, 1120-1. 103 See Needles, above n 7, 300-1 regarding background information. 104 Data Breach Notification Act of 2009, S 139, 111th Cong (2009). 105 Personal Data Privacy and Security Act of 2009, S 1490, 111th Cong (2009). 106 Data Accountability and Trust Act of 2009, HR 2221, 111th Cong (2009). 107 American Recovery and Reinvestment Act of 2009, Pub L No 111-5, Div A, Title XIII, § 13402, 123 Stat 260. See Regan, 'Federal Security Breach Notifications: Politics and Approaches', above n 30, 1110. 108 Health Insurance Portability and Accountability Act of 1996, Pub L No 104-191, 110 Stat 1936 (1996). See Faulkner, above n 29, 1115-16 regarding notification requirements under HIPAA.

Page 38: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

28

more commonly known as the Gramm Leach Bliley Act (GLBA)109 imposes duties on

financial organisations to protect consumer personal information through the

adequate implementation of information security measures.110 As a result of the

GLBA, the various regulators overseeing the Act, developed the Interagency

Guidance111 for financial institutions about how and when to notify a breach. There

is however a clear distinction between data breach notifications required through the above laws and a data breach notification law. The former provide affirmative duties on specific industries to protect personally related information whilst the latter provide a lesser duty to notify data breaches.112

Smedinghoff has characterised the body of law generated by HIPAA and the GLBA as playing a significant role in the development of a new field of law, information security law.113 The basis of information security law is found in four legal trends:

1. The continuing expansion of the duty to provide security;
2. The emergence of a legal standard for compliance;
3. A focus on security obligations; and
4. The notification of security breaches.114

A number of authors have also highlighted the inherent difficulties of regulating corporate information security and have acknowledged the existence of a newly developing law. Winn contended that information security problems are ‘complex and multi-faceted’ which therefore require sophisticated regulatory responses that go beyond notification.115 Graves also called for the development of an information security law to ameliorate the limitations of data breach notification law and impose a statutory duty of care in relation to corporate information security and the handling of personal information.116

109 Gramm-Leach-Bliley Act, 15 USC §§ 6801-6809 (2006). See Lee, above n 19, 127 regarding notification requirements under GLBA.
110 Bishop, above n 24.
111 Office of the Comptroller of the Currency et al, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005). See Schwartz and Janger, above n 10, 916 regarding application of the Guidelines.
112 See Bishop, above n 24. See, also, Scott, above n 25, 174-6 regarding the role of the FTC as a regulator.
113 See, also, Solove, above n 4, 1251 defining the problem of inadequate security as ‘an architecture of vulnerability’ problem.
114 T J Smedinghoff, The State of Information Security Law: A Focus on the Key Legal Trends (2009) 3.
115 Winn, above n 19, 1137.

However, there are many practical difficulties in establishing a duty of care for corporations to implement adequate information security measures, particularly in network-based societies operated by the private sector.117 Furthermore, it has been argued that the operational basis of information security law, which is dependent upon the use of standards and organisation self-governance, provides too much delegated discretion as to what should amount to adequate information security.118 Nevertheless, in the complex world of electronic transactions, Epstein and Brown contended that voluntary contracts between multiple parties are the best methods to allocate the risks of loss and the duties of prevention.119

Linked to the idea of information security regulation, the final federal government action of note is the enforcement actions pursued by the Federal Trade Commission (FTC) against organisations that have suffered a data breach.120 The FTC has held companies to account for poor security practices on the basis that any privacy policy which had been breached amounted to misleading or deceptive advertising.121 The majority of FTC enforcement actions therefore involve false or misleading representations made in the company’s privacy policy that became apparent through the consequences of a data breach.122 As a result, the enforcement actions provide an example of how the FTC interposed in disputes that involved data breaches where no specific legal remedy existed for consumers.123

116 Graves, above n 6, 1138. See, also, Skinner, above n 14, regarding the paradigmatic regulatory shift from hacker to corporation; Regan, 'Federal Security Breach Notifications: Politics and Approaches', above n 30, 1114 stating that security rather than privacy was central to congressional debates on data breach notification and hence the emphasis on organisational strategies.
117 E Kenneally, 'The Byte Stops Here: Duty and Liability for Negligent Internet Security' (2000) XVI(1) Computer Security Journal 1, 6. See also A C Raul, F R Volpe and G S Meyer, 'Liability for Computer Glitches and Online Security Lapses' (2001) 6(31) Electronic Commerce & Law Report 849.
118 Schwartz and Janger, above n 10, 926.
119 Epstein and Brown, above n 23, 210.
120 See Siegel, above n 23, 782; Garcia, above n 2, 722.
121 See Scott, above n 25, 129 regarding FTC actions under section 5 of the Federal Trade Commission Act 15 USC §§ 41-58 (2000); Darrow and Lichtenstein, above n 8, 21-2. See, also, Oussayef, above n 72, 129 regarding the standardisation of privacy policies to mitigate data breaches; Soma, Courson and Cadkin, above n 66, 26.
122 Scott, above n 25, 144-51 regarding examples of FTC action.

One of the reasons for the development of FTC enforcement actions has been the persistent reluctance of US courts to award damages based on negligent handling of personal information in data breaches. Negligence actions in US courts have been unsuccessful for two principal reasons.124 First, it has been difficult for plaintiffs to show that any form of harm has actually occurred as courts have rejected ideas of potential future harms and that damages should be awarded for the costs that could arise from those harms, particularly in the form of credit monitoring.125 Second, in situations where identity theft has arisen from a data breach, plaintiffs have been unable to link the cause of the identity theft to the data breach.126 As such, various courts have held that the unauthorised release of personal information, without evidence of misuse, does not cause damage to the plaintiff.127 To counterbalance these litigation difficulties, Chandler suggests that a deterrent based on the imposition of a statutory right of action for data breaches or the strengthening of existing tortious principles may be required to correct market imbalances.128

The lack of a litigious remedy highlights the role of regulation in relation to market forces, which has also been a significant component of the US literature. The role of the market in data breach notification regulation is central because it requires corporate obligations to provide reasonable data security and thus represents a prime example of delegated regulation in which regulators delegate important regulatory decisions to those that are being regulated.129 A balance is consequently sought between the application of traditional regulatory measures and market-based corrections. Rode examined this balancing act and contended that data breach notification law complemented the US self-regulation model on privacy through the provision of greater incentives based on the infliction of business expenditure associated with reputational sanction and the cost of notification.130 The threat of regulatory costs provides motivation for companies to implement information security measures within existing market-driven environments founded on competition for customers. The threat of reputational damage alone therefore provided a market incentive for corporations to avoid data breaches131 and market forces supplied a more flexible alternative to regulation that can be tailored by specific corporations and industries.132

123 Ibid.
124 See, eg, Winn, above n 19, 1134 stating that the failure of class actions has clarified the degree to which a right to damages does not exist.
125 See Chandler, above n 23, 232; Graves, above n 6, 1127; Darrow and Lichtenstein, above n 8, 30. See Forbes v Wells Fargo Bank, NA, 420 F Supp 2d 1018; Giordano v Wachovia Sec, LLC, 2006 US Dist LEXIS 52266; Randolph et al v ING Life Insurance and Annuity Co 2007 US Dist LEXIS 11523 (DC); Key v DSW, Inc, 2006 US Dist LEXIS 69887.
126 See Graves, above n 6, 1125-6; Lazzarotti, above n 23, 504-5; Schneider, above n 13, 286-8; Chandler, above n 23, 232. See Stollenwerk v Tri-West Healthcare Alliance, 2005 US Dist LEXIS 41054; Jones v Commerce Bankcorp Inc et al 2006 US Dist LEXIS 32067 (SDNY). However, see Bell v Acxiom Corp 2006 US Dist LEXIS 72477 where the plaintiffs were able to show causation.
127 Bishop, above n 24.
128 Chandler, above n 23, 273. See support for this proposition at J R Levenson, 'Strength in Numbers: An Examination into the Liability of Corporate Entities for Consumer and Employee Data Breaches' (2008) 19 University of Florida Journal of Law and Public Policy 96, 97; and Ludington, above n 66, 140 proposing a tortious remedy aimed specifically at information brokers. See, also, opposing arguments V R Johnson, 'Cybersecurity, Identity Theft, and the Limits of Tort Liability' (2005) 57 South Carolina Law Review 255, 260; L M Lopucki, 'Did Privacy Cause Identity Theft?' (2003) 54(4) Hastings Law Journal 1277, 1277.

Turner outlines that market damage inflicted on a corporation can be very broad and can affect a number of areas that go beyond reputational sanction.133 Conversely, the type of damage suffered by individuals, based on identity theft, does little actual damage to the corporation and may thus provide an incentive to undersupply notification.134 However, it should not be assumed that legislation should be the automatic remedy to respond to data breach related market failures and regulation should therefore “aim to make up the shortfall between an optimal level of notification and what the market will provide.”135 Strong regulation could thus have the counter-intentional effect of supplying over-notification where unnecessary notification is provided and this can impact upon an individual’s attention and thus capacity to take required actions.136 Regulatory flexibility is therefore required that accounts for the complex processes involved in data breach notification which involve a number of different parties, motivations and interests.

129 Schwartz and Janger, above n 10, 919 also highlighting that corporations do not have unfettered capacity to make decisions. See, also, Erikson and Howard, above n 3, 1235 referring to regulatory devolution.
130 Rode, above n 3, 1631.
131 T M Lenard and P H Rubin, An Economic Analysis of Notification Requirements for Data Security Breaches (2005) 5.
132 Cate, Information Security Breaches: Looking Back and Thinking Ahead, above n 53.
133 Turner, above n 33, 12. For example, loss of existing and potential business; litigation costs and loss of customers or clients.
134 Ibid 13.
135 Ibid.
136 Ibid 14-16.

St Amant, on the other hand, contended that forcible regulation is required, particularly in relation to the information brokerage industry.137 The prevention of identity theft is a key element of data breach notification law and effective solutions are required by government to ensure prosecutions based on sound evidential processes. Corporations simply are not in the position to provide such solutions and market-based incentives would not correct a corporation’s instinct to withhold notice of a breach.138 The basis of market-based reputational sanction is therefore an imperfect deterrent.139 Moreover, the risk of inadequate information security is a ‘negative externality’ for most corporations because individuals bear the primary risk from a data breach.140

Accordingly, for proponents of stronger regulation, there is not a strong economic incentive for corporations to protect personal information and data breach notification laws do not do enough to shift the costs from the individual and back to the corporation.141 Without proper resource allocation for corporate information security, the risk arises that notification of data breaches becomes a norm and hence there is even less incentive for individuals to switch corporations.142 Furthermore, a significant juxtaposition within data breach notification law is created as the law makes no attempt to differentiate between corporations with sophisticated information security processes and those that do not.143 Potentially, there is a greater liability placed on the shoulders of corporations who have adequate systems in place to identify data breaches as opposed to those that are ‘truly clueless’ and are thus unable to identify a breach of corporate information security.144

137 St Amant, above n 49, 516.
138 Ibid 517.
139 Ibid. See, also, Froomkin, above n 7, 1036 regarding the lack of market-based incentives for government agencies to report breaches.
140 Graves, above n 6, 1126.
141 Ibid. See, however, Turner, above n 33, 12 contending that corporations do bear the cost of breaches in some circumstances.
142 See Schwartz and Janger, above n 10, 919; Chandler, above n 23, 227.
143 Winn, above n 19, 1149.
144 Ibid.

Finally, the literature recognised that the application of market or regulatory incentives is not a trivial issue for corporations given the costs entailed in notification. Several surveys and reports revealed that the cost of notification is substantial. For example, the US Government Accountability Office (GAO) estimated that the cost of a data breach to a breached organisation averaged $US1.4 million.145 The Ponemon Institute, which conducts an annual survey of data breach notification costs,146 estimated in 2009 that the average cost of a data breach to an organisation was $US6.6 million or an average of $US202 per record.147 Similarly, the seemingly simple loss of a laptop can also be an expensive exercise as it is estimated to cost breached organisations an average of $US49 246 per lost laptop.148

145 United States Government Accountability Office, above n 2, 34.
146 See, eg, Ponemon Institute, National Survey on Data Security Breach Notification (2005); Ponemon Institute, 2007 Annual Study: Cost of a Data Breach (UK) (2008); Ponemon Institute, 2008 Annual Study: Cost of a Data Breach (US) (2009); Ponemon Institute, 2008 Annual Study: Cost of a Data Breach (Germany) (2009); Ponemon Institute, 2009 Annual Study: Cost of a Data Breach (UK) (2010); Ponemon Institute, 2009 Annual Study: Cost of a Data Breach (Australia) (2010).
147 Ponemon Institute, US Enterprise Encryption Trends (2009) 2.
148 Ponemon Institute, The Cost of a Lost Laptop (2009) 2.

2.2.2 AUSTRALIAN DATA BREACH NOTIFICATION DEVELOPMENTS

Currently, there is no obligation on Australian organisations to report data breaches of personal information to law enforcement agencies or to persons whose data may be compromised by the breach.149 However, both media reports and industry surveys indicate that Australian data breaches are taking place, particularly amongst Australian banks.150 In 2007, Westpac cancelled thousands of credit cards because of a security breach that related to a third party vendor.151 The National Australia Bank mistakenly sent statements of 397 customers to the wrong persons due to a computer processing error.152 A number of personally sensitive HSBC Australia customer documents were also inadvertently left on a Sydney commuter train by an HSBC employee.153 Furthermore, several case notes issued by the federal Privacy Commissioner indicate that lapses in security which involve personal information have happened.154

149 M Black, 'Towards a Duty to Disclose Security Breaches' (2005) 8(7) Internet Law Bulletin 98, 101.
150 See, eg, N Miller, 'Data Leaks Under Review', The Age (Melbourne), 8 August 2006, Computers, 1; K Dearne, 'Data in Danger', The Australian (Melbourne), 1 May 2007, Features, 1; K Dearne, 'Data Breach Hits 80% of Local Companies: Survey', The Australian (Melbourne), 22 October 2008, Features, 1.
151 L Tung, Westpac Accepts No Blame in Security Breach (2007) ZDNet Australia <http://www.zdnet.com.au/news/security/soa/Westpac-accepts-no-blame-in-security-breach/0,130061744,339280311,00.htm> at 8 June 2009.
152 Finextra, NAB Sends Customer Account Details to the Wrong People (2007) <http://www.finextra.com/fullstory.asp?id=16564> at 23 May 2010.

Industry surveys also indicate that data breaches are taking place in Australia. In 2006, ACNielsen, on behalf of Australian police forces and Australia’s computer emergency response team (AusCERT), conducted the Australian Computer Crime and Security Survey.155 Researchers surveyed 2024 IT Managers from 17 different industry groupings in both public and private sectors about computer crime related attacks and information security issues. The survey generated a 17 percent response rate and 389 responses were received. The researchers concluded that 20 percent of all industry respondents had detected some form of data breach and that the average annual cost to organisations from computer crimes or unauthorised access was AUS$241 000. Similarly, the Ponemon Institute has also conducted research into Australian data breaches. In one study, the data breach experience of 16 companies was analysed. The average organisational cost of a data breach was calculated to be $AUS1.97 million and one data breach event cost an organisation $AUS4 million to resolve.156 A further survey also confirmed that the use of encryption to mitigate the extent of data breaches was relatively widespread.157

Given this background, it is not surprising that there have been persistent calls for law reform. In August 2007, Senator Stott Despoja of the Australian Democrats presented a private member’s bill158 to the Senate that would have implemented a data breach notification scheme through the Privacy Act 1988 (Cth) (hereafter ‘Privacy Act’).159 The purpose of the Bill was to:

[R]equire organisations and agencies [to] notify affected individuals of a breach of data security where their personal information is accessed by, or disclosed to, an unauthorised person, and for related purposes.160

153 S Rossi, HSBC Australia Exposes Sensitive Customer Data (2007) <http://www.computerworld.com.au/article/179967/hsbc_australia_exposes_sensitive_customer_data/> at 23 May 2010.
154 See eg OPC v Banking Institution [2005] PrivCmrA 11; Own Motion Investigation v Bankruptcy Trustee Firm [2007] PrivCmrA 5; Own Motion Investigation v Medical Centre [2009] PrivCmrA 6.
155 AusCERT, Australian Computer Crime & Security Survey (2006).
156 Ponemon Institute, 2009 Annual Study: Cost of a Data Breach (Australia) (2010) 3.
157 Ponemon Institute, Encryption Trends - Australia (2009).
158 Privacy (Data Security Breach Notification) Amendment Bill 2007 (Cth) available at Austlii <http://www.austlii.edu.au/au/legis/cth/bill_em/psbnab2007486/memo_0.html> at 23 May 2010.
159 Privacy Act 1988 (Cth) [hereafter ‘Privacy Act’].

The Bill was a hybrid of the California law and existing provisions of the Privacy Act as reflected in the content of the notification trigger. Senator Stott Despoja stated that the purpose of the bill was similar to US state-based data breach notification laws as it was designed to reduce the risk of identity theft by giving individuals an opportunity to protect themselves through notification of data breach incidents.161 However, the Bill also left open the possibility of notification for data breaches that go beyond identity theft issues as it defined a breach of security as an interference with privacy in conjunction with section 13 of the Privacy Act.162

Senator Stott Despoja’s Bill was unsuccessful but it laid the foundation for further discussions on law reform based principally around the Australian Law Reform Commission’s (ALRC) inquiry into the Privacy Act. In January 2006, the Attorney-General Philip Ruddock commissioned the ALRC to review the operation of the Privacy Act to assess whether it continued to provide an effective framework for privacy protection in Australia.163 The ALRC’s review was the culmination of a number of governmental inquiries since the inception of the Privacy Act which examined its operation.164 One of the key elements of the ALRC’s review focused on the impacts of new technologies including their effects on organisational practices involving the handling of personal information. The issue of data breach notification was consequently initially examined within this wider rubric.

160 See Commonwealth of Australia, Parliamentary Debates, Senate, 16 August 2007, 18 (Senator Stott Despoja).
161 Australian Democrats, Privacy (Data Security Breach Notification) Amendment Bill 2007 - Second Reading Speech (2007) <http://www.democrats.org.au/speeches/index.htm?speech_id=2260> at 23 May 2010.
162 Ibid.
163 Australian Law Reform Commission, Review of Privacy: Issues Paper, Issues Paper No. 31 (2006), 6-7 detailing the ALRC’s terms of reference.
164 See, eg, Attorney-General's Department, Privacy Protection in the Private Sector: Discussion Paper (1996); Attorney-General's Department, A Privacy Scheme for the Private Sector (2000); Legal and Constitutional References Committee, Department of the Senate, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005); Office of the Privacy Commissioner, Information Privacy in Australia: A National Scheme for Fair Information Practices in the Private Sector (1997).

The first part of the ALRC’s three stage review, the Issues Paper,165 briefly discussed data breach notification and highlighted media reports about data breaches in Australia and outlined the scope of the California law.166 At this stage in the ALRC’s review, data breach notification appeared to have been an ancillary consideration. The ALRC opened up the possibility of further review but data breach notification was detailed in the Issues Paper as an indirect question about additional regulatory mechanisms that could be used to protect personal information.167 However, data breach notification was a more significant issue in the ALRC’s 2007 Discussion Paper and it was reviewed within a separate chapter.168

The ALRC noted that data breach notification law was becoming increasingly topical throughout the world. A brief overview of the US rationale for data breach notification was identified as identity theft mitigation and the lack of market incentives for notification was further outlined.169 A theoretical framework founded on Solove’s conceptualisation of data misuse problems170 in conjunction with general approaches to regulation as specified by Baldwin and Cave was put forward.171 The ALRC appeared to be heavily influenced by Solove’s data abuse pyramid172 which attempts to categorise situations of data misuse, data leaks and data insecurity.173 Misuses feature at the apex of the pyramid and represent intentional acts to defraud through the use of personal information. Leaks occupy the middle tier and entail situations where personal information has been improperly released. Finally, at the bottom, insecurity entails breaches that arise through inadequate information security measures. The ALRC noted that there was currently no obligation to report data leaks and this lack of regulatory oversight could increase the risks of identity theft to individuals.174 Accordingly, notification would assist to minimise damage caused by a breach.175

165 Australian Law Reform Commission, Review of Privacy: Issues Paper, above n 163, 188.
166 Ibid 188-9.
167 Ibid 554. See question 11-3(d) which states ‘should agencies or organisations be required to advise individuals of any misuse, loss or unauthorised access, modification or disclosure of personal information?’
168 Australian Law Reform Commission, Review of Australian Privacy Law, Discussion Paper No 72 (2007) 1293-1316.
169 Ibid 1296.
170 D J Solove, 'The New Vulnerability: Data Security and Personal Information' in Radin and Chander (eds), Securing Privacy in the Internet Age (2005) 111.
171 R Baldwin and M Cave, Understanding Regulation: Theory, Strategy, and Practice (1999).
172 Solove, above n 170.
173 Australian Law Reform Commission, Review of Australian Privacy Law, above n 168, 1309.

The extent of reputational sanction was also highlighted along with differences in approach principally based on the implementation of different notification triggers, different exemptions and the form and content of notification. The market-based notion of reputational sanction was rejected because it did not supply sufficient incentive for notification.176 Hence a mandatory notification scheme was required. However, the ALRC contended that the tool of reputational sanction could be a sufficient market-based incentive to improve information security measures which would assist to minimise data breaches in general and insecurity type breaches in particular. Accordingly, notification would play an important role in keeping the market informed of organisational privacy practices which would assist with the functioning of competitive markets.177 Data breach notification consequently addresses information asymmetries.

The ALRC indicated that it had received a number of conflicting submissions for and against a data breach notification requirement.178 Nevertheless it was noted that the Office of the Privacy Commissioner (OPC) was in general support of a data breach notification scheme implemented through the Privacy Act.179 However, the OPC contended that a data breach notification law constructed on the California model would not be appropriate because it was too prescriptive and technologically-specific.180 Moreover, the OPC considered that the scope of mandatory notification should be limited to situations where a data breach is believed to give rise to a ‘real potential for serious harm to an individual’ and was therefore consistent with the ALRC’s proposal.181 Harm in this context went beyond identity theft but it was constrained to the extent that breached agencies and organisations would not be required to notify less serious privacy breaches.

174 Ibid 1310.
175 Ibid.
176 Ibid.
177 Ibid 1311.
178 Ibid 1306-7.
179 Office of the Privacy Commissioner, Submission to ALRC Review of Privacy DP72 (2007) 515-17.
180 Ibid 515.
181 Ibid 516.

Following on from the OPC’s submission, the OPC published a set of voluntary guidelines in 2008 entitled the ‘Guide to Handling Personal Information Security Breaches.’182 The OPC Guidelines are similar to those published in Canada and New Zealand as they are intended ‘to assist agencies and organisations to respond effectively to a personal information security breach.’ The Guidelines specifically identified those situations when notification to individuals was required.183 The OPC Guidelines also used the phrase ‘personal information security breach’ instead of the term ‘data breach’ in the interests of consistency with the language of the Privacy Act. Whilst the examples provided in the Guidelines essentially address the same issues as the US data breach notification laws, the underlying rationale for notification is different to that of the US laws. The OPC Guidelines are not solely concerned with the mitigation of identity theft related crimes. Instead, notification is deemed good privacy practice on the basis that it can act as a reasonable security safeguard whilst at the same time encouraging enhanced transparency about organisational privacy practices, thus restoring a degree of individual control over personal information.184

The notification trigger adopted in the OPC Guidelines is higher than the one put forward in the OPC’s submission as it requires a ‘real risk of serious harm to the individual’ to trigger notification.185 Although the Guidelines do not define a ‘real risk of serious harm,’ the reason for the higher trigger appears to be the notification fatigue argument expressed in the US literature.186 Following the implementation of the Guidelines, the OPC subsequently confirmed that it had received notifications from both private and public sector organisations.187

In 2008, the ALRC released its voluminous final report.188 In relation to data breach notification, the report concluded that there was general support for the introduction of a mandatory national data breach notification scheme in Australia which, in its view, should be overseen by the OPC. The ALRC’s recommendation to use the Privacy Act as the vehicle for a data breach notification obligation was based on the view that the concept of data breach notification is consistent with the general aims of the Privacy Act and it would encourage agencies and organisations ‘to be transparent about their information-handling practices.’189 That said, the primary purpose of notification is the mitigation of damage caused by a breach, rather than a regulatory mechanism of reputational sanction.190 The ALRC acknowledged that reputational damage from notification can provide incentives to improve information security but concluded that the risk of embarrassment was not, in itself, a sufficient market control measure and that legislation was therefore warranted.191

182 Office of the Privacy Commissioner, Guide to Handling Personal Information Security Breaches (2008).
183 Ibid 5.
184 Ibid 12.
185 Ibid 22.
186 Ibid 17.
187 Office of the Privacy Commissioner, The Operation of the Privacy Act: Annual Report 1 July 2008 - 30 June 2009 (2009) 29.
188 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice (2008).

The notification trigger recommended by the ALRC provides:192

An agency or organisation is required to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individual.

Like the OPC Guidelines, the ALRC’s recommended trigger is based on a real risk of serious harm. The ALRC acknowledged that this trigger is higher than the ‘any unauthorised acquisition’ test of the California law but contended that the purpose of a higher triggering threshold was to reduce the risks arising from notification fatigue as well as to reduce the compliance burdens on organisations.193 The ALRC concluded that a higher triggering threshold would allow the data collecting organisation ‘to investigate the data breach and make an assessment of whether the unauthorised acquisition may give rise to a real risk of serious harm to an individual.’194

189 Ibid 1688.
190 Ibid 1689.
191 Ibid.
192 Ibid 1688.
193 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, above n 188, 1691.
194 Ibid 1690.

The factors entailed in the assessment of ‘serious harm’ recommended by the ALRC are not necessarily confined solely to identity theft issues but should also cover wider concerns of discrimination from the release of personal information. Additionally, organisations would be encouraged to decide themselves when the triggering event occurs and to develop their own standards about what constitutes ‘a real risk of serious harm in the context of their own operations.’195

The ALRC’s recommended notification requirement is also ‘technology neutral’ as it covers all unauthorised access to personal information, whether in computerised or hard copy form. However, a degree of oversight was also envisaged on the basis that it would be preferable for organisations to consult with the OPC about notification. The Privacy Commissioner could also oblige notification if there was a belief that the unauthorised acquisition of personal information could give rise to a real risk of serious harm to any affected individual.196

The existing definition of ‘personal information’ in the Privacy Act would be substantially limited for data breach notification purposes. According to the ALRC, such information is likely to include an individual’s name and address in combination with other identifying information that could enable a person to commit an ‘account takeover’ or ‘true name fraud.’197 However, the ALRC acknowledged that the purpose of data breach notification was intended to extend to harms beyond the mitigation of identity theft.198 Finally, the ALRC recommended that a civil penalty should be instigated against personal data collecting organisations for a failure to notify the OPC of a reportable data breach and for situations where organisations blatantly disregard the law. The Australian Government, in its response to the ALRC’s report, has confirmed that the issue of mandatory data breach notification is to be addressed in a second tranche of proposed measures planned for late 2010 and will include an extensive consultation exercise.199

195 Ibid 1691.
196 Ibid 1693.
197 Ibid 1694.
198 Ibid.

2.2.3 OTHER JURISDICTIONAL DEVELOPMENTS

Other jurisdictions have also developed data breach notification schemes, notably the European Union (EU), and comprehensive guidelines or proposals have been put forward in a number of others, including Canada, New Zealand and the United Kingdom (UK).

In the EU, data breach notification has thus far focussed on the telecommunications sector, where breach notification requirements are already in place. The e-Privacy Directive concerns the processing of personal data and the protection of privacy in publicly available services provided by the electronic communications sector.200 Article 4 of the e-Privacy Directive concerns security. Article 4(1) obliges a provider of a publicly available electronic communications service to ensure that 'a level of security appropriate to the risk presented' is provided, and Article 4(2) concerns breach notification: a provider must inform subscribers201 of a particular risk of a breach of the security of the network and, where that risk lies outside the scope of the measures the provider itself can take, of any possible remedies, including an indication of the likely costs involved.202

200 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications, also known as the e-Privacy Directive), OJ L 201, 31/07/2002, 37–47.
201 The e-Privacy Directive does not define 'subscriber'. The definition is found at art 2(k) of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a Common Regulatory Framework for Electronic Communications Networks and Services (Framework Directive) OJ L 108, 24/04/2002, 33-50: 'subscriber means any natural person or legal entity who or which is party to a contract with the provider of publicly available electronic communications services for the supply of such services.'
202 Article 4(2), e-Privacy Directive (2002).


The European Commission has since put forward an amending directive (the 'new e-Privacy Directive') that has been formally adopted by the European Parliament and the Council.203 A new Article 4(3) will be inserted into the e-Privacy Directive requiring a provider of publicly available electronic communications services to notify the competent national authority of a personal data breach 'without undue delay.' Furthermore, where the breach is likely to adversely affect the personal data or privacy of a subscriber or an individual, the provider must also notify that subscriber or individual without undue delay. The new Article 4(3) thus focuses mandatory data breach notification on situations that (a) relate to personal data, (b) involve specified unauthorised uses of personal data and (c) concern personal data stored or processed in connection with a publicly available electronic communications service.204 However, a provider will not have to notify the subscriber or individual if it can demonstrate to the satisfaction of the competent authority that it has implemented appropriate technological protection measures and that those measures were applied to the data concerned by the breach. Such measures must render the data unintelligible to any person who is not authorised to access it.205 Even so, the competent national authority, having considered the likely adverse effects of the breach, can require a provider that has not already done so to notify the subscriber or individual.206

The issue of whether data breach notification should be extended to other sectors has been the source of much debate within the EU, which is acknowledged in the preamble of the new e-Privacy Directive. The preamble reflects a major debate within the legislative organs of the EU about the scope of the proposed legal reforms and the development of data breach notification rules. Initially the European Parliament had insisted that amendments to the e-Privacy Directive must

203 Directive of the European Parliament and of the Council Amending Directive 2002/22/EC on Universal Service and Users' Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector and Regulation (EC) No 2006/2004 on Cooperation Between National Authorities Responsible for the Enforcement of Consumer Protection Laws [hereafter 'new e-Privacy Directive'].
204 Article 4(3) of the new e-Privacy Directive.
205 Ibid.
206 Ibid.


also take account of other sectors that are integral to information society services.207 The Parliament's position was supported by the Article 29 Working Party208 and the European Data Protection Supervisor (EDPS).209 However, both the Commission and the Council of Ministers rejected wider coverage, while flagging the possibility of future extension.210

In Canada, the issue of mandatory data breach notification was prominently raised in 2007 by the Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa's Faculty of Law.211 The CIPPIC report provided an overview of the Canadian legal framework for information privacy and reviewed US legal developments regarding data breach notification. A number of recommendations were put forward, including a specific amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA)212 to create a data breach notification scheme principally based on the California law.213 The proposed notification requirements were, however, much more stringent than those of the US laws, as notification was to be made to a number of different parties, including the Privacy Commissioner, within a period of five days.214

During the same year, the Office of the Privacy Commissioner of Canada released guidelines for organisations on how to prevent and report a privacy breach.215 A notification trigger was not specified, but a privacy breach was defined as unauthorised access to, or collection, use or disclosure of, personal information.216

207 See eg OUT-LAW News, European Parliament Abandons Plan to Extend Data Breach Notification Law (2009) <http://www.out-law.com/default.aspx?page=10010> at 20 October 2009.
208 Article 29 Data Protection Working Party, Opinion 1/2009 on the Proposals Amending Directive 2002/58/EC on Privacy and Electronic Communications (e-Privacy Directive) (2009).
209 European Data Protection Supervisor, 'Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council Amending, Among Others, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications)' (2008) (OJ C181 18.07.2008).
210 New e-Privacy Directive, para 59.
211 Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007).
212 Personal Information Protection and Electronic Documents Act, SC 2000 (Can).
213 Canadian Internet Policy and Public Interest Clinic, above n 211, 24.
214 Ibid 25.
215 Office of the Privacy Commissioner Canada, Key Steps for Organisations in Responding to Privacy Breaches (2007) <http://www.priv.gc.ca/information/guide/2007/gl_070801_02_e.pdf> at 10 August 2010.
216 Ibid 1.


However, one of the key elements of the guidelines was the evaluation of the risks associated with the breach, which included an assessment of the type of personal information involved. Once that assessment was made, an organisation should be able to determine how to respond to the breach and whom to notify.217 Furthermore, the guidelines reiterated that if a privacy breach creates a risk of harm to the individual then notification should take place promptly, and that the decision to notify must be made on a case-by-case basis.218

In 2010, a wide-ranging bill was put before the Canadian House of Commons that included a proposed data breach notification scheme via amendments to PIPEDA.219 Section 3 of the bill defines a 'breach of security safeguards' as 'the loss of, unauthorized access to, or unauthorized disclosure of, personal information resulting from a breach of an organization's security safeguards.' Section 11 contains the data breach notification proposal. A new section 10.1(1) would be inserted into PIPEDA requiring a breached organisation to report to the Privacy Commissioner 'any material breach of security safeguards involving personal information under its control.' The factors for determining whether a breach of security safeguards is material include the sensitivity of the breached information, the number of individuals involved and the organisation's assessment of whether the cause of the breach, or a pattern of breaches, indicates a systemic problem.220 Individuals were to be notified where the organisation reasonably believes that the breach creates 'a real risk of significant harm to the individual.' Significant harm is also defined, and it is clear from the definition that the proposed Canadian law goes beyond identity theft.221 Notification is also wider in scope, extending to the individuals affected by a breach and to a range of government organisations.222

217 Ibid 3.
218 Ibid 4.
219 Bill C-29 2010 (Can). See also D T S Fraser, Breach Notification Amendments to PIPEDA Introduced in Parliament (2010) <http://blog.privacylawyer.ca/2010/05/breach-notification-amendments-to.html> at 17 June 2010 for an overview of the proposed amendments.
220 Section 10.2(1) Bill C-29 2010 (Can).
221 Section 10.2(2) Bill C-29 2010 (Can) includes 'bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.'
222 Section 10.3(1) Bill C-29 2010 (Can).


As in Australia, the implementation of a data breach notification scheme through information privacy law has been on the law reform agenda in New Zealand. The Law Commission of New Zealand embarked on a four stage review of the operation of the Privacy Act 1993 (NZ), and the final stage of the review addressed data breach notification.223 The review followed the publication in 2008 of guidelines, based on the Canadian guide, advising agencies that have suffered a data breach on how to respond.224 The rationale for notification was predicated heavily on an individual's moral right to know about misuses of their personal information, rather than simply on mitigating identity theft.225 Moreover, notification can deliver a societal benefit, because it provides a greater level of information about privacy and security in corporate environments, which in turn can assist policy development in these areas. The Commission stated that it had no firm view on whether a mandatory data breach notification scheme was required and set out a number of questions for further submissions to enable it to make recommendations.226

Although the United Kingdom has also adopted voluntary guidelines,227 its overall approach to data breach notification law differs from that of the other jurisdictions highlighted in this chapter. The UK position is somewhat paradoxical given the catalogue of large-scale data breaches reported in the UK during the last three years.228 Government agencies have been particularly prone to such problems,229 which led to a review of public and private sector data sharing practices conducted by the Information Commissioner, Richard Thomas, and Mark Walport.230 The issue of data breach notification was reviewed and, whilst it was acknowledged that a data breach can give rise to significant risks

223 Law Commission of New Zealand, Review of the Privacy Act 1993, Issues Paper No 17 (2010) 424.
224 Office of the Privacy Commissioner New Zealand, Key Steps for Agencies in Responding to Privacy Breaches and Privacy Breach Checklist (2008).
225 Ibid 428.
226 Ibid 433.
227 Information Commissioner's Office (UK), Guidance on Data Security Breach Management (2008).
228 See, eg, S Saxby, 'UK Needs Stronger Regulation of Public Sector Data Policy' (2008) 24(1) Computer Law & Security Report 1; S Pritchard, 'Battle of the Sectors: Where is Your Data Safe?' 6(5) Infosecurity 23.
229 See, eg, BBC News, Previous Cases of Missing Data (2009) <http://news.bbc.co.uk/2/hi/uk_news/8409405.stm> at 17 March 2010 regarding other instances of security failures involving laptops and sensitive UK government information.
230 R Thomas and M Walport, Data Sharing Review (2008).


to individuals, and because voluntary guidelines were already in place, the authors concluded that it was unnecessary to impose an explicit statutory duty on organisations to notify data breaches.231 A mandatory notification scheme would add significant compliance cost burdens for organisations, and it could also produce notification fatigue, with 'the very real danger that people will ultimately ignore notifications when there is, in fact, significant risk of harm.'232

The authors recommended that, as a matter of good practice, organisations should notify the ICO when a significant data breach occurs. They also recommended, however, that the ICO should be able to impose penalties upon a breached organisation for a failure to notify a data breach where there is a likelihood of substantial damage or distress.233 The Ministry of Justice responded to the report and agreed with the recommendation that a mandatory data breach notification scheme was not required.234 Government agencies were, however, now obliged to notify the ICO of a data breach following a key review of government data handling,235 and the ICO guidelines would provide guidance to the private sector on how to respond. Nonetheless, the UK Government confirmed that it did not intend to implement a data breach notification law based on the US laws, as such a law could create 'the same problems and mistakes that have occurred from the US experience.'236 The main perceived failing of the US approach was that it contributed little towards the security of personal information and, in any event, had diminishing utility over time.237 The response concluded that the UK Government was committed to tackling the problem of data breaches from the perspective of a robust data protection framework, an approach better suited to the UK legal framework than to that of the US.238

As a result of the reviews and the continuing stream of UK data breaches, the ICO was given new powers in 2010 to impose a penalty of up to £500 000 for serious

231 Ibid 65.
232 Ibid 66.
233 Ibid.
234 Ministry of Justice (UK), Response to the Data Sharing Review Report (2008) 19.
235 Cabinet Office, Data Handling Procedures in Government: Final Report (2008).
236 Ministry of Justice (UK), above n 234, 19.
237 Ibid. See also Cate, Information Security Breaches: Looking Back and Thinking Ahead, above n 53, which was referenced significantly as a basis for this conclusion.
238 Ministry of Justice (UK), above n 234, 19.


breaches under section 55A of the Data Protection Act 1998 (UK).239 The ICO now has the power to impose a monetary penalty upon an organisation if it has 'seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress.'240 The contravention must have been deliberate, or the organisation must have known, or ought to have known, that there was a risk of such a contravention but failed to take reasonable steps to prevent it. The ICO will therefore use this power only as a sanction against organisations that have deliberately or negligently disregarded existing law.241

239 Information Commissioner's Office (UK), Report Data Breaches or Risk Tougher Sanctions, Warns the ICO (2010) <http://www.ico.gov.uk/upload/documents/pressreleases/2010/data_breaches_260110.pdf> at 23 July 2010; Information Commissioner's Office (UK), Data Breaches to Incur up to £500,000 Penalty (2010) <http://www.ico.gov.uk/upload/documents/pressreleases/2010/penalties_guidance_120110.pdf> at 23 July 2010.
240 Information Commissioner's Office (UK), Information Commissioner's Guidance about the Issue of Monetary Penalties Prepared and Issued under Section 55C (1) of the Data Protection Act 1998 (2010) 3.
241 Ibid 4.

2.3 INFORMATION PRIVACY LAW

The second part of this chapter reviews the literature on information privacy law. Section 2.3.1 examines the conceptual underpinnings of the law and section 2.3.2 outlines the founding legal instruments and the development of information privacy legislation. The review of information privacy law concludes at section 2.3.3 with a brief review of key contemporary analyses.

2.3.1 CONCEPTUAL UNDERPINNINGS

Concepts and notions of information privacy intersect with other differing, and sometimes competing, concepts of privacy. Both privacy and information privacy have consequently proved difficult to define from a legal perspective. For example, Post has commented that the notion of privacy is so complex that it cannot be usefully conceptualised, because it is heavily entangled with competing and contradictory dimensions.242 Allen sees privacy as an inalienable right that should be considered a foundational precondition of a liberal egalitarian society,243 whereas Beaney doubted whether it is possible to define a 'right of privacy' at all.244 Privacy has also been conceptualised as a 'concern for limited accessibility', which provides barriers and limits on the extent of what is known about us and on physical access to us.245 Rosen highlighted the importance of privacy to the intimacy of the individual.246 Schwartz contended that privacy is integral because it provides the basis for experimental development of intimate thoughts, and that anonymity is a key determinant of the maturity of personhood, especially in a world increasingly dominated by instant communication and access.247

The concept of information privacy is most generally associated with control theories of privacy, which relate to an individual's choice regarding the disclosure of their personal information.248 One of the first and most influential representations of the control theory is Westin's Privacy and Freedom.249 Westin used neither the term 'right' nor 'control', nor even 'information privacy', in describing an individual's claim to information privacy.250 Nevertheless, his work has been perceived as providing for individual rights of control over personal information.251 In Privacy and Freedom, Westin identified four basic states of

242 R C Post, 'Three Concepts of Privacy' (2001) 89(6) Georgetown Law Journal 2087, 2087.
243 A L Allen, 'Coercing Privacy' (1999) 40(3) William and Mary Law Review 723, 745.
244 W M Beaney, 'The Right to Privacy and American Law' (1966) 3(2) Law and Contemporary Problems 253, 255.
245 R Gavison, 'Privacy and the Limits of Law' (1980) 89(3) Yale Law Journal 421, 423.
246 J Rosen, 'The Purposes of Privacy: A Response' (2001) 89(6) Georgetown Law Journal 2117.
247 P M Schwartz, 'Privacy and Democracy in Cyberspace' (1999) 52(6) Vanderbilt Law Review 1609.
248 See H T Tavani, 'Philosophical Theories of Privacy: Implications for an Adequate Online Privacy Policy' (2007) 38(1) Metaphilosophy 1, 7 for an overview of key authors and theoretical applications; see, eg, L Austin, 'Privacy and the Question of Technology' (2003) 22(2) Law and Philosophy 119, 125, stating that individual control of personal information has been a key tenet of information privacy laws and a significant driver of conceptual development; C J Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (1992) 14 regarding the analogous links between 'data protection' and Westin's information privacy.
249 A F Westin, Privacy and Freedom (1967).
250 See however ibid 7 regarding Westin's 'right of individual privacy', which is defined as 'the right of the individual to decide for himself, with only extraordinary exceptions in the interests of society, when and on what terms his acts should be revealed to the general public'.
251 See, eg, R Wacks, Personal Information: Privacy and the Law (1993) 14, noting the influence of Privacy and Freedom on privacy-as-control definitions of privacy; J Waldo, H Lin and L I Millett, Engaging Privacy and Information Technology in a Digital Age (2007) 60, highlighting Westin's role in the development of the concept of information privacy; J B Rule, Privacy in Peril (2007) 22 regarding the influence of Westin's work and the need to regulate organisational data systems in the late 1960s and early 1970s.


individual privacy: solitude; intimacy; anonymity; and reserve.252 The latter state, reserve, is of most interest regarding information privacy, as it requires the:

[C]reation of a psychological barrier against unwanted intrusion; this occurs when the individual's need to limit communication about himself is protected by the willing discretion of those surrounding him.253

The need for barriers arises because the communication of the self is always incomplete. Individuals, through their ongoing involvement in society, need to retain some information about themselves which is too personal for other persons or organisations to possess.254 This mental distance, the space generated by choosing not to declare everything about one's self, therefore requires that an individual have the ability and the control to withhold or to disclose personal information. Choice over our own information is consequently the 'dynamic aspect of privacy in daily interpersonal relations.'255

Westin also identified four specific functions of privacy that reflect the value or purpose of privacy within society: personal autonomy; emotional release; self-evaluation; and limited and protected communication. Again, the latter function is of relevance, and it has two facets. The first, limited communication, sets interpersonal boundaries for the exchange of personal information. The second, protected communication, 'provides for sharing personal information with trusted others.'256 It is the state of reserve, in conjunction with limited and protected communication, that is inherent in Westin's definition of information privacy:

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.257

Information privacy law is therefore founded on the notion that individuals have rights relating to control over their personal information,258 or at least, have rights

252 Westin, above n 249, 31-2.
253 Ibid 32.
254 Ibid.
255 Ibid.
256 See S T Margulis, 'On the Status and Contribution of Westin's and Altman's Theories of Privacy' (2003) 59(2) Journal of Social Issues 411, 413.
257 Westin, above n 249, 7.


pertaining to who can access their personal information,259 or a combination of both.260 However, the 'privacy as control paradigm'261 is not without its critics. Schwartz highlights that, whilst the control model has benefits because it seeks 'to place the individual at the centre of decision-making about personal information use',262 it nonetheless suffers from several major flaws because it pays little attention to information asymmetries.263 Regan also states that Westin's work is applied from an individualistic perspective, which leads to the conclusion that Westin regarded 'privacy as fundamentally at odds with social interests',264 when that is clearly not the case.265 Moreover, criticism is levelled at privacy as control

258 See, eg, C Fried, 'Privacy' (1968) 77 Yale Law Journal 475, 482, stating that privacy regards 'the control we have over information about ourselves'; A R Miller, 'Personal Privacy in the Computer Age: The Challenge of a New Technology in an Information-Oriented Society' (1968) 67 Michigan Law Review 1091, 1107: 'the basic attribute of an effective right to privacy is the individual's ability to control the flow of information concerning or describing him'; R P Bezanson, 'The Right to Privacy Revisited: Privacy, News and Social Change, 1890-1990' (1992) 80(5) California Law Review 1133, 1135, advancing a 'concept of privacy based on the individual's control of information'; J Kang, 'Information Privacy in Cyberspace Transactions' (1998) 50(4) Stanford Law Review 1193, 1203, referring to an individual's control over the processing of personal information; P M Regan, Legislating Privacy: Technology, Social Values, and Public Policy (1995) 9, commenting that privacy, in regard to US governmental collection of personal data, was defined as the 'right of individuals to exercise some control over the use of information about themselves'.
259 See, eg, Gavison, above n 245, 423, contending that privacy is a concern of accessibility that includes physical access by, and the attention of, other individuals; Rule, above n 251, 3: 'let me define privacy as the exercise of an authentic option to withhold information on one's self'; D J Solove, 'Conceptualizing Privacy' (2002) 90(4) California Law Review 1087, 1110, stating that information privacy as the right to 'control-over-information can be viewed as a subset of the limited access conception'; D Archard, 'The Value of Privacy' in Erik Claes, Antony Duff and Serge Gutwirth (eds), Privacy and the Criminal Law (2006) 13, 16, stating that the concept of limited access to a specified personal domain is the most plausible notion of privacy.
260 See eg J H Moor, 'Towards a Theory of Privacy in the Information Age' (1997) 27(3) Computers and Society 27, outlining the restricted access/limited control approach to privacy.
261 P M Schwartz, 'Internet Privacy and the State' (2000) 32(3) Connecticut Law Review 815, 820.
262 Ibid 822.
263 Ibid 830 regarding privacy as control as the 'commodification illusion.'
264 Regan, Legislating Privacy: Technology, Social Values, and Public Policy, above n 258, 28. See also C J Bennett and C D Raab, The Governance of Privacy: Policy Instruments in Global Perspective (2nd and updated ed, 2006), contending that Westin took a functional view in his investigation of privacy for an individual; Margulis, above n 256, 413, stating that Westin's work takes an individualistic perspective about the societal role of information privacy.
265 Regan, Legislating Privacy: Technology, Social Values, and Public Policy, above n 258, 220.


from the seemingly tautological perspective that privacy as control is either too broad or too narrow.266

Allen also contends that there is a fundamental disconnect between having control over personal information and the requirements of a sufficient state of privacy, because the former is not necessarily a constituent element of the latter.267 Instead, privacy as control directs attention to issues of consent and choice about uses of personal information, which are distinct from the condition of inaccessibility that constitutes informational privacy.268 Finally, the control aspect of information privacy has itself been subject to criticism.269 Simitis contends that privacy considerations no longer arise out of individual problems but instead express conflicts that affect everyone. Information privacy is consequently not simply a problem of individual control over information.270

Another key element of Westin's work that has attracted much criticism is the equation of information privacy with property ownership. Westin states:

[P]ersonal information, thought of as the right of decision over one's private personality, should be defined as a property right, with all the restraints on interference by public or private authorities and due-process guarantees that our law of property has been so skilful in devising. Along with this concept should go the idea that circulation of personal information by someone other than the owner or his trusted agent is handling a dangerous commodity in interstate commerce, and creates special duties and liabilities on the information utility or government system handling it.271

266 See Solove, above n 259, 1112, contending that privacy as control is too vague owing to the failure to define the types of information that individuals should control, whilst other theories overcompensate and become too limiting.
267 See A L Allen, 'Privacy as Data Control: Conceptual, Practical and Moral Limits of the Paradigm' (2000) 32(3) Connecticut Law Review 861, 867-8 regarding the differences between physical and informational privacy.
268 Ibid 869, stating that informational privacy involves information in a state of inaccessibility.
269 See Austin, above n 248, 125.
270 S Simitis, 'Reviewing Privacy in an Information Society' (1987) 135(3) University of Pennsylvania Law Review 707, 709.
271 Westin, above n 249, 324-5.

Other authors have attempted to develop this idea further.272 Information provision by an individual is based on what economic interest can be derived from the supply of their personal information to an organisation. Information is supplied within the context of protecting the individual’s most prized asset – their reputation.273 The decision about disclosing personal information becomes a cost-benefit analysis which is decided by balancing the impact of disclosure against the damage to reputation. As such, ‘an initial model of informational privacy could be to permit disclosure if and only if:

1. The value of the information when disclosed exceeds the value of the pure privacy preference of the individual; and
2. Permitting disclosure will not distort or eliminate the information in future transactions.’274

Privacy rules are viewed by Murphy as implied contractual terms. Re-use issues are governed by the means by which personal data is collected and the value that is assigned to a person’s personal information. The notion of privacy as property ownership characterises personal data as wealth that can be stolen. Individuals should therefore be given effective instruments to protect their information assets, and in doing so, protect themselves.275

The idea of privacy as property is very much grounded in the American literature.276 While it seems to have relevance at face value, a closer inspection of underlying concepts reveals that it has limited application as a resolver of information privacy problems because the concept focuses on a single, notional characterisation of the problem.277 The protection of intellectual property has also shown that the overt use of piracy surveillance by companies seeking to protect copyright ‘has inverted the relationship between privacy and property, subordinating the protection of privacy

272 See, eg, L Lessig, 'Privacy as Property' (2002) 69(1) Social Research 247; R S Murphy, 'Property Rights in Personal Information: An Economic Defense of Privacy' (1996) 84 Georgetown Law Journal 2381.
273 Murphy, above n 272, 2385.
274 Ibid 2387.
275 C Prins, 'Property and Privacy: European Perspectives and the Commodification of our Identity' in Lucie M C R Guibault and P B Hugenholtz (eds), The Future of the Public Domain, Information Law (2006) 223, 223.
276 J Litman, 'Information Privacy/Information Property' (2000) 52 Stanford Law Review 1283.
277 J E Cohen, 'Examined Lives: Informational Privacy and the Subject as Object' (2000) 52(5) Stanford Law Review 1373, 1391; Prins, above n 275, 246.

to the protection of property.’278 It could be argued that the protection of individual information privacy has taken a back seat in comparison to the protection of company intellectual property. Privacy as property emphasises a market-based approach to information privacy, in which personal information can be subject to market exchange.279 These views place the economic interests of a free market information economy above the requirements of the individual.280

2.3.2 FOUNDING LEGAL INSTRUMENTS & LEGISLATIVE DEVELOPMENTS

Despite these trenchant criticisms, the concept of privacy as control has been used as the basis for information privacy legislation281 and the development of what we recognise as ‘data protection’282 or ‘information privacy’283 laws. Three legal instruments, developed in the 1970s and 1980s, have been integral to the development of information privacy law as it is known today.284

In 1973, the US Department of Health, Education and Welfare produced a report entitled Records, Computers and the Rights of Citizens (the HEW Report). The HEW Report’s central apprehension was the relationship between individuals and recordkeeping organisations in relation to the ‘growing concern about the harmful consequences that may result from uncontrolled application of computer and telecommunications technology to the collection, storage, and use of data about individual citizens’.285 The Report attempted to find a balance between the organisational benefits arising from the enhanced efficiencies of automated personal data processing and the potential infringement of personal liberties from impersonal

278 S Katyal, 'Privacy vs Piracy' (2004) 7 Yale Journal of Law & Technology 222, 228.
279 Cohen, above n 277, 1381.
280 A C Raul, Privacy and the Digital State: Balancing Public Information and Personal Privacy (2002).
281 Bennett and Raab, above n 264, 8 commenting that the policy problem of ‘privacy’ settled on the concept of information privacy.
282 See eg, Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data; Data Protection Act 1998 (UK).
283 See eg, Information Privacy Act 2000 (Vic); Information Privacy Act 2009 (Qld).
284 See Rule, above n 251, 25-7 regarding the effect of the three instruments on the overall development of information privacy law; Bennett, above n 248, 95-101 regarding the development of fair information principles through different international legal instruments.
285 Advisory Committee to the Secretary of Health, Records, Computers and the Rights of Citizens (1973).

data collection.286 The balance was achievable through the concept of mutuality and by providing a degree of individual control over the collection of, access to, and disclosure of, an individual’s personal information.287

The Report concluded that existing laws provided inadequate protection of individual privacy against potential record-keeping abuses and recommended the establishment of a Federal ‘Code of Fair Information Practice’ for all automated data systems.288 The HEW Report’s recommendations led to the enactment of the Privacy Act 1974 (US)289 which established the recommended Code of Fair Information Practice for Federal Government agencies.290 The five core principles of fair information practice are the:

1. Notice/Awareness principle, which requires organisations to give an individual clear notice about information practices before personal information is collected;
2. Choice/Consent principle, which provides an individual the opportunity to consent to secondary uses of their information;
3. Access/Participation principle, which ensures that an individual is able to access data about themselves to ensure that data is accurate and complete;
4. Integrity/Security principle, which obliges an organisation that collects personal data to take reasonable steps to ensure that the data is accurate and is held in a secure environment; and
5. Enforcement/Redress principle, which provides an individual with the means to enforce a breach of the principles.

During the same period, the Committee of Ministers of the Council of Europe adopted two resolutions that concerned the protection of individual privacy arising from personal information held in private and public sector databases.291 The resolutions were the instigator of a more substantial legal instrument to ensure adequate

286 See R Gellman, 'Does Privacy Law Work?' in Philip Agre and Marc Rotenberg (eds), Technology and Privacy: The New Landscape (1997) 193.
287 Advisory Committee to the Secretary of Health, above n 285.
288 Gellman, above n 286, 195.
289 Privacy Act of 1974, 5 USC § 552a.
290 See D J Solove, M Rotenberg and P M Schwartz, Information Privacy Law (2nd ed, 2006) 577.
291 Council of Europe, Committee of Ministers, Resolution (73) 22 on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Private Sector; Council of Europe, Committee of Ministers, Resolution (74) 29 on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Public Sector.

individual protections whilst enhancing the free trade of member countries.292 In 1981, the Council of Europe formally adopted the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data293 that extended the ambit of the previous Council Resolutions. The Convention was intended as a catalyst to encourage and guide state legislative initiatives rather than to provide a readily implementable set of data protection rules and regulations,294 as exemplified by the generality of the Convention’s principles, namely, that personal information is to be:

1. Collected and processed in a fair and lawful manner;
2. Only stored for specified purposes;
3. Only used in ways that are compatible with those specified at the point of data collection;
4. Adequate, relevant and not excessive in relation to the purpose of data collection;
5. Accurate and where necessary kept up-to-date;
6. Preserved in identifiable form for no longer than is necessary;
7. Kept adequately secure; and
8. Accessible by individuals who have rights of rectification and erasure.295

Fourteen years later the European Community adopted the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data296 to create an EU-wide regime that sets governance rules for member states to follow.297

The Organisation for Economic Cooperation and Development’s (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data298 crystallised transnational concerns in 1980. The OECD recognised that the 1970s were an

292 R Jay and A Hamilton, Data Protection Law and Practice (3rd ed, 2007) 8.
293 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981), opened for signature 28 January 1981, ETS No 108 (entered into force 1 October 1985).
294 L A Bygrave, 'Data Protection Law: Approaching its Rationale, Logic and Limits' (2002) 10 Information Law Series 34.
295 See Jay and Hamilton, above n 292, 8-9.
296 Directive (95/46/EC) on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data [1995] OJ L281/31.
297 See Bygrave, above n 294, 58.
298 See OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).

intensive period of legislative investigation and activity about the protection of privacy with respect to the collection and use of personal information. Member countries of the OECD had a common interest in the protection of individual privacy and in the reconciliation of fundamental and competing values involved in automatic data processing and transborder flows of personal information.299

For this reason, OECD Member countries considered it necessary to develop Guidelines, which would help to harmonize national privacy legislation and, while upholding such human rights, would at the same time prevent interruptions in international flows of data. They represent a consensus on basic principles that can be built into existing national legislation, or serve as a basis for legislation in those countries which do not yet have it.300

As with the HEW Report and the Council of Europe Convention, the OECD Guidelines were concerned with the maintenance of balance. On this occasion, the balance was between harmonising different legislation to protect privacy and preserving the integrity of transborder flows of personal information. The Guidelines were therefore an attempt to reduce the restrictions that inhibited the transfer of personal information and to strengthen the free information flow between member countries.301 The OECD considered that this balance was achievable because:

[I]t is possible to identify certain basic interests or values which are commonly considered to be elementary components of the area of protection...

Generally speaking, statutes to protect privacy and individual liberties in relation to personal data attempt to cover the successive stages of the cycle beginning with the initial collection of data and ending with erasure

299 See R Clarke, The OECD Data Protection Guidelines: A Template for Evaluating Information Privacy Law and Proposals for Information Privacy Law (1989) <http://www.anu.edu.au/people/Roger.Clarke/DV/PaperOECD.html> at 3 March 2010.
300 OECD, above n 298.
301 See Clarke, above n 299.

or similar measures, and to ensure to the greatest possible extent individual awareness, participation and control.302

The Guidelines provided eight core principles of data collection, storage and use for application by member countries,303 namely the:

1. Collection limitation principle, which guarantees that the collection of personal data is by lawful and fair means, and where appropriate is conducted with the knowledge and consent of the individual;
2. Data quality principle, which requires data collectors to collect personal data for relevant purposes only and to ensure that collected data is accurate, complete and up to date;
3. Purpose specification principle, which states that the purpose for which personal data is to be used must be stated at the time of collection and subsequent use must be limited to that purpose, unless individuals are notified of additional uses before that re-use takes place;
4. Use limitation principle, which states that personal data should only be disclosed or used in accordance with the consent of the individual or by authority of law;
5. Security safeguard principle, which requires that personal data must be kept in reasonably secure conditions;
6. Openness principle, which states that organisations should implement a general policy of openness about data collection developments, practices and policies;
7. Individual participation principle, which confirms that an individual should retain certain rights over the collection, storage and use of their information; and
8. Accountability principle, which confirms that a data collecting organisation should be accountable for complying with the above principles.

The HEW Report, the Council of Europe Convention and the OECD Guidelines have been at the forefront of the development of first generation information privacy laws. There are obvious similarities between the three documents that first

302 OECD, above n 298.
303 Clarke, above n 299.

generation information privacy laws reflect.304 The HEW Report was directly responsible for the instigation of the Privacy Act 1974 and the Convention eventually founded the European Union’s Data Protection Directive. Furthermore, the OECD Guidelines have had a significant impact as a foundation for national legislation,305 including in Australia306 and Canada.307 All of these laws have organisation-oriented controls founded on the privacy principles or fair information practices developed in the previous decade.308

Bygrave has adduced eight core legal principles that reflect the fundamental aims of first generation information privacy laws.309 The primary principle is that personal information is to be ‘processed fairly and lawfully’ and this concept manifests throughout the remaining principles.310 The lawful element is apparent: organisational personal information collection practices must be within existing law. The fairness criterion, however, is more abstract in nature, particularly because general agreement about what is fair will change over the course of time.311 In general, the notion of fairness requires data collectors to take account of the interests and expectations of individuals who provide personal information to them.312 Personal data collection organisations are therefore obliged not to pressure individuals when

304 See M Rotenberg, 'Fair Information Practices and the Architecture of Privacy' (2001) Stanford Technology Law Review 2.
305 See Bygrave, above n 294, 32.
306 See G Tucker, Information Privacy Law in Australia (1992) regarding a brief history of the Act’s development and the relationship with the OECD Guidelines.
307 The Privacy Act 1983 (Can) was developed from the OECD Guidelines with reference to public sector privacy protection only. See Austin, above n 247, 123-4 referring to the impact of the OECD Guidelines on the development of Canadian privacy law in general and the PIPEDA in particular.
308 See, eg, V Mayer-Schonberger, 'Generational Development of Data Protection in Europe' in Philip Agre and Marc Rotenberg (eds), Technology and Privacy: the New Landscape (1997) 219, 221.
309 See Bygrave, above n 294, 57 referring to data protection rather than information privacy laws; S Davies, 'Re-Engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity' in Philip Agre and Marc Rotenberg (eds), Technology and Privacy: The New Landscape (1997) regarding a critical distinction between data protection and information privacy; P M Schwartz, 'Privacy and Participation: Personal Information and Public Sector Regulation in the United States' (1995) 80 Iowa Law Review 557 regarding a more positive view of data protection as the enhancement of participation in informational and political processes.
310 See Bygrave, above n 294, 32.
311 Ibid 58.
312 Ibid.

they provide their personal information and to ensure an individual provides consent for the provision.313

The minimality principle directs data collecting organisations to ensure that the collection of personal information is ‘limited to what is necessary to achieve the purpose(s) for which the data are gathered and further processed’.314 Under this principle, organisations are required to collect personal information only for a relevant purpose.315 Linked to minimality, the purpose specification principle dictates that personal information is only collected for specified, lawful or legitimate purposes and can only be used within these bounds.316 Bygrave states that the principle is essentially a cluster of three related sub-principles, namely that the data collection purpose is: (1) specified; (2) lawful and/or legitimate; and (3) further personal data processing is compatible with the data collection purpose.317

The information quality principle ensures that personal information is accurate, both in terms of its content and context, and with regard to the purpose of information collection and processing.318 The principle ensures that personal data is valid because it describes unambiguously what it pertains to and it is relevant and complete with respect to the purposes of intended processing and use. Information quality requires the participation of individuals to ensure that information held is up to date. Accordingly, the individual participation and control principle is pivotal because it ensures that persons have a measure of influence over the processing of their personal information by organisations and individuals.319 However, most first generation information privacy laws do not refer to the principle directly. Instead, legislation implicitly acknowledges the principle in legal rules that govern the collection, storage and use of personal information in accordance with individual knowledge and consent.320 Likewise, first generation laws rarely state the disclosure limitations principle directly but implicitly require data collecting organisations to restrict the disclosure of personal information within the confines of how data is

313 Ibid 59.
314 Ibid 32.
315 Ibid 59.
316 Ibid 32.
317 Ibid 61.
318 Ibid 62.
319 Ibid 63.
320 Ibid.

collected, and within the consent provided by individuals or by the authority of a given law.321 The two remaining principles, information security322 and sensitivity,323 protect the integrity of personal information through the provision of adequate methods of security, particularly regarding sensitive information, which may require controls that are more stringent.

The historical development of first generation information privacy laws highlights that the collection, storage and use of personal information by data collecting organisations was the dominant concern of lawmakers, and that solutions to emergent problems lay in the construction of information privacy principles or fair information practices.324 However, the implementation of information privacy laws has taken essentially different tracks despite the fact that their genesis lies in similar foundations. That in itself is not surprising. A right to privacy is not perceived as an absolute right, and thus the weight given to an individual’s right to control their personal information is always in competition with other social rights and interests.325 The application of information privacy legal regimes is therefore always likely to be a matter of contestable discussion amongst different legislative jurisdictions.326 As such, information privacy laws are manifestations of political processes which have implications for the implementable scope of such laws.327 Jurisdictional information privacy laws consequently reflect the wider

321 Ibid 67.
322 Ibid.
323 Ibid 68.
324 See Solove, Rotenberg and Schwartz, above n 290, 578.
325 Bennett and Raab, above n 264, 13 stating that privacy is not an absolute right and is balanced against other community rights and obligations.
326 See, eg, C Raab, 'From Balancing to Steering: New Directions for Data Protection' in Rebecca A Grant and Colin J Bennett (eds), Visions of Privacy: Policy Choices for the Digital Age (1999) 68, 68 regarding the limited role of a right to privacy which does not take precedence over all uses of personal information; Regan, Legislating Privacy: Technology, Social Values, and Public Policy, above n 258, 16 regarding privacy protection in the US as the balancing of individual and political interests.
327 Bennett and Raab, above n 264, 125 contending that information privacy law is ‘an exercise of the power of the state in regulating the processing of personal data.’

social, legal and policy values of individual jurisdictions.328 The US attitude towards information privacy law is a reflection of this point. The sectoral approach329 to information privacy in the US has been characterised as ‘sporadic’330 and ‘reactive.’331 The regulatory focus of US information privacy law is the general curtailment of government powers in combination with laws that govern industry-specific practices or various types of sensitive information.332 The existence or non-existence of information privacy regulation at the federal level is specific to particular circumstances or sectors. For example, the Privacy Act333 provides a range of fair information practices that US Government agencies must comply with regarding the handling of personal information. The Gramm-Leach-Bliley Act334 (GLBA) creates privacy protections for personal financial information within the specific remit of the financial services sector. As highlighted in the previous section, HIPAA335 confers legal protections in relation to identifiable health information held in the medical and health insurance sectors. In a different vein, the Children’s Online Privacy Protection Act (COPPA)336 governs restrictions on the collection of online personal information from children under the age of 13.

Alongside these sector-based laws, there is a collection of other laws that have been developed to provide a remedy for specific issues which have become

328 See Bennett, above n 248, 242-3 regarding the effect of different political philosophies on the implementation of information privacy legislation; P P Swire and R E Litan, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (1998) 153 contending that different approaches to privacy protection reflect unique jurisdictional approaches.
329 See Gellman, above n 286, 195 describing sectoral as ‘no general privacy laws, just specific laws covering specific records or record keepers’; Schwartz, above n 92, 902 stating that US information privacy laws ‘regulate information use exclusively on a sector-by-sector basis.’
330 J R Reidenberg, 'The Globalization of Privacy Solutions: The Movement Towards Obligatory Standards for Fair Information Practices' in Rebecca A Grant and Colin J Bennett (eds), Visions of Privacy: Policy Choices for the Digital Age (1999) 217 also stating that the lack of a coherent and systematic approach to information privacy protection in the US ‘presents an undesirable policy void’; Soma, Courson and Cadkin, above n 66, 1 stating that US privacy regulation is best described as ‘a haphazard set of industry specific regulations ... which frequently overlap and are often contradictory’; Gellman, above n 286, 195 describing the legal structure for US privacy protection as a ‘patchwork quilt.’
331 See Bennett and Raab, above n 264, 37 regarding reactivity as a weakness of sectoral regimes.
332 See, eg, Reidenberg, above n 330, 217.
333 The Privacy Act of 1974, 5 USC § 552a.
334 Financial Services Modernization Act of 1999, 15 USC §§ 6801-9 (1999).
335 Health Insurance Portability and Accountability Act of 1996, 45 CFR §§ 160, 162 and 164 (1996).
336 Children’s Online Privacy Protection Act, 15 USC §§ 6501–6 (1998).

sufficiently politicised to warrant legislative action.337 The Drivers Privacy Protection Act (DPPA)338 was enacted to restrict the disclosure of driver license information by state authorities following the murder of actress Rebecca Schaeffer, in which an assailant used publicly available driver license information to stalk and then murder Ms Schaeffer.339 The requirements of the DPPA have also been instrumental in restricting the sale of driver license information by state agencies to commercial entities.340 The Video Privacy Protection Act341 was enacted following a controversy involving Supreme Court nominee Robert Bork, when details of his video watching habits were obtained by the media.342

The myriad of information privacy legislation has also been replicated at state level.343 Some states have implemented laws to provide general statutory rights of privacy that are akin to tort law protections and thus govern areas such as common law invasions of privacy.344 Other states, like their federal counterparts, have also enacted a number of sector-based laws aimed at certain industry practices. For example, in addition to federal laws, some states have enacted laws specifically governing the use of certain types of personal information, such as video rental records, as highlighted above.345 Accordingly, Schwartz contends that a duopoly exists between federal and state laws in which federal laws

337 Bennett and Raab, above n 264, 37; Regan, Legislating Privacy: Technology, Social Values, and Public Policy, above n 258, 199 stating that congressional privacy legislation was based on various critical events which opened up a policy window; P Regan, 'The United States' in James B Rule and Graham Greenleaf (eds), Global Privacy Protection: The First Generation (2008) 50, 51.
338 Drivers Privacy Protection Act of 1994, 18 USC § 2725 (1994).
339 See eg, D J Solove, Understanding Privacy (2008) 69 regarding the distinction between public and private data in the Schaeffer case; Garcia, above n 2, 693 stating the ‘Schaeffer case is credited with sparking the passage of the Drivers’ Privacy Protection Act’; Regan, Legislating Privacy: Technology, Social Values, and Public Policy, above n 258, 207 regarding the use of state driver license information to harass pregnant mothers who visited abortion clinics.
340 See, eg, Froomkin, above n 7, 1029; Garcia, above n 2, 715 highlighting state revenues derived from the sale of driver license information; Regan, 'The United States', above n 337, 50 summarising the development of the DPPA.
341 The Video Privacy Protection Act of 1988, 18 USC § 2710.
342 See Schwartz, above n 92, 935-6 providing a comprehensive overview of the development of the law including details of congressional outrage.
343 See J R Reidenberg, 'Privacy in the Information Economy: A Fortress or Frontier for Individual Rights?' (1992) 44(2) Federal Communications Law Journal 195, 221 commenting that state-based protections suffer from incompleteness and vary from state to state.
344 Ibid 228.
345 See Schwartz, above n 92, 919 regarding state variants on the VPPA.

Page 73: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

63

deliver specified benchmarks which allow state laws further room for experimental

development.346

Comprehensive legal frameworks, on the other hand, adopt a different approach to sectoral regimes. They establish information privacy rights for individuals and define obligations for data collecting organisations regardless of industrial sector. Comprehensive frameworks have universal notions of the type of information that is covered by information privacy laws, typically defined as ‘personal data’347 or ‘personal information.’348

Enforcement mechanisms operated by comprehensive information privacy regimes are also different to those found in sectoral regimes. Most comprehensive frameworks employ specific supervisory authorities with given sets of legislative powers to protect the rights of individuals and impose compliance obligations upon organisations, and these authorities are seen as a necessary condition of an effective information privacy regime. Moreover, the type of data covered by these laws is generally context dependent, which means that different types of information can be personal information at different times depending upon the context in which it is used. The context dependent approach is a significant difference from sectoral laws, which have a restrictive outlook on the type of information that will constitute personal information. Hence sectoral information privacy laws have developed context independent approaches to the classification of personal information that reflect the restricted aims of industry or information specific legislation.349

2.3.3 KEY CONTEMPORARY ANALYSES

The issues of context-based analysis and the sectoral and comprehensive divide have been important elements in recent critical analysis of information privacy law.350 These are briefly overviewed in the final sub-section.

346 Ibid.
347 Council Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.
348 Privacy Act 1988 (Cth) s 6(1).
349 Bennett and Raab, above n 263, 113.
350 There is not scope within this chapter to cover all key works in depth and notable absentees from this review include: S Gutwirth, Y Poullet and P De Hert, Reinventing Data Protection? (2009); J B Rule, Privacy in Peril (2007); and J B Rule and G Greenleaf, Global Privacy Protection: The First Generation (2008).


One of the fullest critiques of information privacy law, from a legal and political perspective, is provided by Bennett and Raab in their 2006 book ‘The Governance of Privacy: Policy Instruments in Global Perspective.’351 Bennett and Raab’s work examined the politics of privacy in relation to the legal protections of personal information that were developed during the preceding decades. The authors make a number of powerful contentions that involve the historical development of information privacy law and its strengths and weaknesses in application, and highlight key controversial areas. One important aspect that emanates from their work is that the content and provision of a privacy right is inherently dependent on the context of social application and is thus applied subjectively by individuals to their own circumstances.352 The authors therefore situate the ongoing development of information privacy law within a much wider sphere than that which is assumed by the traditional privacy paradigm founded upon basic liberal notions.353 The general application of privacy law consequently involves deeper societal disputations that involve power relationships in the form of class, gender and race as well as other social categories.354

Information privacy legal protections are accordingly a matter of social policy. However, the constituent elements of information privacy law do not match the inherent complexities of social life regarding relationships involving the provision, collection and use of personal information. Information privacy laws therefore have some in-built weaknesses about how the roles of individuals and data collecting institutions are constructed. These legal constructions ‘lay down the tramlines’ about how organisations understand their legal obligations and individuals understand themselves in relation to these organisations.355 As such, information privacy laws and legal regimes are too heavily institutionalised and focus too much upon the regulation of typified institutions rather than the governance of information relationships.356

351 Bennett and Raab, above n 264.
352 Ibid 9.
353 Ibid 17.
354 Ibid.
355 Ibid.
356 Ibid.


The enervating perspective of the first generation of information privacy laws is also significantly addressed by Zittrain in his article Privacy 2.0.357 Zittrain has two principal criticisms about the ineffectiveness of first generation information privacy laws in newly evolving Internet structures. The first regards the new information exchange relationships that emerge from the Internet, which are more complex than the traditional personal data collection pathways of the previous decades. The second contends that individual, as well as organisational, actions can now give rise to an equal number of privacy concerns. New technological developments and social structures mean that individuals now have the same capacity to infringe the privacy of individuals as organisations once did.358

Legal remedies designed in the 1970s and 1980s may consequently provide ineffective and rigid solutions to personal information exchange problems in modern personal information sharing environments. The once clear cut boundaries of personal information provision have been blurred to the extent that Internet personal information users are no longer just organisations but are now inchoate collections of far flung individuals, who coalesce in different groups to use and share their own and other individuals’ personal information. Contrast that to the concerns of first generation laws, in which monolithic organisations collected personal information for specific purposes, largely direct from the individuals themselves, and whose subsequent re-use of personal information was mostly predictable.

The fundamental analytical template of first generation information privacy laws regarded ‘both the analysis and suggested solutions speak in terms of institutions gathering data, and of developing ways to pressure institutions to better respect their customers' and clients' privacy.’359 This basic template has shaped the development of privacy legislation during the last three decades but has not effectively made the transition from ‘a functional theory to a successful regulatory practice.’360 First generation fears accordingly focused on powers arising from the centralisation of personal information and nefarious uses by powerful organisations without the knowledge, input or consent of individuals.

357 J Zittrain, 'Privacy 2.0' (2008) The University of Chicago Legal Forum 65.
358 Ibid 100.
359 Ibid 69.
360 Ibid citing pressures arising from law enforcement and commerce as significant reasons for these failures.

Privacy 2.0 concerns, on the other hand, manifest through peer-to-peer technologies that eliminate points of control regarding the transfer of personal information.361 Whilst the contested social asset remains personal information, the contests that are now developing in Internet environments are not about the fair or unfair processes of organisational personal information collection, but rather, they are about the socially acceptable re-uses of personal information by individuals in multiple, generative guises. Unlike their predecessors, Privacy 2.0 contested issues do not involve disputes between individuals and organisations in clear-cut, readily identifiable scenarios founded on stable and largely one-dimensional information pathways. Accordingly, first generation legal controls may now be ineffective because Web 2.0 enables multiple information contributions from a range of different and unconnected sources.362

Conceptualisations of information privacy law and privacy problems are therefore central to how information privacy concerns are resolved. Solove, building on previous work,363 provided a comprehensive critique of traditional conceptualisations of privacy that attempted to determine common elements unique to privacy within commonly understood notions of what privacy is.364 Rather than traditional concepts, a reconstruction of what is understood as privacy is required that is founded on a pluralistic, bottom up perspective that views legal remedies as ‘a set of protections against a cluster of related problems.’365 A pragmatic approach to conceptualising privacy is necessary that focuses on privacy in specific contextual situations rather than abstract conceptions.366

In doing so, Solove contends privacy problems which arise from the increased use of information technologies will not be resolved by ‘clinging to a particular conception of privacy’ especially regarding the collection and use of personal information.367 Accordingly, the conception of privacy as control over information only partially captures the problems that arise from increased use of personal information. The resolution of these problems requires ‘conceptualizing privacy from the bottom up, beginning with the problem itself rather than trying to fit the problem into a general category.’368 To resolve the deficiencies, a taxonomy was developed of privacy problems that have achieved a significant degree of social recognition and can thereby warrant clear and focussed legal attention.369

361 Ibid 81.
362 Ibid 65.
363 D J Solove, 'Privacy and Power: Computer Databases and Metaphors for Information Privacy' (2001) 53(6) Stanford Law Review 1393; Solove, 'Conceptualizing Privacy', above n 258, 1087.
364 Solove, Understanding Privacy, above n 338, 14.
365 Ibid 40.
366 Solove, 'Conceptualizing Privacy', above n 259, 1128.

Solove highlights that the social context of information generation and provision is a latent but ever-present component of the information privacy law literature. Other authors have also addressed this point. Allen contends that information privacy and social context are intimately bound with the creation, development and maintenance of social relationships. Privacy is ‘down time’ that provides the space for reflection and thus allows individuals to prepare themselves for their wider social responsibilities within the context of their own lives.370 Schoeman also outlines that the wider concept of privacy is part of a ‘historically conditioned, intricate normative matrix with interdependent practices’ and is best understood when viewed contextually.371 Privacy as a social practice thus shapes individual behaviour in conjunction with other social practices and it is therefore ‘central to social life.’372 Likewise, Moor and Tavani also acknowledge the importance of ‘situations’ in deciding when an individual has a condition that is equivalent to privacy.373 However, the notion of a situation is characterised as ‘deliberately indeterminate or unspecified’ so that it can be construed in a number of different ways in circumstances that would normally be regarded as private.374

367 Ibid 1151-2.
368 Ibid 1154.
369 Solove, Understanding Privacy, above n 339, 102.
370 Allen, above n 243, 723: the value of privacy therefore lies in ‘the context in which individuals work to make themselves better equipped for their familial, professional, and political roles’; see also F D Schoeman, Privacy and Social Freedom (1992) regarding the role of privacy in the balancing of social freedoms and an individual’s need to be part of a ‘human context.’
371 Schoeman, above n 370, 137.
372 Ibid.
373 J H Moor, 'Towards a Theory of Privacy in the Information Age' (1997) 27(3) Computers and Society 27, 30 stating privacy is normatively prevalent if an individual or group is protected from intrusion, interference and access by others.
374 See Tavani, above n 248, 10 explaining the role of Moor and Tavani’s Restricted Access/Limited Control (RALC) theory.


Nissenbaum’s Privacy in Context375 incorporates her theory of Contextual Integrity376 to provide perhaps the fullest account of the importance of context in the regulation of information privacy. Nissenbaum puts forward an analytical framework to examine potential privacy concerns arising from the introduction of new technologies or technological structures principally involving the use of personal information.377 Privacy is sufficiently important to the continued existence of social and political life that it cannot be compartmentalised and reduced in social importance.378 Instead, contextual integrity represents privacy as a ‘delicate web of constraints’ relating to flows of personal information that balances the multiple political and social spheres of human life. An attack on individual privacy is therefore an attack at the ‘very fabric of social and political life.’379 Privacy in this regard is not a claim regarding an individual’s control of their personal information but rather entails a right to an appropriate flow of personal information which is systematically grounded in the characteristics of social situations.380

Contextual Integrity is therefore founded on social context and gains expression through its primary concept, context-relative informational norms. These norms govern entrenched expectations that in turn govern flows of personal information in everyday life. Accordingly, a breach of privacy under the theory of Contextual Integrity equates to a violation of an established informational norm.381 These norms are characterised by four key parameters.382 Contexts provide a backdrop for norm development and feature an array of components383 that abstractly represent the experienced social structures of everyday life.384 Actors are those participants involved in the direct context of information exchange: senders and receivers of information and information subjects.385 However, the types of relationship that each party has with each other are not fixed and it is acknowledged that both individuals and organisational representatives can have different capacities in different situational circumstances.386 Attributes refer to the type or nature of the information in question. For example, the same type of information can have different meaning or application in different contexts.387 Finally, transmission principles provide a constraint on the flow of information from party to party in a given context by stipulating terms and conditions which govern the transfer of personal information.388

375 H Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life (2010).
376 H Nissenbaum, 'Privacy as Contextual Integrity' (2004) 79 Washington Law Review 119.
377 Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life, above n 375, 6-7.
378 Ibid 128.
379 Ibid.
380 Ibid 129.
381 Ibid 140.
382 Ibid.
383 These are canonical ‘activities, roles, power structures, norms (or rules) and internal values (goals, ends, purposes).’
384 Ibid 134.
385 Ibid 141.

These parameters are embedded within informational norms, which in turn are embedded within different social contexts.389 As such, different parameters come to the fore in different social contexts and in the guise of different privacy related problems. For example, in a context of information exchange amongst friends, there are expected transmission principles, namely that the personal information exchange is usually volunteered freely and there are certain trust-based expectations about how that information will or will not be used. However, the medium of exchange can impact upon friend-based transmission principles, especially in situations involving a broader and thus less controlled transmission of personal information. Likewise, the provision of the exact same personal information is likely to vary between the context of a patient to doctor relationship during a medical consultation compared to an interviewee to interviewer relationship in relation to an employment application. The analysis of informational norms and component parameters is best conceived as juggling balls390 that move in sync, with different emphases placed on different balls depending on the social context involved and the privacy concern emanating.

Nissenbaum developed the theory of Contextual Integrity as a ‘framework for determining, detecting, or recognizing when a [information privacy] (sic) violation has occurred.’391 To do so requires a comparison between entrenched and novel practices to adduce whether there has been a violation of context-relative informational norms. Privacy in Context is a valuable addition to the literature in that regard as it cements the importance of contextualisation in the examination of concerns relating to the provision, protection and use of personal information. However, Nissenbaum acknowledges that much work has yet to be undertaken about how Contextual Integrity can apply to existing information privacy legal regimes, especially comprehensive frameworks.392

386 Ibid 143. Nissenbaum contends that an actor in one situation may not act in the same way as in another. For example, the difference between an actor in a ‘businessman to employee’ relationship compared to a ‘parent to child’ relationship. Accordingly, the capacity within which an actor may act has an ‘innumerable number of possibilities.’
387 Ibid.
388 Ibid 145.
389 Ibid.
390 Ibid.
391 Ibid 148.

2.4 SUMMARY – GAPS IN THE LITERATURE

This chapter has reviewed the salient literature on data breach notification and information privacy law. The origins of data breach notification law principally derive from the US and the content of this literature review has focused on the US literature covering this topic and the literature on information privacy law. Unsurprisingly, the data breach notification literature is relatively light given that data breach notification law originated less than a decade ago. Most of the earlier journal articles are largely descriptive and focus on distinctions between different state-based laws and federal developments. Fuller examinations of legal and regulatory impact began to emerge from 2007 onwards and Schwartz and Janger’s article393 is the leading work in the field. In 2009, the Berkeley Technology Law Journal ran an issue dedicated to data breach notification and the articles also provide a significant contribution to the literature.394 Only one article prior to the publications derived from this thesis examined the issue of data breach notification in Australia.395

Whilst authors have identified that the relationship between data breach notification and information privacy law needs further examination,396 there has not been a comprehensive investigation of the relationship between data breach notification and information privacy laws and their constituent concepts and approaches to legislative coverage. The review of the information privacy law literature demonstrated that the complex issue of contextualisation is central to the application of information privacy legal regimes. Yet the issue of contextualisation has barely been addressed in the data breach notification literature. The literature review therefore laid the foundation for an exploration into the complementary and conflicting conceptual components of both laws that directly or indirectly gravitated around notions of contextualisation, in order to examine the compatibility of both laws. The articles that constitute this thesis accordingly make a significant contribution to the examination of the relationship between data breach notification and information privacy laws.

392 Ibid 238. Nissenbaum suggests that her theory of contextual integrity may be more suited to sectoral frameworks because ‘it embodies informational norms relevant to specific sectors, or contexts, in the law.’
393 Schwartz and Janger, above n 10.
394 Froomkin, above n 7; Regan, 'Federal Security Breach Notifications: Politics and Approaches', above n 30; Romanosky and Acquisti, above n 60; Winn, above n 19.
395 Black, above n 149.
396 See eg Schwartz and Janger, above n 10; Winn, above n 19; Needles, above n 7.


CHAPTER 3 - STAKEHOLDER PERSPECTIVES

Chapter Three consists of:

♦ Co-author contribution statement; and

♦ A copy of the article - Lane, B, et al, 'Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches' (2010) 15(1) Media and Arts Law Review 149.


Stakeholder perspectives regarding the mandatory notification of Australian data breaches

Bill Lane,* Mark Burdon,† Evanne Miller‡ and Paul von Nessen§

The advent of data breach notification laws in the United States has unearthed a significant problem involving the mismanagement of personal information by a range of public and private sector organisations. At present, there is no statutory obligation under Australian law requiring public or private sector organisations to report a data breach of personal information to law enforcement agencies or affected persons. However, following a comprehensive review of Australian privacy law, the Australian Law Reform Commission has recommended the introduction of a mandatory data breach notification scheme. The issue of data breach notification has ignited fierce debate among stakeholders, especially larger private sector entities. The purpose of this article is to document the perspectives of key industry and government representatives to identify their standpoints regarding an appropriate regulatory approach to data breach notification in Australia.

Introduction

Rapid advances in information technologies have revolutionised how both public and private sector organisations conduct their business. Corporate databases can now hold vast amounts of personal information about their clients, including name, address, credit card and bank account details, to the extent that securing information systems is now a difficult and complex task.1 For example, in the United States data brokerage firms alone have control over billions of records containing information about American citizens.2 It is therefore no surprise that consumer personal information is regarded as a

* Clayton Utz Professor of Public Law, Faculty of Law, Queensland University of Technology.
† Research Associate/PhD Candidate, Faculty of Law, Queensland University of Technology.
‡ Senior Lecturer, School of Design, Queensland University of Technology.
§ Professor, Business Law and Taxation, Monash University and Consultant, McCullough Robertson Lawyers. The authors gratefully acknowledge funding from Australian Research Council Grant DP0879015 'A new legal framework for identifying and reporting Australian data breaches'.
1 B St Amant, 'Misplaced Role of Identity Theft in Triggering Public Notice of Database Breaches' (2007) 44 Harvard J on Legislation 505 at 506. See also K Siegel, 'Protecting the Most Valuable Corporate Asset: Electronic Data, Identity Theft, Personal Information, and the Role of Data Security in the Information Age' (2007) 111(3) Penn State L Rev 779.
2 See S Ludington, 'Reining in the Data Traders: A Tort for the Misuse of Personal Information' (2006) 66 Maryland L Rev 143.

Due to copyright restrictions, the published version of this article is not available here. Please consult the hardcopy thesis available from QUT Library or view the author version online at: http://eprints.qut.edu.au/37694/

CHAPTER 4 - MANDATORY NOTIFICATION

Chapter Four consists of:

♦ Co-author contribution statement; and

♦ A copy of the article – Burdon, M, Lane, B and von Nessen, P, 'The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments' (2010) 26(2) Computer Law & Security Review 115-129.

Due to copyright restrictions, the published version of this article is not available here. Please consult the hardcopy thesis available from QUT Library or view the author version online at: http://eprints.qut.edu.au/37695/

CHAPTER 5 - ENCRYPTION SAFE HARBOURS

Chapter Five consists of:

♦ Co-author contribution statement; and

♦ A copy of the article - Burdon, M, Reid, J and Low, R, 'Encryption Safe Harbours and Data Breach Notification Laws’ (2010) 26(5) Computer Law & Security Review 520.


COMPUTER LAW & SECURITY REVIEW 26 (2010) 520-534

available at www.sciencedirect.com and www.compseconline.com/publications/prodclaw.htm

Encryption safe harbours and data breach notification laws

Mark Burdon, Jason Reid, Rouhshi Low Queensland University of Technology, Australia

Keywords: Data breach notification; Encryption; Information security management; Data protection

ABSTRACT

Data breach notification laws require organisations to notify affected persons or regulatory authorities when an unauthorised acquisition of personal data occurs. Most laws provide a safe harbour to this obligation if acquired data has been encrypted. There are three types of safe harbour: an exemption; a rebuttable presumption and factor-based analysis. We demonstrate, using three condition-based scenarios, that the broad formulation of most encryption safe harbours is based on the flawed assumption that encryption is the silver bullet for personal information protection. We then contend that reliance upon an encryption safe harbour should be dependent upon a rigorous and competent risk-based review that is required on a case-by-case basis. Finally, we recommend the use of both an encryption safe harbour and a notification trigger as our preferred choice for a data breach notification regulatory framework.

© 2010 Mark Burdon, Jason Reid and Rouhshi Low. Published by Elsevier Ltd. All rights reserved.

1. Introduction

The conceptual justification for mandatory data breach notification laws is relatively straightforward. An organisation that has suffered a data breach that exposes personal information must notify those persons whose information may have been acquired so they can take action to mitigate potential harms, predominantly arising from the threat of identity theft. A general safe harbour to notification exists in most data breach notification laws that relates to encryption.1 Put simply, an organisation that has suffered a data breach involving encrypted personal information does not have to notify those persons who may have been affected by the breach. The rationale for the safe harbour is twofold. First, to reduce the risks of notification fatigue2 and the regulatory compliance burden on organisations and regulators, by requiring notification only in circumstances where there is an appreciable risk of identity fraud.3 Second, to encourage both private and public sector organisations to adopt encryption technologies for the collection and storage of personal information, thus strengthening their information security management practices.4 Data breach notification laws have been successful at revealing serious and innumerable instances of ineffective management regarding the security of

1 It should also be noted that other common and broad safe harbours exist particularly in relation to 'good faith' use by employees and to acquired information that is already in the public domain.

2 Notification fatigue refers to the negative impact of over-notification upon individuals and potentially the overall impact of data breach notification laws. See e.g. A Cavoukian, A Discussion Paper on Privacy Externalities, Security Breach Notification and the Role of Independent Oversight (2009) http://www.ipc.on.ca/images/Resources/privacy_externalities.pdf at 19 March 2010, 9 and PM Schwartz and EJ Janger, 'Notification of Data Security Breaches' (2007) 105(5) Michigan Law Review 913, 916.

3 See e.g. California Office of Privacy Protection, 'Recommended Practices on Notice of Security Breach Involving Personal Information' (California Office of Privacy Protection, 2008).

4 See e.g. L Rode, 'Database Security Breach Notification Statutes: Does Placing the Responsibility on the True Victim Increase Data Security?' (2007) 43(5) Houston Law Review 1597, 1628; ME Jones, 'Data Breaches: Recent Developments in the Public and Private Sectors' (2007) 3 I/S: A Journal of Law and Policy for the Information Society 555, 573; KE Picanso, 'Protecting Information Security Under a Uniform Data Breach Notification Law' (2006) 75(1) Fordham Law Review 355, 384.

0267-3649/$ - see front matter © 2010 Mark Burdon, Jason Reid and Rouhshi Low. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2010.07.002

Due to copyright restrictions, the published version of this article is not available here. Please consult the hardcopy thesis available from QUT Library or view the author version online at: http://eprints.qut.edu.au/37693/

CHAPTER 6 - CONCEPTUAL BASIS

Chapter Six consists of:

♦ Co-author contribution statement;

♦ A copy of the article - Burdon, M and Telford, P 'The Conceptual Basis of Personal Information in Australian Privacy Law' (2010) 17(1) Murdoch eLaw Journal 1.


Mark Burdon, Paul Telford The Conceptual Basis of Personal Information in Australian Privacy Law

eLaw Journal: Murdoch University Electronic Journal of Law (2010) 17(1) 1

The Conceptual Basis of Personal Information in Australian Privacy Law

Mark Burdon and Paul Telford∗

Australian privacy law regulates how government agencies and private sector organisations collect, store and use personal information. A coherent conceptual basis of personal information is an integral requirement of information privacy law as it determines what information is regulated. A 2004 report conducted on behalf of the UK’s Information Commissioner (the 'Booth Report') concluded that there was no coherent definition of personal information currently in operation because different data protection authorities throughout the world conceived the concept of personal information in different ways. The authors adopt the models developed by the Booth Report to examine the conceptual basis of statutory definitions of personal information in Australian privacy laws. Research findings indicate that the definition of personal information is not construed uniformly in Australian privacy laws and that different definitions rely upon different classifications of personal information. A similar situation is evident in a review of relevant case law. Despite this, the authors conclude the article by asserting that a greater jurisprudential discourse is required based on a coherent conceptual framework to ensure the consistent development of Australian privacy law.

1. Introduction

Defining privacy has been a source of perennial angst for both legal academics1 and legislators.2 Legislative efforts to identify and regulate privacy issues have generally focused on the more manageable concerns that arise from the collection, storage and use of personal information.3 Therefore it is common that information privacy laws concentrate on the governance of personal information such that definitions of personal information are central to the application of most privacy laws, including Australian privacy laws.4

Accordingly, what is and what is not personal information is of crucial importance, as it will determine whether statutory redress is available. Despite that, little attention has been focused on what information constitutes personal information.

A review of Australian privacy laws reveals that different definitions of personal information are currently in operation. However, whilst different definitions exist, all Australian privacy laws use the concept of personal information to assign rights of control to individuals and consign limiting obligations on data collecting organisations. The degree to which that regulation occurs depends upon how information is construed as personal information, and in particular, the extent to which the social complexity of personal information production is acknowledged. A context based analysis of personal information has been integral to the application of Australian privacy laws but different laws, through their definition of personal information, emphasise differing perspectives about the purpose of context based assessments.

Section II of this paper details legislative and academic attempts to address the issue of what is personal information. Section III specifies the key elements of a 2004 report (the 'Booth Report') conducted for the UK's Information Commissioner which examined the underlying basis of personal information in different jurisdictions. Section IV details definitions of personal information in Australian privacy laws and culminates with a brief review of recommendations put forward by the ALRC. Section V attempts to identify the conceptual basis of personal information in Australian law by examining legislative provisions in light of four models developed by the authors of the Booth Report. Section VI examines relevant case law and stresses that a greater jurisprudential discourse is required based on a sound conceptual footing. Finally, in Section VII the authors conclude the article.

2. What is Personal Information?

The notion of personal information is central to the effective functioning of information privacy laws. Like most forms of privacy regulation, definitions of personal information are inherently linked to fears arising from the advent of new technologies, particularly regarding the automated collection of information in computerised systems.5 These fears became realisable towards the end of the 1960s and legislative privacy responses focused on the narrower concept of information privacy or data protection.6

∗ Sessional Academics, Faculty of Law, Queensland University of Technology, 2 George Street, Brisbane, [email protected], [email protected]. The authors gratefully acknowledge funding support from the Smart Services Cooperative Research Centre and the Queensland Government Department for State Development.

1 See R C Post, 'Three Concepts of Privacy' (2001) 89(6) Georgetown Law Journal 2087, 2087 where Post comments that the notion of privacy is so complex that it cannot be usefully conceptualised because it is so entangled with competing and contradictory dimensions; see also A L Allen, 'Coercing Privacy' (1999) 40(3) William and Mary Law Review 723, 745, where Allen sees privacy as an inalienable right that should be considered as a pre-conditional foundation of a liberal egalitarian society; contra W M Beaney, 'The Right to Privacy and American Law' (1966) 3(2) Law and Contemporary Problems 253, 255, where Beaney doubts whether it is possible to define a 'right of privacy'.

2 To the extent that most privacy laws do not attempt to define privacy. For example, following the recommendations of the Australian Law Reform Commission, Privacy and Personal Information, Discussion Paper No 14 (1980) and the 'Younger Report': Committee on Privacy, Great Britain, Report of the Committee on Privacy (1972), the original drafters of the Privacy Act (Cth) concluded that a rigid definition of privacy was not possible and that 'it is a notion about whose precise boundaries there will always be a variety of opinions'.

3 See for example P M Schwartz, 'Internet Privacy and the State' (2000) 32(3) Connecticut Law Review 815, 820: 'the leading paradigm on the Internet and in the real, or, offline world, conceives of privacy as a personal right to control the use of one's data'.

4 See Australian Law Reform Commission, Privacy, Report No 22 (1983) Vol. 2, 78: 'In the context of personal information, the individual's claim to privacy is therefore a claim to control, to an appropriate extent, the way that others in the community perceive him. The way that personal information about individuals is collected, used and disclosed is a matter of privacy concern'.

The genesis of information privacy laws throughout the world derives principally from three defining documents that were drafted in the decade between the early 1970s and the early 1980s.

In 1973, the US Department of Health, Education and Welfare produced a report entitled Records, Computers and the Rights of Citizens.7 The Report's recommendations led to the enactment of legislation and established a Code of Fair Information Practice for automated database systems that housed personal information. The Code provided the foundation for the Privacy Act 1974 (US) and laid the way for a series of reports that culminated in the Fair Information Practice Principles.8 In 1981, the Council of Europe adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,9 which was intended as a catalyst to encourage and guide state legislative initiatives rather than to provide a readily implementable set of data protection rules and regulations.10 Finally, the Organisation for Economic Cooperation and Development (OECD) was also instrumental in developing guidelines that had a significant impact as a foundation for national legislation, including Australia's.11 The OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data12 were developed by a group of government experts under the chairmanship of the Hon. Mr. Justice Michael Kirby, who was then Chairman of the Australian Law Reform Commission.

5 See eg Committee on Privacy, Great Britain, Report of the Committee on Privacy (The Younger Report) (1972), 177; Advisory Committee to the Secretary of Health, Education & Welfare, Records, Computers and the Rights of Citizens (1973) <http://aspe.hhs.gov/DATACNCL/1973privacy/tocprefacemembers.htm>.

6 See A F Westin, Privacy and Freedom (New York: Atheneum, 1967), 7, the conceptual starting point for information privacy laws, in which Westin defined privacy as 'the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others'.

7 Department of Health, Education and Welfare Secretary's Advisory Committee on Automated Personal Data Systems, United States, Records, Computers and the Rights of Citizens (1973) <http://aspe.hhs.gov/DATACNCL/1973privacy/tocprefacemembers.htm> at 19 April 2010.

8 Daniel J Solove, Marc Rotenberg and Paul M Schwartz, Information Privacy Law (2nd ed, New York: Aspen Publishers, 2006).

9 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature 28 January 1981, ETS No 108 (entered into force 1 October 1985).

These three documents enshrined the notion that information privacy should be based on fair information practices and provide individuals with a degree of control about how organisations collect, store and use their personal information.13 However, despite legislative attempts to focus regulation on information privacy, law reformers, academics, regulatory and judicial entities have nevertheless developed alternative methods to assess what kind of information would constitute personal information.14

For example, in the UK, the Younger Committee on Privacy was asked by the Heath Government in 1970 to examine whether privacy legislation was required to provide additional protections for individuals and organisations against privacy intrusions.15 The Committee found that the main concerns arising from invasions of privacy involved the use and misuse of personal information.16

Information that should be classed as personal information, and therefore considered for regulation, was information:

in which a person should be regarded as having something in the nature of a proprietary interest...because it relates to him or because he has been entrusted with it by the person to whom it relates.17

The notion of personal information did not entail a private or confidential element though it was recognised that such types of information would naturally engender a higher degree of care in handling. Furthermore, the Committee attempted to classify how members of the public conceived intrusions of privacy and the types of information that individuals would object to being published without their consent.18

The recommendations of the Younger Committee were not immediately implemented and instead a further review was conducted in 1976, under the chairmanship of Sir Norman Lindop,19 which ultimately resulted in the commencement of the Data Protection Act 1984 (UK).20

10 L A Bygrave, Data Protection Law: Approaching its Rationale, Logic and Limits (The Hague: Kluwer Law International, 2002), 34.

11 Bygrave, above n 10, 32.

12 Organisation for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Paris: OECD, 1980).

13 See S T Margulis, 'On the Status and Contribution of Westin's and Altman's Theories of Privacy' (2003) 59(2) Journal of Social Issues 411, for an overview of the 'privacy as control' paradigm.

14 The authors acknowledge the distinction between data and information. See eg Raymond Wacks, Personal Information: Privacy and the Law (Oxford: Clarendon Press, 1993), 25: 'Data become information only when they are communicated, received and understood. Data are therefore potential information'. However, for the purposes of this article, the concepts of personal data and personal information are interchangeable within the ambit of information privacy laws.

15 Younger Report, above n 5, 6.

16 Younger Report, above n 5, 19.

17 Younger Report, above n 5, 19.

18 See Younger Report, above n 5, 239-240. The Committee conducted a social survey into public attitudes relating to privacy. Not surprisingly, perhaps, 87% of respondents objected to the idea of having details of their sex life published, with income details coming second at 78%. Whereas the lower scale of objections related to nationality (8%), race (10%) and occupation (12%). Interestingly, only 51% of respondents would object to the unauthorised publication of their medical history.

More recent developments in the UK have also given rise to controversy about the classification of personal information. In 2003, the Court of Appeal considered the meaning of personal data under s1(1) of the Data Protection Act 1998 (UK) (the 'DPA') in the case of Durant v FSA.21 Section 1(1) of the DPA gives effect in UK law to Art 2(a) of Directive 95/4622 and defines personal data as:

Data which relate to a living individual who can be identified (a) from the data; or (b) from those data and other information which is in the possession of or is likely to come into the possession of the data controller.

In Durant, the Court was asked to determine whether information held by the Financial Services Authority (the 'FSA'), relating to an investigation it conducted on behalf of Mr Durant against a bank, was classified as personal data under s1(1) of the DPA. The plaintiff had previously made a request to the FSA under s7 of the DPA to access four files relating to his complaint. The FSA contended that the information held by it was not Durant's personal information and the Authority was therefore not required to provide him with the information. The key issue involved whether the information in question 'related to' Durant sufficiently for it to become personal data under the DPA. The Court's decision turned on alternative definitions of 'relate to' in the Shorter Oxford Dictionary. The first definition is restrictive in nature, as it involves having reference to or concern with a data item, whereas the second definition is broad, as having some connection with or being connected to data.23 The Court favoured the first definition, a decision that has been subject to some criticism because it provides an unduly restrictive notion of information that relates to an individual under the DPA.24 Furthermore, Jay argues that the Durant decision is inconsistent with the European Court of Justice's (the 'ECJ') decision in Lindqvist25 even though the Court of Appeal expressly acknowledged that it was bound to interpret the law in accordance with the EU Directive and the decisions of the ECJ.26 In 2008, the House of Lords had an opportunity to review Durant in Common Services Agency v Scottish Information Commissioner27 but declined to do so, stating that there was no reason to consider it in this case.28

19 Committee on Data Protection, Great Britain, Report of the Committee on Data Protection (London: HMSO, 1978).

20 See Colin J Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (Ithaca: Cornell University Press, 1992), 89. But see Roger Clarke, The Australian Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines (1989) Roger Clarke's Homepage <http://www.rogerclarke.com/DV/PActOECD.html> at 9 September 2009 regarding the UK Government's reluctance to implement the Committee's recommendations.

21 Durant v Financial Services Authority [2003] EWCA Civ 1746 (8 December 2003).

22 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [the Data Protection Directive], OJ L 281, 23/11/1995, 31–50.

23 See S Chalton, 'The Court of Appeal's Interpretation of "personal data" in Durant v FSA - a Welcome Clarification, or a Cat Amongst the Data Protection Pigeons?' (2004) 20(3) Computer Law & Security Report 175, 176 and M Watts, 'Information, data and personal data – Reflections on Durant v Financial Services Authority' (2006) 22(4) Computer Law & Security Report 320-325.

24 See eg D Lindsay, 'Misunderstanding "Personal Information": Durant v Financial Services Authority' (2004) 10(10) Privacy Law and Policy Reporter 13: 'This approach to the interpretation of the definition of "personal data", however, completely misconceives the role of the definition of "personal data" or "personal information" in determining the scope of an information privacy law. The basic assumption of all information privacy laws is that the privacy of the data subject is threatened by the processing of any information which identifies the data subject, or is capable of identifying the data subject, regardless of the nature of the information'; Chalton, above n 23, 180: 'applying a difficult and restrictive interpretation of "personal data" to a wide variety of information linked to identifiable individuals may create more difficulties than it solves'.

25 Bodil Lindqvist v Aklagarkammaren i Jonkoping (C-101/01) [2003] ECR.

Accordingly, despite the criticism, the Durant judgment still stands and could be construed as having received tacit support from the House of Lords.

Subsequent to Durant, and perhaps not surprisingly, privacy regulators on both sides of the English Channel have provided updated guidance in attempts to clarify what data will be classed as personal data. The UK’s Information Commissioner re-issued guidelines in February 2006 to take into account the Durant decision and provided a test to identify personal data when it is unclear whether the data in question relates to an individual or not.29 Under the test, if the data is capable of having an adverse impact on an individual’s privacy, then it should be deemed to be personal information.30 The Information Commissioner also stated that more general guidance would be released that would take into account the work of the Article 29 Working Party.31

The Working Party issued an Opinion on the concept of personal data in June 2007.32 The objective of the Opinion was to develop a common understanding of the concept of personal data and how it should be applied uniformly in member states. The Opinion reiterated that the purpose of the Directive was to protect fundamental rights and freedoms of individuals with regard to personal data processing and personal data should therefore be construed broadly.33 The Working Party also acknowledged the intentional flexibility of the Directive's language in conjunction with its exemptions to strike 'an appropriate balance' between the rights of data subjects and the legitimate interests of data collectors.34 The Working Party reiterated that undue restrictions regarding the interpretation of personal data should be avoided and it was the role of national data protection authorities to develop appropriate legal frameworks to ensure the requirements of the Directive were fulfilled. As regards the definition of personal data, the Working Party confirmed that information can be considered to relate to an individual when it is about that individual.35

As presaged by the Information Commissioner himself, the release of the Working Party's opinion instigated updated guidance from the UK's Information Commissioner about what constituted personal data, with clear practical guidance for organisations on how to consider whether data relates to an individual.36

26 See Rosemary Jay and Angus Hamilton, Data Protection Law and Practice (3rd ed, London: Sweet & Maxwell, 2007), 132.

27 Common Services Agency v Scottish Information Commissioner [2008] UKHL 47.

28 See R Crumbley and P Church, 'What is Personal Data? The House of Lords Identifies the Issues - Common Services Agency v Scottish Information Commissioner [2008] UKHL 47' (2008) 24(6) Computer Law & Security Report 565.

29 Information Commissioner's Office, The 'Durant' Case and its Impact on the Interpretation of the Data Protection Act 1998 (2006) Information Commissioner's Office <http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/the_durant_case_and_its_impact_on_the_interpretation_of_the_data_protection_act.pdf> at 19 April 2010.

30 Information Commissioner's Office, above n 29.

31 The Working Party was established under Art. 29 of the Directive and acts as an independent advisory body, composed of representatives of the national supervisory authorities, on European data protection and privacy issues.

32 Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data, 01248/07/EN, WP 136 <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf>.

33 Article 29 Data Protection Working Party, above n 32, 4.

34 Article 29 Data Protection Working Party, above n 32, 5.

35 Article 29 Data Protection Working Party, above n 32, 9.

Academic legal debate has highlighted the complexity and inconsistency attaching to the conceptualisation of personal information. Wacks contended that instead of pursuing a false god of privacy, legislative attention should aim to provide protections for identified and specific privacy interests.37 Adopting Westin’s theoretical base, Wacks argued that the core problem of privacy emanates from interests claimed by individuals to withhold certain information about themselves.38 The concept of personal information is therefore integral to the regulation of privacy and any definition of personal information must incorporate two key elements: the quality of the information and the reasonable expectations of the individual using it.39 Personal information therefore has both a normative and descriptive function because the notion of what is personal relates to a desired social norm (eg the ability to withdraw certain information about oneself) and to describe something as personal accords the conditions of the desired social norm (eg information as personal information means that an individual is granted legal controls over it).40

Whilst Wacks examines the normative elements of personal information, Bygrave identifies common conditions that make up personal information. According to Bygrave, two cumulative conditions exist: the information must relate to or concern a person and the information must facilitate the identification of a person.41 Identifiability is therefore a key underlying basis for defining personal information. Bygrave identifies six issues for determining what is personal information and notes that most definitions of personal information could mean that almost all pieces of information have a direct relationship with a particular person.42 He argues that limitations are required to ensure the ‘semantic viability’ of the concept and the effective functioning of regulatory capacities required by information privacy laws.43

The issue of context is therefore important to defining personal information given that any piece of information could potentially be classed as personal information. Roth addressed this point extensively in his review of New Zealand privacy laws and cases.44 He concluded that the complexity surrounding the concept of personal information in New Zealand was partly caused by 'historical baggage' that saw the development of the Privacy Act 1993 (NZ) through two separate pieces of legislation that focused on issues relating to freedom of information. As such, personal information under the New Zealand law could have two different applications. First, it could relate to 'information about a person' such as a name, address and other potentially identifying details. Second, personal information could 'denote information that is "personal" to the individual concerned, in the sense of being "private" or "sensitive"', for example political, sexual or religious perspectives.45

36 Information Commissioner's Office, Data Protection Technical Guidance: Determining What is Personal Data (2007) Information Commissioner's Office <http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/personal_data_flowchart_v1_with_preface001.pdf> at 19 April 2010.

37 Wacks, above n 14, 10.

38 Wacks, above n 14, 13.

39 Wacks, above n 14, 24.

40 Wacks, above n 14, 20.

41 Bygrave, above n 10, 42.

42 Bygrave, above n 10. The six issues are: the concept of identification/identifiability; the ease of identification; the legally relevant agent of identification; the accuracy of the link between data set and individual; the use of auxiliary information; and the requirement of individuation.

43 Bygrave, above n 10, 48.

44 P Roth, 'What is "Personal Information"?' (2002) 20 New Zealand Universities Law Review 40.

It is therefore not possible to determine whether information is personal information 'without having regard to the context in which it appears or is sought'.46 However, there are situations in which certain data can be converted directly into 'information about an identifiable individual without any interposing or additional step by which the data might be given such meaning'.47

Not only is the definition of personal information therefore conceptually complex but the process of personal information production is equally complicated because it depends on the contextual situation of a given piece of information and the social setting in which that information is used.

3. Conceptualising Personal Information

In 2004, the UK's Information Commissioner's Office (the 'ICO') procured research from the University of Sheffield to identify the underlying concepts of how worldwide data protection authorities defined personal information.48 The Report's key finding stated there was no uncontested and coherent definition of personal data amongst international jurisdictions. Even though most jurisdictions adopt similar conceptual frameworks, the researchers identified inconsistent understandings among data protection authorities of the conceptual underpinnings of personal information, which caused a lack of clarity both within and outside the EU. Accordingly, whilst data protection authorities projected clarity on their understanding of personal data, there were nevertheless major inconsistencies in how the term was conceptualised and applied.49

The researchers adopted an inter-disciplinary approach involving legal, sociological and psychological understandings of personal data and a two stage empirical approach was undertaken. The first stage surveyed thirty-nine data protection authorities to examine how personal data was being understood. Eighteen agreed to participate and eleven also agreed to participate in a follow up survey. The results of the first stage defined operative concepts currently in use by data protection authorities, which were used to develop a theoretical approach on how to conceptualise personal information based on existing policy decisions.50 From the results of the first survey, the researchers identified three conceptual underpinnings on how data protection authorities identified personal information. They are the capacity of a piece of information to either (1) identify an individual (2) affect an individual or (3) identify and affect an individual.51 These options were undeveloped and applied interchangeably which created an uncertain environment and thus made predictions of what could be classed as personal information problematic.52

45 Roth, above n 44, 41. 46 Roth, above n 44, 54. 47 Roth, above n 44, 54. 48 Sharon Booth et al, 'What are ‘Personal Data’? A study conducted for the UK Information Commissioner' (The University of Sheffield, 2004) < http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/executive_summary.pdf>. The Durant decision was delivered during the research and whilst it obviously had a bearing on the final report, the research was not commissioned because of the Durant decision. 49 Booth et al, above n 48, 9. 50 Booth et al, above n 48, 9. 51 Booth et al, above n 48, 95. 52 Booth et al, above n 48. The authors asserted that there was a 'need to develop a robust, express, theoretical and defensible framework within which the concept of "personal data" can begin to be understood'.


From their findings, the researchers deduced that data protection authorities used two general conceptualisations to identify personal information. Context independent conceptualisations enabled data protection authorities to identify personal information without recourse to the social context within which the information is used.53 In effect, the removal of social context simplified the categorisation of personal information because it allowed data protection authorities to make a definitive prediction of what information is always likely to be classified as personal information. Alternatively, context dependent conceptualisations deem that personal information can only be identified by examining the social context within which a piece of information is used.54

This makes definitive prediction virtually impossible because all information could be classed as personal information in the right circumstances, which are likely to be inherently subjective. The researchers subdivided the two conceptualisations to create four models regarding the categorisation of personal information by data protection authorities, as represented by Figure 1 below.

Figure 1 – Booth Models for Conceptualising Personal Information

First is the Unique Identifier (the 'UID') model. In this category, personal information is defined as information that is uniquely related to an individual. Because personal information is inimitable, it cannot be anonymised so the unique identifier will always continue to be related to an identifiable person.55 Personal information is therefore information that resists anonymisation because it contains in itself all that is required to identify an individual.56 The social context of information usage is irrelevant because personal information, under this model, links directly to an individual without reference to any other information. The authors concluded that in practice, it is rare to find data that can identify a person without recourse to other data and it is inevitable, in the vast majority of cases, that some linking of data is required to identify an individual.57

53 Booth et al, above n 48, 94.
54 See Booth et al, above n 48, 95.
55 Booth et al, above n 48, 96.
56 See Booth et al, above n 48, 99 regarding the different characteristics of unique identifiers which may lead to the identification of an individual. For example, a PIN number is a unique identifier that relies on a four digit number. It is therefore not possible to identify an individual from the PIN number alone and requires recourse to the card with which it is linked. However, some forms of driving licence are constructed by using a combination of first name letters and numbers that may make identification possible from the information.

Second, the Context Independent Affects (the 'CIA') model defines personal information as information which is capable of affecting an individual in a relevant way.58 Accordingly, personal information must be capable of affecting an individual in a material way. For example, information is only personal information if it affects an individual’s privacy.59

The CIA model is broader than the UID model because it places identification in a particular social context, albeit a limited one. It may be possible to anticipate a particular information type’s ability to affect an individual’s privacy, which acknowledges that a piece of information can have a wider effect than simple one-to-one identification from data to person. The CIA model therefore attempts to reduce rather than ignore social context.

The first context dependent approach is the Context Dependent Identifier (the 'CDI') model which defines personal information as information which may identify an individual.60 Personal information may therefore not be unique to an individual and may not necessarily identify an individual directly from the information itself. The CDI model thus refers to the notion of data sharing and the combined ability to link disparate data together to identify an individual.61 All information could potentially be personal information because any information is capable of identifying an individual in the right circumstances.62 To limit the scope of the CDI model, the researchers indicated that it was necessary to distinguish between actual availability of context and theoretical availability of context. Actual availability refers to information that informs about an individual whereas theoretical availability refers to the possibility that information may inform about an individual.63

For example, the information in question does not directly inform about an individual, but in certain contexts, it is more or less likely to enable identification when linked to other pieces of information. Categorisation of personal information therefore shifts focus from the information itself, to balancing the risk of realising the actual or possible identification of an individual from collective pieces of information.

Finally, the Context Dependent Affects (the 'CDA') model defines personal information as information which may affect an individual in a relevant way. All information is potentially capable of being personal information as any information is capable of affecting an individual in a relevant way in the right circumstances.64 Practical day-to-day concerns relate to information that is capable of affecting an individual’s privacy. The application of the model is tested on a case-by-case basis that takes account of a specific context and determines whether the information should be categorised as personal information based on the impact it may have on an individual’s privacy.65

57 See Booth et al, above n 48, 96-7. The example that is used often in the Report is DNA which has all the requirements within itself to identify an individual. However, as highlighted by the researchers, a definitive classification of identity from DNA requires recourse to certain technological techniques and processes to enable identification. Nevertheless, survey results highlight that a small number of countries exhibited UID model tendencies in their application of dental records and national insurance numbers as always being personal information.
58 Booth et al, above n 48, 53.
59 See Booth et al, above n 48, 103, where the authors assert '"Personal data", according to this model, doesn’t have to be able to identify the individual itself; it will be sufficient (but also necessary) for the information in question to be capable of affecting the "privacy" of an individual that has been/may be identified via other means'.
60 Booth et al, above n 48, 100.
61 See Booth et al, above n 48: 'According to this concept then, it is not the uniqueness of the data per se, that is significant but the availability of a context (possibly informed by other identifiers) within which that data may function as a unique identifier'.
62 Booth et al, above n 48, 101.
63 Booth et al, above n 48, 102.

In summary, Table 1 details the advantages and disadvantages of all four models as identified by the researchers.

Table 1 – Advantages and Disadvantages of the Booth Models

UID model
Advantages: Enables definitive categorisation of personal data.
Disadvantages: Overestimates the extent to which any piece of data may be independent of context. Underestimates the significance of context. Most data and most identifiers are only unique in a given social context.

CIA model
Advantages: Potentially enables definitive categorisation of personal data within a specific social context (e.g. the protection of an individual’s privacy). Potentially anticipates whether particular data types will affect an individual’s privacy without taking account of social context. Protects privacy rather than preventing identification.
Disadvantages: Underestimates the extent to which context considerations play a part when assessing an individual’s privacy. All data could potentially be personal data, which precludes judgements about whether a type of data will always affect an individual’s privacy. Encompasses an untenable concept of privacy because it presupposes that specific data types may impact upon the privacy of dissimilar individuals in similar ways. The model therefore has a very narrow perspective as it disregards the production of privacy and personal data as social context.

CDI model
Advantages: Extends the boundaries of personal data to include the notion of linking data as a context to identify an individual. Recognises the significance of information context and allows a determination of personal data based on identification that takes into account relative social contexts.
Disadvantages: Prevents definitive categorisation of personal data because theoretically any data and any context could transform data into personal data. Precludes risk assessments of what data is likely to constitute personal data.

CDA model
Advantages: Restricts the categorisation of personal data based on context to what actually affects an individual’s privacy. Acknowledges the complex nature of privacy as an interaction between an individual and society.
Disadvantages: Precludes definitive categorisation because the classification of personal data entails a subjective process that involves the interaction between an individual and their society, which could include all data. Prevents the delineation of actual/theoretical distinctions, which minimises attempts to identify the contexts in which a data type will impact on an individual’s privacy.

64 Booth et al, above n 48, 104.
65 Booth et al, above n 48.


4. Definitions of Personal Information in Australian Privacy Laws66

The first Australian privacy laws started to appear in the early 1970s.67 These laws were driven by specific technological advancements and were not universally adopted throughout Australia at that time. Nevertheless, concerns regarding the protection of individual privacy culminated in the mid-1970s when the Australian Law Reform Commission (the 'ALRC') was asked to undertake a wide-ranging review of privacy in Australia including issues relating to the collection, storage and use of personal information.68 The ALRC reported back to the Australian Government in 1983 and made recommendations regarding issues relating to the handling of personal information, largely based on the OECD’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.69 As to the definition of personal information, the ALRC took a broad view of what should be construed as personal information by stating that any information about a natural person should be regarded as personal information. Moreover, the link between an individual and the information in question did not have to be ‘explicit’. If a piece of information could be easily combined with other information to make an individual’s identity apparent, then that information should be regarded as personal information.70

That basic precept has been embodied in the statutory definition of personal information applied in Australian privacy laws, as highlighted in the remainder of this section.

For the purposes of this article, three categories of legislation or legislative proposals are adduced in which personal information is identified.71

Firstly, the legislative approach to information privacy regulation in Australia can be categorised into two broad groups. Category 1 represents Australian privacy laws which have followed the Privacy Act 1988 (Cth) and its definition of personal information and Category 2 signifies those laws which have not. Category 3 encompasses a new definition of personal information put forward by the ALRC from its recent review of privacy. Table 2 below details these separate definitions of personal information in Australian privacy laws.

Table 2 – Definitions of Personal Information in Australian Privacy Law

Category 1
Legislation: s 6(1) Privacy Act 1988 (Cth); ss 3, 4 Information Privacy Act 2000 (Vic); s 12 Information Privacy Act 2009 (Qld)
Definition: Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Category 2
Legislation: s 4 Privacy and Personal Information Protection Act 1998 (NSW)
Definition: (a) Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. (b) includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.

Legislation: s 3 Information Act 2002 (NT)
Definition: Government information from which a person's identity is apparent or is reasonably able to be ascertained.

Legislation: Cabinet Administrative Instruction No.1 of 1989 (SA)
Definition: Information or an opinion, whether true or not, relating to a natural person or the affairs of a natural person whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Legislation: s 3 Personal Information Protection Act 2004 (Tas)
Definition: Basic personal information means the name, residential address, postal address, date of birth and gender of an individual. Personal information means any information or opinion in any recorded format about an individual (a) whose identity is apparent or is reasonably ascertainable from the information or opinion; and (b) who is alive or has not been dead for more than 25 years.

Legislation: s 6 Information Privacy Bill 2007 (WA)
Definition: Information or an opinion, whether true or not, and whether recorded in a material form or not, about an individual, whether living or dead (a) whose identity is apparent or can reasonably be ascertained from the information or opinion; or (b) who can be identified by reference to an identifier or an identifying particular such as a fingerprint, retina print or body sample.

Category 3
Legislation: ALRC 108
Definition: Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified or reasonably identifiable individual.

66 At the onset of this section, it is important to highlight that the issue of information context (ie the social context that a piece of information is used in) has been integral to the definitional development of personal information in Australian privacy laws. See also Booth et al, above n 48, 85 where the researchers state that Country 36 (Australia) has 'emphasised the significance of context and more explicitly emphasised the significance of identification'.
67 See for example, the Invasion of Privacy Act 1971 (Qld) which was enacted following concerns relating to the use of listening devices for surveillance purposes. See also Listening & Surveillance Devices Act 1972 (SA).
68 Australian Law Reform Commission, above n 4.
69 OECD, above n 12.
70 Australian Law Reform Commission, above n 4, 82.
71 The authors have not included the provisions of the Data Matching Program (Assistance and Tax) Act 1990 (Cth) in this review of Australian privacy laws because the purpose of the legislation is not primarily designed to provide individual privacy protections. However, we acknowledge that the Act’s various definitions of different types of data could be pertinent to this article.

4.1 Category 1 – The Privacy Act 1988 (Cth) and Complementary State Acts

The Privacy Act 1988 (Cth) (the 'Privacy Act') was passed by the Commonwealth Parliament to give effect to an agreement to implement the OECD Guidelines, as well as Article 17 of the International Covenant on Civil and Political Rights. That said, the focus of the Privacy Act is very much on the former rather than the latter.72

The Act regulates the conduct of agencies, in a public sector context, including the Government of the Australian Capital Territory (ACT), and organisations in the private sector, by affecting the ways in which those bodies are permitted to deal with personal information. The Privacy Act also forms the basis of separate state-based legislation that regulates certain state government agencies. As such, the Act does not prescribe privacy rights to individuals per se, but rather seeks to implement a principled approach to privacy regulation that is technology neutral and not corrosive of other rights and freedoms enjoyed in a liberal democracy. The Privacy Act’s definition of personal information has a broad application. Information does not have to identify a person directly for it to be classed as personal information. For example, it is possible for a record to be classed as personal information, even if a person is not mentioned by name, but can be identified by cross-referencing data in the record with other data that identifies that individual.73 This approach is closely aligned with the OECD Guidelines and their definition of personal data. However, there is a key distinction between the definition of personal data in the OECD Guidelines and the Privacy Act. The Guidelines define personal information as data relating to 'identified or identifiable individuals'. As highlighted in the earlier discussion of what is personal information in a European context, this definition leaves open the possibility of combining information that relates to an individual that can lead to identification. The OECD Guidelines do not require that the information in question must in itself lead to identification of an individual. The Privacy Act, on the other hand, states that information will be personal information if an individual’s identity is apparent or can reasonably be ascertained from the information itself. The Australian definition therefore reduces the scope of 'relating to' because it requires the information itself to have the capacity to identify without reference to other information.74

72 See Roger Clarke, The Australian Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines (1989) <http://www.rogerclarke.com/DV/PActOECD.html> at 9 September 2009 regarding the basis of the OECD’s review of member information privacy laws, which was based on strengthening the free flow of personal information rather than human rights concerns.

The definition of personal information found in the Privacy Act has been incorporated directly into state-based privacy legislation in Victoria and Queensland. In Victoria, the Information Privacy Act 2000 (Vic) (the 'Victorian Act') regulates the collection, storage and use of personal information by Victorian Government agencies and other public sector entities. The Act’s implementing bill was initially designed to provide stronger controls in the form of its Information Privacy Principles (the 'IPPs') but was subsequently amended through its legislative passage to effect the amendments put forward in the Privacy Act (Private Sector Amendment) Act 2000 (Cth).75 Likewise, the definition of personal information in the Victorian Act is exactly the same as that found in the Privacy Act save for the exclusion of information that would be covered under s 3 of the Health Records Act 2001 (Vic), which covers a range of health related information.76 Finally, the recent enactment of the Information Privacy Act 2009 (Qld) was intended to provide for 'the fair collection and handling in the public sector environment of personal information'.77 The Act also incorporates exactly the Privacy Act’s definition of personal information.78

4.2 Category 2 – Alternative Legislative Approaches

Whilst the two States highlighted above, and the ACT, have all adopted the same definition of personal information found in the Privacy Act, the remaining states and the Northern Territory have implemented information privacy legislation that incorporates a different definition of personal information. For example, in New South Wales (NSW), the Privacy and Personal Information Protection Act (the 'PPIPA') was enacted in 1998 and contains a set of privacy principles that regulate how NSW agencies handle personal information. The PPIPA is based on NSW’s own information privacy principles which are similar in form but stronger in substance than those contained in the Privacy Act.79 Whereas the first part of the definition of personal information is exactly the same as in the Privacy Act, it is intended to have a broader application that also covers opinions and knowledge gained through perception that is independent of the form in which information is collected.80 This broader definition is balanced against a wider range of exclusions where the PPIPA will not apply.81

Moreover, an additional requirement is added to the definition that covers specific types of biometric unique identifiers.

73 For example: written records about a person; a photograph or image of a person; fingerprints or DNA samples that identify a person or information about a person that is not written down, but which is in the possession or control of the agency.
74 See Roger Clarke, above n 72 who suggests that the problem of definition actually arose in the ALRC’s draft privacy bill.
75 See Margaret Jackson, Hughes on Data Protection in Australia (2nd ed, Pyrmont NSW, 2001), 180.
76 Information Privacy Act 2000 (Vic) s 3. For example: health information can include information or an opinion about the physical, mental or psychological health of an individual; a disability of an individual; or an individual's expressed wishes about the future provision of health services to him or her.
77 Information Privacy Act 2009 (Qld) s 3(1).
78 Information Privacy Act 2009 (Qld) s 12.

The Northern Territory Information Act 2002 (NT) (the 'NT Act') is unique amongst its Australian counterparts because it incorporates information privacy, freedom of information and public records legislation within one single Act.82 The NT Act commenced in July 2003 and governs how Northern Territory public sector organisations collect, use and store personal information. The definition of personal information used in the NT Act differs from the Privacy Act in two key ways. First, it only applies to government information.83 Second, and more importantly for the purposes of this article, the definition states that government information will only be personal information in situations 'from which a person's identity is apparent or is reasonably able to be ascertained' [emphasis added]. On the other hand, South Australia (SA) does not have specific privacy legislation but the SA Government has issued an administrative instruction requiring government committees to comply with South Australian privacy principles based on the IPPs.84

The definition of personal information differs from the Privacy Act in three ways. First, the SA definition adopts the concept of 'relate to', which is unique in Australian privacy law and is presumably derived from the EU’s data protection directive. Second, and of less significance, the instruction refers to a natural person rather than an individual. Third, the definition of personal information also covers the affairs of a natural person.

In Tasmania, the Personal Information Protection Act 2004 (Tas) (the 'PIPA') came into effect on 5 September 2005 and also differs from the Privacy Act because it operates under a two-tier definitional requirement that includes personal information and basic personal information. The definition of personal information is largely the same as the Privacy Act with the exception that it only applies to individuals who are alive or deceased individuals who died less than 25 years ago. However, basic personal information is specifically identified.85 The purpose of the distinction is to allow agencies to use or disclose basic personal information to other public sector bodies, under s 12 of the PIPA, without the consent of individuals and where the use or disclosure is 'reasonably necessary for the efficient storage and use of that information'.86 Finally, Western Australia does not currently regulate privacy in the public sector by reference to an express legislative privacy instrument.87 On 28 March 2007, the Information Privacy Bill 2007 (WA) was introduced to the Western Australian Parliament. The Bill was introduced to the Legislative Council for second reading in December 2007 and it has remained there since. The definition of personal information used departs from the Privacy Act because, like the Tasmanian PIPA, the Bill provides a tiered definitional structure that incorporates the Privacy Act’s two elements and provides a further tier based on certain unique identifiers.88

79 See M Jackson and G L Hughes, Hughes on Data Protection in Australia (2nd ed, 2001), 187.
80 See New South Wales Law Reform Commission, 'Consultation Paper 3 - Privacy Legislation in New South Wales' (2008), 25: "information about a person that is not written down, but which is in the possession or control of the agency."
81 Ibid., 26.
82 M Paterson, Freedom of Information and Privacy in Australia: Government and Information Access in the Modern State (2005), 537.
83 Under the NT Act, government information means a record held by or on behalf of a public sector organisation and includes personal information.
84 See Jackson, above n 75, 160.
85 Basic personal information means the name, residential address, postal address, date of birth and gender of an individual.

4.3 Category 3 – ALRC 108: A New Way Forward

On 31 January 2006, the Attorney-General of Australia announced that the ALRC was to be tasked with a review of privacy in Australia, with particular reference to the functioning of the Privacy Act.89 In the Commission’s final report,90 delivered in 2008, the ALRC recommended that a greater level of national consistency regarding the regulation of privacy was required. The ALRC recommended that all Australian Governments should develop and adopt an intergovernmental agreement that sets up a co-operative scheme to enact new provisions including the application of model Unified Privacy Principles (the 'UPPs').91 As regards the definition of personal information, the ALRC considered that the current definition of personal information should be changed.92 The ALRC re-emphasised that personal information should be about an individual who can be identified or who is reasonably identifiable.93 The ALRC also recommended that one of the key elements of the current definition, that personal information includes 'information or an opinion forming part of a database', should be deleted.94

More importantly, the ALRC recommended that the phrase 'whose identity is apparent or can be reasonably ascertained from the information' be amended in line with other jurisdictions and international instruments.95 The Privacy Act should therefore apply to information about an individual who is 'identified or reasonably identifiable' rather than information about an individual whose 'identity' is apparent, or reasonably ascertainable.96 A reasonableness element should also be included as part of any future definition, which means that whether an individual can be identified or is identifiable will depend on context and circumstances. Moreover, actual rather than theoretical circumstances would be the determining factor for deciding whether a piece of information could be categorised as personal information.97 An individual can therefore be reasonably identifiable when he or she can be identified from information held in the possession of an organisation and access to that information would not be prohibitive in terms of cost or difficulty. The test for confirming whether a piece of information is likely to be personal information therefore requires 'a consideration of the cost, difficulty, practicality and likelihood that the information will be linked in such a way as to identify [an individual]'.98 As a limiting factor the ALRC rejected the idea that the test should include whether an individual is potentially identifiable.99 Nevertheless, the ALRC re-affirmed that the basis of information as personal information is still context specific.100

86 G Greenleaf and L A Bygrave, 'Tasmania’s Privacy Law due to Start' (2005) 11(7) Privacy Law and Policy Reporter.
87 However, the Freedom of Information Act 1992 (WA) does regulate government agencies having regard to the concepts of ‘confidential information’ and ‘confidential communications’ provisions.
88 Section 6(1)(b) of the Bill: 'who can be identified by reference to an identifier or an identifying particular such as a fingerprint, retina print or body sample'.
89 Australian Law Reform Commission, Review of Privacy, Issues Paper No 31 (2007).
90 Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report No 108 (2008).
91 The current provisions of the Privacy Act provide two sets of privacy principles, the Information Privacy Principles (IPPs), which apply to the Australian Government and the ACT, and the National Privacy Principles (NPPs) that apply to private sector organisations.
92 ALRC, above n 90, 306, because it did not 'reflect the standards set in international instruments dealing with the privacy of personal information'.
93 ALRC, above n 90, 306.
94 ALRC, above n 90, 307. The Commission contended that the removal was necessary 'because there is little doubt in this day and age that personal information is held in electronic databases'.
95 ALRC, above n 90, 307.
96 ALRC, above n 90, 307.

Furthermore, information that simply allows an individual to be contacted, such as a telephone number or address, would not in itself be classed as personal information as the Privacy Act was not intended to provide an unqualified right to be left alone.101 However, as noted above, once other information accretes around a specific piece of information, and an agency or organisation is then able to target that individual 'by linking data in an address database with particular names in the same or another database, that information is personal information'.102

The complexities of defining personal information were acknowledged by the ALRC, and the Commission recommended that practical ongoing guidance would always be required to minimise the theoretical uncertainties arising, and that such guidance should indicate how the definition of personal information is intended to operate in specific contexts.

In October 2009, the Australian Government gave its response to the first tranche of 197 recommendations put forward by the ALRC.103 As to the new definition of personal information, the Government accepted the ALRC’s recommendation because it is important that the definition of personal information in the Privacy Act is 'sufficiently flexible and technology-neutral to encompass changes in the way that information that identifies an individual is collected and handled'.104

The Government response stated that the definition managed to overcome the competing requirements of having a definition that was up to date with international developments while also retaining the scope of what is personal information under the existing definition. Furthermore, the contextual element of the definition was addressed as follows:

The application of "reasonably identifiable" ensures the definition continues to be based on factors which are relevant to the context and circumstances in which the information is collected and held. The Government proposes that this element of the definition will be informed by whether it would be reasonable and practicable to identify the individual from both the information itself and other reasonably accessible information.105

97 See ALRC, above n 90, 307, where the Commission states: 'While it may be technically possible for an agency or organisation to identify individuals from information it holds, for example, by linking the information with information held by another agency or related organisation, it may be that it is not practically possible. For example, logistics or legislation may prevent such linkage. In these circumstances, individuals are not "reasonably identifiable"'.
98 ALRC, above n 90, 308.
99 ALRC, above n 90, 308: because a 'great deal of information is about potentially identifiable individuals but where identifying the individuals would involve unreasonable expense or difficulty, and is unlikely to happen'.
100 ALRC, above n 90, 308.
101 ALRC, above n 90, 309.
102 ALRC, above n 90, 309.
103 Australian Government, First Stage Response to the Australian Law Reform Commission Report 108, <http://www.pmc.gov.au/privacy/alrc_docs/stage1_aus_govt_response.pdf>.
104 Australian Government, above n 103, 24.

The Government also accepted the recommendations put forward that required the Privacy Commissioner to provide updated guidance about the meaning of 'identified' or 'reasonably identifiable' to assist all parties to understand the scope and application of the new definition especially given its contextual nature.106 Finally, the Government encouraged the Privacy Commissioner to develop guidance on the meaning of 'not reasonably identifiable' in conjunction with guidance about de-identified data in relation to the data security principle.107

5. The Conceptual Basis of Personal Information in Australian Privacy Laws

Adopting the Booth models as a comparator, it is easy to appreciate that there is no coherent Australian approach to the statutory identification of personal information: the various approaches employ both context dependent and context independent models. However, different laws place different degrees of emphasis on the requirements of each model, as highlighted in Table 3.

Table 3 – Application of Booth Models to Australian Privacy Instruments

Category Legislation UID CIA CDA CDI
1 Privacy Act etc +
2 Privacy and Personal Information Protection Act 1998 (NSW) +
2 Information Act 2002 (NT) +
2 Cabinet Administrative Instruction No.1 of 1989 (SA) +
2 Personal Information Protection Act 2004 (Tas) +
2 Information Privacy Bill 2007 (WA) +
3 ALRC 108 + -

Beginning with Category 1, on the face of it, the Privacy Act's definition of personal information appears sufficiently wide to cover each of the four conceptual models conceived in the Booth Report. For example, whether 'identity is apparent' is a test that is context independent. In that sense, the first element of the Privacy Act definition pertains to the UID model, as personal information is information that manifests identity without recourse to other information. However, as highlighted above, the circumstances in which a given piece of information makes the identity of an individual apparent are going to be rare, because the UID model is predicated on the sole use of unique identifiers. The basis of the UID model therefore goes against the broad-range application of the Privacy Act, which seeks to define personal information in a non-exhaustive and incorporative way.

105 Australian Government, above n 103, 24.
106 Australian Government, above n 103, 24.
107 Australian Government, above n 103, 25.

The contextual aspect of identification is recognised in the second element of the Privacy Act definition, namely those situations where an individual's identity 'can be reasonably ascertained'. This is very much context dependent. A classification that a piece of information will be personal information is based not only on the type of information in question but also on the context in which that information is applied. The Privacy Act definition of personal information does not address the capacity of a given piece of personal information to affect an individual's privacy. Instead, the focus of the Act's first definitional element regards the identification of an individual as a cause of privacy infringement. For example, s 13(a) of the Privacy Act indicates that agency practices can constitute an actionable interference with an individual's privacy if that practice or act breaches one of the IPPs. Under s 36, an individual has recourse for breach of the Act by notifying the Privacy Commissioner of their grievance. It is clear therefore that identity and affect are intended to constitute two separate elements. An actionable interference will by necessity involve an individual's privacy, but that interference is not solely based on the ability to identify an individual. Rather, it is based on an agency's or organisation's failure to provide specified safeguards regarding the collection, storage and use of an individual's personal information. Whilst it is likely that an actionable interference will always have recourse to some degree of identity issues, it does not in itself require a negative affect arising from identity to trigger a privacy infringement.
The Booth Report highlighted that Australia108 was a jurisdiction that emphasised the significance of context and more explicitly emphasised the significance of identification.109 The authors of the report also contended that Australia, based on the survey responses received, could be said to have a conceptual framework based on the CDI model.110

This point is also borne out by the survey response received by the researchers:

I come back to the issue of context – perhaps most, if not all, of these data sets could be personal data in the right circumstances (i.e. In the right combination of other data and/or collected by the kind of entity/person that has the facility/means to use it to identify the individual). Perhaps it is more a matter of degree of likelihood of such data being identifiable.111

Despite the first element of the Privacy Act definition of personal information, it would seem that context is the key conceptual element in the definition of personal information as applied by Australian regulators. Given the link exhibited between context and identity, the CDI model accurately describes the overall conceptual basis of defining personal information, particularly under the second element of the Privacy Act. It therefore follows that the scheme of the Act, which has been replicated by Victoria and Queensland, creates a basis for privacy regulation which is as dependent on context as it is on the definition of defined principles and terms. However, these principles are not so readily transferred into those Category 2 states and the Northern Territory which have adopted different definitions of personal information that place different degrees of emphasis on the UID and CDI models. For example, the NT Act adopts the phrase 'from which' in its definition of personal information, which appears to be an artefact from the original ALRC 22 report.112

108 Data protection authorities were granted anonymity for the survey and Australia was given the code Country 36. However, it is possible to identify Australia, and hence the OPC, because of the definition of personal information provided.
109 Booth et al, above n 48, 85.
110 Booth et al, above n 48, 85.
111 Booth et al, above n 48, 86.

However, whilst the ALRC confirmed that the approach was intended to be contextually oriented, the effect of the phrase 'from which' is potentially to limit the means of identification by requiring the information itself to give rise to the identity of an individual. In that sense, the use of 'from which' conveys an intention to reduce information context by ensuring that identification must arise from the information itself. By doing so, it restricts the ambit of information context, and therefore the NT Act's definition of personal information emphasises a conceptual underpinning that is predicated more on the UID than the CDI model.

Like the NT Act, the South Australian administrative instruction is unique in Australian privacy laws because its definition of personal information employs the 'relate to' statutory construction that is associated with the EU's Data Protection Directive. Again, this would appear to be a throwback to the inception of information privacy law in Australia, as the SA administrative instruction adopted the definition of personal information found in the OECD Guidelines. However, the use of 'relate to' could differ markedly from the NT Act's definition that includes 'from which'. As highlighted above, with the exception of the Durant case, the statutory use of 'relate to' has a broader application that goes beyond the requirement that a piece of information give rise to the identity of an individual before it should be classed as personal information. The purpose of using 'relate to' as part of the definition of personal information conveys an intention to incorporate rather than minimise information context. Accordingly, the SA administrative instruction has the effect of emphasising information context under the CDI model rather than attempting to mitigate context through an approach based on the UID model.

However, the opposite is the case with both the Tasmanian and West Australian definitions of personal information. The Tasmanian definition of basic personal information provides specific guidelines as to the information that will be personal information. Such information includes a name, residential address, postal address, date of birth and gender. On the face of it, the clear description of items of information gives rise to a conceptual framework predicated on notions of context independence, because the purpose of specifying certain types of information is to reduce or mitigate context apparent situations. However, the Tasmanian legislation appears to adopt a different approach.

The specification of certain types of information, such as name, may mean that identification is solely possible from that information, depending on the popularity or uniqueness of an individual's name. This cannot apply to the other types of information listed, particularly gender, which require some form of context analysis to reveal the identity of an individual. For example, an address or gender information will not in itself reveal the identity of an individual. This information will only do so in combination with other information such as a name, address and gender. The use of basic personal information in the Tasmanian Act is more akin to a type of foundational building block for context based appraisals using certain pieces of information. It therefore has both context dependent and context independent elements. The typification of certain pieces of information creates a more workable definition of what is personal information, which will ultimately depend on the context in which it is used. The definition of personal information in the PPIPA and the WA Bill incorporates the Privacy Act definition, but significantly it also provides for the situation where specific types of unique identifiers will also be classed as personal information. Both definitions therefore provide for the possibility that three different types of information can be classified as personal information: information about an individual whose identity is apparent, information about an individual whose identity may be reasonably ascertainable, and specific types of information that are unique to that individual. However, the addition of the clause relating specifically to unique identifier information could emphasise or encompass aspects of both the UID and CDI models. The definition clearly attempts to define information that will give rise to a classification of personal information in the form of unique identifiers or biometric data. Nevertheless, the use of the phrase 'by reference to' connotes a contextual element, as it indicates that information could be classified as personal information if it can be used in conjunction with specific forms of identifiers that reveal the identity of an individual. The emphasis, though, is towards the UID model and the effect of minimising the contextual elements that could give rise to a classification of personal information based on reference to unique identifiers.

Rather than specifying the types of information that will be personal information, both the Tasmanian and Western Australian definitions preclude the situations in which certain types of information will give rise to identification. In essence, this minimises theoretical analysis of information that might make an identity reasonably ascertainable by focusing on actual information that makes an identity apparent. In that sense, the use of this type of definition of personal information could have serious limits regarding the future classification of information as personal information, because it has a strong delimiting factor that reduces the scope of information that may be personal information as identified through a contextual analysis. This approach could therefore severely limit the development of future jurisprudence, which means that the definition may not cope well with technological development.

112 See e.g. Australian Law Reform Commission, Privacy, Report No 22 (1983) Vol. 2, 82.
Finally, in Category 3, the ALRC's recommendation for a new definition of personal information will depart substantially from the Privacy Act's definition. The focus of the definition remains identity, and the two elements from the existing law remain the same: personal information is information that can identify an individual but also has the capacity to identify through information context. However, the new definition re-emphasises the link between identity and context. There is no doubt that the underlying conceptual purpose of defining personal information relates to the identity of an individual. Moreover, the new definition significantly reduces the practical situations in which a piece of information can identify a person. For example, under the previous definition, the use of the term 'apparent' provided a limited scope of flexibility to determine whether a piece of information gave rise to the identification of an individual. Even though this part of the definition was inherently context independent, there remained an element of contextual analysis in the decision relating to whether an identity was apparent. The ALRC has sought to remove that flexibility in the new definition by stating that information is personal information only when an individual is identifiable from the information in question. As such, the change in definition re-emphasises context independence. Likewise, the second element also has some interesting and perhaps contradictory results. The ALRC acknowledged that a reasonableness element will still be a part of a context based determination relating to whether a piece of information is personal information. This point is re-emphasised by the Australian Government's response. Yet if that is the case, it is curious that the ALRC recommended the removal of the term 'reasonably' from the new definition.
The reason for doing so appears to involve the minimisation of theoretical analysis and the enhancement of identity based on actual circumstances. The contextual analysis to be undertaken when examining whether a piece of information is personal information involves the actual realities and practical expectations of normal working practices that relate to the cost and ease of information aggregation. In effect, the ALRC recognises the importance of context based analysis but, at the same time, puts forward a context analysis based on actual rather than theoretical circumstances. This will have the effect of reducing the possibilities of when information can be personal information by placing any adjudication of such decisions within the remit of organisational exigencies. Therefore, while it is theoretically possible for a government agency to link one set of data with another to make individuals identifiable, an assessment of whether that is possible will be based on the actual capabilities, in terms of cost, skill and technological ability, of the agency in question. In that sense, the new definition is still based on the CDI model, but it attempts to minimise the scope of interpretative analysis of information context.

5. The Need for Coherence – The Development of Jurisprudential Discourse Based on a Conceptual Foundation

The above analysis demonstrates that the conceptual basis of personal information in Australian privacy laws entails balancing the requirements of certainty provided by context independent analysis and the need for flexibility gained through a context based investigation. The authors contend that the key issue for future development does not entail a choice of one particular definition of personal information over another, because it is likely that the implementation of the ALRC's recent proposals will have the effect of unifying the different definitions and approaches to conceptualising personal information. The implementation of the ALRC's new definition of personal information will engender a uniform approach to conceptualising personal information, which will be supplemented by specific guidance from the Privacy Commissioner. This will of course ameliorate many of the issues highlighted in this article.
Nevertheless, as highlighted above, the conceptual underpinning of the ALRC's definition, whilst acknowledging and accepting the incorporation of context in the identification of personal information, seeks to minimise the scope of contextual analysis by placing such issues within the bounds of organisational exigencies. Whilst this makes much practical sense, the distinction between what is an actual and a theoretical circumstance is likely to be in constant flux given the rapid technological advancements involving the collection, storage and use of personal information. The authors assert that adjudications on these points would be better conducted by the courts, which emphasises the importance of developing a jurisprudential discourse about appropriate conceptual approaches to the identification and classification of personal information in technologically advanced societies. However, this in itself is a major issue for the development of Australian privacy related jurisprudence. Australia does not enjoy a significant body of judicial law concerning either privacy regulation at large or, more specifically, the interpretation of the terms and principles used in the Privacy Act and the various State and Territory instruments. There are several reasons for this, in addition to the relative youth and limited size of the Commonwealth. The first is the impact which Victoria Park Racing113 had on the evolution of privacy based litigation in Australia. For a common law nation, the very clear statement of the majority in Victoria Park Racing had a stifling effect on the trial courts for more than 60 years.114 Furthermore, even following the implementation of the recommendations contained in ALRC 22, there has not since developed a large and instructive body of judicial decisions or administrative determinations which inform the operation of personal privacy protection in Australia. The main reason for this appears to be that the Privacy Act is limited in its scope, has too many exclusions and exceptions, and does not create an enforceable regime for remedies or redress.115

113 Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479.
114 Damages awarded for breach of privacy are traditionally modest (absent actual loss), which means that such cases are commenced in the lower courts. Magistrates and inferior court judges were unlikely or unable to challenge High Court precedent in an emerging area of the law, and it is reasonable to infer that advice to this effect was given in solicitors' offices on many occasions.

Moreover, the regulatory obligations of the Privacy Act have consistently been overseen by Privacy Commissioners who have taken the intentional approach of not reporting determinations.

Accordingly, only a few reported decisions have considered the scope and operation of personal information as it is defined in the Privacy Act or the alternative state based legislation. However, some cases in which definitions of personal information have been decided indicate that there is a lack of a conceptual base for assessing what is personal information. It then becomes apparent that the lack of cohesion regarding the conceptual basis of personal information leads to different judicial decision making about what constitutes personal information. In Seven Network (Operations) Ltd v Media Entertainment and Arts Alliance (MEAA),116 Gyles J was required to determine whether an internal telephone directory of staff employed by Network Seven, illegally provided to the MEAA and a polling contractor, was personal information within the meaning of s 6 of the Privacy Act. His Honour held that to know where and for which organisation a person works, and the work telephone number of that person, is personal within the statutory test, but did not give any indication as to how he came to this decision.117 Likewise, the Victorian case of C Cockerill & Sons (Vic) Pty Ltd v The County Court of Victoria118 involved a prosecution against the plaintiff for operating over-weight trucks. The weighbridge tickets sought to be relied on by the State contained personal information about an individual, namely the driver of the vehicle, whose identity was apparent from those documents. In particular, it was alleged that the relevant information 'about' the individual contained in the weighbridge tickets was that the individual was the driver of the vehicle. The plaintiff attempted to exclude the evidence contained in the weighbridge tickets on the basis that it had been illegally obtained, contrary to the provisions of the Privacy Act. Ultimately the issue on appeal turned on an exercise by the court of its discretion to accept the evidence, which the court rejected.119

On a similar basis, the courts have accepted that an individual's name and residential address fall within s 6(1) of the Privacy Act but again have provided no indication why this is so. In Le and Secretary, Department of Education, Science and Training,120 a complaint was made about the extent of information contained in a decision reported by the Administrative Appeals Tribunal (the 'AAT') that concerned the applicant. The case involved an application for review by the applicant regarding a decision of the Student Assistance Review Tribunal (the 'SART'). The AAT found that the reasons delivered by the SART revealed the plaintiff's personal information. In this case such information included the applicant's name, the address of the applicant and his parents, the names of the tertiary institutions he attended and the witnesses who gave evidence. The decision in SW v Forests NSW121 concerned a resolution to terminate the applicant's employment based on information conveyed to the employer by the New South Wales Fire Brigades (the 'NSWFB') which suggested that, while on sick leave, the applicant had been performing duties as a part-time fire fighter. The applicant complained that the conduct of the NSWFB in providing information to the employer constituted a breach of the privacy principles contained in the PPIPA. In its decision on internal review, the NSWFB asserted that the subject disclosures did not involve personal information. They were described as information about the work activities of people listed in the occurrence book, together with references to name information in the occurrence book, including full and partial names, initials and addresses. These arguments were rejected by the Administrative Decisions Tribunal, which held that the photographs were personal information but did not give reasons for this decision.122

115 Privacy Act 1988 (Cth) s 52(1B). See also Day v Lynn [2003] FCA 879 at [50] (Stone J).
116 [2004] FCA 637.
117 [2004] FCA 637 at [45]: 'In my opinion the information is "personal" in the statutory sense. To know where and for which organisation a person works and the work telephone number of the person is "personal" as required'.
118 [2007] VSC 182.
119 Mandie J, sitting in the Common Law Division of the Supreme Court of Victoria, stated: 'It seems to me to be curious and somewhat far-reaching that such a reference (arguably incidental) to an individual in a commercial document or record should constitute personal information for the purposes of protection under privacy principles. However, like the Judge, I find it unnecessary to decide whether personal information is involved and, in what follows, I will assume that it is'.
120 [2006] AATA 208 ('Le').

None of the Australian decisions discussed in this paper and published after 2004 addressed the findings in the Booth Report when considering the practical, contextual operation of personal information. The examples highlighted above, such as Le123 and SW, do not posit the application of any conceptual rationalisation. Instead, these cases of context independent association seem to be resolved on intuitive terms.124

The judgments reveal an instinctive approach to the classification of personal information without recourse to an underlying conceptual base. These decisions therefore appear to favour a context independent approach as personal information is information that has been classified without recourse to the social context in question. However, other judgments have specifically addressed the conceptual reach of personal information and have re-emphasised that context must be taken into account upon decisions relating to the classification of personal information.

For example, the determination in WL v Randwick City Council125 involved an allegation that photographs taken of a residential apartment were personal information within the meaning of the PPIPA. The applicant owned a unit in a strata plan that was the subject of a complaint to the Council by a neighbour concerned that work was being carried out on the unit without a development approval. A Council officer attended the unit and was allowed entry by a person in occupation of the unit and carrying out work. The Council officer took external and internal photographs of the unit for the purpose of an investigation under the Environmental Planning and Assessment Act 1979 (NSW) (the 'EPA Act'). The Council forwarded a copy of the photographs to the solicitor for the Strata Managers and a copy of a Notice made under the EPA Act (the 'EPA Notice') to the Strata Managers. The applicant complained that the Council breached his privacy by entering his unit, taking photographs, and forwarding the photographs to the solicitor and the EPA Notice to the Strata Managers. He argued that the photographs could easily identify him to the Strata Managers; however, the Tribunal disagreed and held that the photographs did not identify the plaintiff or contain information that would have made his identity apparent or from which it could be reasonably ascertained.126 The Tribunal also decided that the plaintiff's name and address did not constitute personal information and further stated that it was 'a question of fact in every case as to whether or not the name or address of a person amounts to "personal information"'.127

121 [2006] NSWADT 74 ('SW').
122 SW [2006] NSWADT 74, at [31]: 'There is no dispute that the four digital photographs of SW taken by an officer of Forests NSW, stored electronically in his office computer, copied (downloaded) on to a number of compact discs and distributed to a number of people, are personal information about SW, as defined in s 4 of the PPIP Act'.
123 [2006] AATA 208 at [45] and [46].
124 For example, in SW the relevant reasons proceeded on the following basis: 'The second argument is simply unsustainable on the facts. The email referred to the applicant by reference to his full first name and his surname.'
125 [2007] NSWADT 12.

This decision provides an interesting example of the application of a context dependent identifier model, although the Tribunal was less motivated to protect privacy interests, presumably due to the nature of the informational context. It nonetheless found that it was a ‘question of fact in every case as to whether or not the name or address of a person amounts to personal information’ and that in the circumstances of this case, the photographs did not identify any individuals or contain information about an individual whose identity was apparent. It appears that this determination was reached without specific reference to the applicant’s submission that his identity would be apparent to any member of the body corporate who was shown the photographs. The case was heard on appeal by the President of the Tribunal, O’Connor DCJ, who roundly criticised the Tribunal’s judgment because the analysis of what constitutes personal information was based on an interpretation of ‘personal affairs’ found in freedom of information legislation.128 The President reaffirmed that a 'broad, unrestricted primary definition of personal information' was a standard feature of privacy protection statutes and must be interpreted broadly.129 Moreover, the court found that it would be rare for a name not to be considered personal information as it is 'generally regarded as the primary form of identification for a person'.130

The issue of context based analysis was dealt with directly by O’Connor P in Y v Director General, Department of Education and Training.131 The case involved four documents produced by a management review team pertaining to a review of a school at which the applicant was employed. The documents made certain allegations about the applicant which were disclosed at a public meeting. The issue of whether the documents contained personal information was not contested, but the respondent sought to rely on s 4(3)(j) of PPIPA, which provides an exclusion for personal information that relates to an individual’s suitability for appointment or employment as a public sector official.132

The key issue of the case was therefore whether the information collected by the management review team was about the applicant’s suitability for appointment or employment at the school. O’Connor P stated that the test to determine this issue was as follows:

126 WL v Randwick City Council [2007] NSWADT 12 at [34]. 127 WL v Randwick City Council [2007] NSWADT 12 at [35]. 128 WL v Randwick City Council (GD) [2007] NSWADTAP 58 at [19]. 129 WL v Randwick City Council (GD) [2007] NSWADTAP 58 at [20]. 130 WL v Randwick City Council (GD) [2007] NSWADTAP 58 at [21]. 131 [2001] NSWADT 149. 132 The exemption states 'information or an opinion about an individual’s suitability for appointment or employment as a public sector official'.


The test, as I see it, must in each case be whether having regard to the content of the information in issue and the context in which it is found it can reasonably be said to be ‘about an individual’s suitability for appointment or employment'.133

The judgment clearly acknowledges the requirement for a context based analysis to determine the scope of the exclusion under s 4(3)(j) of PPIPA. The subsequent case of PN v Department of Education and Training134 also examined the same exclusion, in a case involving medical and complaint information that was disclosed without authorisation. The judgment applied the above test,135 which was accepted by both parties, but also went further in relation to the adoption of a purposive approach to interpretation that is in keeping with the notion of PPIPA as a piece of beneficial legislation.136 The judge also confirmed that had the same information been applied in a different context that regarded the applicant’s suitability for employment then he would have been minded to exclude the information under s 4(3)(j). However, a more rigid approach has been adopted to exclusions under s 4(3)(b) that involve personal information published in publicly available documents. In EG v Commissioner of Police NSW137 the Tribunal held that whether personal information was exempt because it was publicly available had to be interpreted 'according to its plain and ordinary meaning' and that the fact that 'information or an opinion may have a different significance depending on context does not provide a legal basis for concluding that the exception...does not apply'.138

This determination therefore has the effect of limiting the degree of context based analysis with regard to s 4(3)(b).

Two other cases have also set boundaries to the interpretation of context based analysis regarding the classification of personal information. In Macquarie University v FM,139 the respondent was a doctoral student at Macquarie University. His enrolment was terminated for disciplinary reasons. Subsequently, he sought to become a doctoral student at the University of New South Wales (the 'UNSW'). The latter University made enquiries of Macquarie University concerning the circumstances of the termination of the respondent’s candidature. Information was supplied in two telephone conversations. In both conversations, a person from Macquarie related to a person at UNSW their observations of incidents that led to complaints being made against the respondent, and information they had been told about other incidents. Initially the complaint was upheld by the Administrative Decisions Tribunal, although the university successfully appealed to the New South Wales Court of Appeal, which held that the information provided to UNSW, being information held in the minds of employees, was not of a kind to which the Privacy Act applied because it was not personal information held by Macquarie University.140

Macquarie has a limiting effect on information context because it reduces the scope of information that can be considered as part of a context based analysis to information that is encapsulated in hard copy form.

In the Victorian case of WL v La Trobe University141 the complainant’s partner was interviewed as part of a social survey conducted on behalf of the respondents. The applicant’s telephone number was used as a contact point and a number of personal questions were asked about the applicant without her knowledge or consent. Moreover, the applicant was concerned that she could be re-identified from de-identified data, as she was the home owner and the telephone number was in her name. The central issue of the case was whether the information provided was personal information, which required adjudication of whether the applicant’s identity was either apparent or reasonably ascertainable under s 3 of the Information Privacy Act 2000 (Vic). The Tribunal held that the applicant’s identity was not apparent because there was nothing in the information collected that would enable the applicant’s identity to be apparent.142

133 Y v Director General, Department of Education and Training [2001] NSWADT 149 at [33]. 134 [2006] NSWADT 122. 135 See also GL v Director-General, Department of Education and Training [2003] NSWADT 166 which also involves a case with the same exclusion. 136 PN v Department of Education and Training [2006] NSWADT 122 at [57-58]. 137 [2003] NSWADT 150. 138 [2003] NSWADT 150 at [25]. 139 [2005] NSWCA 192. 140 See also OD v Department of Education [2006] NSWADT 312. 141 [2005] VCAT 2592.

Of more interest to this article was the Tribunal’s decision regarding the reasonably ascertainable element, as it set the bounds of what would be reasonably ascertainable as regards steps to re-identify the applicant. The process for doing so would involve cross-matching of various internal databases with an external database, and the completion of this process could still not guarantee re-identification of the applicant.143 Accordingly, the applicant’s identity was not reasonably ascertainable and the information was not deemed to be personal information. The Tribunal did confirm that the process of reasonably ascertaining an individual’s identity was context based and required 'some resort to extraneous material'.144 However, the reasonableness element of the legislation bounds the process of ascertainment because it constrains the range of information that can be included as part of an analysis of additional materials.145 In that sense, the definition of personal information was developed in the Victorian legislation 'in the interest of supporting a nationally consistent approach to the protection of privacy'.146

It is at this point that we square the circle between the inconsistent approaches adopted at both legislative and judicial levels regarding the classification of personal information. The application of the Booth Report models to Australian privacy laws demonstrates that different laws have varying degrees of application regarding a context based approach to the classification of personal information. A similar situation is apparent from a review of the relevant case law as personal information has been classified in three ways, from an:

• Intuitive perspective that favours context independence;147

• Expansive perspective that favours a greater context dependent approach;148 and

• Constraining perspective that acknowledges the importance of a context dependent approach but seeks to bound it within a manageable framework predicated on reasonableness.149

The issue of context dependent judgments relating to the classification of personal information is a fundamental part of Australian privacy laws and will increase in complexity as different technologies develop and different situations arise. Much could therefore be gained from having a coherent conceptual base for the classification of personal information at the heart of both legislative and judicial development. The models put forward by the Booth Report provide a framework that could formally link the disparate, inconsistent and sporadic development of Australian privacy legislation and case law relating to the classification of personal information. However, this will require a wider ranging jurisprudence and the greater involvement of the courts in privacy related actions. Whether this materialises remains to be seen, but a wider jurisprudential discourse based on a coherent theoretical framework could enhance awareness of the conceptual role of classification and could greatly assist the consistent development of Australian privacy laws and the intricate balance of context dependent and independent classificatory analysis of what information constitutes personal information.

142 WL v La Trobe University [2005] VCAT 2592 at [19]. 143 WL v La Trobe University [2005] VCAT 2592 at [42]. 144 WL v La Trobe University [2005] VCAT 2592 at [45]. 145 WL v La Trobe University [2005] VCAT 2592 at [52]. 146 WL v La Trobe University [2005] VCAT 2592 at [53]. 147 See eg Seven Network (Operations) Ltd v Media Entertainment and Arts Alliance (MEAA) [2004] FCA 637; C Cockerill & Sons (Vic) Pty Ltd v The County Court of Victoria [2007] VSC 182; Le and Secretary, Department of Education, Science and Training [2006] AATA 208; SW v Forests NSW [2006] NSWADT 74. 148 See eg WL v Randwick City Council [2007] NSWADTAP 58; Y v Director General, Department of Education and Training [2001] NSWADT 149; PN v Department of Education and Training. 149 See eg EG v Commissioner of Police NSW [2003] NSWADT 150; Macquarie University v FM [2005] NSWCA 192; WL v La Trobe University [2005] VCAT 2592.

5. Conclusion

Australian privacy laws have adopted a range of different definitions of personal information. Nevertheless, as highlighted by the application of the Booth models, the underlying conceptual focus of defining personal information in Australian privacy laws regards the revealment of identity as the social harm to be protected and the acknowledgment that social context plays an important role in classifications of personal information. However, the degree to which a context dependent or context independent approach exists varies within different categories of definitions of personal information. The extent to which this has been problematic has not sufficiently been addressed because one of the integral issues of Australian privacy law, the question of what is personal information, has thus far not been examined in depth due to the unsatisfactory lack of information privacy related jurisprudence.
This article contends that the conceptual models developed by the authors of the Booth Report could provide a foundation for future legislative and juridical decisions regarding the classification and scope of personal information in Australian privacy laws. Whilst this would require some fundamental changes to the direction of Australian privacy law, one thing seems certain – rapid technological advances are likely to grow at ever increasing rates, which will ultimately have an effect on what does and does not constitute personal information. The process of deciding what personal information is will therefore become more complex and will in turn require more complex conceptual models of classification.


CHAPTER 7 - FIRST GENERATION LAWS

Chapter Seven consists of:

♦ A copy of the article - Burdon, M, 'Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws' (2010) (1) University of Illinois Journal of Law, Technology and Policy 1.


PRIVACY INVASIVE GEO-MASHUPS: PRIVACY 2.0 AND THE LIMITS OF FIRST GENERATION INFORMATION PRIVACY LAWS

Mark Burdon†

ABSTRACT

Online technological advances are pioneering the wider distribution of geospatial information for general mapping purposes. The use of popular web-based applications, such as Google Maps, is ensuring that mapping based applications are becoming commonplace amongst Internet users, which has facilitated the rapid growth of geo-mashups. These user-generated creations enable Internet users to aggregate and publish information over specific geographical points. This article identifies privacy invasive geo-mashups that involve the unauthorized use of personal information, the inadvertent disclosure of personal information and invasion of privacy issues. Building on Zittrain’s Privacy 2.0, the author contends that first generation information privacy laws, founded on the notions of fair information practices or information privacy principles, may have a limited impact regarding the resolution of privacy problems arising from privacy invasive geo-mashups, principally because geo-mashups have different patterns of personal information provision, collection, storage and use that reflect fundamental changes in the Web 2.0 environment. The author concludes by recommending embedded legal, organizational, technical and social solutions to minimize the risks arising from privacy invasive geo-mashups, which could lead to the establishment of guidelines to assist courts and regulators with the protection of privacy in geo-mashups.

† PhD Candidate and Research Associate, Faculty of Law and Information Security Institute, Queensland University of Technology. The author gratefully acknowledges funding support from the Smart Services Cooperative Research Centre and the Queensland Government Department for State Development. The author would like to thank Roger Clarke and an anonymous reviewer for their helpful comments on previous drafts.


2 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010

I. INTRODUCTION

There are now over one billion Internet users worldwide.1 The wider availability of high-speed broadband2 has facilitated greater levels of information sharing and culminated in the second generation of the Internet, often labeled as Web 2.0.3 Consequently, Internet users now create, store and publish more information online.4 The social networking site, Facebook, has published online over fifteen billion photographs uploaded by the site’s user community.5 Facebook publishes an average of 220 million new photographs each week and at its busiest, Facebook can publish around 550,000 photographs per second.6 Contemporary Internet environments have propagated new online technologies and sources of data, which culminates in new technical, social, and economic structures. Different types of information are now available that can be easily re-composed into new content. The increased availability of geospatial information is a prime example. Geobrowsers7 now make it easier for Internet users to create geo-mashups, individualized and specialized maps that use freely available, or user generated information. For the purpose of this article, a geo-mashup8 is defined as an information system that combines one or more data streams that is overlaid on an online geographical interface, to create original content.9

The numbers of geo-mashups continue to rise inexorably. In mid-2005, the leading UK mapping website at that time, MultiMap, had 7.3 million visitors and 47 million visitors used the leading USA equivalent, MapQuest.10 In 2007, following the introduction into the market by Google, an estimated 71.5 million users visited Google Maps and a further 22.7 million used Google Earth.11 From 2005 to 2007 an estimated 50,000 mashups utilizing Google Maps were created.12

1. Dawn Kawamoto, Internet Users Worldwide Surpass 1 Billion, CNET NEWS, Jan. 23, 2009, http://news.cnet.com/8301-1023_3-10149534-93.html. 2. See generally ORG. FOR ECON. CO-OPERATION AND DEV., BROADBAND GROWTH AND POLICIES IN OECD COUNTRIES (2008), available at http://www.oecd.org/dataoecd/32/57/40629067.pdf (examining broadband development and remaining policy challenges). 3. E.g. Tim O’Reilly, What Is Web 2.0, O’REILLY, Sept. 30, 2005, http://oreilly.com/web2/archive/what-is-web-20.html. 4. See ORG. FOR ECON. CO-OPERATION AND DEV., PARTICIPATIVE WEB AND USER-CREATED CONTENT: WEB 2.0, WIKIS AND SOCIAL NETWORKING 53–66 (2007), available at http://213.253.134.43/oecd/pdfs/browseit/9307031E.PDF [hereinafter PARTICIPATIVE WEB] (describing growth of “user-created content” from technological developments and analyzing economic and social impacts). 5. Adam Ostrow, How Facebook Serves Up Its 15 Billion Photos, MASHABLE, Apr. 30, 2009, http://mashable.com/2009/04/30/facebook-photo-sharing/. 6. Id. 7. See Arno Scharl, Towards the Geospatial Web: Media Platforms for Managing Geotagged Knowledge Repositories, in THE GEOSPATIAL WEB: HOW GEOBROWSERS, SOCIAL SOFTWARE AND THE WEB 2.0 ARE SHAPING THE NETWORK SOCIETY 4 (Arno Scharl & Klaus Tochtermann eds., Springer 2007) (describing geobrowsers as an interface metaphor for the Earth providing users with an accurate visual representation that lets them browse geospatial data from a satellite perspective). 8. See, e.g., Google Maps Mania, http://googlemapsmania.blogspot.com/ (last visited Feb. 23, 2010) (detailing thousands of different geo-mashups); Programmable Web, Mapping Mashups, http://www.programmableweb.com/tag/mapping (last visited Feb. 23, 2010) (listing of various geo-mashups). 9. See ELIZABETH GOODMAN & ANDREA MOED, COMMUNITY IN MASHUPS: THE CASE OF PERSONAL GEODATA 1 (2006), http://mashworks.net/images/5/59/Goodman_Moed_2006.pdf (defining geo-mashups as “hybrid sites that draw on freely available online map functionality”). 10. See Muki Haklay et al., Web Mapping 2.0: The Neogeography of the GeoWeb, 2 GEOGRAPHY COMPASS 2011 (2008) (providing an overview of geo-mashup development during the last fifteen years).

No. 1] PRIVACY INVASIVE GEO-MASHUPS 3

The rapid growth of geo-mashups highlights the shift from one-directional information provision in Web 1.0 to the bi-directional collaboration and interaction of Web 2.0.13 This change has brought with it a concomitant set of new privacy concerns. Zittrain categorizes these new privacy problems as Privacy 2.0 and provides a cogent argument for the application of new ways to think about privacy in “the generative Internet.”14 He argues that innovative applications of privacy protection are required that transcend the first generation of privacy laws which focus explicitly on information privacy and the regulation of organizational activities related to the collection, storage, and use of personal information.15 First generation limits arise in Web 2.0 structures because new data relationships emerge from the active participation of individual Internet users as well as governmental or corporate bodies. Using Zittrain’s work,16 the author contends that threats arising from privacy invasive geo-mashups require the implantation of effective protections in the fabric of technical and social structures that surpass the legislative limits and the regulatory capabilities of first generation laws.

Part II highlights Web 2.0 growth and the rise of geo-mashups. Two types of geo-mashups are identified: location and function oriented. Part III identifies a small number of privacy invasive geo-mashups that have given rise, or have the potential to give rise, to privacy concerns. Part IV details Zittrain’s Privacy 2.0 and examines his criticism of first generation information privacy laws in light of changing information relationships. Part V applies key principles of Privacy 2.0 to a privacy invasive geo-mashup to highlight the limits of first generation information privacy laws. Part VI recommends Privacy 2.0 based technical and social solutions to mitigate the negative effects of privacy invasive geo-mashups. Finally, in Part VII, the author concludes by calling for the development of Privacy Standards for geo-mashups that would balance the requirements of continued geo-mashup innovation with the advancement of effective privacy protections against privacy invasive geo-mashups. These standards could assist the courts and privacy regulators regarding the interpretation of privacy laws in context with geo-mashups and thus aid the identification of privacy invasive geo-mashups.

11. See Mark Sweney & Jemima Kiss, Microsoft Buys Multimap, GUARDIAN, Dec. 12, 2007, http://www.guardian.co.uk/media/2007/dec/12/microsoft.digitalmedia/print (providing usage statistics for Google Maps, Google Earth, Microsoft Windows Live Maps, and Multimap). 12. Posting of Thai Tran to Google Lat Long Blog, http://google-latlong.blogspot.com/2007/07/google-maps-mashups-20.html (July 11, 2007, 5:58 EST). 13. See Michael F. Goodchild, Citizens as Sensors: The World of Volunteered Geography, 69 GEOJOURNAL 211, 214–215 (2007) [hereinafter Goodchild, Citizens as Sensors] (describing the movement from early web sites to Web 2.0 sites, which contain user-generated content and can be edited by users); Michael F. Goodchild, Citizens as Voluntary Sensors: Spatial Data Infrastructure in the World of Web 2.0, 2 INT’L J. OF SPATIAL DATA INFRASTRUCTURES RES. 24, 27 (2007) [hereinafter Goodchild, Voluntary Sensors] (explaining the difference between the early one-directional Web and the new bi-directional Web 2.0). 14. See Jonathan L. Zittrain, The Generative Internet, 119 HARV. L. REV. 1975, 1981 (2006) [hereinafter Zittrain, The Generative Internet] (regarding the concept of generativity which “is a function of a technology’s capacity for leverage across a range of tasks, adaptability to a range of different tasks, ease of mastery, and accessibility”). 15. Id. at 2018–20. 16. In his work, Zittrain uses generativity as a concept that is wider than Web 2.0. See JONATHAN ZITTRAIN, THE FUTURE OF THE INTERNET AND HOW TO STOP IT 123 (2008) (defining “Web 2.0” as “a new buzzword that celebrates this migration of applications traditionally found on the Internet to the PC. Confusingly, this term also refers to the separate phenomenon of increased user-generated content and indices on the Web – such as relying on user-provided tags to label photographs”) [hereinafter ZITTRAIN, THE FUTURE]. The author acknowledges the differences between Zittrain’s concept of the generative Internet and the definition of Web 2.0 used in this Article. Nonetheless, the author contends that the interchangeable focus in this Article regarding Web 2.0 and the generative Internet is possible in the context of privacy invasive geo-mashups. That is because both concepts stress the importance of new information flows that highlight the limitations of first generation privacy laws.

II. WEB 2.0 AND GEO-MASHUPS

A brainstorming session at the Medialive International Conference in 2005 provided the first definition of the term “Web 2.0”. The purpose of the conference was to identify the common effects of technologies that survived and flourished after the ‘dot.com’ crash of the late 1990s.17 The conceptual basis of the phenomenon that Web 2.0 describes varies,18 but for the purposes of this paper it is defined as

“a set of social, economic and technology trends that collectively form the basis for the next generation of the Internet—a more mature, distinct medium characterized by user participation, openness, and network effects.”19

The key ideals of Web 2.0 reflect the use of the Internet to foster greater user participation, to increase openness, and to enhance sharing through a more decentralized structure.20 The effect of Web 2.0 has been manifold in terms of technological, economic, and social developments.21 Regarding technology, Web 2.0 has been a transformative impetus for the expansion of new technologies that concentrate on the delivery of information based online services to individual or collective Internet users rather than the provision of software to individual computer users.22 For example, the makers of high quality word processing software geared their products towards individual personal computers and governed software use through specific license agreements. Now, such software is freely available over the Internet.23 In economic terms, shifting technology patterns fostered a change in how online technology providers perceived Internet users. Companies realized that greater user involvement through active participation in product development adds value to the enduring expansion of “perpetual beta technologies”.24 Internet users were not just content consumers, but they were now content producers.25 Online software companies tailored designs to match Internet user needs through new information exchange channels that led to the greater sharing of knowledge.26 Successful Web 2.0 companies exploited the collective intelligence of Web communities through customer interaction and facilitated collaboration with Internet users.27

17. E.g. Tim O’Reilly, What Is Web 2.0, O’REILLY, Sept. 30, 2005, http://oreilly.com/web2/archive/what-is-web-20.html. 18. See, e.g., PARTICIPATIVE WEB, supra note 4, at 17 (defining the “participative web” which is intended to describe “the more extensive use of the Internet’s capabilities to expand creativity and communication”); YOCHAI BENKLER, THE WEALTH OF NETWORKS: HOW SOCIAL PRODUCTION TRANSFORMS MARKETS AND FREEDOM 30 (2006) (detailing the “networked information economy” which presents “the first modern communications medium that expands its reach by decentralizing the capital structure of production and distribution of information, culture, and knowledge”); ZITTRAIN, The Generative Internet, supra note 14, at 1981 (defining the “generative Internet”). 19. See JOHN MUSSER & TIM O’REILLY, WEB 2.0 PRINCIPLES AND BEST PRACTICES 12 (2007). 20. See BENKLER, supra note 18, at 3 (explaining the difference between the networked information economy and the displaced industrial information economy). 21. See PARTICIPATIVE WEB, supra note 4, at 27 (“There [is] a range of technological, social, economic and institutional drivers of user-created content accounting for its rapid growth and pervasiveness.”). 22. See, e.g., Lisa Veasman, “Piggy Backing” on the Web 2.0 Internet: Copyright Liability and Web 2.0 Mashups, 30 HASTINGS COMM. & ENT. L.J. 311, 313–17 (2008) (highlighting the types of technologies used in Web 2.0 and differences from the previous Internet era).

The change of Internet users from passive content consumers to active co-producers heralds the most significant social modification caused by Web 2.0.28 New technologies provided a foundation for the rapid escalation in the amount of user generated content published online.29 New modes of online service delivery enabled the collection and publication of information from mobile devices that made Internet user participation more relevant and instantaneous.30 The use of everyday consumer devices, such as digital cameras and mobile phones, as mobile information collectors, enabled the incorporation of geographical elements with the publication of user generated content.31 For the first time, it was easy to combine and share disparate sets of

23. See, e.g., Edward Lee, Warming up to User-Generated Content, 2008 U. ILL. L. REV. 1459, 1500–01 (2008) (regarding the transfer of traditional desktop to web-based applications).
24. See MUSSER & O’REILLY supra note 19, at 5–8, 15 (describing the development process, involving sampling, testing and actively responding to user activity and feedback to decide if development objectives are being met).
25. See AXEL BRUNS, BLOGS, WIKIPEDIA, SECOND LIFE, AND BEYOND: FROM PRODUCTION TO PRODUSAGE 34 (2008) (defining a content producing Internet user as a “produser” to describe the idea of an Internet user as both a producer and user of technologies and information).
26. See ZITTRAIN, THE FUTURE, supra note 16, at 84 (“[g]enerative systems allow users at large to try their hands at implementing and distributing new uses”).
27. See Mohamed Bishr & Lefteris Mantelas, A Trust and Reputation Model for Filtering and Classifying Knowledge About Urban Growth, 72 GEOJOURNAL 229, 235–36 (2008) (regarding the provision of geospatial related information in Web 2.0).
28. See Lee, supra note 23, at 1504 (describing consumer transition from “couch-potato” to “active participants in the creation of expressive works” as a social good, in that it reaches new audiences and epitomizes the freedoms of the First Amendment).
29. See id. at 1501 (regarding the growth of user generated content generated by the power of the Internet and its various “social networking platforms”).
30. See, e.g. Scharl, supra note 7, at 5 (noting the various images, including maps, that can be projected through the service by users’ “GPS-enabled handsets”); see also David Tulloch, Many, Many Maps: Empowerment and Online Participatory Mapping, 12 FIRST MONDAY (2007), http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/issue/view/224 (regarding the use of new Internet mapping tools that “are creating a newly empowered class of users”).
31. See Claus Rinner, et al., The Use of Web 2.0 Concepts to Support Deliberation in Spatial Decision-Making, 32 COMPUTERS, ENV’T & URB. SYS. 386, 387 (2008) (highlighting the natural geospatial element to much user generated material “which increasingly is made explicit by adding geographic coordinates to the material’s metadata (i.e. geotagging it). This way, the content can be visualized on a map and in some cases, the map material itself is user-generated content.”).


6 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010

information, related to specific geographical locations, with other users via publication on the Internet.32 The sharing of user geographical information spawned a user-based, geo-mashup cottage industry fueled by the arrival of user-friendly, online mapping interfaces that facilitated the production of geo-mashups.

Free and easy-to-use geo-browsers such as Google Maps,33 and to a lesser extent, Yahoo Maps,34 Microsoft Live Maps35 and NASA’s Worldwind36 provide a platform for non-technical users to overlay information on mapping interfaces to create geo-mashups.37 The geo-browsers present a geospatial and visual representation of the world that is accessible via the Internet to integrate different types of data with specific geographical locations. In terms of geo-mashup technical development, application programming interfaces (APIs) have been the key enhancement.38

APIs are largely responsible for the growing popularity of mashups as they are able to combine different sources of publicly available data and provide an interface, either free or for a cost recovery charge, for different services based on data supplied by multiple providers.39 As regards geo-mashups, APIs have facilitated third party online services by making the aggregation of different sets of information easier and have made the publication of overlays onto geo-browsers a relatively simple matter.40 Because they “are relatively easy to use, APIs have made application development more accessible” and have enabled a wider community of Internet users to create, share and publish geographic information.41 Internet users could now easily aggregate cartographic data with geo-tagged,42 individual user knowledge, such as a photo of a certain place or an advert for a business.43 For example, software engineer Paul Rademacher created HousingMaps.com,44 one of the first web mashups,45 in 2005, when he aggregated a list of San Francisco real estate properties for sale, from the Craigslist website, with Google Maps, using residential address information as the aggregation point for the map overlay.46 In the same year, Scipionus.com47 highlighted the potential social benefits of geo-mashups following the aftermath of Hurricanes Katrina, Rita, and Wilma in New Orleans, Louisiana and Florida respectively.48 Scipionus.com produced an interactive map of the disasters, populated by Internet users on the ground, which provided helpful and important information to other Internet users and for government authorities involved in rescue and relief.49 Internet users added notes to locations on Google Maps that enabled residents of affected areas to enquire and receive information about missing persons and about the status of their homes and communities.50

32. See Kei-Hoi Cheung, et al., Semantic Mashup of Biomedical Data, 41 J. BIOMED. INFO. 683, 683, 685 (2008) (describing mashup tools that allow end-users to manipulate and publish their data on various web sites in the form of photos and maps).
33. Google, Google Maps, http://maps.google.com/ (last visited Feb. 17, 2010).
34. Yahoo!, Yahoo Maps, http://maps.yahoo.com/ (last visited Feb. 17, 2010).
35. Microsoft, Live Search Maps, http://maps.live.com/ (last visited Feb. 17, 2010).
36. NASA, Worldwind, http://worldwind.arc.nasa.gov/index.html (last visited Feb. 17, 2010).
37. See Scharl, supra note 7, at 5 (explaining how geo-browsers and other platforms, such as Sigalert.com and Google Earth, aggregate traffic and accident data from users and project it onto a map).
38. MARTIN C. BROWN & CORPORATION EBOOKS, HACKING GOOGLE MAPS AND GOOGLE EARTH (2006); See VLAD TANASESCU, ET AL., THE GEOSPATIAL WEB: HOW GEOBROWSERS, SOCIAL SOFTWARE AND THE WEB 2.0 ARE SHAPING THE NETWORK SOCIETY 247 (2007) (regarding the distribution of APIs, such as Google Maps, and the resulting growth of geo-mashups due to Web 2.0 maps and their “map reality effect”). See generally ANDREW J TURNER, INTRODUCTION TO NEOGEOGRAPHY (2006).
39. Posting of Brady Forrest to O’Reilly Radar, http://radar.oreilly.com/2009/05/google-launches-maps-data-api.html (May 20, 2009) (regarding how Google could become a geodata supplier as well as a mapping interface provider); see Google Code, Google Maps Data API, http://code.google.com/apis/maps/documentation/mapsdata/ (last visited Oct. 24, 2009) (regarding the announcement of a new API that allows “client applications to view, store and update map data in the form of Google Data API feeds using a data model of features (placemarks, lines and shapes) and maps (collections of features)”); see also ZITTRAIN, THE FUTURE, supra note 16, at 124 (regarding the generative effects of the Google Maps API).
40. See Scharl, supra note 7, at 5 (“Most providers of geobrowsing platforms offer Application Programming Interfaces (APIs) or XML scripting to facilitate building third-party online services on top of their platforms (Roush 2005).”).
41. See Haklay et al., supra note 10, at 2020 (noting the “simpler tools [for geomashing] that, when deployed, enable a more pleasurable and effective user experience”).

Whilst the use of APIs has enhanced the interoperability of different data sets, the other key factor in the growth of geo-mashups has been the greater availability of information in forms that can be readily used for geospatial aggregation purposes.51 One of the key social effects of the previous decade has been the wider availability of geographic and statistical information, and more importantly, the greater willingness of organizations to share their data, either free, or for fees that enable and encourage innovation.52 As highlighted above, Internet users have also been more willing to share their information with other users for geo-mashup purposes.53 User provided information for mapping purposes has been categorized as volunteered geographic information (VGI)54 and is seen as part of the wider ambit of Neogeography55 or GIS/2.56 Technologies, such as Global Positioning Systems (GPS) and Radio Frequency Identification (RFID), in widespread consumer devices such as mobile phones, palmtops, satellite navigation systems and digital cameras have made the proliferation of VGI possible. It is now possible for an Internet user to plot their destination in line with the use of their consumer goods.57 For example, digital cameras or mobile phones with inbuilt GPS can automatically provide a latitude and longitude reading for any photograph taken on the device.58 Not only has this enhanced a user’s ability to record a wealth of new geographically related information, but it has also had the effect of making human beings geographical sensors.59 For example, geo-mashups now exist for cyclists to share information about cycle routes,60 for runners to plan details of running routes61 and for anglers to reveal the sites of secret fishing holes.62

42. See Scharl, supra note 7, at 5 (defining geotagging as the “process of assigning geospatial context information, ranging from specific point locations to arbitrarily shaped regions”).
43. Rinner et al., supra note 31, at 386.
44. HousingMaps, http://www.housingmaps.com/ (last visited Feb. 21, 2010).
45. See MUSSER & O’REILLY, supra note 19, at 28.
46. Id.
47. The Scipionus website is no longer available on the Internet.
48. See Official Google Australia Blog: Mapping the Victorian Fires, http://google-au.blogspot.com/2009/02/mapping-victorian-fires.html (last visited Feb. 21, 2010) (regarding a geo-mashup similar in principle to Scipionus developed by Google regarding the Victorian Bushfire disaster in February 2009 to provide assistance and information to people affected by the fires and emergency services personnel).
49. See Christopher C. Miller, A Beast in the Field: The Google Maps Mashup as GIS/2, 41 CARTOGRAPHICA 187, 194–95 (2006) (regarding further details about the Scipionus website).
50. Jacqueline W. Mills & Andrew Curtis, Geospatial Approaches for Disease Risk Communication in Marginalized Communities, 2 PROGRESS IN COMMUNITY HEALTH PARTNERSHIPS: RESEARCH, EDUCATION, AND ACTION, 61, 68–69 (2008).
51. See Marin Perez, Nokia Enters Google Territory, Opens up Mapping API, INFORMATION WEEK, May 20, 2009 http://www.informationweek.com/news/software/development/showArticle.jhtml?articleID=217600266&subSection=All+Stories (regarding Nokia’s new API for Ovi Maps which is claimed to be “the first step toward an ecosystem where developers can access Nokia’s unique contextual assets, such as location, to create mobile applications that will redefine how we use our mobile devices” (quoting Michael Halbherr, VP of Nokia’s social location services)).
52. See John Palfrey & Urs Gasser, Case Study: Mashups Interoperability and eInnovation 3 (The Berkman Ctr. for Internet & Soc’y at Harv. L. Sch., Nov. 2007), http://cyber.law.harvard.edu/interop/pdfs/interop-mashups.pdf (stating that two ingredients of mashups are the data and application programming interfaces, which provide access to “malleable” forms of data for non-programmers).

53. See Miller, supra note 49, at 192 (explaining the relationship between the increase of user generated content and Google Maps).
54. Compare, e.g., Goodchild, Citizens as Sensors, supra note 13, at 217–20 (regarding VGI), and Bishr & Mantelas, supra note 27, at 229–30 (regarding the concept of Collaboratively Contributed Geographic Information (CCGI)), with Andrew Flanagin & Miriam Metzger, The Credibility of Volunteered Geographic Information, 72 GEOJOURNAL 137, 142 (2008) (regarding a critical examination of the credibility of VGI), and ANDREW KEEN, THE CULT OF THE AMATEUR 64–68 (2007) (regarding more general concerns about the accuracy of information collected and published on the Internet).
55. See, e.g., TURNER, supra note 38, at 3 (defining Neogeography as “people using and creating their own maps, on their own terms and by combining elements of an existing toolset”); Haklay, et al., supra note 10, at 2021 (contrasting the difference between traditional cartographic sciences and Neogeography).
56. See, e.g., Miller, supra note 49, at 189 (describing GIS/2 as “a proposed alternative to mainstream GIS that would account for the less rigid, more socially and culturally mutable information needs of user groups being shut out by GIS/1.”).
57. See Goodchild, Citizens as Sensors, supra note 13, at 212 (highlighting GPS enabled mobile phones and digital cameras are able to take photos with automatic metadata tags of latitude and longitude readings of the photograph location); Scott Counts & Marc Smith, Where Were We: Communities for Sharing Space-Time Trails, in PROCEEDINGS OF THE 15TH ANN. ACM INT’L SYMPOSIUM. ON ADVANCES IN GEOGRAPHIC INFO. SYS. (Hanan Samet et. al., ed. 2007), http://doi.acm.org/10.1145/1341012.1341026 (regarding a typography of such technologies); Official Google Mobile Blog: Your Maps in Your Hands for the Holidays, http://googlemobile.blogspot.com/2008/12/your-maps-in-your-hands-for-holidays.html (Dec. 15, 2008, 11:07 EST) (regarding the next stage of development relating to Google Android and the recording of geospatial data that will allow users to “create, edit, share, and view personalized maps on your Android powered phone synchronized with the My Maps tab on Google Maps. . . . Your maps are automatically synchronized with your My Maps on the web”).
58. Goodchild, Citizens as Sensors, supra note 13, at 212.
59. See Goodchild, Voluntary Sensors, supra note 13, at 25–27 (explaining that humanity as a whole has a wealth of geographic knowledge that is only enhanced through the use of technology).
60. Reid Priedhorsky, et al., How a Personalized Geowiki Can Help Bicyclists Share Information More Effectively, in PROCEEDINGS OF THE 2007 INT’L SYMPOSIUM. ON WIKIS 93–98 (2007), available at http://doi.acm.org/10.1145/1296951.1296962; Reid Priedhorsky & Loren Terveen, The Computational Geowiki: What, Why, and How, in PROCEEDINGS OF ACM CSCW’08 CONFERENCE ON COMPUTER-SUPPORTED COOPERATIVE WORK 267–276 (2008), available at http://doi.acm.org/10.1145/1460563.1460606.
61. Mapmyrun.com, http://www.mapmyrun.com/ (last visited Nov. 18, 2009).
62. Fishing Lake Map, 1001 Secret Lake Fishing Maps!, http://www.1001seafoods.com/fishing/fishing-maps.php (last visited Nov. 18, 2009).

These geo-mashups are defined as location oriented geo-mashups because they allow users to provide or upload information relating to a specific geographical location. Other geo-mashups that fall within this category include Wikimapia.com,63 which provides a vetted service where users can provide descriptions of places of interest along with geographic coordinates, as long as the comments meet specified criteria,64 and Flickr, the photography-publishing website that allows users to geotag uploaded photos to a specific location.65 Furthermore, Platial.com is a social networking site where users can provide comments or maps related to geographic points or their experiences around specific geographic points,66 and Placeopedia.com overlays information published on Wikipedia over a geographic location.67 Finally, OpenStreetMap68 is an open access street map of the world in which users populate information about specific locations.
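The preceding discussion (and footnote 31) describes how GPS-equipped cameras and phones write a latitude and longitude into a photograph's metadata, which a geo-mashup or photo-sharing site can then place on a map. The Python below is an added illustration, not code from the article or from any of the services it names. It constructs a minimal EXIF/TIFF structure carrying a GPS sub-IFD (a constructed sample, not a real camera file), reads the position back in decimal degrees, and shows the defensive step a publishing service would take before a user's photo goes online: detaching the GPS block. The tag numbers and field layout are those of the EXIF/TIFF specification; the sample's fixed byte offsets, the coordinates and the function names are this example's own assumptions.

```python
import struct

# EXIF/TIFF constants (from the EXIF specification): the IFD0 tag that points at the
# GPS sub-IFD, the four GPS tags needed for a position, and the TIFF field types used.
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _dms(value):
    """Decimal degrees -> three (numerator, denominator) rationals, as cameras store them."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds_x1000 = round(((value - deg) * 60 - minutes) * 60 * 1000)
    return [(deg, 1), (minutes, 1), (seconds_x1000, 1000)]


def build_exif_with_gps(lat, lon):
    """Constructed sample: little-endian TIFF header, an IFD0 holding only the GPS pointer,
    and a GPS sub-IFD with the four position tags. Fixed layout (assumed for this example):
    header 0-7 | IFD0 at 8 (18 bytes) | GPS IFD at 26 (54 bytes) | lat rationals at 80 | lon at 104."""
    header = b"II*\x00" + struct.pack("<I", 8)
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, 26)
            + struct.pack("<I", 0))                                     # no next IFD
    lat_ref = b"N\x00" if lat >= 0 else b"S\x00"
    lon_ref = b"E\x00" if lon >= 0 else b"W\x00"
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI2s2x", GPS_LAT_REF, TYPE_ASCII, 2, lat_ref)  # short value stored inline
    gps += struct.pack("<HHII", GPS_LAT, TYPE_RATIONAL, 3, 80)          # offset to three rationals
    gps += struct.pack("<HHI2s2x", GPS_LON_REF, TYPE_ASCII, 2, lon_ref)
    gps += struct.pack("<HHII", GPS_LON, TYPE_RATIONAL, 3, 104)
    gps += struct.pack("<I", 0)
    rationals = b"".join(struct.pack("<II", n, d) for n, d in _dms(lat) + _dms(lon))
    return header + ifd0 + gps + rationals


def _endian(blob):
    if blob[:2] == b"II":
        return "<"
    if blob[:2] == b"MM":
        return ">"
    raise ValueError("not a TIFF/EXIF structure")


def _read_ifd(blob, offset, e):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at `offset`."""
    (n,) = struct.unpack_from(e + "H", blob, offset)
    entries = {}
    for i in range(n):
        tag, typ, count, value = struct.unpack_from(e + "HHI4s", blob, offset + 2 + 12 * i)
        entries[tag] = (typ, count, value)
    return entries


def _degrees(blob, value_field, e):
    """Follow the offset in a RATIONAL[3] entry and convert degrees/minutes/seconds to decimal."""
    (off,) = struct.unpack(e + "I", value_field)
    parts = []
    for i in range(3):
        num, den = struct.unpack_from(e + "II", blob, off + 8 * i)
        parts.append(num / den if den else 0.0)
    return parts[0] + parts[1] / 60 + parts[2] / 3600


def extract_gps(blob):
    """(lat, lon) in decimal degrees, or None when the structure carries no GPS position."""
    e = _endian(blob)
    (ifd0_off,) = struct.unpack_from(e + "I", blob, 4)
    ifd0 = _read_ifd(blob, ifd0_off, e)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(blob, gps_off, e)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _degrees(blob, gps[GPS_LAT][2], e)
    lon = _degrees(blob, gps[GPS_LON][2], e)
    if gps[GPS_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[GPS_LON_REF][2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


def strip_gps(blob):
    """Return a copy whose IFD0 no longer points at the GPS sub-IFD. The removed entry is
    replaced by zero padding so every other offset in the file stays valid; the orphaned
    GPS bytes become unreachable to an EXIF reader (a full sanitiser would also rewrite
    the file without them)."""
    e = _endian(blob)
    (ifd0_off,) = struct.unpack_from(e + "I", blob, 4)
    (n,) = struct.unpack_from(e + "H", blob, ifd0_off)
    start = ifd0_off + 2
    raw = [blob[start + 12 * i: start + 12 * (i + 1)] for i in range(n)]
    kept = [r for r in raw if struct.unpack(e + "H", r[:2])[0] != TAG_GPS_IFD]
    next_ptr = blob[start + 12 * n: start + 12 * n + 4]
    new_ifd = struct.pack(e + "H", len(kept)) + b"".join(kept) + next_ptr
    new_ifd += b"\x00" * (12 * (n - len(kept)))
    return blob[:ifd0_off] + new_ifd + blob[start + 12 * n + 4:]


if __name__ == "__main__":
    sample = build_exif_with_gps(51.5074, -0.1278)   # constructed coordinates
    print("embedded position:", extract_gps(sample))
    print("after stripping:  ", extract_gps(strip_gps(sample)))
```

In a JPEG this TIFF structure sits inside the APP1 segment after the `Exif\0\0` marker, so the same parser applies once that segment has been located; the point for a publishing service is that the position is present whether or not the uploader knows it, and that removing the pointer before publication is cheap.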

Another type is function-oriented geo-mashups. These geo-mashups overlay information with a mapping interface to provide a geographical context related to a specific publication purpose. For example, the London Profiler69 geo-mashup provides a range of statistical and public data on London boroughs and Who Is Sick?70 provides user generated information about illnesses contracted by individuals in geographical areas. Furthermore, the Tunisian Prison Map71 geo-mashup provides the location of prisons in Tunisia and details human rights violations of prisoners held within those prisons and Topobiographies of the Catalan Exile72 tracks exiles who fled from Spain during the Spanish Civil War. The One Big Thing73 geo-mashup provides information on the US Federal Government’s stimulation package spending and Antenna Search74 provides the location of mobile phone antenna masts anywhere in the USA. Finally, the Hospital Rankings75 geo-mashup provides quality assurance information of US hospitals based on type of illness.

The author contends that function oriented geo-mashups can particularly give rise to privacy concerns because of how they use both personal and non-personal information with a residential address, as shown in the next part of the article.

63. Wikimapia—Let’s Describe the Whole World!, http://wikimapia.org/ (last visited Nov. 18, 2009).
64. See Goodchild, Voluntary Sensors, supra note 13, at 28 (explaining Wikimapia).
65. About Flickr, http://www.flickr.com/about (last visited May 19, 2009).
66. Platial.com—Who and What’s Nearby, About Us, http://platial.com/about (last visited May 19, 2009).
67. Placeopedia, http://www.placeopedia.com/ (last visited May 19, 2009).
68. OpenStreetMap, http://www.openstreetmap.org/ (last visited May 31, 2009).
69. London Profiler, http://www.londonprofiler.org/ (last visited May 19, 2009).
70. Who Is Sick?, http://whoissick.org/sickness/ (last visited May 19, 2009).
71. Tunisian Prison Map, http://www.kitab.nl/tunisianprisonersmap/ (last visited May 19, 2009).
72. Universitat Oberta De Catalunya, Topobiographies of the Catalan Exile, http://www.topobiografies.cat/en/ (last visited Feb. 20, 2010).
73. David Erickson, The One Big Thing: Federal Government Spending Data Mashups, http://e-strategyblog.com/2009/04/the-one-big-thing-federal-government-spending-data-mashups/ (last visited Feb. 20, 2010).
74. Antenna Search, http://www.antennasearch.com/ (last visited Feb. 20, 2010).
75. Netdoc.com, Hospital Rankings, http://www.netdoc.com/hospital-rankings (last visited Feb. 20, 2010).


III. PRIVACY-INVASIVE GEO-MASHUPS

A small number of geo-mashups have created, or have the potential to create, privacy concerns that involve the unauthorized use of personal information, the inadvertent disclosure of personal information and invasion of privacy issues. Geo-mashups that give rise to privacy issues are labeled privacy invasive geo-mashups because they are able to intrude into an individual’s privacy.76 The definition of a privacy invasive geo-mashup is intentionally broad to transcend privacy issues based solely on personal information use. As Solove comments, a conception of privacy based purely on control over information only partially captures the problems that arise from increased use of personal information.77 For the sake of completeness, privacy protection is defined as the “process of finding appropriate balances between privacy and multiple competing interests”.78 That said, however, as this article is an introduction to the concept of privacy invasive geo-mashups and the limits of first generation information privacy laws, the author concentrates mostly on issues that arise from the use and re-use of personal information.

It is also important to concede that the small number of privacy invasive geo-mashups detailed is a minuscule fraction of the total number of geo-mashups currently published on the Internet. Whilst the examples may not be representative of the total geo-mashup population, they nonetheless provide clear indications of the types of problems that can emerge and emphasize the capacity privacy invasive geo-mashups have to affect a large number of individuals,79 as evidenced by the first example.

A. Unauthorized Use of Personal Information

In this sub-section, two geo-mashup examples are used to demonstrate concerns involving the unauthorized publication of personal information. The first gave rise to actual privacy problems whereas the second could have caused privacy concerns if published. The first example entails the membership list of the British National Party and gives rise to serious privacy concerns as identified in later parts of this article.

76. See Roger Clarke, Introducing Pits and Pets: Technologies Affecting Privacy, http://www.rogerclarke.com/DV/PITsPETs.html#Terms (last visited Feb. 20, 2010) (regarding the article’s definition of privacy invasive geo-mashups which is based on Clarke’s definition of privacy invasive technologies).
77. Daniel J. Solove, Conceptualizing Privacy, 90 CAL. L. REV. 1087, 1154 (2002). See Anita L. Allen, Privacy as Data Control: Conceptual, Practical and Moral Limits of the Paradigm, 32 CONN. L. REV. 861, 869 (2000) (regarding the conceptual and practical limits of information privacy as control over personal information: “privacy is open to broader and more perspicacious definitional analysis. . . . It is pointless (or merely symbolic) to ascribe a right to data control if it turns out that exercising the right is impossible”); Lisa Austin, Privacy and the Question of Technology, 22 L. & PHIL. 119, 127 (2003) (regarding the difficulty in distinguishing specific normative arguments about privacy as control against more general principles of liberty and autonomy).
78. Roger Clarke, Privacy: More Wobble-Board Than Balance-Beam, http://www.rogerclarke.com/DV/Wobble.html (last visited Feb. 20, 2010).
79. The author acknowledges the social benefits that can arise from geo-mashups and this article should not be viewed as a general criticism of the use of geo-mashups or a call to restrict geo-mashup innovations. Geo-mashups provide exciting and new opportunities to involve members of the public and thus create greater awareness of geographic, cartographic and indeed broader social issues. However, the author contends that the privacy issues raised from privacy invasive geo-mashups need to be addressed and discussed further.

1. British National Party Membership List

The British National Party80 (BNP) is a nationalist political party based in the United Kingdom.81 The BNP contends that it is a legitimate democratic organization despite its historical background, which has links to racially related and politically motivated violence and involvement with far-right paramilitary groups, both in the UK and overseas.82 Despite attempts at political legitimization, BNP policies remain fervently right wing.83 Rank-and-file membership of the BNP is therefore a sensitive issue, especially as some professions preclude membership of the party.84

On November 18, 2008, a disgruntled former BNP employee published the 12,000 plus party membership list on the Internet.85 Previously, five individuals acquired the membership list without authorization in April 2008. The BNP obtained an injunction against them, which prohibited the publication of the list and ordered the destruction of any copies.86 The membership list was nonetheless disseminated in November 2008 and published details included names, addresses, telephone numbers, email addresses and in some cases, employment details. The list also included the names and ages of children who have become members of the party after a parent had taken out a family membership, and several people who have joined the party at the age of 16.87 Moreover, the BNP admitted that the list was only partially correct as it included the names of persons who had never been party members.88 Media sources reported that Dyfed Powys Police arrested and charged two persons with criminal offences under the Data Protection Act 1998, in a joint investigation with the Information Commissioner’s Office, regarding the publication of the list.89

80. The author has no political allegiances with the BNP and this example is used solely to highlight the privacy issues that can emerge from privacy invasive geo-mashups. Moreover, the author respects the right of individuals to keep their political allegiances private should they choose to do so.
81. British National Party, http://bnp.org.uk/ (last visited Feb. 20, 2010).
82. See Wikipedia, British National Party, http://en.wikipedia.org/wiki/British_National_Party (last visited Feb. 20, 2010) (providing a concise history of the BNP).
83. E.g. BNP, Immigration, http://bnp.org.uk/policies/immigration/ (last visited Feb. 20, 2010) (“We will abolish the ‘positive discrimination’ schemes that have made white Britons second-class citizens. We will also clamp down on the flood of ‘asylum seekers’, all of whom are either bogus or can find refuge much nearer their home countries”).
84. E.g. ACPO Bans Police from Joining BNP, BBC NEWS, July 27, 2004, http://news.bbc.co.uk/2/hi/uk_news/3930175.stm (regarding the Association of Chief Police Officers (ACPO) ban on membership of the BNP in UK police forces); Christopher Hope, How Many BNP Activists Live in Your Town? Now You Can Find Out, THE TIMES, Nov. 20 2008, http://www.telegraph.co.uk/news/newstopics/politics/3484489/How-many-BNP-activists-live-in-your-town-Now-you-can-find-out.html (“There is no question that the BNP is widely viewed with deep suspicion. Police officers, for example, cannot join because it ‘would be incompatible with our duty to promote equality under the Race Relations Amendment Act and would damage the confidence of minority communities’” (quoting Greater Manchester Police Chief Constable, Peter Fahy)).
85. BNP Activists’ Details Published, BBC NEWS, Nov. 18, 2008, http://news.bbc.co.uk/2/hi/uk_news/7736405.stm; Esther Addley & Haroon Siddique, BNP Membership List Posted Online by Former ‘Hardliner’, THE GUARDIAN, Nov. 19 2008, http://www.guardian.co.uk/politics/2008/nov/19/bnp-list; Dominic Kennedy & Nico Hines, Thousands in Fear after BNP Members List Leak, THE TIMES, Nov. 19 2008, http://www.timesonline.co.uk/tol/news/politics/article5183833.ece; James Kirkup & Christopher Hope, BNP Membership List Leaked onto Internet, THE DAILY TELEGRAPH, Nov. 19 2008, http://www.telegraph.co.uk/news/newstopics/politics/3479612/BNP-membership-list-leaked-onto-internet.html (describing the contents of the members list); Ben Russell, BNP Membership List Published on Internet, THE INDEPENDENT, Nov. 19 2008, http://www.independent.co.uk/news/uk/politics/bnp-membership-list-published-on-internet-1024719.html (detailing the publication of home addresses, phone numbers and emails of about 13,500 people on the BNP members list); James Sturcke et al., BNP Membership List Leaked Online, THE GUARDIAN, Nov. 18 2008, http://www.guardian.co.uk/politics/2008/nov/18/bnp-membership-list-leak (informing the public about the publication of the list).

Wikileaks,90 a website that provides online space for the publication of anonymous submissions of sensitive corporate or government material, published the membership list on the Internet. Different organizations and individuals used Bit Torrent and social networking websites91 to copy and disseminate the list further. More importantly, in terms of this article, both media organizations and individuals used the membership list to create geo-mashups based on its content. For example, the Times provided an overlay of the BNP membership list on Google Maps to highlight postcode areas where BNP membership was at its highest.92 Bubbles represented different postcode districts and different colored bubbles represented the density of BNP members in the postcode district.93 The Guardian produced a similar geo-mashup showing the population density of BNP members by political constituency rather than postcode.94

86. See BNP Protest after Arrests, MANCHESTER EVENING NEWS, Nov. 19, 2008, available at http://www.manchestereveningnews.co.uk/news/s/1080665_bnp_protest_after_arrests (explaining that BNP brought an injunction at the High Court in Manchester against five people to stop them publishing a list of party members).
87. See Addley & Siddique, supra note 85 (describing the content of the list of members).
88. See id. (describing the content of the list of members); Kirkup & Hope, supra note 83, at 5 (reporting that data collected and published on the list was of a rather unconventional nature: “[s]ome of the detail leaves the BNP open to mockery. Why, for example, would the BNP need to record the following about one member from Wiltshire: ‘Hobbies: amateur radio & “church crawling”. Quaker attender - proof of entitlement seen’? Or how about this, attached to the entry for one woman from the south of England: ‘Owner of a WW2 jeep. Singer with a ladies’ barber shop chorus and quartet’”).
89. See BNP Expects More Arrests over Leaked Membership List, NOTTINGHAM EVENING POST, Dec. 6, 2008, http://www.thisisnottingham.co.uk/crime/arrested-Notts-BNP-membership-leakarticle-527013-details/article.html (notifying about the arrests and describing the charges); BNP List Arrest Pair Are Bailed, BBC NEWS, Dec. 10, 2008, http://news.bbc.co.uk/2/hi/uk_news/england/nottinghamshire/7775631.stm 2009) (stating that the two arrested persons were bailed out); Ian Johnston, Two Held over BNP Member List Leak, THE INDEPENDENT Dec. 6, 2008, http://www.independent.co.uk/news/uk/home-news/two-held-over-bnp-member-list-leak-1054428.html (speaking about the arrests in Brinsley); Sarah Knapton, Two Arrested over Leaking of BNP Membership List, THE TELEGRAPH, Dec. 5, 2008, http://www.telegraph.co.uk/news/newstopics/politics/3568802/Two-arrested-over-leaking-of-BNP-membership-list.html; Two Arrests over Leaked BNP List, BBC NEWS, Dec. 5, 2008, http://news.bbc.co.uk/2/hi/uk_news/england/nottinghamshire/7768142.stm.
90. Wikileaks, http://wikileaks.org (last visited Sept. 30, 2009).
91. See Sam Leith, What’s ‘Liberal’ About Hacking into the BNP?, THE TIMES, Nov. 22, 2008, http://www.telegraph.co.uk/comment/columnists/samleith/3563694/Whats-liberal-about-hacking-into-the-BNP.html (regarding publication of personal information from the BNP membership list on Facebook).
92. BNP Membership by Postal District, THE TIMES, Nov. 19, 2008, http://www.timesonline.co.uk/tol/news/uk/article5191424.ece.

Individual Internet users also created BNP geo-mashups. For instance, the "BNP Near Me" geo-mashup95 initially used single red pinpoints to represent the location of BNP members by postcode. However, unlike the Times geo-mashup, the red pinpoints gave a misleading impression: they inadvertently singled out an individual residential property on Google Maps even though each pinpoint represented a postcode district. The creator of "BNP Near Me" subsequently altered the geo-mashup after he received voluble criticism about the apparent misrepresentation of postcode information.96 Red heat spots replaced the pinpoints and provided a representation of the postcode area without highlighting an individual property. Another BNP membership list geo-mashup is the "BNP Member Proximity Search".97 An Internet user is required to enter a postcode into a search field, and another webpage details those BNP members who reside within a two-mile radius of the entered postcode. Unlike the other BNP membership geo-mashups, the Proximity Search geo-mashup provides both the postcode and the name of BNP members. Additionally, another webpage, linked to the hyperlinked postcode, directs a user to Google Maps, which pinpoints a specific residential property.

The unauthorized release of the BNP membership list has had some serious consequences. Some BNP members have had their employment terminated98 or have received death threats,99 and in one instance a car belonging to the neighbor of a BNP member was mistakenly petrol bombed.100

93. Id.
94. BNP Members: The Far Right Map of Britain, THE GUARDIAN, Nov. 19, 2008, http://www.guardian.co.uk/uk/interactive/2008/nov/19/bnp.
95. Ben Charlton, Leaked BNP Member List Map, SPOD.CX, http://spod.cx/bnp_members_list.shtml (the original map has subsequently been removed and replaced).
96. See Mike Butcher, One More BNP Thing - Heatmaps Replace Pins, but Pandora's Box Is Now Open, TECHCRUNCH EUROPE, Nov. 19, 2008, http://uk.techcrunch.com/2008/11/19/one-more-bnp-thing-heatmaps-replace-pins-but-pandoras-box-is-now-open/ (highlighting some of the consequences of the publication of the BNP list); Mike Butcher, Updated: BNP Member List Mashed with Google Maps Creates a Sea of Red Dots, but Dangerously Inaccurate, TECHCRUNCH EUROPE, Nov. 19, 2008, http://uk.techcrunch.com/2008/11/19/bnp-member-list-mashed-with-google-maps-creates-a-sea-of-red-dots/ [hereinafter Butcher, Updated: BNP Member List] (reporting potential inaccuracies and misrepresentations relating to the BNP Near Me geo-mashup).
97. BNP Member Proximity Search, http://www.fishmech.net/bnp/ (last visited May 19, 2009).
98. See 'BNP Membership' Officer Sacked, BBC NEWS, Mar. 21, 2009, http://news.bbc.co.uk/2/hi/uk_news/england/merseyside/7956824.stm (regarding the sacking of a police officer for being a member of the BNP); Church Asked to Ban BNP Members, BBC NEWS, Jan. 19, 2009, http://news.bbc.co.uk/2/hi/uk_news/7838280.stm (highlighting that the Church of England Synod is considering banning clergy from joining the BNP after it was revealed that clergymen were members of the BNP); Joe Murphy, Radio Host Exposed in BNP Leak is Axed, LONDON EVENING STANDARD, Nov. 19, 2008, http://www.thisislondon.co.uk/standard/article-23589438details/Radio+host+exposed+in+BNP+leak+is+sacked/article.do (regarding the sacking of a national talk back radio presenter).

14 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010

2. Amazon.com’s Wish Lists & Data Mining

In January 2006, Tom Owad published an article on the Applefritter website about governmental use of data mining techniques.101 Owad highlighted that large amounts of information can be easily data mined using readily available home computer equipment. The purpose of his research was to highlight how much data mining the US Government could undertake with its much larger computing capabilities and information accessing powers. For instance, section 215 of the Patriot Act102 allows the Federal Bureau of Investigation ("FBI") to obtain a court order, without probable cause, from the Foreign Intelligence Surveillance Act Court regarding the production of "any tangible things (including books, record, papers, documents, and other items) for an authorized investigation to protect against terrorism or clandestine intelligence activities".103 The legislation defines "any tangible thing" to include books withdrawn from a library.104 In keeping with the nature and content of the Patriot Act, Owad conducted his experiment on wish lists created on the book-selling website Amazon.com.105 Users can create an Amazon wish list as a guide for potential future gift ideas106 and, by default, Amazon makes the wish lists public to anyone who conducts a search by name.107

It is also possible to send an item direct to the wish list creator if he or she has entered a shipping address. However, the downloadable wish lists only include city and state information, and the full shipping address remains private.108 Due to Amazon's popularity, a vast number of wish lists exist, and whilst it is not possible to search for a particular person in an index, it is possible to conduct a search by a particular forename, such as "Mark". Owad retrieved over 120,000 wish lists by using this type of search.109 Owad then conducted a search on an unspecified, yet common, forename and downloaded 260,000 wish lists of US citizens. Owad selected some potentially subversive books and searched the wish list data to see who had chosen them.

99. BNP Members 'Targeted by Threats', BBC NEWS, Nov. 19, 2008, http://news.bbc.co.uk/2/hi/uk_news/politics/7736794.stm (regarding details of threats received by callers to a BBC radio program); Death Threats as BNP Members Are Named, THIS IS CORNWALL, Nov. 25, 2008, http://www.thisiscornwall.co.uk/northcornwall/Death-threats-BNP-members-named/article-499803-detail/article.html (regarding death threats to Cornish BNP members); Death Threats for Politician after BNP Members List Is Leaked, THE SENTINEL, Nov. 20, 2008, http://www.thisisstaffordshire.co.uk/news/Death-threats-follow-BNP-listarticle-488115-details/article.html (regarding death threats received by a BNP local councillor); Ian Watson, Privacy Issues for BNP Members, BBC NEWS, Nov. 19, 2008, http://news.bbc.co.uk/2/hi/uk_news/politics/7737651.stm (regarding the security of BNP members in Northern Ireland and the Irish Republic).
100. See Nico Hines, BNP Member Says Family Safety at Risk after Car Explodes Outside Home, THE TIMES, Nov. 21, 2008, http://www.timesonline.co.uk/tol/news/uk/crime/article5204727.ece (explaining the car bombing outside a BNP member's home); Police Probe BNP Link to Car Fire, BBC NEWS, Nov. 21, 2008, http://news.bbc.co.uk/2/hi/uk_news/england/bradford/7741270.stm (discussing the firebombing of a BNP member's house).
101. Posting of Tom Owad to Applefritter, Data Mining 101: Finding Subversives with Amazon Wishlists, http://www.applefritter.com/bannedbooks (Jan. 4, 2006, 19:37 EST).
102. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot) Act of 2001, Pub. L. No. 107–156, 115 Stat. 272 (2001) [hereinafter Patriot Act].
103. Patriot Act § 215.
104. See Eric Lichtbau, F.B.I., Using Patriot Act, Demands Library's Records, N.Y. TIMES, Aug. 26, 2005, http://www.nytimes.com/2005/08/26/politics/26patriot.html (regarding the first attempt by the FBI to use the powers under the Act to demand access to library records from a Connecticut institution).
105. Amazon, http://www.amazon.com/ (last visited May 19, 2009).
106. Amazon Wish List, http://www.amazon.com/gp/registry/wishlist/ (last visited May 19, 2009).
107. Owad, supra note 101.

The retrieved wish lists included forename but not street address. Owad was able to cross-reference the wish list names with Yahoo People Search110 to obtain an address and telephone number of those people listed.111 Owad then created a geo-mashup by overlaying the wish list information, with street addresses retrieved from Yahoo People Search, over Google Maps. However, whilst the option was technically available to match an individual wish list entry by address to a specific satellite image of a home on Google Maps, Owad decided against this on the basis that it would be extreme and potentially lead to an invasion of an individual's privacy.112 Instead, Owad used city names and states as the basis for geographical aggregation. The Amazon subversive book geo-mashup nonetheless shows the issues that can arise from the unauthorized aggregation of information with a residential address.

B. Inadvertent Disclosure of Personal & Sensitive Information

The following sub-section examines two geo-mashup examples featuring the inadvertent disclosure of personal or sensitive information. The first involves the publication of crime statistics and the use of Google Streetview, and the second entails the use of Google's My Maps function to create and publish user-generated geo-mashups.

1. Crime Maps

One of the first geo-mashup incarnations was the Chicago Crime Maps website,113 which overlaid crime statistics and information from the Chicago Police Department over Google Maps. The resultant geo-mashup was seen as "a profoundly civic-minded utility: a light GIS built by a single citizen that takes one base map and a freely available store of data and makes meaning of the two in ways that can easily reach members of that community".114 The success of Chicago Crime Maps spawned a number of different crime-related geo-mashups by law enforcement authorities and by individuals.

108. Id.
109. Id.
110. Yahoo People Search, http://people.yahoo.com/ (last visited May 19, 2009).
111. Owad, supra note 101.
112. Id.
113. Everyblock Chicago, http://chicago.everyblock.com/crime/ (last visited May 19, 2009). The Chicago Crimes website was formerly known as chicagocrime.org and is represented as such in the older literature.
114. Miller, supra note 49, at 192.

For example, the Los Angeles Police Department offers a crime map that provides up-to-date information on crimes in the city.115 On a wider scale, Crime Reports116 works with 468 different law enforcement agencies that provide the website with details of the latest crimes. Crime Reports then geo-codes the crime data and sends email alerts to users who have requested updated information from a specific agency. Crime Reports then overlays the crime data on a Google Map and pinpoints it to a specific location.117 However, Crime Reports protects the privacy of crime victims by ensuring that

Law enforcement agencies remove victim identification as part of the data publishing process. In addition, we help protect victim identities by converting the exact street addresses to the "block level". For example, the address "1486 Lincoln Avenue" would be mapped and displayed as "1400 block of Lincoln Avenue".118

The Metropolitan Police's crime map of London also highlights the sensitivity inherent in the wider reporting of crime statistics.119 Unlike their US counterparts, the Metropolitan Police will only release information on crimes at a borough or ward level rather than for an individual street or location. Media organizations have also provided similar geo-mashups.120 The LA Times Homicide Map121 details every homicide in Los Angeles County. An Internet user can view murders committed in a particular location or can click on the name of a murder victim, and a Google Map pinpoints the location of the crime. An Internet user can then click on the pinpoint tag for the crime, which is hyperlinked to the LA Times blog, The Homicide Report, for more details and user comments.122 However, whilst Google Maps tags the pinpoint to a specific property, it is unclear whether this is the actual address of the crime or whether it is representative of a wider aggregation source, such as zip code.

Spotcrime123 is similar in concept to the geo-mashups highlighted above. Like Crime Reports, the geo-mashup uses crime statistics, but it also has an option for Internet users to provide details of certain crimes.124 These crimes are searchable on the SpotCrime website along with user-supplied information. SpotCrime acknowledges the sensitivity in the reporting of crimes by partially redacting address information.125 An Internet user can click on a reported crime to open a new webpage, which supplies a zoomed-in version of the geo-mashup that provides basic crime details, such as the type of crime, the case number and the partially redacted address. The webpage also activates Google Streetview126 and provides a ground-level photo image of the geo-tagged residential property.

115. Los Angeles Police Department, Crime Maps, http://www.lapdcrimemaps.org/ (last visited May 20, 2009).
116. Crime Reports, http://crimereports.com/lea/cr (last visited May 20, 2009).
117. Crime Reports, How It Works, http://crimereports.com/lea/crhowitworks (last visited May 21, 2009).
118. Crime Reports, FAQs, http://crimereports.com/company/faq#whycreated (last visited May 19, 2009).
119. Metropolitan Police, Metropolitan Police Crime Mapping, http://maps.met.police.uk/ (last visited May 21, 2009).
120. See Berliner Kurier, Berlin Crime Map, http://www.berliner-kurier.de/blaulichtkurier/ (last visited May 20, 2009) (showing the use of crime mapping in Germany as provided by a media group).
121. Los Angeles Times, The Homicide Map, Los Angeles County Victims, http://www.latimes.com/news/local/crime/homicidemap/ (last visited May 20, 2009).
122. E.g. The Homicide Report, L.A. TIMES, May 14, 2009, http://latimesblogs.latimes.com/homicidereport/2009/05/crenshaw-michael-mccullough-15.html#comments (regarding the murder of Michael McCullough).
123. Spotcrime - Know Your Neighborhood, http://www.spotcrime.com/ (last visited May 21, 2009).
124. See Spotcrime, Spotcrime Help, http://www.spotcrime.com/help.php (last visited May 21, 2009) (regarding a user's opportunity to report crimes relating to theft, burglary, robbery, assault, arson, shootings, vandalism and arrests).

The use of Google Streetview can give rise to privacy concerns relating to sensitive crimes, particularly rape. A user cannot search for rape-related crimes on SpotCrime because it is not one of the searchable categories.127 It is unclear whether SpotCrime intends to report rape crimes, because they are not categorized by their own searchable group. However, the author discovered one report of a rape crime in the Los Angeles area, which was classified as an 'assault' in SpotCrime, in which the street address was redacted but the street number was clearly visible on Google Streetview,128 thus making the redaction of the street address irrelevant. The residential property highlighted by Google Streetview is a small apartment block that appears to have a limited number of apartments, which could make it easier to identify the victim.
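The two redaction rules described above, Crime Reports' conversion of an exact street address to its "block level" and SpotCrime's replacement of the last two digits of a house number with 'XX' (footnote 125), are simple to implement and, more usefully for a publisher, simple to audit before release. The Python below is an added example written for this page; it is not code from the article, from Crime Reports or from SpotCrime. It implements both rules and then counts how many properties in a register still share the published form. That check cannot catch leakage through a second source such as a Street View image, which is the failure the SpotCrime report shows, but it does catch a generalised address that is still unique on its own, as happens for a lone building in its block. The address register is constructed for the example, and the `min_candidates` threshold of three is an assumption, not a figure either service publishes.

```python
"""Address generalisation for publishing crime-map data.

Added example; not code from the article, Crime Reports or SpotCrime.
Two rules the article describes:
  * block level:   "1486 Lincoln Avenue" -> "1400 block of Lincoln Avenue"
  * digit masking: "20512 Roscoe BL"     -> "205XX Roscoe BL"
plus a check, against a constructed register of known addresses, of how
many properties a generalised address still covers.
"""
import re
from typing import Callable, Iterable, List, Tuple

# Leading house number, then the rest of the line as the street.
_ADDRESS = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def split_address(address: str) -> Tuple[int, str]:
    """Return (house number, street); raise if there is no house number."""
    m = _ADDRESS.match(address)
    if m is None:
        raise ValueError(f"no house number in {address!r}")
    return int(m.group(1)), m.group(2)


def to_block_level(address: str, block_size: int = 100) -> str:
    """Crime Reports style: 1486 Lincoln Avenue -> 1400 block of Lincoln Avenue."""
    number, street = split_address(address)
    block = (number // block_size) * block_size
    return f"{block} block of {street}"


def mask_last_digits(address: str, digits: int = 2) -> str:
    """SpotCrime style: replace the trailing digits of the house number with X."""
    number, street = split_address(address)
    text = str(number)
    if len(text) <= digits:
        masked = "X" * len(text)          # very short numbers: hide all of it
    else:
        masked = text[:-digits] + "X" * digits
    return f"{masked} {street}"


def residual_candidates(address: str, known: Iterable[str],
                        generalise: Callable[[str], str]) -> List[str]:
    """All known addresses that generalise to the same published string."""
    target = generalise(address)
    return [a for a in known if generalise(a) == target]


def is_adequately_generalised(address: str, known: Iterable[str],
                              generalise: Callable[[str], str],
                              min_candidates: int = 3) -> bool:
    """True if the published form still covers at least min_candidates
    properties. The threshold is an assumption made for this example."""
    return len(residual_candidates(address, known, generalise)) >= min_candidates


# Constructed address register standing in for the properties on the map.
KNOWN_ADDRESSES = [
    "1402 Lincoln Avenue", "1410 Lincoln Avenue",
    "1486 Lincoln Avenue", "1490 Lincoln Avenue",
    "1520 Lincoln Avenue",
    "20512 Roscoe BL", "20577 Roscoe BL",
    "712 W 148th ST", "730 W 148th ST",
    "1486 Elm Court",            # the only property in its block
]


if __name__ == "__main__":
    for addr in ("1486 Lincoln Avenue", "1486 Elm Court"):
        for rule in (to_block_level, mask_last_digits):
            published = rule(addr)
            n = len(residual_candidates(addr, KNOWN_ADDRESSES, rule))
            ok = is_adequately_generalised(addr, KNOWN_ADDRESSES, rule)
            print(f"{addr} -> {published}: covers {n} known "
                  f"propert{'y' if n == 1 else 'ies'}, "
                  f"{'adequate' if ok else 'NOT adequate'}")
```

Run stand-alone, the script applies both rules to a property with neighbours in its block and to the lone property on Elm Court. The latter fails the threshold under either rule, which is the case where a publisher should fall back to a coarser unit, such as the borough- or ward-level release the Metropolitan Police use, rather than rely on the masked number.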

2. Google’s My Maps

In November 2008, 37 schools in Japan inadvertently disclosed the personal information of 980 school students on Google Maps.129 In Japan, it is customary for teachers to visit the homes of pupils who are about to start a new school.130 Several teachers of primary and secondary school pupils used the My Maps131 feature on Google Maps to ascertain directions and to record certain information about the pupils, such as names and telephone numbers.132 The teachers tagged residential addresses with information provided by the pupils and used My Maps as a convenient tool to find the quickest route from one pupil's house to another.133 A vice principal of one of the schools in the affected areas stated that "[f]or teachers unfamiliar with local geography, it can be a hard job tracking down each student's home on foot. So Google Maps is a convenient tool for finding houses and creating lists of locations just by inputting the relevant addresses."134

The teachers believed that the maps created for the home visits were only accessible by themselves, but in fact the maps, and the pupils' information, were accessible to the public.135 The My Maps default setting is to make information available to the public unless the map creator says otherwise.136 Once the teachers realized their mistake, they tried to delete the pupils' information but found that they were unable to do so.137 The teachers tried several times to delete the customized maps but to no avail.138 Google stores My Maps information on two or more different servers, and deletion problems occurred because a data record remained on one server even after a user had deleted it from another.139 Companies and hospitals in Japan have also encountered similar issues using My Maps.140 Sega, the Tokyo-based video game maker, discovered that personal information from 115 job applications was accessible to the public, and a Nagoya hospital revealed the names and personal information of patients receiving artificial dialysis.141

125. Typically, the last two digits of a house number are replaced with 'XX', for example "205XX Roscoe BL" or "7XX W 148th ST." It would appear that the Los Angeles Police Department conducts this process automatically. Spotcrime - Most Wanted – Most Viewed Crimes, http://www.spotcrime.com/mostviewed.php (last visited Feb. 19, 2009).
126. Google, Google Maps Street View, http://maps.google.com/help/maps/streetview/faq.html (last visited Oct. 20, 2009).
127. SpotCrime, supra note 125.
128. The author does not intend to provide details of the incident for obvious reasons of sensitivity. However, SpotCrime has been informed about the situation.
129. Student Data Slip out via Google Maps, YOMIURI SHIMBUN, Nov. 18, 2008, http://educationinjapan.wordpress.com/edu-news/current-concerns-8/current-concerns-9/current-concerns-12-teachers-slip-up-via-google-map-use-school-stabbing-cannabis-crimes.
130. Id.
131. Google Lat Long Blog, Save and Share Directions with My Maps, http://google-latlong.blogspot.com/2009/04/save-and-share-directions-with-my-maps.html (last visited Oct. 20, 2009).
132. YOMIURI SHIMBUN, supra note 129.
133. Id.

C. Invasions of Privacy

The last example involves the more general notion of invasions of individual privacy, which is defined as "the wrongful intrusion by individuals . . . into private affairs with which the public has no concern."142 Two examples below highlight general concerns of invasions of privacy.143

1. Celebrity Tracking

In 2006, the media gossip website Gawker144 launched a Google Maps based geo-mashup called Gawker Stalker.145 Internet users pinpoint and record the location of celebrity sightings in either New York or Los Angeles.146

134. Id.
135. Id.
136. Id. See also Google Code, Google Maps Data API: Developer Guide for Http Protocol, http://code.google.com/apis/maps/documentation/mapsdata/developers_guide_protocol.html (last visited Nov. 24, 2009) (describing how the Google maps data default settings make user inputted information available to the public).
137. YOMIURI SHIMBUN, supra note 129.
138. Id.
139. Id.
140. Id.
141. Id.
142. Wordnet, http://wordnetweb.princeton.edu/perl/webwn?s=invasion%20of%20privacy (last visited Nov. 24, 2009).
143. The author acknowledges the voluminous case law and commentary relating to celebrities and invasions of privacy. However, these issues will not be addressed in this article.
144. Gawker, http://gawker.com/ (last visited Nov. 24, 2009).
145. Gawker, Gawker Stalker, http://gawker.com/stalker/ (last visited Nov. 24, 2009).
146. Gawker, Introducing Gawker Stalker Maps, http://gawker.com/news/stalker/introducing-gawker-stalker-maps-160338.php (last visited Nov. 24, 2009) [hereinafter Gawker Maps].

Gawker aims to update a celebrity sighting within fifteen minutes of receiving it.147 A person can text or email Gawker and provide them with details of the celebrity sighting, such as location, time, date and other information such as how the celebrity looked and who they were with at the time of the sighting.148 The user provided information is then aggregated with Google Maps.149 An Internet user can click on a hotspot listed on the Gawker geo-mashup to view the latest celebrity listings or click on a particular celebrity to view all of the sightings provided by Gawker contributors.150

Not surprisingly, Gawker Stalker has been subject to some criticism regarding the privacy and the safety of those celebrities sighted. Dominic Knight, a journalist at the Sydney Morning Herald, stated in his news blog:

In particular, it [Gawker Stalker] seems like a fantastic way to put mentally ill people in touch with the famous people they want to stab. One of the sightings on there at the moment is Christian Slater coming out of the Dakota – the same building John Lennon lived in when he was shot by a crazy fan.151

Jeff McIntyre, a reporter for the Canadian Broadcasting Corporation, also writes that "[t]he immediate media response has been loud and contagious, with publicists and celebrities expressing shock and disdain. Not only do the pinpointed map coordinates constitute a new invasion of privacy, they insist, but Gawker Stalker is potentially fomenting a DIY paparazzi movement."152 As presaged in the McIntyre article, celebrities themselves have responded with some angst at the prospect of having their whereabouts tracked. Stan Rosenfield, who represents the interests of George Clooney, amongst others, has highlighted issues regarding the provision of information about individuals: "it's [Gawker Stalker] conceptually bad because it provides information to people that they don't need to have," he says. "There's a reasonable expectation of privacy that anyone has—you, me or someone who makes $200 billion. This is why people have unlisted phone numbers."153

The geo-mashup tracking phenomenon does not just involve high profile celebrities, as it has also involved "urban eccentrics".154 For example, FindHeMan155 allows Internet users to track the whereabouts of a well-known Manhattan resident "who bears a distinct resemblance to the comic book hero [He-Man]."156 Users are asked to email the Find He-Man website with updates of the latest sightings.157 Once received, the geo-mashup aggregates the latest observation onto a Platial map showing the location sighting of "He-Man."158 Spiegel also reports on a site called the Seattle Notables which, similar to Find He-Man, allows users to track the whereabouts of readily identifiable local individuals.159

147. Jonathan Zittrain, Privacy 2.0, U. CHI. LEGAL F. 65, 86 (2008) [hereinafter Zittrain, Privacy 2.0] ("Gawker strives to relay the sightings within fifteen minutes and place them upon a Google map, so that if Jack Nicholson is at Starbucks, one can arrive in time to stand awkwardly near him before he finishes his latte.").
148. See Gawker Maps, supra note 146 (encouraging site goers to include details such as the time, location, and behaviour of the celebrities they spot).
149. Id.
150. Id.
151. Dominic Knight, Google's Searching for Stalkers, http://blogs.smh.com.au/newsblog/archives/dom_knight/013909.html?page=2#comments (last visited May 19, 2009) ("As always, Google's got great technology, but serious privacy problems"). Id. The criticism directed purely at Google is a little harsh given that the geo-mashup was actually created by Gawker, but it does address an interesting issue, which is addressed below, namely how much responsibility Google should have as a technological facilitator of geo-mashups. See discussion infra Part V (suggesting that the problems the website causes are compounded by the fact that there is little or no redress or remedy available against the geo-mashup creators or the geo-mashup technological facilitators).
152. Jeff McIntyre, Stalk Market: Why Gawker.Com Is Putting the Fear in Celebrities, CBC, Mar. 23, 2006, http://www.cbc.ca/arts/media/gawker.html. See also Igossip, GPS Images - Celebrity Tracking, http://igossip.com/gossip/GPS_Images_a_Celebrity_Tracking_Ali_Lohan/542043 (last visited May 19, 2009) (regarding an example of McIntyre's "DIY paparazzi movement").

In a slightly different vein to tracking the activities of celebrities or well-known local persons, the Celebrity Maps geo-mashup shows Internet users where well-known celebrities reside.160 The geo-mashup overlays residential address information on top of a Google Map to pinpoint the homes of celebrities.161 Internet users enter a surname in the search field and the geo-mashup returns a list of celebrities with that surname.162 A user then clicks on a particular celebrity and the geo-mashup aggregates the name of the celebrity, along with the celebrity's residential address, over the corresponding geographical point on Google Maps.163

D. Summary Analysis

Privacy concerns in privacy invasive geo-mashups involve the interlinking of personal information misuse and invasions of individual privacy. Regarding the latter, geo-mashups such as Gawker Stalker clearly raise privacy issues.164 Putting aside the legal and policy sentiments regarding the privacy of celebrities, it does not take a major stretch of imagination to see how a similar tracking geo-mashup could be developed as a means to bully an ordinary individual by constant tracking and surveillance165 or to further marginalize already marginalized communities.166

153. Donna Freydkin & Olivia Barker, At Gawker Stalker, a 'Big Whole To-Do' over the Mapping Feature, USA TODAY, Mar. 28, 2006, http://www.usatoday.com/life/people/2006-03-28-gawker-sidebar_x.htm.
154. Brendan Spiegel, Websites Go Crazy Tracking Urban Eccentrics, WIRED, April 30, 2008, http://www.wired.com/entertainment/theweb/news/2008/04/urban_eccentrics.
155. Find He-Man, http://findheman.com (last visited May 19, 2009).
156. Spiegel, supra note 154.
157. Find He-Man, supra note 155.
158. He-Man Sightings, http://platial.com/map/He-Man-sightings/42645 (last visited Feb. 19, 2010).
159. Spiegel, supra note 154.
160. Celebrity Maps Home Page, http://www.celebrity-maps.com/index.php (last visited Feb. 19, 2010) (search "celebrity names" for a specific celebrity and the geo-mash will bring up a Google Map image of the celebrity's address).
161. Celebrity Maps About Us, http://www.celebrity-maps.com/about_us.php (last visited Feb. 19, 2010).
162. Celebrity Maps Home Page, supra note 160.
163. Id.
164. See discussion supra Part III.C.1.

The issues involving personal information misuse are equally complex. The Japanese My Maps geo-mashup showed how easy it is to publish personal information inadvertently on geo-mashups.167 Those problems were also borne out by the BNP geo-mashup.168 Both examples demonstrate the complex issues involved in the removal of information after publication.169 The common concern that all the geo-mashups share, albeit Gawker Stalker170 to a lesser extent, is the aggregation of information, particularly personal information, with a residential address, which can reveal the identity of an individual from the information provided and the address location. Addresses are therefore an important aspect of the regulation of privacy in geo-mashups.

However, is an address itself personal information and therefore subject to privacy laws? The recent Australian Law Reform Commission ("ALRC") review of privacy171 analyzed the complexities that emerge when trying to define an address as personal information:

3.139 In the ALRC's view, information that simply allows an individual to be contacted—such as a phone number, a street address or an IP address—in isolation, would not fall within the proposed definition of 'personal information'. The Privacy Act is not intended to implement an unqualified 'right to be let alone'. . . . Contact information may become 'personal information' in certain contexts, for example, once a mobile number is linked to a particular individual or the number can reasonably be linked to a particular individual. If an agency or organisation [sic] can reasonably ascertain the identities of direct mail recipients by linking data in the address database with particular names in the same or another database, that information is 'personal information' and should be treated as such.

3.140 As information accretes around a point of contact such as a telephone number, an address, an email address or an IP address, it will become possible to link that information to a particular individual, to contact or affect that individual or to target the individual, for example, with advertising material. Once this occurs, that information becomes 'personal information' for the purposes of the Privacy Act.172

The ALRC states that where an individual's address presents with other information which relates to that individual, then the likelihood increases that the individual's identity can be reasonably ascertained, especially if that individual can then be contacted.173 Thus, the character of the information set as a whole tilts toward 'personal information.' From an information privacy perspective, addresses can act as an identifier to link different data sets together.174 Because it helps 'accrete' data around pieces of information, linking datasets increases the likelihood that the identity of the subject is ascertainable from the set as a whole. The status of information as 'personal information' therefore has an important element of context, i.e., the context and inter-relationship of each of the available information components and the extent to which they collectively make identification possible.

165. Given the ubiquity of mobile/cell phones, the merger of mobile communications with social networking facilities and the easy transfer of data to geo-mashups, it seems to the author only a matter of time before geo-mashup bullies emerge. The ability to track bullied individuals and then provide location-tracking information with commentary, overlaid onto a geo-mashup for either public or private use, is now becoming a simple task. See, e.g., Jennifer Van Grove, 4 Teens Sued for Obscene Fake Facebook Profile, MASHABLE BLOG, Sept. 25, 2009, http://mashable.com/2009/09/25/fake-facebook-profile (describing how four teenagers created a fake Facebook profile for another Illinois student, in order to harm his reputation).
166. A website along the lines of TrackYourTramp.com is not a great leap forward from the existing Seattle Notables geo-mashup. See, e.g., Adopt-a-Tramp, http://www.facebook.com/group.php?gid=8251968356 (last visited Oct. 20, 2009) (describing a Facebook business/public relations group).
167. See discussion supra Part III.B.2.
168. See discussion supra Part III.A.1.
169. See discussion supra Part III.A.1.
170. See Gawker, supra note 144.
171. See AUSTRALIAN LAW REFORM COMMISSION, REP. NO. 108, FOR YOUR INFORMATION: AUSTRALIAN PRIVACY LAW AND PRACTICE (2008) [hereinafter AUSTRALIAN PRIVACY LAW AND PRACTICE] (regarding the final report); AUSTRALIAN LAW REFORM COMMISSION, DISCUSSION PAPER NO. 72, REVIEW OF AUSTRALIAN PRIVACY LAW (2007) [hereinafter ALRC DISCUSSION PAPER] (regarding the Commission's initial discussion paper).

Moreover, the use of geo-mashups exacerbates such issues because their use of information and their generation of visual content forces attention towards geography, particularly in the form of residential addresses. For example, the BNP membership list is a simple text file that merely provides a list of information that includes personal information.175 It is of course possible to identify where a BNP member resides from the list, but it is the generative exercise of enhancing and overlaying the raw text with an online map that re-emphasizes focus on cities, towns and individual residential addresses.176 It is therefore not just the content of information that is of concern but also the context of information use. Both of these situations arise in geo-mashups given the ease with which information can be aggregated onto maps, which can have the effect of creating new information that is particularized around specific geographic points. It is this particularization that can give rise to enhanced privacy concerns regarding geo-mashups because, as highlighted by the ALRC above, access to addresses can enable identification.177

In terms of geo-mashups and identification, it is important to look beyond the limited notion of identity as the ability to name, and thus identify, an individual. Instead, geo-mashups underline the importance of a wider societal identity of a person as a constituent of the various wanted and unwanted meta-societies we live in, such as a member of the BNP, a reader of 'subversive' books or a rape victim.178 Residential addresses provide access to ourselves by the ability to link the sensitive constituent meta-societies we reside in to our identity, which can then be made available to a wider audience, outside the parameters of the meta-societies.179 This brief discussion of the status of addresses highlights the limits of statutory privacy protection founded solely on the concept of information privacy and the overt focus on the collection and use of personal information. As highlighted in the next part, privacy invasive geo-mashups challenge the effectiveness of fair and lawful regulation of personal information exchange, based on the notion of fair information principles or practices. The next part of the article will draw on Zittrain's Privacy 2.0 as a framework to highlight the difficulties that first generation privacy laws have regarding the regulation of privacy in Web 2.0 and with geo-mashups in particular.

172. ALRC DISCUSSION PAPER, supra note 171, at 205.
173. See AUSTRALIAN PRIVACY LAW AND PRACTICE, supra note 171, at 299.
174. See Roger Clarke, Introduction to Dataveillance and Information Privacy, and Definitions of Terms, Roger Clarke's Web Site, http://www.rogerclarke.com/DV/Intro.html (defining information privacy as "the interest an individual has in controlling, or at least significantly influencing, the handling of data about themselves").
175. See supra note 30, and accompanying text.
176. See, e.g., TANASESCU, ET AL., supra note 36, at 247 ("The popularity of Web 2.0 maps and mash-up applications shows the interest and the appeal of the geographic environment for Web users; mash-ups are used for such a wide variety of goals that it seems that space, mediated through realistic Web maps, may provide the terrain for data integration rooted into human cognition that the more abstract textual Web has not yet succeeded to achieve.").
177. See ALRC DISCUSSION PAPER, supra note 171, § 3.139-3.140.

No. 1] PRIVACY INVASIVE GEO-MASHUPS 23

IV. PRIVACY 2.0

In his 2008 article, Privacy 2.0, Zittrain contends that the unique issues raised by the generative web require new privacy solutions because first generation information privacy laws are fast becoming defunct against the issues arising from generativity.180 Information privacy laws are concerned with regulating the relationship between individuals and powerful organizations about the provision and use of personal information. In new online structures, individuals, as well as organizations, collect and use personal information. Building on Zittrain's work, this part of the article will outline the foundations and legal principles of first generation information privacy laws before detailing Zittrain's criticism of them.

A. The Foundations & Legal Principles of First Generation Information Privacy Laws

Zittrain highlights the rise of privacy concerns in the 1970s generated by the advent of new computing technologies that enabled organizations to automate the collection of personal and non-personal information from individuals.181 Key reports and international instruments, from the early 1970s through to the early 1980s, were instrumental in the development of first generation information privacy laws and thus addressed rising societal, governmental and institutional concern.182

178. See Roger Clarke, Human Identification in Information Systems: Management Challenges and Public Policy Issues, 7 INFO. TECH. & PEOPLE 4, 6–37 (1994), available at http://www.rogerclarke.com/DV/HumanID.html#Bases (regarding the bases of human identification that recognize societal inputs above and beyond identification by name).
179. See Gary T. Marx, What's in a Concept? Some Reflections on the Complications and Complexities of Personal Information and Anonymity, 3 U. OTTAWA L. & TECH. J. 1 (2006) (regarding the value conflicts that can arise between the individual and the community regarding identity and anonymity).
180. Zittrain, The Generative Internet, supra note 14, at 1980 (defining generativity as "a technology's overall capacity to produce unprompted change driven by large, varied, and uncoordinated audiences").

In 1973, the US Department of Health, Education and Welfare produced a report entitled Records, Computers and the Rights of Citizens ("HEW Report").183 The HEW Report's central apprehension was the relationship between individuals and recordkeeping organizations with regard to the "growing concern about the harmful consequences that may result from uncontrolled application of computer and telecommunications technology to the collection, storage, and use of data about individual citizens."184 The Report attempted to find a balance between the organizational benefits arising from the enhanced efficiencies of automated personal data processing and the potential infringement of personal liberties from impersonal data collection.185 The balance was achievable through the concept of mutuality and by providing a degree of individual control over the collection of, access to, and disclosure of, an individual's personal information:

An individual's personal privacy is directly affected by the kind of disclosure and use made of identifiable information about him in a record. A record containing information about an individual in identifiable form must, therefore, be governed by procedures that afford the individual a right to participate in deciding what the content of the record will be, and what disclosure and use will be made of the identifiable information in it. Any recording, disclosure, and use of identifiable personal information not governed by such procedures must be proscribed as an unfair information practice unless such recording, disclosure[,] or use is specifically authorized by law.186

181. Zittrain, Privacy 2.0, supra note 147, at 66–67.
182. See Colin J. Bennett, Convergence Revisited: Toward a Global Policy for the Protection of Personal Data?, in TECHNOLOGY AND PRIVACY: THE NEW LANDSCAPE 99 (Philip E. Agre & Marc Rotenberg eds., MIT Press 1997) ("[S]trong pressures for 'policy convergence' had forced different states to legislate a broadly similar set of statutory principles to grant their citizens a greater control over personal information."); Joel R. Reidenberg, Privacy in the Information Economy: A Fortress or Frontier for Individual Rights?, 44 FED. COMM. L. J. 195, 200 (1992) ("[P]rivacy principles applicable to computer processing of personal information were widely recognized around the world as a necessity for an information-based economy.").
183. U.S. DEP'T OF HEALTH, EDUC., & WELFARE, RECORDS, COMPUTERS, AND THE RIGHTS OF CITIZENS: REPORT OF THE SECRETARY'S ADVISORY COMMITTEE ON AUTOMATED PERSONAL DATA SYSTEMS (1973), available at http://aspe.hhs.gov/DATACNCL/1973privacy/tocprefacemembers.htm [hereinafter HEW REPORT].
184. Id., at Preface.
185. See Robert Gellman, Does Privacy Law Work?, in TECHNOLOGY AND PRIVACY: THE NEW LANDSCAPE 195–96 (Philip E. Agre & Marc Rotenberg eds., 1997) ("[T]he executive and legislative branches looked at the increasing computerization of personal records and decided that new controls on technology were needed and that new protections for individuals were appropriate.").
186. HEW REPORT, supra note 185, § III.

The Report concluded that existing laws provided inadequate protection of individual privacy against potential record-keeping abuses and recommended the establishment of a Federal "code of fair information practice" for all automated data systems.187 The HEW Report's recommendations led to the enactment of the Privacy Act of 1974 (US)188 which established the recommended Code of Fair Information Practice for Federal Government agencies.189 These five core principles of fair information practice are the:

1. Notice/Awareness principle requires organizations to give an individual clear notice about information practices before personal information is collected;190

2. Choice/Consent principle provides an individual the opportunity to consent to secondary uses of their information;191

3. Access/Participation principle ensures that an individual is able to access data about themselves to ensure that data is accurate and complete;192

4. Integrity/Security principle obliges an organization that collects personal data to take reasonable steps to ensure that the data is accurate193 and is held in a secure environment;194 and

5. Enforcement/Redress principle provides an individual with the means to enforce a breach of the principles.195

During the same period, the Committee of Ministers of the Council of Europe adopted two resolutions that concerned the protection of individual privacy arising from personal information held in private and public sector databases.196 The resolutions were the instigator of "a more substantial legal instrument" to ensure adequate individual protections whilst enhancing the free trade of member countries.197 In 1981, the Council of Europe formally adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which extended the ambit of the previous Council Resolutions.198 The Convention was intended as a catalyst to encourage and guide state legislative initiatives rather than to provide a readily implementable set of data protection rules and regulations,199 as exemplified by the generality of the Convention's principles, namely, that personal information is to be:

1. Collected and processed in a fair and lawful manner;

2. Only stored for specified purposes;

3. Only used in ways that are compatible with those specified at the point of data collection;

4. Adequate, relevant and not excessive in relation to the purpose of data collection;

5. Accurate and where necessary kept up-to-date;

6. Preserved in identifiable form for no longer than is necessary;

7. Kept adequately secure; and

8. Accessible by individuals who have rights of rectification and erasure.200

Fourteen years later the European Community adopted the Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data201 to create an EU-wide regime that sets governance rules for member states to follow.202

187. Id. § IX. See Gellman, supra note 185, at 195 ("A key objective of the Privacy Act was restricting the government's use of computer technology to invade privacy. This act was based on the 1973 recommendations of a federal advisory committee.").
188. Privacy Act of 1974, 5 U.S.C. § 552 (2006).
189. See DANIEL J. SOLOVE, ET AL., INFORMATION PRIVACY LAW 578 (2006) (citing HEW REPORT, supra note 183, at 23–30, 41–42).
190. 5 U.S.C. § 552(e)(3) (agency requirements).
191. 5 U.S.C. § 552(b) (conditions of disclosure).
192. 5 U.S.C. § 552(d) (access to records).
193. 5 U.S.C. § 552(e)(6).
194. 5 U.S.C. § 552(e)(9), (10).
195. 5 U.S.C. § 552(g) (civil penalties), (i) (criminal penalties).
196. Resolution on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Private Sector, Council of Europe Res. 73(22) (Sept. 18, 1973), available at http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/documents/internationallegalinstruments/1Resolution(73)22_EN.pdf; Resolution on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Public Sector, Council of Europe Res. (74)29 (Sept. 16, 1974), available at http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/documents/internationallegalinstruments/1Resolution(74)29_EN.pdf.
197. ROSEMARY JAY & ANGUS HAMILTON, DATA PROTECTION LAW AND PRACTICE 8 (3d ed. 2007).
198. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Jan. 28, 1981, Europ. T.S. 108, available at http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm.

The Organization for Economic Cooperation and Development's (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data crystallized transnational improvements in 1980.203 The OECD recognized that the 1970s were an intensive period of legislative investigation and activity about the protection of privacy with respect to the collection and use of personal information.204 Member countries of the OECD had a common interest in the protection of individual privacy and in the reconciliation of fundamental and competing values involved in automatic data processing and transborder flows of personal information.205

For this reason, OECD Member countries considered it necessary to develop Guidelines, which would help to harmonise national privacy legislation and, while upholding such human rights, would at the same time prevent interruptions in international flows of data. They represent a consensus on basic principles which can be built into existing national legislation, or serve as a basis for legislation in those countries which do not yet have it.206

199. LEE A. BYGRAVE, DATA PROTECTION LAW: APPROACHING ITS RATIONALE, LOGIC AND LIMITS 34 (2002).
200. JAY & HAMILTON, supra note 197, at 8–9.
201. Council Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L281) 31 (EU).
202. See BYGRAVE, supra note 164, at 58.
203. ORG. FOR ECON. CO-OPERATION AND DEV. [OECD], Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/document/18/0,2340,es_2649_34255_1815186_1_1_1_1,00.html [hereinafter OECD GUIDELINES].
204. OECD GUIDELINES, supra note 203.
205. Roger Clarke, The OECD Data Protection Guidelines: A Template for Evaluating Information Privacy Law and Proposals for Information Privacy Law, http://www.anu.edu.au/people/Roger.Clarke/DV/PaperOECD.html (last visited Feb. 21, 2010).

As with the HEW Report and the Council of Europe Convention, the OECD Guidelines were concerned with the maintenance of balance.207 On this occasion, the balance was between harmonizing the different national legislation that protects privacy and preserving the integrity of transborder flows of personal information.208 The Guidelines were therefore an attempt to reduce the restrictions that inhibited the transfer of personal information and to strengthen the free information flow between member countries.209 The OECD considered that this balance was achievable because

[I]t is possible to identify certain basic interests or values which are commonly considered to be elementary components of the area of protection. . . . Generally speaking, statutes to protect privacy and individual liberties in relation to personal data attempt to cover the successive stages of the cycle beginning with the initial collection of data and ending with erasure or similar measures, and to ensure to the greatest possible extent individual awareness, participation and control.210

The Guidelines provided eight core principles of data collection, storage, and use for application by member countries, namely the:

1. Collection limitation principle which guarantees that the collection of personal data is within lawful and fair means, and where appropriate is conducted with the knowledge and consent of the individual;

2. Data quality principle which requires data collectors to collect personal data for relevant purposes only and to ensure that collected data is accurate, complete[,] and up to date;

3. Purpose specification principle which states that the purpose for which personal data is to be used must be stated at the time of collection and subsequent use must be limited to that purpose, unless individuals are notified of additional uses before that re-use takes place;

4. Use limitation principle which states that personal data should only be disclosed or used in accordance with the consent of the individual or by authority of law;

5. Security safeguard principle which requires that personal data must be kept in reasonably secure conditions;

6. Openness principle which states that organizations should implement a general policy of openness about data collection developments, practices and policies;

7. Individual participation principle which confirms that an individual should retain certain rights over the collection, storage and use of their information; and

8. Accountability principle, which confirms that a data collecting organization should be accountable for complying with the above principles.211

206. OECD GUIDELINES, supra note 203.
207. Id.
208. Id.
209. Id.
210. Id.

The HEW Report, the Council of Europe Convention, and the OECD Guidelines have been at the forefront of the development of first generation information privacy laws. There are obvious similarities between the three documents that first generation information privacy laws reflect.212 The HEW Report was directly responsible for the instigation of the Privacy Act of 1974, and the Convention eventually founded the European Union's Data Protection Directive. Furthermore, the OECD Guidelines have had a significant impact as a foundation for national legislation,213 including Australia214 and Canada.215 All of these laws have organizational-oriented controls founded on the privacy principles or fair information practices developed in the previous decade.216

Bygrave217 has adduced eight core legal principles that reflect the fundamental aims of first generation information privacy laws.218 The primary principle is that personal information is to be "processed fairly and lawfully," and this concept manifests throughout the remaining principles.219 The lawful element is apparent: organizational personal information collection practices must be within existing law. The fairness criterion is more abstract in nature, particularly because general agreement about what is fair will change over the course of time.220 In general, the notion of fairness requires data collectors to take account of the interests and expectations of individuals who provide personal information to them.221 Personal data collection organizations are therefore obliged not to pressure individuals when they provide their personal information and to ensure that an individual consents to the provision.222

211. Id.
212. See Marc Rotenberg, Fair Information Practices and the Architecture of Privacy, STAN. TECH. L. REV 2 (2001)

Not only have Fair Information Practices played a significant role in framing privacy laws in the United States, these basic principles have also contributed to the development of privacy laws around the world and even to the development of important international guidelines for privacy protection. . . . Commentators have also noted a remarkable convergence of privacy policies. Countries around the world, with very distinct cultural backgrounds and systems of governance, nonetheless have adopted roughly similar approaches to privacy protection. Perhaps this is not so surprising. The original OECD Guidelines were drafted by representatives from North America, Europe, and Asia. The OECD Guidelines reflect a broad consensus about how to safeguard the control and use of personal information in a world where data can flow freely across national borders.

Id.
213. See BYGRAVE, supra note 199, at 32 (noting that the treaty has been ratified by twenty-seven member states).
214. PRIVACY ACT 1988 (Austrl.). See also Greg Tucker, Frontiers of Information Privacy in Australia, 3 JLIS (1992) (regarding a brief history of the Act's development and the relationship with the OECD Guidelines).
215. The PRIVACY ACT 1983 (Can.) was developed from the OECD Guidelines with reference to public sector privacy protection only. See Austin, supra note 77, at 123–4 (referring to the impact of the OECD Guidelines on the development of Canadian privacy law in general and the PIPED Act in particular).
216. See, e.g., COLIN J. BENNETT & CHARLES D. RAAB, THE GOVERNANCE OF PRIVACY: POLICY INSTRUMENTS IN GLOBAL PERSPECTIVE (2d ed. 2006) (addressing policies of private protection of private information); Viktor Mayer-Schonberger, Generational Development of Data Protection in Europe, in TECHNOLOGY AND PRIVACY: THE NEW LANDSCAPE 219, 221 (1997) (describing the European advances in data storage and protection).
217. The author provides examples of Bygrave's principles with reference to four key first generation information privacy laws: the PRIVACY ACT 1974, the EU DATA PROTECTION DIRECTIVE, the PRIVACY ACT 1988 (Austrl.) and the PRIVACY ACT 1983 (Can.).

The minimality principle directs data collecting organizations to ensure that the collection of personal information is "limited to what is necessary to achieve the purpose(s) for which the data are gathered and further processed."223 Under this principle, organizations are required to collect personal information only for a relevant purpose.224 Linked to minimality, the purpose specification principle dictates that personal information is only collected for specified, lawful or legitimate purposes and can only be used within these bounds.225 Bygrave states that the principle is essentially a cluster of three related sub-principles, namely that the data collection purpose is: (1) specified; (2) lawful and/or legitimate; and (3) that further personal data processing is compatible with the data collection purpose.226

218. See BYGRAVE, supra note 199, at 57 (referring to data protection rather than information privacy laws); Simon Davies, Re-engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity, in TECHNOLOGY AND PRIVACY: THE NEW LANDSCAPE 158 (1997) (regarding a critical distinction between data protection and information privacy); Paul M. Schwartz, Privacy and Participation: Personal Information and Public Sector Regulation in the United States, 80 IOWA L. R. 553, 560 (1995) (regarding a more positive view of data protection as the enhancement of participation in informational and political processes); Roger Clarke, Introduction to Dataveillance and Information Privacy, and Definitions of Terms, http://www.rogerclarke.com/DV/Intro.html (last visited Feb. 23, 2010).

Legislatures of countries on the Continent of Europe, and to some extent also in North America, passed laws addressing information privacy, primarily during the 1970s, though with some laggards deferring action until the 1980s or even 1990s. These laws mostly focus on 'DATA PROTECTION', i.e. they protect data about people, rather than people themselves. This is unfortunate because, although data protection is a more pragmatic concept than the abstract notion of privacy (and it's therefore easier to produce results), it's not what humans actually need.

Id. Clarke touches on the normative values of data protection laws as a protector of individual rights rather than the protection of personal data. In many ways, this type of protection is akin to that described by Zittrain in Privacy 2.0. Accordingly, for the purposes of this article, the author recognizes the distinctions that can arise from data protection and information privacy legal concepts but uses 'first generation information privacy laws' as a catch-all for both types of law.
219. BYGRAVE, supra note 199, at 58.
220. Id.
221. Id.
222. Id. at 59. For example, 5 U.S.C. § 552(a)(b)(1)–(4); Council Directive 95/46, art. 6(1) & 7(1), 1995 O.J. (L 281) (EC); Privacy Act, R.S.C., ch. P–21, S. 7 (2009) (Can.); Privacy Act, 1988, s. 14 (Austrl.) Information Privacy Principles 1 & 9.
223. BYGRAVE, supra note 199, at 59.
224. See, e.g., 5 U.S.C. § 552(a)(b)(2) (2006); Council Directive 95/46, art. 6(1)(b)–(c), 1995 O.J. (L 281) (EC); Privacy Act, R.S.C., ch. P 21, § 5(1) (2009) (Can.); Privacy Act, 1988, s. 14 at 54 (Austrl.).
225. BYGRAVE, supra note 199, at 61.

The information quality principle ensures that personal information is accurate, both in terms of its content and context, and with regard to the purpose of information collection and processing.227 The principle ensures that personal data is valid because it describes unambiguously what it pertains to and because it is relevant and complete with respect to the purposes of intended processing and use.228 Information quality requires the participation of individuals to ensure that information held is up to date. Accordingly, the individual participation and control principle is pivotal because it ensures that persons have a measure of influence over the processing of their personal information by organizations and individuals.229 However, most first generation information privacy laws do not refer to the principle directly.230 Instead, legislation implicitly acknowledges the principle in legal rules that govern the collection, storage, and use of personal information in accordance with individual knowledge and consent.231 Likewise, first generation laws rarely state the disclosure limitation principle directly, but it implicitly requires data collecting organizations to restrict the disclosure of personal information within the confines of how data is collected, and within the consent provided by individuals or by the authority of a given law.232 The two remaining principles, information security233 and sensitivity,234 protect the integrity of personal information through the provision of adequate methods of security, particularly regarding sensitive information, which may require more stringent controls.

226. Id. See, e.g., 5 U.S.C § 552(a)(b)(2); Council Directive 95/46, art. 6(1)(A), 1995 O.J. (L 281) (EC); Privacy Act R.S.C. ch. P-21, s. 4 (2009) (Can.); Privacy Act, 1988, s. 14 (Austl.) Information Privacy Principle 1.
227. Privacy Act, 1988, s. 14 (Austl.).
228. See, e.g., 5 U.S.C. § 552(a)(e)(1),(5)-(6); Council Directive 95/46, art. 6(1)(d), 1995 O.J. (L 281/40) (EC); Privacy Act, R.S.Q., ch. P 21, S. 4-5 (2009) (Can.); Privacy Act, 1988, s. 14 (Austl.), Information Privacy Principle 3.
229. See BYGRAVE, supra note 199, at 63.
230. Id. See, e.g., 5 U.S.C. § 552(a)(c)(1)-(4); Council Directive 95/46, art. 10, 12, 1995 O.J. (L 281/41-42) (EC); Privacy Act, R.S.Q., ch. P 21, s. 12(1)(A)-(B) (2009) (Can.); Privacy Act, 1988, s. 14 (Austl.), Information Privacy Principles 5–7.
231. See BYGRAVE, supra note 199, at 63. See, e.g., 5 U.S.C. § 552(a)(c)(1)-(4); Council Directive 95/46, art. 10, 12, 1995 O.J. (L 281/41-42) (EC); Privacy Act, R.S.Q., ch. P 21, s. 12(1)(A)&(B) (2009) (Can.); Privacy Act, 1988, s. 14 (Austl.), Information Privacy Principles 5–7.
232. See BYGRAVE, supra note 199, at 67. See, e.g., 5 U.S.C. § 552(a)(e)(9)-(10); Council Directive 95/46, art. 17, 1995 O.J. (L 281/43) (EC); Privacy Act, R.S.Q., ch. P 21, s. 6(3) (1985) (Can.); Privacy Act, 1988, s. 8(1)-(2) (Austl.), Information Privacy Principle 4.
233. See BYGRAVE, supra note 199, at 67. For example, the information security principle is not recognised as fully as the other principles.
234. See BYGRAVE, supra note 199, at 68; Marx, supra note 175, at 13 (demonstrating the rationale for greater control over personally sensitive information); Council Directive 95/46, art. 8(1), 1995 O.J. (L 281/40) (EC).

The historical development of first generation information privacy laws highlights that the collection, storage and use of personal information by data collecting organizations was the dominant concern of lawmakers, and that solutions to emergent problems lay in the construction of information privacy principles or fair information practices.235 Such regulation was possible because the social modes of personal information provision, processing and use were predictable, stable, and relatively static.236 Public and private sector organizations were the main collectors of personal information for clearly defined purposes.237 As such, the imposition of fairness upon the procedures of personal information collection and use was possible because those procedures were identifiable and therefore manageable. Information privacy regulation was able to find a balance, or a compromise, between the societal concerns of individuals that provided their personal information and the organizations that required personal information to fulfill their business or statutory purpose. However, Web 2.0 has distorted the balance because new information relationships require new forms of privacy regulation, as outlined in Zittrain's Privacy 2.0.238

B. Zittrain’s Criticism of First Generation Laws

Zittrain has two principal criticisms about the ineffectiveness of first generation information privacy laws in newly evolving Internet structures.239 The first regards the new information exchange relationships that emerge from Web 2.0, which are more complex than the traditional personal data collection pathways of the previous decades.240 The second contends that individual actions, as well as organizational actions, can now give rise to an equal number of privacy concerns.241 New technological developments and social structures mean that individuals now have the same capacity to infringe the privacy of other individuals as organizations once did.242

Zittrain argues the privacy problems that arise from Web 2.0 related technologies and cultures require new solutions because existing laws only provide remedies for older ideas of privacy predicated on the concept of information privacy. Such laws safeguard an individual's privacy by providing

235. DANIEL J. SOLOVE ET AL., supra note 185, at 578–79.

Fair Information Practices can be understood most simply as the rights and responsibilities that are associated with the transfer and use of personal information. Since the intent is to correct information asymmetries that result from the transfer of personal data from an individual to an organization, Fair Information Practices typically assign rights to individuals and responsibilities to organizations. Id.

236. See, e.g., Daniel J. Solove, Privacy and Power: Computer Databases and Metaphors for Information Privacy, 53 STAN. L. REV. 1393, 1400–413 (2001) (providing a historical overview of governmental and private sector personal information collection and legal impacts through notions of Big and Little Brother focused regulation). 237. See ALAN F. WESTIN & MICHAEL A. BAKER, DATABANKS IN A FREE SOCIETY: COMPUTERS, RECORD-KEEPING, AND PRIVACY 66–75 (1972) (regarding disclosures of personal information that may have been flexible but the pathways of personal information provision which were relatively static, as in the New York State Department of Motor Vehicles (DMV) case study). 238. Zittrain, Privacy 2.0, supra note 147, at 65. 239. Id. 240. Id. at 74. 241. Id. at 65. 242. See, e.g., Owad, supra note 101 (regarding the use of home computer equipment for relatively complex data mining purposes).


32 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010

protections relating to the collection, storage and use of personal information along well-established data provision pathways. These laws thus recognize that there is a degree of social sensitivity attached to the production of personal information and that organizational activities relating to personal information should be restricted to legally mandated, legitimate means.243

Legal remedies designed in the 1970s and 1980s may therefore provide ineffective and rigid solutions to personal information exchange problems in Web 2.0. The first generation of information privacy laws focused on the regulation of three stakeholder groups involved in personal information provision. The three groups in question are, of course, those individuals244 who provide personal information,245 personal data collecting organizations246 and finally, a further set of organizations that use personal information previously collected, by their own or by different organizations, that has been disclosed to them.247 Legal controls attempt to regulate the activities between individuals and organizations within two binary relationships: the first between the data provider and the data collector and the second between the data collection organization and the data re-user organizations. A chain of accountability links all three groups to ensure that personal information provided by individuals is collected and stored within certain legal boundaries.248 Moreover, personal information provided by individuals is stored with legally requisite standards to ensure the accuracy and the security of the information.249 Finally, future re-uses of provided personal information are circumscribed within specific confines, to ensure that the information collected can only be used for the purpose for which it was originally collected250 or under a specified exemption to that purpose.251

However, first generation legal controls may now be ineffective because

243. See Zittrain, Privacy 2.0, supra note 147, at 69 (discussing the tension between the utility of electronic consumer data gathering and privacy concerns). 244. For example, using the four laws highlighted above, in 5 U.S.C § 552(a)(2) “individual” means a citizen of the United States or an alien lawfully admitted for permanent residence; in Council Directive 95/46, art. 2(a), 1995 O.J. (L 281) (EC) “data subject” means an identified or identifiable natural person; in Privacy Act, R.S.C., ch. P-21 (2009) (Can.) “individual” is undefined; and in Privacy Act, 1988, s. 6 (Austl.) “individual” means a natural person. 245. The type of information or data covered by first generation laws varies. Compare, e.g., Privacy Act, 1988, s. 6(1) (Austl.) (referring to “personal information”) with Council Directive 95/46, art. 2(a), 1995 O.J. (L 281) (EC) (referring to “personal data”). 246. The definition of the organization can vary by country. See 5 U.S.C § 552a(a)(9), (11) (referring to “source” and “recipient agency”); Council Directive 95/46, art. 2(e)-(g), 1995 O.J. (L 281) (EC) (referring to “processor”, “third party” and “recipient”); Privacy Act, R.S.C., ch. P-21, s. 2 (2009) (Can.) (referring to “government institution”); Privacy Act, 1988, s. 3(a) (Austl.) (referring to “agency” or “organisation”). 247. This class of organization can vary by country. See 5 U.S.C § 552a(a)(e)(9)-(10) (referring to “recipient agency,” and “non-federal agency”); Council Directive 95/46, art. 17, 1995 O.J. (L 281) (EC) (referring to “member states,” “controller[s]” and “processor[s]”); Privacy Act, R.S.C., ch. P-21, s. 3 (2009) (Can.) (referring to “government institution”); Privacy Act, 1988, s. 6, s. 3(a) (Austl.) (referring to “agency” or “organisation”). 248. See, e.g., BYGRAVE, supra note 199 (regarding the minimality and purpose specification principles). 249. See id. (regarding the information quality, individual control and participation, information security and sensitivity principles). 250. See id. (regarding the individual control and participation principles). 251. See id. (regarding the disclosure limitation principles).


Web 2.0 enables multiple information contributions from a range of different and unconnected sources. As Zittrain states, “[t]he heart of the next generation privacy problem arises from the similar but uncoordinated actions of individuals that can be combined in new ways thanks to the generative Net.”252 First generation laws envisage selected pathways of personal information provision and distribution. The move from binary to multiple pathways of personal information provision and use has been brought about and created a situation in which “the Net puts private individuals in a position to do more to compromise privacy than the government and commercial institutions traditionally targeted for scrutiny and regulation.”253 As such, Web 2.0 now delivers many different pathways because individual Internet users are now the collectors, disseminators, and re-users of personal information.

One of the key points of concern arising from Zittrain's Privacy 2.0 therefore involves the governance of ever developing information pathways that enable the collection, storage, and use of personal information from individuals, by other individuals.254 The once clear cut boundaries have been blurred to the extent that Internet personal information users are no longer just organizations but are now inchoate collections of far flung individuals, who coalesce in different groups to use and share their own and other individuals' personal information.255 These collectives are themselves “databases [that] are becoming as powerful as the ones large institutions populate and centrally define”.256 Except the power to infringe personal privacy within these new data collectives is different from the fears of the 1970s and 1980s. The flows of personal information into and out of these collectives are multiple, diffuse, erratic and serve many different purposes of collection and subsequent re-use. Contrast that to the concerns of first generation laws in which monolithic organizations collected personal information for specific purposes, largely direct from the individuals themselves and whose subsequent re-use of personal information was mostly predictable.257

252. Zittrain, Privacy 2.0, supra note 147, at 65. 253. Id. 254. See id. at 81 (stating “[w]ith cheap sensors, processors, and networks, citizens can quickly distribute to anywhere in the world what they capture in their backyard. Therefore, any activity is subject to recording and broadcast”). 255. See id. at 100 (discussing the personal information on databases that are produced and continually changing on peer-produced social groups such as Facebook and MySpace). 256. Id. at 99. 257. Personal information disclosure has historically been more difficult to approximate than personal information collection because of the different uses that personal information can be put to. However, privacy concerns regarding the disclosure and the re-use of personal information can still fall into a relatively small number of categories, particularly surveillance, data matching and commercial purposes. See, e.g., Austin, supra note 77, at 143 (regarding the major concerns arising from public and private sector personal data collection); Chris Jay Hoofnagle, Big Brother's Little Helpers: How Choicepoint and Other Commercial Data Brokers Collect and Package Your Data for Law Enforcement, 29 N.C. J. INT'L L. & COM. REG. 595, 595–96 (2004) (showing how Choicepoint, a commercial database, makes available a wide array of information); Gary T. Marx, A Tack in the Shoe: Neutralizing and Resisting the New Surveillance, 59 J. SOC. ISSUES 370 (2003) (regarding general surveillance concerns); Paul Schwartz, Data Processing and Government Administration: The Failure of the American Legal Response to the Computer, 43 HASTINGS L.J. 1321, 1329–34 (1992)


Accordingly, the fundamental analytical template of first generation information privacy laws regarded the fact that “both the analysis and suggested solutions speak in terms of institutions gathering data, and of developing ways to pressure institutions to better respect their customers' and clients' privacy”.258 This basic template has shaped the development of privacy legislation during the last three decades but has not effectively made the transition from “a functional theory to a successful regulatory practice”.259 In fact, some commentators argue that business interests have skewed the balance sought from first generation laws.260 However, the very notion of what a business organization is has itself changed, and continues to change, in new online structures. With that comes changes in business technologies and techniques, as can be seen with the very foundation of first generation concerns, the database, which is now almost in “constant beta” to the extent that “how a database is defined, changes from one moment to the next, both in terms of content, structure and scope.”261

First generation fears focused on powers arising from the centralization of personal information and nefarious uses by powerful organizations without the knowledge, input or consent of individuals. The first generation information privacy laws were an attempt to manage disputes arising between individuals and organizations about a contested social asset, an individual's perceived right of control over their personal information against an organization's economic need to use that information. Contested issues were disputed within a scenario of clearly identifiable actors, accepted definitions of personal information and evident, yet limited legal rights and obligations. Privacy 2.0 concerns, on the other hand, manifest through peer-to-peer technologies that eliminate points of control regarding the transfer of personal information.262 Whilst the contested social asset is still personal information, the contests that are now developing in Web 2.0 are not about the fair or unfair processes of organizational personal information collection, but rather, they are about the socially acceptable re-uses of personal information by individuals in multiple, generative guises. Therefore, unlike their predecessors, Privacy 2.0 contested issues do not involve disputes between individuals and organizations in clear-cut, readily

(regarding the reasons for public sector personal information collection); Solove, supra note 236, at 1395 (regarding the scale of commercial re-use of personal information that causes current privacy problems and not just the commercial activity itself); Derek J. Somogy, Information Brokers and Privacy, 1 I/S: J. L. & POL'Y FOR INFO. SOC'Y 901, 904–06 (2006) (regarding the rise of data brokers whose scale of development may not have been fully appreciated in the 1970s). 258. Zittrain, Privacy 2.0, supra note 147, at 69. 259. See id. at 68 (citing pressures arising from law enforcement and commerce as significant reasons for these failures). 260. See, e.g., DAVIES, supra note 218; Marcy E. Peek, Information Privacy and Corporate Power: Towards a Re-Imagination of Information Privacy Law, 37 SETON HALL L. REV. 127 (2006); Solove, supra note 196; Chris Jay Hoofnagle, Privacy Self-Regulation: A Decade of Disappointment, in CONSUMER PROTECTION IN THE AGE OF THE ‘INFORMATION ECONOMY’ 379 (Jane K. Winn ed., 2006) [hereinafter Hoofnagle, Privacy Self-Regulation], available at http://epic.org/reports/decadedisappoint.pdf. 261. See Zittrain, Privacy 2.0, supra note 147, at 100 (discussing the dynamic nature of databases today and the unknown or secret depository of information users have on one another). 262. Id. at 81.


identifiable scenarios founded on stable and largely one dimensional information pathways. Instead, disputes arise within webs of diverse individual Internet users within which numerous problems arise in unimagined scenarios. The next part of the article examines the BNP geo-mashup situation to show the change from binary to multiple information relationships and the increasing involvement of individuals as potential infringers of individual privacy.

V. THE BNP GEO-MASHUP: FROM BINARY TO MULTIPLE PERSONAL INFORMATION RELATIONSHIPS

In the BNP geo-mashup, we see a situation that highlights the limits of first generation information privacy laws when faced with a privacy invasive geo-mashup. As suggested by Zittrain, the key reason is the informal personal information dissemination pathways that were developed post publication of the membership list which effectively eliminated any vestige of control that BNP members may have thought they had over their personal information. While some forms of first generation legal redress are still available to individual BNP members, via obligations imposed on the BNP as a data collector, there is little or no redress or remedy available against the geo-mashup creators or the geo-mashup technological facilitators, Wikileaks and Google Maps.

The original act of personal information provision took place when an individual joined the BNP. In doing so, he or she provided the party with their personal information, and that provision and collection of personal information was covered by the relevant privacy legislation, in this case the Data Protection Act of 1998.263 The minimality and purpose specification principles govern the act of personal information provision between the individual and the collecting organization, which thus creates an information exchange relationship between them. These principles ensure that the BNP collects and processes personal information in a fair and reasonable manner. Furthermore, the information quality, individual control, and participation principles oblige the BNP to ensure that any collected personal membership information is kept accurate by reference to the individual who has provided that information. In so doing, an individual BNP member is able to ascertain from the BNP what personal information the BNP holds so that he or she can check the accuracy of that information, at any given time. Moreover, the information security and sensitivity principles mandate the BNP to keep personal information supplied by its members in a secure environment.

In the BNP example, the BNP conclusively failed to secure the personal information of its members because a disgruntled employee was able to gain unauthorized access to the BNP membership list. Furthermore, once the disgruntled employee gained access to the list, he or she was then able to copy

263. Data Protection Act, 1998, c. 29 (U.K.), available at http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1.


it and to take it outside of the control of the BNP. At this point, first generation information privacy laws, founded on the core principles highlighted above, would continue to operate relatively effectively. The principles, and their concomitant laws, could not have stopped the willful unauthorized access by the disgruntled employee but the laws would provide some sort of recourse for those individuals who provided information to the BNP under a breach of the information security principle.264 The primary reason for the effectiveness of the laws is a clear and unambiguous binary relationship between the individual BNP member and the BNP, as a data collector.

However, the binary relationship between the data collector and the data re-user fails to manifest under first generation laws because of the unauthorized breach by the disgruntled employee. The disclosure limitation principle that is central to the relationship between the BNP and subsequent information re-users fails to materialize in the absence of a binary relationship. BNP members therefore have little or no recourse against the BNP or subsequent information re-users under first generation laws. Nevertheless, there were a number of information re-users in the BNP example because Wikileaks, various geo-mashup creators, and BitTorrent websites re-used the personal information of BNP members in a number of different ways.

Accordingly, there is an absence of one of the key links in the chain of accountability. The information re-users have no link with the data collection organization, the BNP, but more importantly, they have no link with the data provider, individual BNP members. Putting aside the misuse of personal information by the disgruntled BNP employee,265 the first re-use took place when Wikileaks published the BNP membership list on their website. The second re-use then saw various individuals copying the membership list and placing it on BitTorrent websites for the purpose of wider distribution. News of the story then broke on various blogs. The third re-use of the BNP membership list arose when media outlets and individuals aggregated the BNP

264. In fact, in some ways it could be argued that the Data Protection Act provided strong privacy protections given the arrest of the two individuals who were alleged to have been responsible for the unauthorized leak of the membership list. The arrests were presumably under offenses related to section 55(1) and (3) of the Act: “A person must not knowingly or recklessly, without the consent of the data controller— (a) obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data.” Section 55(3) states “A person who contravenes subsection (1) is guilty of an offence.” Id. § 55(1), (3). 265. It should be noted that the lack of a data breach notification law in the U.K. might also have exacerbated the problem, particularly in light of the reporting to law enforcement agencies suggested. See, e.g., Paul M. Schwartz & Edward J. Janger, Notification of Data Security Breaches, 105 MICH. L. REV. 913 passim (2007) (discussing current state and federal data breach notification laws). If law enforcement agencies had been notified at the onset of the problem then perhaps action could have been taken to restrict the use of names and addresses. This is a debatable point given the fact that the effectiveness of data breach legislation remains in question. See, e.g., Flora J. Garcia, Data Protection, Breach Notification, and the Interplay between State and Federal Law: The Experiments Need More Time, 17 FORDHAM INTELL. PROP. MEDIA & ENT. L.J. 693, 726 (2007) (suggesting that it would be premature to judge the effectiveness of data breach legislation at this time); Kathryn E. Picanso, Protecting Information Security Under a Uniform Data Breach Notification Law, 75 FORDHAM L. REV. 355, 390 (2006) (recommending that federal data breach notification legislation be supplemented with common law remedies to provide the most effective consumer protection).


membership list with Google Maps to create the geo-mashups highlighted above.

The original misuse of personal information by the disgruntled BNP employee infringed the privacy of BNP members through unauthorized access to their information and subsequent disclosure. However, it is the use of the BNP membership list, as a foundation stone for geo-mashups, which brings the situation to the fore and exacerbates the privacy infringements of BNP members, particularly in the case of the BNP Proximity Search geo-mashup.266 Yet there is little or no recourse against Wikileaks, the creator of the geo-mashup or the facilitator of the geo-mashup, Google, under first generation information privacy laws because of the absence of a binary relationship between the information collector and the information re-user, even though issues arise under the information quality principle. For example, it is unclear whether the BNP Proximity Search geo-mashup aggregated the BNP list by postcode or by house number and street address. The residential properties pinpointed on Google Maps could either be (a) the address of a BNP member or (b) an out of date address for a BNP member or (c) the address of an individual who has nothing to do with the BNP but has the misfortune of having his/her house automatically tagged with a certain postcode by Google Maps.267 All scenarios are feasible given the problems that arose from the BNP “Near Me” geo-mashup and the fact that the BNP admitted that the membership list was out of date.

The BNP Proximity Search raises specific privacy concerns regarding the use of sensitive and personal information, in the form of political party membership, names and addresses. The geo-mashup identifies members of the BNP by name and address. However, it is the aggregation and overlay on to Google Maps that causes greater concerns, particularly in combination with Google Street View, because the geo-mashup enables any person to identify the location of a BNP member at a particular house.268 Furthermore, specific issues relating to the use and development of geo-mashups arise because the generative re-publication of information itself can give rise to inaccuracies.

266. See TANASESCU ET AL., supra note 36, at 247 (regarding reasons for the popularity of geo-mashups that add another, easier to understand dimension to the written words of the Internet). 267. A car bombing attack provides a graphic example of the dangers arising from the provision of inaccurate information. The car attacked was owned by a neighbor of a BNP member and he had parked his car outside of his neighbor's house. According to the BBC, the BNP reported that none of its members lived on the street where the attack took place even though one of the houses in the street was on the BNP membership list. BBC NEWS, supra note 96. See also Paul Sims, Police Probe ‘Vigilante Firebomb’ Attack on Home of Man Named on BNP List, DAILY MAIL, Nov. 22, 2008, http://www.dailymail.co.uk/news/article-1088167/Police-probe-vigilante-firebomb-attack-home-man-named-BNP-list.html (reporting the person who was named on the BNP list and his confirmation that he left the Party the previous year). 268. Google Street View itself has been subject to some criticism. See Greece Puts Brakes on Street View, BBC NEWS, May 12, 2009, http://news.bbc.co.uk/2/hi/technology/8045517.stm (regarding the banning of Street View in Greece); Josh Blackman, Omniveillance, Google, Privacy in Public, and the Right to Your Digital Identity: A Tort for Recording and Disseminating an Individual's Image over the Internet, 49 SANTA CLARA L. REV. 313, 354–91 (2009) (regarding the development of a privacy related tort, “the right to your digital identity,” in public places to counteract problems emerging from Google Street View). But cf. All Clear for Google Street View, BBC NEWS, April 23, 2009, http://news.bbc.co.uk/2/hi/technology/8014178.stm (regarding a decision by the U.K. Information Commissioner to pass its use in the U.K.).


For example, as highlighted by the BNP “Near Me” geo-mashup, the simple use or misuse of a specific type of marker, such as a pointer or a hot spot, can give an inaccurate representation of an otherwise accurate piece of information. Additionally, any inaccuracies in the BNP membership list will automatically be replicated in any subsequent geo-mashup. As such, it is astonishing to think that, at the time of writing, the BNP Proximity Search is still online and is still identifiable through Internet search engines.269

Referring back to Zittrain's work, the BNP example shows the limits of information privacy laws based on first generation principles because of the difficulties faced in applying founding maxims to generative systems of distributed personal information.270 The definitional founding blocks of first generation regulation—personal information, records, databases, data subjects, collectors, and users—are becoming so diffuse that the core concepts of first generation laws are themselves changing from one moment to the next. To the extent that the concept of privacy regulation, like Web 2.0 technologies and structures, is now entering a period of constant beta, the developments of the online world are far outpacing the decades old laws that are currently being used to regulate it.271 This raises serious questions about whether privacy laws predicated on the concept of technological neutrality272 are able to keep pace with developments in Web 2.0, 3.0 and beyond.

VI. PRIVACY 2.0 SOLUTIONS FOR PRIVACY INVASIVE GEO-MASHUPS: EMBEDDED TECHNICAL & SOCIAL STANDARDS

If the intention of first generation laws is to regulate the relationship between individuals and powerful, monolithic organizations, how then should Privacy 2.0 attempt to govern disparate collectives of information collecting individuals and individuals themselves? Zittrain contends that the level of privacy responsive regulation has to be lower for individuals than for organizations; otherwise, the burden of compliance becomes so great that it

269. The author has not included details of websites where the membership list is still available for obvious reasons but these sites are accessible via Internet search engines. 270. See Zittrain, Privacy 2.0, supra note 147, at 100 (stating that generative systems of personal information distribution generate an ever-changing “database”). 271. James P. Nehf, Recognizing the Societal Value in Information Privacy, 78 WASH. L. REV. 1, 7 (2003) (referring generally to the societal issues involved with privacy regulation that require flexible and new approaches).

If we look at the way in which information is collected and used in today‘s society, we see that the problems presented are not typical consumer issues that we can expect individuals to police for themselves with the aid of prohibitory laws. The policy issues have much more in common with societal problems that we have historically regulated in a fundamentally different way. Policy makers should recognize this relationship in the formulation of privacy legislation and create a regulatory environment that provides meaningful protection of our collective privacy interests.

Id. 272. See, e.g., AUSTRALIAN PRIVACY LAW AND PRACTICE, supra note 171, at 422 (enshrining the idea of technological neutrality in Australian privacy law) (“In the ALRC's view, technology-neutral privacy principles provide the most effective way to ensure individual privacy protection in light of developing technology.”).


effectively restricts taken-for-granted Internet activities.273 Abundant over regulation of individuals from an overly complex privacy regime is dangerous because it has the capacity to frustrate the “generative developments” of individual users.274 This part explores this idea in further depth to suggest embedded technical and social standards as potential solutions to mitigate the negative consequences of privacy invasive geo-mashups. However, in concluding this part, the author suggests that while embedded solutions, developed through discourse and interaction, would go some measure toward alleviating concerns, such standards must still be enmeshed in a legal framework to ensure effective protections and remedies.

A. Technical Solutions

Zittrain uses Creative Commons licenses as a potential template for privacy-related code-backed norms.275 He argues that Creative Commons licensing has become popular on the Internet because the licenses provide a collective signal to share information within agreed social boundaries.276 Creative Commons277 is a worldwide social project, embodied as non-profit organizations in different countries,278 that operates to enhance the widespread use of creative output into “the commons – the body of work that is available to the public for free.”279 One of the key aims of the Creative Commons project is “to make copyright material more accessible and negotiable in the digital environment.”280 Creative Commons attempts to achieve this aim by making available to the public a license from which content users can attribute certain terms regarding the re-use of their material or information. For example, if a user's content is re-used by a third party then the third party may be required to attribute the original content creator, or a user can ensure that their content is not used for commercial purposes. As such, “the content owner reserves some rights of control but eschews the common commercial approach of all rights reserved.”281 Building on this approach, Zittrain contends that it is not the threat of legal sanctions that gives Creative Commons licenses weight, but rather, it is the capacity to touch into a “cultural mindshare” of web users.282

273. See Zittrain, Privacy 2.0, supra note 147, at 99 (discussing how such regulation would effectively amount to a ban on information collection by non-institutional collectives of individuals). 274. Id. 275. Id. at 109. 276. Id. 277. Creative Commons, http://creativecommons.org (last visited Sept. 30, 2009). 278. See Creative Commons, International, http://creativecommons.org/international (last visited Sept. 30, 2009) (displaying the mission of the organization and tools available for download); Creative Commons Australia, http://www.creativecommons.org.au (last visited Sept. 30, 2009). 279. Creative Commons, What is CC?, http://creativecommons.org/about/what-is-cc (last visited Sept. 30, 2009). 280. BRIAN FITZGERALD, OPEN CONTENT LICENSING: CULTIVATING THE CREATIVE COMMONS 3 (Sydney Univ. Press 2007). 281. Id. 282. Zittrain, Privacy 2.0, supra note 147, at 104–105.


40 JOURNAL OF LAW, TECHNOLOGY & POLICY [Vol. 2010

Creative Commons licenses reside in the realm of intellectual property and a number of journal articles have already examined the copyright issues that arise from mashups and Web 2.0.283 Whilst many of the same issues of information usage appear to be similar, the purpose and use of intellectual property and privacy regulation are so different that they do not offer grounds for clinical comparison.284 However, Zittrain considers the use of Creative Commons licenses in a broad sense, not as a way to enforce rights over the protection of personal information per se, but as a potential template that would enable individuals to express preferences about how search engines should use and index their personal information.285 Accordingly, in this context, Zittrain suggests the use of Creative Commons licenses as a readily available and popular template as a potential medium for individuals to specify their privacy preferences rather than an intellectual property based legal solution to enhance Privacy 2.0 solutions.286 The lack of a privacy preference tool for Internet users inhibits meta-data transfer that could enable a two way passing of information about the agreed uses of personal information.287 Zittrain argues that tagged meta-data would provide a way for individuals to signal whether they would like to remain associated with information they place on the web and to be consulted about any unusual future uses.288 Privacy tags would promote respect regarding the uses of personal information on the Internet by creating a means “that connects and sets informal standards for distant and disparate individuals about the use and re-use of personal information”.289 Such tags would generate “privacy spaces” and would thus become the touchstone privacy tool of Web 2.0 by creating points of connection and accountability for Internet users who produce, transform and consume personal information.290

283. See, e.g., Veasman, supra note 20; Lee, supra note 21; Branwen Buckley, Suetube: Web 2.0 and Copyright Infringement, 31 CVLAJLA 235 (2008); Greg Lastowka, User-Generated Content and Virtual Worlds, 10 VAND. J. ENT. & TECH. L. 893 (2007); Steven Hetcher, User-Generated Content and the Future of Copyright: Part One - Investiture of Ownership, 10 VAND. J. ENT. & TECH. L. 863 (2007); Steven Hetcher, User-Generated Content and the Future of Copyright: Part Two - Agreements Between Users and Mega-Sites Symposium Review, 24 SANTA CLARA COMPUTER & HIGH TECH. L.J. 829 (2007); Casey Fiesler, Everything I Need to Know I Learned from Fandom: How Existing Social Norms Can Help Shape the Next Generation of User-Generated Content Note, 10 VAND. J. ENT. & TECH. L. 729 (2007). 284. See, e.g., Jessica Litman, Information Privacy/Information Property, 52 STAN. L. REV. 1297 (2000) (highlighting deficiencies in the inter-changeability of copyright and information privacy concepts); Pamela Samuelson, Privacy as Intellectual Property?, 52 STAN. L. REV. 1147 (2000) (rejecting the concept of propertizing personal information); Ann Bartow, Our Data, Ourselves: Privacy, Propertization, and Gender, 34 USFLR 634 (2000) (contending the opposite view). 285. See Zittrain, Privacy 2.0, supra note 147, at 106. 286. Id. at 104–105. 287. Id. at 106. 288. Id. at 107. 289. Id. at 109. 290. Id. at 118.

No. 1] PRIVACY INVASIVE GEO-MASHUPS 41

Warner and Chun have also developed the notion of privacy spaces in mashups founded on government provided information.291 Their concept aims to ensure privacy protection through the interaction of different privacy policies that represent the interests of different parties involved in a mashup process.292 This combination of different privacy policies:

[A]llows a user, as a data owner, to describe their privacy preferences as Personal Privacy Policies (PPP), government agencies, as data providers, to specify Regulatory Privacy Policy (RPP), and mashup service provider to specify their privacy policy (MPP). . . . The proposed technology solution includes a PPP network where citizens can register their personal privacy preferences, and a Privacy Enforcement engine that interprets PPP, RPP and MPP before releasing individual’s data requested by third party applications such as mashups.293

The real time interaction of interrelated privacy policies builds boundaries between what individuals want to be kept private and information that can legitimately be used for public purposes. Warner and Chun recognize the privacy problems arising from mashups by the fact that individuals who provide personal information have virtually no control over who will be able to access their information once it is aggregated in a mashup.294 Their remedy to this problem is to place limits on the use of personally identifiable information in mashups by the extensive use of a range of privacy policies “that enforce a situation in which an individual has the right to control information about them”.295 As such, internal data flows that found geo-mashups should be controlled, to adhere to the privacy requirements expressed by individuals and government agencies.296

The notions of individual control over information and the use of privacy policies are hallmarks of first generation laws, and Warner and Chun’s work develops first generation concepts in interesting and novel ways. However, when faced with privacy invasive geo-mashups, such as the BNP geo-mashup, the bounds of protection are limited because their work focuses on personal information provided to and supplied by government organizations. A network of privacy preferences and policies may provide “multiple protection spaces [that allow] private data to be shared under certain protection spaces and not in others,”297 but information sharing is based on the idea of a limited number of stable and identifiable information pathways. For instance, the authors state that:

291. Janice Warner & Soon Ae Chun, A Citizen Privacy Protection Model for E-Government Mashup Services (2008), available at http://delivery.acm.org/10.1145/1370000/1367866/p188-warner.pdf?key1=1367866&key2=0455350721&coll=GUIDE&dl=GUIDE&CFID=83050524&CFTOKEN=90806981; Janice Warner & Soon Ae Chun, Privacy Protection in Government Mashups, 14 INFORMATION POLITY (2009) [hereinafter Warner & Chun, Government Mashups]. 292. Warner & Chun, Government Mashups, supra note 245, at 88. 293. Id. 294. Id. at 76. 295. Id. at 79. 296. Id. at 80. 297. Id. at 82.


The [Personal Privacy Policies] network will allow citizens to have more control over their own private data, through direct participation in protecting the private data. This participatory privacy protection also accommodates a high degree of individual differences in privacy, and may foster the level of trust in government agencies. It also simplifies the requirements on individuals. They can specify their preferences once for all known as well as unknown potential uses of their data.298

It may be possible for an individual to specify their preference for known uses of their personal information but how is an individual expected to specify their preference for an unknown use of their personal information? Take, for example, the BNP geo-mashup scenario. An individual BNP member may have been able to stress the limits on the use of their personal information by the BNP. They could state in their personal privacy policy that they do not want their information used in any subsequent geo-mashup created or authorized by the BNP. However, in this situation, personal privacy preferences would have become defunct once the disgruntled BNP employee accessed and used the membership list without authorization. A personal privacy policy could envisage a future use by the BNP within its own organizational standards, membership expectations, and policies, but not a geo-mashup generated by individual creators that have no connection to the BNP who therefore have different levels of understanding about the privacy requirements of rank-and-file BNP members. Even if individual privacy preferences had travelled with the data as meta-data tags, as Zittrain suggests, there is no suggestion in the BNP scenario that the ultimate geo-mashup creators would have respected those preferences, especially the creators of the BNP Proximity Search geo-mashup.

The author contends that even if a privacy preference network such as that highlighted by Warner and Chun299 had been in place with the BNP, it would have had little practical effect on the creation of geo-mashups. The reason, as Zittrain highlights, is that privacy protection is still based on the regulation of data collection organizations and on limited and identifiable information provision and use pathways.300 As highlighted above, the pathways involved in the BNP geo-mashup were numerous, more socially complex, and not identifiable until they were created.
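As an added illustration of the PPP/RPP/MPP scheme described above (this is not Warner and Chun's code; every policy field, purpose name and the sample record are constructed assumptions), a toy Privacy Enforcement engine mediates one release request against all three policies and shows where the scheme stops: at purposes the owner anticipated, and at requests that actually pass through the engine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PersonalPrivacyPolicy:
    """PPP: the citizen's own preferences (constructed fields)."""
    owner: str
    allowed_purposes: frozenset     # purposes the owner has opted into
    release_street_address: bool    # may the home address leave the agency?


@dataclass(frozen=True)
class RegulatoryPrivacyPolicy:
    """RPP: the data-providing agency's release rules (constructed fields)."""
    agency: str
    releasable_fields: frozenset    # fields the agency may release at all


@dataclass(frozen=True)
class MashupPrivacyPolicy:
    """MPP: the mashup service's declared purpose and needs (constructed fields)."""
    service: str
    purpose: str
    requested_fields: frozenset
    registered: bool = True         # False: no MPP on file for this requester


@dataclass(frozen=True)
class Decision:
    released: dict
    denied_fields: frozenset
    reason: str


def enforce(ppp, rpp, mpp, record):
    """Mediate one release request against all three policies (default deny).

    A field is released only when the agency may release it, the owner has
    opted into the declared purpose and, for the street address, the owner
    has explicitly allowed address-level release. A use nobody foresaw is
    simply absent from the PPP, so it is refused rather than approved.
    """
    requested = frozenset(record) & mpp.requested_fields
    if not mpp.registered:
        return Decision({}, requested, "requester has no MPP on file")
    if mpp.purpose not in ppp.allowed_purposes:
        return Decision({}, requested,
                        f"owner has not consented to purpose '{mpp.purpose}'")
    permitted = requested & rpp.releasable_fields
    if not ppp.release_street_address:
        permitted -= {"street_address"}
    released = {name: record[name] for name in sorted(permitted)}
    return Decision(released, requested - permitted, "released per PPP, RPP and MPP")


# Constructed sample: one citizen's record held by a hypothetical agency.
RECORD = {"name": "A. Citizen", "postcode": "AB1 2CD",
          "street_address": "1 Example Street"}
PPP = PersonalPrivacyPolicy("A. Citizen", frozenset({"flood_warning"}), False)
RPP = RegulatoryPrivacyPolicy("Example Agency",
                              frozenset({"postcode", "street_address"}))


def flood_map_request():
    """A registered service whose purpose the owner anticipated and allowed."""
    mpp = MashupPrivacyPolicy("flood-map", "flood_warning",
                              frozenset({"name", "postcode", "street_address"}))
    return enforce(PPP, RPP, mpp, RECORD)


def unforeseen_purpose_request():
    """A registered service whose purpose the owner never listed."""
    mpp = MashupPrivacyPolicy("member-locator", "affiliation_map",
                              frozenset({"postcode"}))
    return enforce(PPP, RPP, mpp, RECORD)


def unregistered_request():
    """A requester with no MPP on file at all."""
    mpp = MashupPrivacyPolicy("anon-mashup", "flood_warning",
                              frozenset({"postcode"}), registered=False)
    return enforce(PPP, RPP, mpp, RECORD)


# The gap the article identifies: enforce() only sees requests routed through
# the PPP network. A copy of RECORD taken outside that network never calls it,
# so none of the three policies constrains that copy.
if __name__ == "__main__":
    for req in (flood_map_request, unforeseen_purpose_request, unregistered_request):
        d = req()
        print(f"{req.__name__}: {d.reason}; released={d.released}")
```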

298. Id. at 84. 299. See id. at 88–89 (summarizing Warner and Chun’s privacy preference network proposal, and their hopes for its applications). 300. Zittrain, Privacy 2.0, supra note 147, at 68.

At this point, it is important to acknowledge that the privacy problem that emerged from the BNP geo-mashup is possibly an extreme example because it involved a socially sensitive situation. These sensitivities were exacerbated because the geo-mashup creators used a combination of sensitive and personal information that was aggregated by residential address. However, the issues raised by this example are equally applicable to less socially charged and sensitive situations due to the involvement of individual geo-mashup creators rather than organizations. The BNP geo-mashup situation brings Privacy 2.0 issues closer to the fore because of the disgruntled employee’s data breach, which effectively severed any possibility that individual BNP members could have a say in how their personal information was subsequently re-used. The same principles arise in other Web 2.0 personal information collection and use scenarios, such as the collection of personal information by individuals as human sensors, or the exchange of personal information in the inchoate data collectives highlighted above. The real issue of significance is the social, temporal, and cultural distance between the provision or collection of personal information by individuals and the re-use of that information in geo-mashup form. It is this distance that can give rise to unresponsive or uncaring re-uses of personal information that have the potential to infringe privacy without the prospect of any real accountability. Whether extensive use of privacy conscious meta-data tags can bridge this distance remains to be seen.

Where then do technical solutions for privacy invasive geo-mashups arise if not through the creation and instigation of more complex privacy policy networks and meta-data tags? One possible solution could reside with geo-browsers themselves. Geo-browsers could inhibit access to residential address aggregation, particularly when large numbers of residential addresses are involved. Large-scale aggregation would therefore only be possible at a zip code, town, or state level rather than at the individual residential address level. This would provide a level of anonymity in the form of broad rather than specific location which would restrict the situations from which an individual could be identified. Accordingly, it would simply not be technically possible for a geo-mashup creator to create maps based on the aggregation of multiple residential addresses. It would still be possible to create a geo-mashup based on an individual tag that relates to an individual residential address, but it would not be possible to aggregate and overlay hundreds or thousands of records over numerous residential addresses. A solution of this type will not prevent all privacy problems. However, the blocking of residential address aggregation would ensure that similar problems to those generated by the BNP geo-mashup are not repeated. Whilst the BNP membership list may still be available on the Internet via Bit Torrent websites, the elimination of mass aggregation using residential addresses at least reduces the scope for privacy invasive activities arising from the use of online mapping applications.301

A number of issues could arise from the suggested approach. Firstly, it would require geo-browsers to identify residential properties on their mapping systems. This, in itself, is likely to be a complex and potentially expensive exercise. Secondly, restricting aggregation access to residential addresses could stifle the legitimate innovations of non-privacy invasive geo-mashups like, for example, Housingmaps.com. A potential solution for the second issue may lie in a reverse approach to the publication of My Maps. Instead of a default setting that allows anyone to aggregate anything onto any map, aggregation access to numerous residential addresses would be restricted to those individuals or corporate entities who are willing to enter into a license agreement with geo-browsers that sets boundaries relating to the aggregation of information with residential addresses. The author acknowledges that such a licensing arrangement would still be open to potential abuses, but it would be at least a first step on a journey to provide effective privacy protections against privacy invasive geo-mashups. Moreover, a licensing arrangement may assist with the development of standards relating to good privacy practices in geo-mashups. However, it is clear that further research is required to investigate the feasibility of any long-term technical or legal solution.

301. The author acknowledges that it would be possible for an individual or an organization to undertake individual tagging of addresses in similar scenarios but at least that would take time to complete and the time taken would in itself provide some form of limited protection.
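As an added example of the geo-browser gate proposed in this part (not any geo-browser's code; the address cap, the residential-parcel flag, the licence flag and the sample records are constructed assumptions), an overlay request is reduced to per-district density once it exceeds a cap of distinct home addresses, unless the creator holds the licence described above.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed threshold: more than this many distinct home addresses in one
# overlay request counts as mass aggregation of residential addresses.
RESIDENTIAL_ADDRESS_CAP = 10


@dataclass(frozen=True)
class Point:
    label: str            # whatever the creator wants to show at the pin
    postcode: str         # UK-style, e.g. "AB1 2CD"
    street_address: str
    residential: bool     # assumed: the geo-browser can classify the parcel


def outward_code(postcode):
    """Coarsen a UK postcode to its outward part ("AB1 2CD" -> "AB1")."""
    return postcode.strip().upper().split()[0]


def gate_overlay(points, licensed=False):
    """Decide at what granularity an overlay request may be drawn.

    Up to the cap of distinct residential addresses (or any number of
    non-residential pins) is drawn at street-address level. Above the cap an
    unlicensed creator gets only a per-district count of the residential
    points; their address strings never reach the map layer. A creator who
    has accepted the geo-browser's licence keeps address-level access.
    """
    distinct_homes = {p.street_address for p in points if p.residential}
    if licensed or len(distinct_homes) <= RESIDENTIAL_ADDRESS_CAP:
        return {
            "granularity": "address",
            "pins": [(p.label, p.street_address) for p in points],
            "residential_density": Counter(),
        }
    return {
        "granularity": "postcode_district",
        "pins": [(p.label, p.street_address) for p in points if not p.residential],
        "residential_density": Counter(
            outward_code(p.postcode) for p in points if p.residential),
    }


def sample_points(n_homes):
    """Constructed sample: n_homes distinct homes over three districts plus one shop."""
    districts = ("AB1", "AB2", "AB3")
    pts = [Point(f"member-{i}", f"{districts[i % 3]} {i % 9}XX",
                 f"{i} Example Road", True) for i in range(n_homes)]
    pts.append(Point("corner-shop", "AB1 1ZZ", "99 High Street", False))
    return pts


if __name__ == "__main__":
    for homes, lic in ((5, False), (12, False), (12, True)):
        r = gate_overlay(sample_points(homes), licensed=lic)
        print(homes, "homes,", "licensed" if lic else "unlicensed",
              "->", r["granularity"], dict(r["residential_density"]))
```

As footnote 301 concedes, pins submitted one at a time still pass such a gate, so a per-request cap slows mass aggregation rather than preventing it.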

B. Social Standards

Technical solutions inherently come packaged with social standards that enable and foster good uses of technology. In Privacy 2.0, Zittrain states that the development of social tools, in the form of code-backed norms, is of equal importance as technical solutions to the effective regulation of privacy protections regarding the generative Web.302 He contends that “a simple, basic standard created by people of good faith can go a long way toward resolving or forestalling a problem containing strong ethical or legal dimensions.”303

Public and private sector organizations have developed corporate standards for the use of Web 2.0 technologies, particularly social networking sites. For example, the British Broadcasting Corporation (BBC) has devised a set of principles for their staff to follow when using Web 2.0 Internet applications in areas where conflicts can arise.304 The guidelines and their principles are designed to primarily protect the interests of the Corporation but they nonetheless attempt to raise awareness of privacy issues and to set standards for individual participation on the Internet. For instance:

Social networking sites provide a great way for people to maintain contact with friends. However, through the open nature of such sites, it is also possible for third parties to collate vast amounts of information. . . . . All BBC staff should be mindful of the information they disclose on social networking sites. Where they associate themselves with the Corporation (through providing work details or joining a BBC network) they should act in a manner which does not bring the BBC into disrepute.

302. See Zittrain, Privacy 2.0, supra note 147, at 118 (discussing the importance of code-backed norms to protect privacy). 303. Id. at 104. 304. British Broadcasting Corporation, Guidance Note: Personal Use of Social Networking and Other Third Party Websites (Including Blogging and Personal Web-Space), http://www.bbc.co.uk/guidelines/editorialguidelines/assets/advice/personalweb.pdf (last visited Nov. 22, 2009).


. . . . Under no circumstance should offensive comments be made about BBC colleagues on the Internet. This may amount to cyber-bullying and could be deemed a disciplinary offence. . . . . Personal blogs and websites should not be used to attack or abuse colleagues. Staff members should respect the privacy and the feelings of others. Remember also that if they break the law on a blog (for example by posting something defamatory), they will be personally responsible.305

IBM306 and the Australian Public Service Commission have released similar standards.307 At the privacy regulator level, both the UK’s Information Commissioner308 and the Australian Office of the Privacy Commissioner309 have released information about the safe use of personal information on social networking sites. A conglomeration of major media and software commercial copyright owners has also developed the Principles for User Generated Content (UGC) Services, which seek “to foster an online environment that promotes the promises and benefits of UGC Services and protects the rights of Copyright Owners.”310 The purpose of the UGC Principles is to eliminate user-generated material that infringes copyright while encouraging the uploading of legitimate content and the protection of legitimate interests of user privacy.311 However, none of these fledgling standard setters provides guidance on the creation and use of geo-mashups, either at a corporate or individual level.

305. Id. at 2–5. 306. IBM, IBM Social Computing Guidelines: Blogs, Wikis, Social Networks, Virtual Worlds and Social Media, http://www.ibm.com/blogs/zz/en/guidelines.html (last visited Nov. 22, 2009). 307. Australian Public Service Commission, Circular 2008/8: Interim Protocols for Online Media Participation, http://apsc.gov.au/circulars/circular088.htm (last visited May 19, 2009). 308. Information Commissioner’s Office, Using Social Networking Sites Safely (Nov. 23, 2007), http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/social_networking_v04_final.pdf. 309. Office of the Privacy Commissioner, Your Privacy Rights FAQ, http://www.privacy.gov.au/faq/individuals#social_networking (last visited Feb. 19, 2010). 310. UGC Principles, Principles for User Generated Content Services, http://www.ugcprinciples.com/ (last visited Feb. 19, 2010). 311. The UGC Principles have a limited consideration of privacy protection issues for individuals, and focus mainly on protecting the interests of copyright holders. For instance, Principle 10 states:

Consistent with applicable laws, including those directed to user privacy, UGC Services should retain for at least 60 days: (a) information related to user uploads of audio and video content to their services, including Internet Protocol addresses and time and date information for uploaded content; and (b) user-uploaded content that has been on their services but has been subsequently removed following a notice of infringement. UGC Services should provide that information and content to Copyright Owners as required by any valid process and consistent with applicable law.

Id.

The BNP geo-mashup example shows that there is already an awareness of privacy issues arising from the use of personal information amongst geo-mashup creators. For example, three of the four geo-mashups noted, namely the Times, the Guardian and the BNP Near Me geo-mashup, did not publish any BNP related personal information. Moreover, these geo-mashups aggregated their maps around postcodes rather than individual residential addresses. By doing so, they provided a degree of privacy protection by obscuring the identity of residential addresses that are linkable to BNP members. Concerns still arose, however, because of the particular nature of UK postcodes and their effect when aggregated with Google Maps. The BNP Near Me geo-mashup creator altered his original geo-mashup because its pinpoints gave a misleading impression that a BNP member resided at a specific address when in fact the representation of the BNP membership data was incorrect. The creator of the geo-mashup explained his reason for changing and ultimately removing the geo-mashup from the Internet.

I have decided to take down the map. Many people have commented that the map does give a false impression of accuracy, despite my making this clear, and I’m tempted to agree. I do not want to single anybody out and by removing the accuracy from the map it is possible that it ends up incorrectly implying a property contains a BNP member. It has been suggested that an inaccurate map that doesn’t make that clear is worse than publishing the list itself, and I think that’s a reasonable comment.312

There is a clear recognition of the negative consequences that could arise from the use of inaccurate personal information that could give a misleading impression. Owad also highlighted similar concerns in the Amazon wish list geo-mashup.313 However, the opposite occurred with the BNP Proximity Search geo-mashup, which provided the postcodes and names of BNP members, and then overlaid that information over specific residential addresses.314 The Proximity Search geo-mashup may or may not have been aggregated on an individual address or a postcode. However, it is possible to use the geo-mashup to identify a BNP member at a specific street, because (a) it is possible to reverse search a postcode to find a corresponding street address, which can be cross referenced with other sources to check where a particular person lives; or (b) that person does in fact reside at that address, which, again, can be confirmed with a relatively quick check of other data sources. As such, the author contends that the BNP Proximity Search has infringed expected social standards regarding the use of personal and non-personal information in geo-mashups as exemplified by the actions of the other BNP geo-mashup creators.

312. Butcher, Updated: BNP Member List, supra note 96. 313. As Owad noted in his article:

Thanks to Google Maps (and many similar services) a street address is all we need to get a satellite image of a person’s home. Tempted as I was to provide satellite images of the homes of the search subjects, it just seemed a bit extreme even for this article. Instead, I opted only to pinpoint the centers of the towns in which they live. So at least you’ll know that there’s somebody in your community reading Critical Thinking or some other dangerous text.

Owad, supra note 101. 314. Similar criticisms can also be raised relating to the Gawker staff, who seem acutely unaware of the privacy issues arising from Gawker Stalker. See Larry King Live: Paparazzi: Do They Go Too Far? (CNN television broadcast Apr. 6, 2007), transcript at http://transcripts.cnn.com/TRANSCRIPTS/0704/06/lkl.01.html, video excerpt at http://www.youtube.com/watch?v=2-avakrRUaU (documenting Jimmy Kimmel’s interview with Emily Gould, the then-editor of Gawker, on Larry King Live). One Gawker editor described the Gawker staff’s reactions to criticism of the site:

But Gawker editors were “totally taken aback by the big whole to-do” over the maps, says one of them, Jesse Oxfeld. “We thought we were using a cool new tool, adding a new element” that didn’t provide additional information. Stalker sightings, which have always come with a none-of-this-is-verified disclaimer, have typically included specifics; it’s just that now they’re presented in both visual and text form. The uproar was “hysterical,” Oxfeld says. “We had Access Hollywood saying we’re destroying celebrity lives.” And since the maps—and the PR mayhem—started, sightings have increased, he says.

Freydkin & Barker, supra note 153.

At this point Zittrain’s contentions regarding the establishment of code-backed norms as a means of privacy protection look a trifle weak. The BNP Proximity Search geo-mashup gives rise to serious privacy concerns and yet the geo-mashup is still available on the Internet. At what point does further action need to be taken either to remove the geo-mashup or to ensure that access is restricted? Either solution is potentially difficult to implement because the BNP membership list has been widely disseminated and neither solution guarantees that the same problem would not arise again. What code-backed norms can do, however, is to provide a spotlight for those geo-mashups that can give rise to privacy invasive tendencies, enabling earlier identification by individuals, organizations, or geo-browsers before more serious problems emerge from publication via the blogosphere or via the ubiquity of search engines.

The technical solution, highlighted above, would mitigate the threats of privacy invasive geo-mashups and would require geo-browsers to restrict aggregation and overlay of information on individual residential addresses. The author does not intend to single out geo-browsers as the new pseudo-regulators of privacy in geo-mashups, but it nonetheless needs to be acknowledged that these organizations are the gatekeepers for geo-mashup creation because they facilitate the geo-mashup process with their technologies. As such, it is no longer sufficient for geo-browsers to provide only one means of remedial relief for individuals against privacy invasive geo-mashups in the form of simple take down notices. Proactive standard setting is now required to augment reactive removal of privacy infringing material.

As a first step, this article suggests that the major geo-browsers work together with the geospatial community, privacy regulators, and reputed privacy organizations to develop a new set of privacy-oriented standards for the creation of geo-mashups, in order to increase awareness of the detrimental issues that can arise from privacy invasive geo-mashups. These privacy standards for geo-mashups could be the first step in a continuing evolution of social norm development that (a) sets standards for the collection and use of personal information in the creation of geo-mashups, and (b) allows a flexible framework in which individual concerns, geo-mashup creator innovations, and geo-browser requirements can be aired and discussed. Part of this ongoing societal discussion will also need to address interaction with existing and future legal frameworks.


C. Legal Frameworks

The essence of Zittrain’s work is the development of “bottom-up” initiatives315 to counteract the weaknesses of existing privacy laws that simply fail to cope with the complexities of online personal information exchange. However, embedded social and technical solutions, which have no recourse to legal frameworks, inherently rely on self-regulatory measures for enforcement and remedies. During the last decade, there has been voluble criticism regarding the self-regulation of privacy protections.316 The main criticism is that there is an overwhelming incentive for private sector data collecting organizations to breach, rather than preserve, privacy protections.317 As such, critics argue that standalone self-regulatory measures, with no recourse to underlying legal frameworks, do not provide effective privacy protections.318 After an extensive review of international privacy protection instruments, Bennett and Raab produced four sets of factors that indicate where a self-regulatory environment for privacy protections is likely to be adopted and is more likely to be effective.319 First, organizations that conduct operations at an international level are exposed to a greater level of international privacy standards, and a higher motivation exists to adopt self-regulatory practices to comply with those standards. Second, the introduction of new technologies, which have publicly perceived privacy implications, provides a motive for self-regulation that attempts to anticipate problems before they occur and thus assures consumers that their privacy is not at risk. Third, situations involving actual or potential negative publicity also provide an impetus. Finally, industry structure can have an impact on the introduction of self-regulatory measures, especially if there is a broadly representative trade association that can self-regulate the industry.

315. One of Zittrain’s articulations of this idea follows:

Enduring solutions to the new generation of privacy problems brought about by the generative internet will have as their touchstone tools of connection and accountability among the people who produce, transform, and consume personal information and expression: tools to bring about social systems to match the power of the technical one.

Zittrain, Privacy 2.0, supra note 147, at 118. 316. See, e.g., Roger Clarke, Privacy as a Means of Engendering Trust in Cyberspace Commerce, 24 U.N.S.W. L.J. 290, 295 (2001) [hereinafter Clarke, Cyberspace Commerce] (“Self-regulation is seen by the public for what it is: supervision of the sheep by the wolves, for the benefit of the wolves, and a means for business to establish a pretence of regulation in order to hold off actual regulation.”); Hoofnagle, Privacy Self-Regulation, supra note 260 (reviewing self-regulatory failures involving privacy in the United States); see also BENNETT & RAAB, supra note 216, at 171 (summarizing critics of self-regulation). 317. BENNETT & RAAB, supra note 216. 318. Clarke, Cyberspace Commerce, supra note 316, at 295–97. 319. BENNETT & RAAB, supra note 216, at 172–73.

A brief overview of Bennett and Raab’s work shows that the conditions for effective self-regulation heavily entail the notions of first generation information privacy laws that protect individuals from data collecting organizations—albeit protections governed by the organizations themselves. As highlighted above, many of the concerns that arise from privacy invasive geo-mashups are generated by individuals rather than organizations. At the same time, it is clear that informal social standards are in existence regarding the appropriate use of personal information in geo-mashups as evidenced by the different BNP geo-mashups and the awareness that pinpointing information to residential addresses can give rise to privacy concerns. So where does the balance lie, both in terms of Privacy 2.0 and the governance of protections relating to privacy invasive geo-mashups, between the instigation of “bottom-up” social and technical standards generated by Internet users and geo-browsers, and the “top-down” legal sanctions of first generation laws applied by privacy regulators and the courts?

Zittrain's analysis of first generation privacy laws is persuasive because it vividly highlights the limits of these laws against new technological and social initiatives arising from the Internet. Moreover, the recognition that legal, social, and technical developments are derived from the interaction of many different sources provides a healthy impetus to enhance discourse about appropriate uses of personal information in geo-mashups specifically, and in society in general. However, technical solutions and socially developed standards for privacy protection must be embedded in a legal framework in order to provide effective privacy protections. A technical solution or a socially developed standard should assist and inform the development of legal privacy protections but they should not be a substitute for those protections.

It is beyond the scope of this article to define an appropriate Privacy 2.0-based legal framework for geo-mashups, but it is apparent from Zittrain's analysis and the examples provided above that we have entered a time when the parameters of online personal information usage are getting manifestly broader while the scope of first generation information privacy laws is getting increasingly narrower. The death knell for first generation privacy laws may or may not be sounding—it is too early to say, and it is a matter of such importance that to suggest so, without recourse to extensive policy, legal, and social analysis, would be giving lip service to a complex concern and an essentially contested social issue. That said, a more appropriate balance needs to be sought between "bottom-up" activities and "top-down" directions that recognizes the value that each brings to the regulation of privacy and the legal protections afforded. The former can augment the latter, but it is the latter that sets the standards to be augmented by the former. This process of continual augmentation will be characterized by the balance or imbalance of interaction between all parties involved in the creation, publication, and direct or indirect regulation of Internet activities, including geo-mashups. In that regard, it is hoped that Zittrain's call for a wider social discourse about the regulation of privacy will be the most enduring aspect of his Privacy 2.0 analysis.

VII. CONCLUSION

This article has highlighted the privacy concerns that can arise from privacy invasive geo-mashups particularly in light of the limits of first generation information privacy laws as suggested by Zittrain. The Internet now provides manifold pathways for the provision and use of personal information, providing numerous Internet users with multiple opportunities to use personal information in many different ways. More importantly, in terms of information privacy regulation, these multiple users can be individuals as well as organizations. Potential Privacy 2.0 solutions for the prevention and mitigation of privacy problems reside in the development of embedded technical and social standards, and not solely through avenues of legal recourse founded on the concept of information privacy. These standards, by their nature, must be inclusive and flexible given the changes that are taking place in the everyday Web 2.0 environment. Moreover, whilst the article acknowledges the limits of first generation information privacy laws with regard to Web 2.0 environments, including geo-mashups, it is too early to say whether we are witnessing the death of first generation information privacy laws in general. First generation laws may still have a place regarding the regulation of interaction between individuals and organizations about the provision and re-use of personal information along more traditional lines involving stable information collection relationships and defined information pathways. Privacy 2.0 requirements suggest a move from laws based purely on information privacy to the establishment of laws, codes, and norms that reflect, and respect, the conceptual complexity and uncertainty of privacy, which is fitting for ever-changing online environments. This article has put forward legal, organizational, technical, and social solutions in the form of standard development that would help to alleviate some of the concerns arising from privacy invasive geo-mashups.
The author hopes that geo-browsers take up the call for the development of privacy standards for geo-mashups, which will assist with the complex balancing act of encouraging further geo-mashup innovations, whilst at the same time enshrining acceptable uses of personal information that will assist courts and privacy regulators to identify and respond to privacy infringements arising from privacy invasive geo-mashups.

CHAPTER 8 - CONTEXTUALIZING TENSIONS AND WEAKNESSES

Chapter Eight consists of:

♦ A pre-print copy of the article - Burdon, M, 'Contextualizing the Tensions and Weaknesses of Information Privacy and Data Breach Notification Laws' (2010) 27(1) Santa Clara Computer and High Technology Law Journal (forthcoming)

CONTEXTUALIZING THE TENSIONS AND WEAKNESSES OF INFORMATION PRIVACY AND DATA BREACH NOTIFICATION LAWS

Mark Burdon ∗

ABSTRACT

Data breach notification laws have detailed numerous failures relating to the protection of personal information that have blighted both corporate and governmental institutions. There are obvious parallels between data breach notification and information privacy law as they both involve the protection of personal information. However, a closer examination of both laws reveals conceptual differences that give rise to vertical tensions between each law and shared horizontal weaknesses within both laws. Tensions emanate from conflicting approaches to the implementation of information privacy law that result in different regimes and the implementation of different types of protections. Shared weaknesses arise from an overt focus on specified types of personal information which results in 'one size fits all' legal remedies. The author contends that a greater contextual approach which promotes the importance of social context is required and highlights the effect that contextualization could have on both laws.

I. INTRODUCTION

Data breach notification laws appear to have been a successful addition to legal frameworks relating to the protection of personal information. For example, as a result of these laws, numerous information security failings have been reported that have affected both corporate and governmental institutions.1 They have uncovered a major social problem that has the capacity to affect millions of citizens.2 They have highlighted that general levels of corporate information security practices are inadequate. It is not surprising that these apparent successes have been instrumental in the proliferation of data breach notification laws throughout the United States (US) and beyond. Only a handful of US state legislatures have not yet enacted a data breach notification law3 and it is possible that a federal law will be implemented this year.4 Other jurisdictions have also followed suit, including the European Union (EU)5 and comprehensive proposals have been put forward in a number of other jurisdictions including Australia,6 Canada,7 New Zealand8 and the United Kingdom (UK).9

∗ PhD Candidate/Research Associate, Faculty of Law/Information Security Institute, Queensland University of Technology. The author gratefully acknowledges funding from Australian Research Council Grant DP0879015 'A new legal framework for identifying and reporting Australian data breaches.'

1 See, e.g., Open Security Foundation, Periodic PDF Reports, http://datalossdb.org/reports (last visited Sept. 10, 2010) (detailing the numerous data breaches that have been notified since the inception of US state-based notification laws).

2 See, e.g., Privacy Rights Clearinghouse, Chronology of Data Breaches, http://www.privacyrights.org/data-breach#2 (last visited Sept. 10, 2010) (suggesting that hundreds of millions of US citizens may have been affected by a data breach).

3 Currently, only four states do not have a data breach notification law: Alabama, Kentucky, New Mexico and South Dakota. See National Conference of State Legislatures, State Security Breach Notification Laws, Apr. 12, 2010, http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx (last visited October 6, 2010).

4 The Data Accountability and Trust Act of 2009, H.R. 2221, 111th Cong. (2009) is the first bill to have passed a vote from one of the Houses of Congress. See David Navetta, House Passes Data Accountability and Trust Act (DATA), INFO LAW GROUP (Dec. 10, 2009), http://www.infolawgroup.com/2009/12/articles/data-privacy-law-or-regulation/house-passes-data-accountability-and-trust-act-data/. It should also be noted that the Personal Data Privacy and Security Act of 2009, S. 1490, 111th Cong. (2009) has also been referred from the Senate Judiciary Committee to a full vote on the Senate floor. See Jaikumar Vijayan, Federal Data-protection Law Inches Forward, COMPUTERWORLD.COM (Nov. 5, 2009), http://www.computerworld.com/s/article/9140408/Federal_data_protection_law_inches_forward.

5 See Directive of the European Parliament and of the Council amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Council Directive 2009/136, 2009 O.J. (L 337) 11 (EC); Council Directive 2002/58, 2002 O.J. (L 201) 37 (EC) concerning the processing of personal data and the protection of privacy in the electronic communications sector; and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (2009) [hereinafter e-Privacy Directive]. See also Mark Burdon, et al., The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments, 26 C.L.S.R 115, 120-123 (2010) (regarding an overview of the notification provisions of the new Directive) [hereinafter "Burdon et al., Mandatory Notification of Data Breaches"].

6 See AUSTRALIAN LAW REFORM COMMISSION, FOR YOUR INFORMATION: AUSTRALIAN PRIVACY LAW AND PRACTICE (2008) [hereinafter AUSTRALIAN PRIVACY LAW AND PRACTICE] (regarding the Australian Law Reform Commission's proposal for an Australian data breach notification scheme).

7 See Stikeman Elliot, Bill C-29 proposes to enhance current private-sector privacy legislation, Aug. 13, 2010, http://www.canadiantechnologyiplaw.com/2010/08/articles/privacy/bill-c29-proposes-to-enhance-current-privatesector-privacy-legislation/ (regarding a recent bill put before the Canadian House of Commons to implement a data breach notification scheme via the Personal Information Protection and Electronic Documents Act 2000 (Can)). See also Industry Canada, Government of Canada Moves to Enhance Safety and Security in the Online Marketplace (2010) http://www.marketwire.com/press-release/Government-of-Canada-Moves-to-Enhance-Safety-and-Security-in-the-Online-Marketplace-1265966.htm (regarding an overview of the proposed amendments); CANADIAN INTERNET POLICY AND PUBLIC INTEREST CLINIC, APPROACHES TO SECURITY BREACH NOTIFICATION: A WHITE PAPER, 36 (2007) (regarding a review of data breach notification in Canada).

At face value, there are apparent similarities between data breach notification laws and information privacy laws as they both involve legal obligations relating to the protection of personal information.10 Both laws seek to foster better security practices and have an information dissemination role that provides an individual with greater knowledge about how his or her information is stored and used. However, the development of data breach notification laws relates to a fundamental difference within information privacy legal regimes that is typically highlighted by distinctions between the sectoral approach to information privacy adopted by the US and the comprehensive approach to data protection adopted by the EU and other countries.11 These distinctions manifest in different ways and this article identifies vertical tensions between both laws and shared horizontal weaknesses within both laws.

Data breach notification laws were developed in the absence of a comprehensive data protection framework as a specific law for a particular problem,12 whereas they are now being implemented within the generic rights-based frameworks founded on comprehensive approaches to data protection or information privacy.13 Data breach notification laws consequently not only attempt to fulfill a specific purpose, the mitigation of identity theft, but also have expansive conceptual aims founded on the conflicting goals of consumer protection and corporate compliance cost minimization. Comprehensive information privacy legal frameworks, on the other hand, have an expansive purpose, namely, to ensure legal protections related to the protection of personal information. Information privacy laws set minimum standards that relate to fair information practices and provide individuals with a series of limited rights of involvement in the process of personal information exchange.14 The different developmental rationales behind encryption safe harbors for data breach notification demonstrate differences in the types of regulatory responses adopted by both laws. Data breach notification laws adopt market-based initiatives that are cognizant of corporate compliance cost burdens, whereas comprehensive information privacy laws adopt rights-based protections that favor individual interests over corporate requirements.15

Combined with vertical tensions, there are also shared horizontal weaknesses because both laws are predicated on overt information-based foundations.16 Both laws focus too much on the type of information regulated rather than the social contexts and relationships that are involved in the personal information generation and exchange processes. Regulatory responses are formed upon the creation of chains of accountability and "one size fits all" remedies. These chains are founded upon binary relationships involving three parties: a personal information provider, a personal information collector and a personal information re-user.17 Problems occur in the application of both laws because the social process of information exchange can now involve more parties than envisaged by one-dimensional and largely static chains of accountability. Data breaches themselves provide illumination on this point as they typically involve the insertion of a third party auxiliary to the accountability framework created by both laws, as demonstrated by an overview of three illustrative data breaches.

8 See LAW COMMISSION OF NEW ZEALAND, REVIEW OF THE PRIVACY ACT 1993: ISSUES PAPER 17 (2010) (regarding a recent review of the New Zealand Privacy Act and the possible introduction of a data breach notification scheme).

9 The United Kingdom has taken a different track to data breach notification compared to other countries. A formal data breach notification scheme has been rejected by the Information Commissioner as notification of problems to the Commissioner was deemed to be a matter of existing good practice. See The News, The UK Does Not Need a Data Breach Notification Law, says Government, OUT-LAW NEWS (Nov. 25, 2008), http://www.out-law.com/page-9619. However, the Commissioner has been granted extra powers to award penalties of £STG500,000 against organizations in breach of the Data Protection Act 1998 (UK), which includes data breaches. See Dan Raywood, Half a Million Pound Penalty Introduced for Personal Data Security Breaches by the Information Commissioner's Office, SC MAGAZINE, Jan. 13, 2010, http://www.scmagazineuk.com/half-a-million-pound-penalty-introduced-for-personal-data-security-breaches-by-the-information-commissioners-office/article/161159/ (providing an overview of the introduction of the fine).

10 See, e.g., Priscilla M. Regan, Federal Security Breach Notifications: Politics and Approaches, 24 BERKELEY TECH. L.J. 1103, 1106 (2009) (regarding data breach notification as a concern of sectoral information privacy law in the US).

11 It should be noted that the concepts of information privacy and data protection are used interchangeably in this article although the author acknowledges differences between them.

12 See Jill Joerling, Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data, 32 WASH. U. J.L. & POL'Y 467, 471 (2010) (explaining California enacted the country's first data breach notification law on July 1, 2003).

13 Id. at 473 (explaining that other states use similar frameworks but alter them). See generally, Burdon et al, supra note 5 (regarding the implementation of data breach notification in the comprehensive frameworks of the EU and Australia).

14 See Privacy Rights Clearinghouse, Why Privacy, http://www.privacyrights.org/why-privacy (last visited Sept. 10, 2010).

15 See, e.g., Sara A. Needles, The Data Game: Learning to Love the State-Based Approach to Data Breach Notification Law, 88 N.C. L. REV. 267, 280-281 (2009) (regarding the distinction between data protection and data security perspectives and different emphases at the heart of data breach notification laws).

16 See discussion at Part IV.C.

17 Mark Burdon, Privacy Invasive Geo-Mashups: Privacy 2.0 and the Limits of First Generation Information Privacy Laws, 2010 U. ILL. J.L. TECH. & POL'Y 101, 32 (2010) [hereinafter "First Generation Laws"].

Part II of this article provides a brief overview of the conceptual foundations and development of both information privacy and data breach notification law. Part III examines the conflicting vertical tensions and Part IV identifies the shared horizontal weaknesses of both laws. The purpose of this examination is to demonstrate underlying conceptual weaknesses of data breach notification and information privacy laws that are founded on an insufficient regard for the crucial role of social context and social relationships as the foundation of information exchange processes. Part V introduces notions of contextualization that promote legal attention towards social relationships rather than specific types of information, which in turn, suggest a different approach to the conceptualization and application of both laws.

II. CONCEPTUAL FOUNDATIONS & LEGISLATIVE DEVELOPMENT

Later sections of this article will examine the conflicting tensions and shared weaknesses of both laws but before that analysis can take place it is necessary to briefly overview the conceptual foundations and legislative development of information privacy and data breach notification laws.

A. INFORMATION PRIVACY LAW

The legal concept of information privacy is generally considered a sub-set of the many and multi-faceted theories of privacy that have been generated through the kaleidoscopic lens of different authors and different academic disciplines.18 Attempts to answer the question "what is privacy?" in a meaningful legal sense have generated a literature that is immense in its intellectual breadth, intense in its scholarly conviction and ingenious in its development of analytical frameworks. However, an answer to the question sought has not been forthcoming, thus leading to a degree of despair about whether such an answer can ever be found.19 Conversely, attempts to answer the question "what is information privacy?" are much more coherent from a conceptual sense, to the extent that information privacy laws have been implemented in many different legal jurisdictions.20

The concept of information privacy is generally associated with control theories of privacy that relate to an individual's choice regarding the disclosure of his or her personal information.21 One of the first and most influential representations of the control theory is Westin's "Privacy and Freedom."22 Westin did not use either the term "right" or "control" or even "information privacy" in his description of an individual's required claim for information privacy,23 but his work has nonetheless been perceived as information privacy that provides individual rights of control over personal information.24 In Privacy and Freedom, Westin determined four basic states of individual privacy: solitude, intimacy, anonymity and reserve.25 The last of these states, reserve, is of most interest regarding information privacy as it requires the:

"creation of a psychological barrier against unwanted intrusion; this occurs when the individual's need to limit communication about himself is protected by the willing discretion of those surrounding him."26

Barriers are necessary as the communication of the self is always incomplete. The requirements of societal involvement mean individuals are required to retain some information about themselves which is too personal for other persons or organizations to possess.27 This mental distance, the space generated by choosing not to declare everything about one's self, requires an individual to have the ability and control to withhold or to disclose personal information. The ability of choice over our own information is consequently the "dynamic aspect of privacy in daily interpersonal relations."28

Westin also adduced four specific functions of privacy that reflect the value or purpose of privacy within society.29 They are: personal autonomy, emotional release, self-evaluation and limited and protected communication.30 Again, the last function is of relevance and it has two facets. The first, limited communication, sets interpersonal boundaries for the exchange of personal information. The second, protected communication, "provides for sharing personal information with trusted others."31 It is the state of reserve in conjunction with limited and protected communication that is inherent in Westin's definition of information privacy:

"Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others."32

Information privacy law is consequently based on the notion that individuals have rights relating to control over their personal information,33 or at least, have rights pertaining to who can access their personal information,34 or a combination of both.35 However, the "privacy as control paradigm"36 is not without its critics. Schwartz highlights that while the control model has benefits because it seeks "to place the individual at the centre of decision-making about personal information use,"37 it nonetheless suffers from several major flaws because it pays little consideration to information asymmetries38 and it is founded on the idea that personal information can mistakenly be construed as property.39 Regan also states that Westin's work is too individualistic which leads to the conclusion that Westin regarded "privacy as

18 See Philip Leith, The Socio-Legal Context of Privacy, 2 INT'L. J.L. CONTEXT 105, 108 (2006) (regarding the socio-legal implications of privacy and the limits of information privacy); Herman T. Tavani, Philosophical Theories of Privacy: Implications for an Adequate Online Privacy Policy, 38 METAPHILOSOPHY 1, 2, 3-9 (2007) (reviewing the basis of different theories of privacy).

19 See generally DANIEL J. SOLOVE, UNDERSTANDING PRIVACY 1-2 (Harvard University Press 2008) (providing an overview of commentaries). See also William M. Beaney, The Right to Privacy and American Law, 31 LAW & CONTEMP. PROBS. 253, 255 (1966) (doubting whether it is possible to define a "right to privacy"); Robert C. Post, Three Concepts of Privacy, 89 GEO. L.J. 2087, 2087 (2001) (commenting that the notion of privacy is so complex that it cannot be usefully conceptualized because it is so entangled with competing and contradictory dimensions); Judith Jarvis Thomson, The Right to Privacy, 4 PHILOS. & PUB. AFF. 295, 310 (1975) (contending that ideas about the right of privacy are so overlapped by other rights that it is indeterminable).

20 COLIN J. BENNETT & CHARLES D. RAAB, THE GOVERNANCE OF PRIVACY: POLICY INSTRUMENTS IN GLOBAL PERSPECTIVE 8 (MIT Press, 2nd and updated ed. 2006) [hereinafter "GOVERNANCE OF PRIVACY"] (regarding the policy goals of different jurisdictions "to give individuals greater control of the information that is collected, stored, processed, and disseminated about them" by organizations).

21 See COLIN J. BENNETT, REGULATING PRIVACY: DATA PROTECTION AND PUBLIC POLICY IN EUROPE AND THE UNITED STATES 14 (1992) (regarding the analogous links between "data protection" and Westin's information privacy); Tavani, supra note 18, at 7 (regarding an overview of key authors and theoretical applications); see, e.g., Lisa Austin, Privacy and the Question of Technology, 22 L. & PHIL. 119, 125 (2003) (stating that individual control of personal information has been a key tenet of information privacy laws and has been a significant driver of conceptual development).

22 ALAN F. WESTIN, PRIVACY AND FREEDOM (photo. reprint 1970) (Atheneum 1967).

23 But see id. at 42 (regarding Westin's "right of individual privacy" which is defined as "the right of the individual to decide for himself, with only extraordinary exceptions in the interests of society, when and on what terms his acts should be revealed to the general public").

24 See, e.g., JAMES B. RULE, PRIVACY IN PERIL 22-23 (2007) (regarding the influence of Westin's work and the need to regulate organizational data systems in the late 1960's and early 1970's); RAYMOND WACKS, PERSONAL INFORMATION: PRIVACY AND THE LAW 14 (1993) (noting the influence of Privacy and Freedom in relation to privacy as control definitions of privacy); JAMES WALDO ET AL., NAT'L RESEARCH COUNCIL OF THE NAT'L ACADS., ENGAGING PRIVACY AND INFORMATION TECHNOLOGY IN A DIGITAL AGE 59-60 (2007) (highlighting Westin's role in the development of the concept of information privacy).

25 WESTIN, supra note 22, at 31-32.

26 Id. at 32.

27 Id.

28 Id.

29 WESTIN, supra note 22, at 32.

30 Id.

31 See Stephen T. Margulis, On the Status and Contribution of Westin's and Altman's Theories of Privacy, 59 J. SOC. ISSUES 411, 413 (2003).

32 WESTIN, supra note 22, at 7.

33 See, e.g., Charles Fried, Privacy, 77 YALE L.J. 475, 482 (1968) (stating that privacy regards "the control we have over information about ourselves"); Arthur R. Miller, Personal Privacy in the Computer Age: The Challenge of a New Technology in an Information-Oriented Society, 67 MICH. L. REV. 1091, 1107 (1968) ("the basic attribute of an effective right to privacy is the individual's ability to control the flow of information concerning or describing him"); Randall P. Bezanson, The Right to Privacy Revisited: Privacy, News and Social Change, 1890-1990, 80 CAL. L. REV. 1133, 1135 (1992) (advancing a "concept of privacy based on the individual's control of information"); Jerry Kang, Information Privacy in Cyberspace Transactions, 50 STAN. L. REV. 1193, 1203 (1998) (referring to an individual's control over the processing of personal information); PRISCILLA M. REGAN, LEGISLATING PRIVACY: TECHNOLOGY, SOCIAL VALUES, AND PUBLIC POLICY 9 (University of North Carolina Press 1995) [hereinafter "LEGISLATING PRIVACY"] (commenting that privacy, in regard to US governmental collection of personal data, was defined as the "right of individuals to exercise some control over the use of information about themselves").

34 See, e.g., Ruth Gavison, Privacy and the Limits of Law, 89 YALE L.J. 421, 423 (1980) (contending that privacy is a concern of accessibility that includes physical access by and the attention of other individuals); RULE, supra note 24, at 3 ("Let me define privacy as the exercise of an authentic option to withhold information on one's self."); Daniel J. Solove, Conceptualizing Privacy, 90 CAL. L. REV. 1087, 1110 (2002) (stating that information privacy as the right to "control-over-information can be viewed as a subset of the limited access conception"); David Archard, The Value of Privacy, in PRIVACY AND THE CRIMINAL LAW 16 (Erik Claes, et al. eds., 2006) (stating that the concept of limited access to a specified personal domain is the most plausible notion of privacy).

35 See, e.g., James H. Moor, Towards a Theory of Privacy in the Information Age, 27 COMP. & SOC. 27, 31 (outlining the restricted access/limited control approach to privacy).

36 Paul M. Schwartz, Internet Privacy and the State, 32 CONN. L. REV. 815, 820 (2000).

37 Id. at 820.

38 Id. at 830 (regarding privacy as control as the "commodification illusion").

39 The notion of personal information as property has been a controversial aspect of the information privacy law literature. See, e.g., WESTIN, supra note 22, at 324-25 (introducing the notion that personal information can be classed as property). See also Lawrence Lessig, Privacy as Property, 69 SOC. RES. 261 (2002) (comparing privacy protection to intellectual property protection and the propertization of privacy "to allow individuals to differently value their privacy"); Richard S. Murphy, Property Rights in Personal Information: An Economic Defense of Privacy, 84 GEO. L.J. 2381, 2383 (1996) (outlining an economic theory of personal information as property). Contra Julie E. Cohen, Examined Lives: Informational Privacy and the Subject as Object, 52 STAN. L. REV. 1373, 1390 (2000) ("Juxtaposing the data privacy debate with the politics of intellectual property thus exposes an ideological fault line within the transaction costs approach to designating property interests"); Corien Prins, Property and Privacy: European Perspectives and the Commodification of Our Identity, in THE FUTURE OF THE PUBLIC DOMAIN 249 (Lucie M. C. R. Guibault & P. B. Hugenholtz eds., 2006) (regarding the difficulties in assigning value to personal information); Sonia Katyal, Privacy vs. Piracy, 7 YALE J.L. & TECH. 222, 242 (2004) (stating a weakness of the propertization of

fundamentally at odds with social interests,”40 when that is clearly not the case.41

Moreover, criticism is leveled at privacy as control from the seemingly tautological

perspective that privacy as control is either too broad or too narrow.42

The conceptual reach of privacy as control has also been subject to criticism

particularly regarding issues of individual consent. Allen contends there is a

fundamental disconnect between what can be considered as having control over

personal information and the requirements of a sufficient state of privacy because

the former is not necessarily a constituent element of the latter.

43 Instead, privacy as

control directs attention to issues of consent and choice about uses of personal

information that connote an element of inaccessibility separate from privacy

considerations.44 Finally, the control aspect of information privacy has also been

subject to criticism.45 Simitis contends that privacy considerations no longer arise

out of individual problems but they instead express conflicts that affect everyone.

Information privacy is thus not simply a problem of individual control over

information.46

privacy concept is that it is grounded in notions of real property which do not extend to cyberspace).

40 REGAN, LEGISLATING PIVACY, supra note 33, at 28. See also BENNETT & RAAB, Governance of Privacy, supra note 20, at 50 (contending that Westin undertook a functional view regarding his investigation of privacy for an individual); Margulis, supra note 31, at 413 (stating that Westin’s work takes an individualistic perspective about the societal role of information privacy).

41 REGAN, LEGISLATING PIVACY, supra note 33, at 220 (“I argue that privacy’s importance does not stop with the individual and that recognition of the social importance of privacy will clear a path for more serious policy discourse about privacy and for the formulation of more effective public policy to protect privacy”).

42 See Solove, Conceptualizing Privacy, supra note 34, at 1115 (contending that privacy as control is too vague due to the failure to define the types of information that individuals should control whilst other theories overcompensate and becoming too limiting).

43 See Anita L Allen, Privacy as Data Control: Conceptual, Practical, and Moral Limits of the Paradigm, 32 CONN. L. REV. 861, 867-68 (2000) (regarding the differences between physical and informational privacy).

44 Id. at 869 (stating that informational privacy involves information in a state of inaccessibility).

45 See Austin, supra note 21, at 125-26. 46 Spiros Simitis, Reviewing Privacy in an Information Society, 135 U. Pa. L. Rev. 707, 709

(1987).

Despite these trenchant criticisms, the concept of privacy as control was the basis for information privacy legislation47 and for the development of what we recognize as "data protection,"48 "information privacy"49 or even "privacy"50 laws. Three legal instruments, developed in the 1970s and 1980s, have been integral to the development of information privacy law as we know it today.51 In Europe, the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data52 was a cornerstone for the European Union's subsequent Data Protection Directive.53 In the US, an influential report produced by the US Department of Health, Education, and Welfare54 led to the implementation of the Privacy Act of 1974 and the Code of Fair Information Practice for Federal Government Agencies.55 Finally, the Organization for Economic Cooperation and Development (OECD) developed guidelines56 for member countries relating to the transfer of personal information between member states, which have been a significant driver in the formulation of member states' national legislation.57

47 BENNETT & RAAB, GOVERNANCE OF PRIVACY, supra note 20, at 8 (commenting that the policy problem of "privacy" settled on the concept of information privacy).

48 See, e.g., Council Directive 95/46/EC, 1995 O.J. (L 281) 31 (EU) [hereinafter Council Directive 95/46]; Data Protection Act, 1998, c. 29 (UK).

49 See, e.g., Information Privacy Act 2000 (Vict. Acts); Information Privacy Act 2009 (Queensl. Stat.).

50 See, e.g., Privacy Act 1988 (Austl.); 5 U.S.C. § 552a (1974).

51 RULE, supra note 24, at 25, 29 (regarding the effect of the three instruments on the overall development of information privacy law); BENNETT, supra note 21, at 95-101 (regarding the development of fair information principles through different international legal instruments).

52 Eur. Consult. Ass., Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981), available at http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm.

53 Council Directive 95/46.

54 U.S. DEP'T OF HEALTH, EDUC., & WELFARE, RECORDS, COMPUTERS, AND THE RIGHTS OF CITIZENS: REPORT OF THE SECRETARY'S ADVISORY COMMITTEE ON AUTOMATED PERSONAL DATA SYSTEMS (1973), available at http://aspe.hhs.gov/DATACNCL/1973privacy/tocprefacemembers.htm [hereinafter HEW REPORT].

55 See DANIEL J. SOLOVE ET AL., INFORMATION PRIVACY LAW (Aspen Publishers 2d ed. 2006) (citing HEW REPORT at 23-30, 41-42).

56 Org. for Econ. Co-operation and Dev. [OECD], Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/document/18/0,2340,es_2649_34255_1815186_1_1_1_1,00.html.

57 See Michael Kirby, Twenty-five Years of Evolving Information Privacy Law--Where Have We Come From and Where Are We Going?, 21 PROMETHEUS 467 (2003) (regarding implementation of the Guidelines in Australia and New Zealand); LEE A. BYGRAVE, DATA PROTECTION LAW: APPROACHING ITS RATIONALE, LOGIC AND LIMITS 32 (Kluwer Law International 2002) (noting that the treaty has been ratified by twenty-seven member states).

The originating legal instruments and subsequent laws have many common features.58 They are grounded in a principle of fairness and adopt organization-oriented controls relating to the processing of personal information.59 A series of "fair information practices"60 or "information privacy principles"61 has thus been developed to regulate the process of personal information exchange, stipulating minimum standards for the collection, storage and use of personal information by data-collecting organizations.62 However, while the genesis of information privacy laws can be traced back to these three roots, which is why subsequent laws share similar features, a fundamental divergence has occurred between the sectoral approach adopted by the US and the comprehensive approach adopted by the EU and the non-EU states of the OECD, as outlined in Part III.A.

B. DATA BREACH NOTIFICATION LAW

Although forms of mandatory data breach notification existed prior to the development of US state-based laws,63 the inception of these laws is normally associated with US state legislatures, particularly the California data breach notification law, which came into force in 2003.64 That law requires any California business that has suffered a data breach, or believes that it has suffered a data breach, entailing an unauthorized acquisition of unencrypted, computerized personal information to notify affected California residents about the incident.65 Individuals are to be notified in the most expedient time possible and without unreasonable delay.66 Notification can take different forms, including a letter, electronic notice or substitute notice,67 which entails "conspicuous posting"68 of the notice on the organization's website and notification to major statewide media. However, some data breaches are exempt from notification. These include "good faith acquisitions"69 of personal information by an employee or agent of the breached entity70 and breaches involving encrypted personal information.71 The type of personal information covered also acts as a limiting factor: unlike information privacy laws, data breach notification laws specify narrowly what information is regulated.72

The purpose of the California law, and of most subsequent data breach notification laws, is directly linked to the mitigation of identity theft.73 The law was introduced to the California legislature as Senate Bill 1386 (hereafter "SB1386"), but at its point of introduction SB1386 bore no resemblance to the data breach notification law that it would eventually become.74 A radical re-write was undertaken following a computer hacking incident at a data processing warehouse maintained by the California State Government.75 An unidentified intruder gained access to the Government's information systems and retrieved the personal information of approximately 265,000 California public servants.76 An informational hearing into the incident was held, at which it became apparent that the state government had delayed notifying its employees.77 Evidence presented at the hearing linked several attempted identity thefts to the data breach.78 As a consequence of the breach, SB1386 was radically re-drafted and redesigned to provide immediate notification for the purpose of identity theft mitigation.79 Although data breach notification laws are designed to mitigate identity theft, subsequent research critically questions whether the link between data breaches and identity theft is as strong as initially indicated.80

The California law dramatically affected the uptake of data breach notification laws in other state legislatures.81 A majority of state-based laws are largely based on the California model,82 but some state laws have adopted different notification triggers.83 Acquisition-based triggers, such as California's, set a relatively low threshold:84 the obligation to notify arises when an organization has suffered, or reasonably believes it has suffered, a breach.85 Risk-based triggers, on the other hand, raise the threshold in order to minimize unnecessary notification.86 These triggers employ a range of standards, including a reasonable likelihood of harm or material harm,87 a reasonable likelihood of substantial economic loss,88 a significant or material risk of identity theft or other fraud,89 and whether a data breach has caused or is reasonably likely to cause loss or injury.90

While laws have been enacted at the state level, the situation at the federal level in the US has some parallels to state-based law. First, there was an explosion of interest in data breach notification law that led to a proliferation of legislative proposals in 2005, which has continued to the present.91 None of these bills has yet been enacted, although this may be about to change.92 The purposes of the bills varied. Some sought to develop a national, federal data breach notification law to supplant state-based laws.93 Others responded to specific data breach incidents,94 and further bills covered particular sectors, such as the data brokerage industry95 or federal government agencies.96 Second, the proposed federal bills share the underlying rationale of state-based laws: that the primary function of data breach notification is to give individuals an opportunity to mitigate potential adverse outcomes, thus assisting in the prevention of identity theft-related crimes.97

Accordingly, data breach notification laws attempt to fulfill two differing conceptual aims. First, the law primarily seeks to recognize formally that an individual has a "right to know" about the unauthorized misuse of his or her personal information, so that notice of the incident enables mitigation of subsequent identity theft.98 Smedinghoff contends that the reporting of personal information data breaches is akin to the common law duty to warn of dangers.99 The duty requires a party who has superior knowledge of a potential danger of injury or damage that a specific hazard could inflict upon another person to warn persons who lack such knowledge.100 Data breach notification law was thus intended to provide ex post protection for individuals, and mandatory notification was deemed the regulatory tool to complete that task.101

Second, the auxiliary aim of the law is to encourage organizations to adopt better security practices.102 Encryption safe harbors are a case in point, as they seek to encourage the wider adoption of encryption technologies for the storage and use of personal information.103 However, notification also acts as a regulatory threat through the tool of reputational sanction, as breached organizations have to confess the incident to their customers.104 Both encouragement and threat elements are designed to ensure that sound information management procedures and practices

58 See BYGRAVE, supra note 57, at 32; REBECCA A. GRANT & COLIN J. BENNETT, VISIONS OF PRIVACY: POLICY CHOICES FOR THE DIGITAL AGE 6 (University of Toronto Press 1999).

59 See, e.g., RULE, supra note 24, at 27 ("the workings of personal data systems [are] open, accountable, and subject to known rules of due process"). See also Viktor Mayer-Schonberger, Generational Development of Data Protection in Europe, in TECHNOLOGY AND PRIVACY: THE NEW LANDSCAPE 221 (Philip Agre & Marc Rotenberg eds., 1997) (describing the European advances in data storage and protection).

60 See, e.g., Robert Gellman, Does Privacy Law Work?, in TECHNOLOGY AND PRIVACY: THE NEW LANDSCAPE 195-202 (Philip Agre & Marc Rotenberg eds., 1997) (regarding the development of fair information practices arising out of the HEW Report and their subsequent implementation through the Privacy Act of 1974).

61 See, e.g., Graham Greenleaf et al., Strengthening Uniform Privacy Principles: An Analysis of the ALRC's Proposed Principles, available at http://www.bakercyberlawcentre.org/ipp/publications/papers/ALRC_DP72_UPPs_final.pdf (regarding the application of Australia's privacy principles).

62 See, e.g., BENNETT & RAAB, supra note 20, at 12 (outlining the impact of fair information practices on the jurisdictional development of information privacy law).

63 See, e.g., Ethan Preston & Paul Turner, The Global Rise of a Duty to Disclose Information Security Breaches, 22 J. MARSHALL J. COMPUTER & INFO. L. 457, 465 (2004) (regarding security breach notification under the EU's e-Privacy Directive, which came into force in 2002).

64 CAL. CIV. CODE § 1798.29 (West 2003).

65 Id.

66 However, law enforcement agencies can request a delay if notification would impede a criminal investigation. See CAL. CIV. CODE § 1798.29 (West 2003). Time frames also vary between states. See, e.g., FLA. STAT. § 817.5681 (2005) (within 45 days); OHIO REV. CODE ANN. § 1349.19 (West 2005); WIS. STAT. § 134.98 (2006); COLO. REV. STAT. § 6-1-716 (2006) (as quickly as possible); DEL. CODE ANN. tit. 6, § 12B-102 (2005); IDAHO CODE § 28-51-104 (Michie 2006).

67 Under the Californian law, substitute notice is only available if the data breach involved more than half a million individuals or if the cost of providing notice would exceed $250,000. Other states vary on this point. See, e.g., HAW. REV. STAT. § 487N-1 (2007) (breach involves over 200,000 persons or cost exceeds $100,000) and N.H. REV. STAT. ANN. § 359-C:20 (2007) (breach involves over 1,000 persons or cost exceeds $5,000).

68 CAL. CIV. CODE § 1798.29 (West 2003).

69 Id.

70 See, e.g., CAL. CIV. CODE § 1798.29 (West 2003); FLA. STAT. § 817.5681 (2005); OHIO REV. CODE ANN. § 1349.19 (West 2005); WIS. STAT. § 134.97 (2006); COLO. REV. STAT. § 6-1-716 (2006); DEL. CODE ANN. tit. 6, § 12B-102 (2005); ALASKA STAT. § 45.48.010 (2009); ARIZ. REV. STAT. § 44-7501 (2007); ARK. CODE ANN. § 4-110-105 (2005); D.C. CODE ANN. § 28-3851 (2007); GA. CODE ANN. § 10-1-911 (2005); 815 ILL. COMP. STAT. 530/5 (2005); IND. CODE § 24-4.9-2-2 (2006); MD. CODE ANN., COM. LAW § 14-3504 (2008); MASS. GEN. LAWS ch. 93H, § 1 (2007); NEB. REV. STAT. § 87-802 (2006); NEV. REV. STAT. § 603A.220 (2006); N.J. STAT. ANN. § 56:8-163 (West 2006); N.Y. GEN. BUS. LAW § 899-aa (2005); N.D. CENT. CODE § 51-30-02 (2005); OKLA. STAT. tit. 74, § 3113.1 (2006); OR. REV. STAT. § 646A.602 (2007); S.C. CODE ANN. § 39-1-90 (2009); TENN. CODE ANN. § 47-18-2107 (2005); TEX. BUS. & COM. CODE § 521.053 (Vernon 2005); WASH. REV. CODE § 19.255.010 (2005); W. VA. CODE § 46A-2A-101 (2008).

71 See, e.g., Mark Burdon et al., Encryption Safe Harbours and Data Breach Notification Laws, 26(5) C.L.S.R. (2010) (forthcoming) [hereinafter Burdon et al., Encryption Safe Harbours].

72 This point is covered in depth below at Part IV.A.

73 See, e.g., CAL. OFFICE OF PRIVACY PROTECTION, RECOMMENDED PRACTICES ON NOTICE OF SECURITY BREACH INVOLVING PERSONAL INFORMATION 6 (2009) ("One of the most significant privacy laws in recent years is the California law intended to give individuals early warning when their personal information has fallen into the hands of an unauthorized person, so that they can take steps to protect themselves against identity theft or to mitigate the crime's impact."); Amanda Draper, Comment, Identity Theft: Plugging the Massive Data Leaks with a Stricter Nationwide Breach-notification Law, 40 J. MARSHALL L. REV. 681, 686 (2007) (noting that high profile data breaches in credit card processing corporations have been an incentive for the development of new laws); Kenneth M. Siegel, Comment, Protecting the Most Valuable Corporate Asset: Electronic Data, Identity Theft, Personal Information, and the Role of Data Security in the Information Age, 111 PENN ST. L. REV. 779, 781 (2007) (highlighting the identity theft risks that can arise from a single data breach); Regan, Federal Security Breach Notifications: Politics and Approaches, supra note 10, at 1105-1106 (regarding the impact that major data breaches had on Congressional developments relating to a national data breach notification law); Lilia Rode, Database Security Breach Notification Statutes: Does Placing the Responsibility on the True Victim Increase Data Security?, 43 HOUS. L. REV. 1597, 1621 (2007) ("California's Notification Act has an admirable goal to curb identity theft."); Sara A. Needles, Comment, The Data Game: Learning to Love the State-Based Approach to Data Breach Notification Law, 88 N.C. L. REV. 267, 281 (2009) ("Much of data breach law has been enacted to deal with the threat of identity theft resulting from unauthorized access of computerized records."); Jennifer A. Chandler, Negligence Liability for Breaches of Data Security, 23 REV. BANKING & FIN. L. 223, 229 (2008) (highlighting potential mitigation benefits in relation to identity theft).

74 See S.B. 1386 (Introduced), 2002 Leg., Reg. Sess. (Cal. 2002), available at http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020212_introduced.pdf (a bill concerned with exempting the disclosure of personal information under the auspices of Californian freedom of information law). See also Joseph Simitian, How a Bill Becomes Law, Really, 24 BERKELEY TECH. L.J. 1009 (2009) (regarding the background development of some of the key issues relating to notification under the Californian law).

75 Personal Information: Disclosure; Breach of Security: Before the Assem. Comm. on Judiciary (Cal. 2002), available at http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_cfa_20020617_141710_asm_comm.html. See also Preston & Turner, supra note 63, at 459 (regarding the effect of the attack on the development of the law); Timothy H. Skinner, California's Database Breach Notification Security Act: The First State Breach Notification Law is Not Yet a Suitable Template for National Identity Theft Legislation, 10 RICH. J.L. & TECH. 4 (2003) (confirming the impact of the breach on the law's development); Jane Winn, Are 'Better' Security Breach Notification Laws Possible?, 24 BERKELEY TECH. L.J. 1133, 1142-1143 (2009) (providing a brief outline of the background development to California's law).

76 Assem. Comm. on Judiciary, supra note 75.

77 See Skinner, supra note 75, at 4 (regarding details of the delay).

78 See id. at 5 (providing details of the hearing in which attempts at identity theft were examined but could not be conclusively tied to the data breach).

79 See, e.g., Simitian, supra note 74, at 1011 (regarding the impetus for legislative action following the data breach).

80 See, e.g., Javelin Strategy and Research, Data Breaches and Identity Fraud: Misunderstanding Could Fail Consumers and Burden Businesses (2006) (conducting a study of identity theft victims which demonstrated that only a small percentage of cases was linked to data breaches); U.S. GOV'T ACCOUNTABILITY OFFICE, GAO-07-737, PERSONAL INFORMATION: DATA BREACHES ARE FREQUENT, BUT EVIDENCE OF RESULTING IDENTITY THEFT IS LIMITED; HOWEVER, THE FULL EXTENT IS UNKNOWN (2007) (reviewing 24 large data breaches and finding little evidence of concomitant identity theft incidents); Sasha Romanosky et al., Do Data Breach Disclosure Laws Reduce Identity Theft?, SSRN (2008), http://ssrn.com/abstract=1268926 (analyzing identity theft complaints from victims and finding little evidence that data breach notification laws reduce the frequency of identity theft incidents); Brendan St. Amant, Recent Development, Misplaced Role of Identity Theft in Triggering Public Notice of Database Breaches, 44 HARV. J. ON LEGIS. 527 (2007) ("The currently favored cost-benefit analysis that links security breaches to identity theft obscures the central policy issue of what actual rights citizens should have over the whereabouts and release of their personal information."); Fred H. Cate, Information Security Breaches: Looking Back and Thinking Ahead (2008), available at http://www.hunton.com/files/tbl_s47Details/FileUpload265/2308/Information_Security_Breaches_Cate.pdf ("Identity fraud and security breaches are both certainly important issues, but there is little evidence connecting the two, especially in the case of true identity theft.").

81 See Burdon et al., Mandatory Notification of Data Breaches, supra note 5, at 117 (chronicling the uptake of data breach notification laws following the inception of the Californian law). See also Flora J. Garcia, Comment, Data Protection, Breach Notification, and the Interplay between State and Federal Law: The Experiments Need More Time, 17 FORDHAM INTELL. PROP. MEDIA & ENT. L.J. 693, 707-708 (2007) (regarding the rapid proliferation of state-based data breach notification laws).

82 CAL. CIV. CODE § 1798.29(a) (West 2003); FLA. STAT. § 817.5681 (2005); WIS. STAT. § 134.98 (2008); COLO. REV. STAT. § 6-1-716 (2006); DEL. CODE ANN. tit. 6, § 12B-102 (2005); IDAHO CODE ANN. § 28-51-105 (2006); ALASKA STAT. § 45.48.010 (2009); ARK. CODE ANN. § 4-110-105 (2005); GA. CODE ANN. § 10-1-911 (2005); 815 ILL. COMP. STAT. 530/5 (2005); NEV. REV. STAT. § 603A.220 (2006); N.J. STAT. ANN. § 56:8-163 (West 2006); N.Y. GEN. BUS. LAW § 899-aa (McKinney 2005); N.D. CENT. CODE § 51-30-02 (2005); OKLA. STAT. tit. 74, § 3113.1 (2006); S.C. CODE ANN. § 39-1-90 (2009); TENN. CODE ANN. § 47-18-2107 (2005); TEX. BUS. & COM. CODE ANN. § 521.053 (Vernon 2007); WASH. REV. CODE § 19.255.010 (2005); CONN. GEN. STAT. § 36a-701b (Supp. 2006); LA. REV. STAT. ANN. § 51:3074 (2005); MINN. STAT. § 325E.61 (2006); MO. REV. STAT. § 407.1500 (2009); R.I. GEN. LAWS § 11-49.2-3 (2005); UTAH CODE ANN. § 13-44-202 (2006).

83 See Kathryn E. Picanso, Comment, Protecting Information Security Under a Uniform Data Breach Notification Law, 75 FORDHAM L. REV. 355, 383 (2006) (outlining states with a reasonable risk of harm trigger); Michael E. Jones, Comment, Data Breaches: Recent Developments in the Public and Private Sectors, 3 I/S: J.L. & POL'Y FOR INFO. SOC'Y 555, 571-572 (2007) (detailing the use of risk-based triggers in federal data breach proposals).

84 See Garcia, supra note 81, at 704 (notification is triggered even if the information is only reasonably believed to have been acquired, without any actual use).

85 See Jones, supra note 83, at 562 (regarding the elements of acquisition-based triggers, which are deemed to favor consumer protection because the decision to notify is not left to the breached entity); Paul M. Schwartz & Edward J. Janger, Notification of Data Security Breaches, 105 MICH. L. REV. 913, 933 (2007) (commenting that the Californian law "is marked by a low threshold for notification").

86 See Cate, supra note 80, at 13 ("Requiring breach notices in situations other than those in which they are realistically likely to prevent or mitigate harm or serve some other clearly articulated valuable function threatens to exacerbate the existing tendency of recipients to ignore those notices"); Michael Turner, Towards a Rational Personal Data Breach Notification Regime (2006), http://perc.net/files/downloads/data_breach.pdf ("At some point, consumers begin to discount notices if the average likelihood that a breach will result in damage is very low"); Jones, supra note 83, at 562 (regarding risk-based triggers, which are deemed to favor corporate interests because the decision whether to notify is left squarely with the breached organization).

87 See, e.g., FLA. STAT. § 817.5681 (2005); ALASKA STAT. § 45.48.010 (2009); ARK. CODE ANN. § 4-110-105 (2005); OR. REV. STAT. § 646A.600 (2007); CONN. GEN. STAT. § 36a-701b (2006); LA. REV. STAT. ANN. § 51:3071 (2005); IOWA CODE § 715C.1 (2008); N.C. GEN. STAT. § 75-60 (2005).

88 See ARIZ. REV. STAT. § 44-7501 (2007).

89 See OHIO REV. CODE ANN. § 1349.19 (West 2005); WIS. STAT. § 134.98 (2006); MD. CODE ANN., COM. LAW § 14-3501 (2008); MASS. GEN. LAWS ch. 93H, § 1 (2007); R.I. GEN. LAWS § 11-49.2-1 (2005); UTAH CODE ANN. § 13-44-202 (2006); KAN. STAT. ANN. § 50-7a01 (2006); MICH. COMP. LAWS § 445.72 (2007).

90 See 73 PA. CONS. STAT. § 2303 (2006); MICH. COMP. LAWS § 445.72 (2007); MONT. CODE ANN. § 30-14-1704 (2006); VA. CODE ANN. § 18.2-186.6 (2008).

91 See Regan, supra note 10, at 1109-1110 (outlining bills placed before both Houses of Congress).

92 See Data Accountability and Trust Act of 2009, H.R. 2221, 111th Cong. (2009), supra note 4.

93 See, e.g., Data Accountability and Trust Act of 2009, H.R. 2221, 111th Cong. (2009); Personal Data Privacy and Security Act of 2009, S. 1490, 111th Cong. (2009); Data Breach Notification Act of 2009, S. 139, 111th Cong. (2009).

94 See, e.g., Veterans' ID Theft Protection Act of 2006, H.R. 5487, 109th Cong. (2006); Comprehensive Credit Services for Veterans Act of 2006, H.R. 5783, 109th Cong. (2006); Comprehensive Veterans' Data Protection and Identity Theft Protection Act of 2006, H.R. 5577, 109th Cong. (2006) (following the aftermath of a major data breach involving the US Department of Veterans Affairs). See also U.S. DEP'T OF VETERANS AFFAIRS, OFFICE OF INSPECTOR GEN., REVIEW OF ISSUES RELATED TO THE LOSS OF VA INFORMATION INVOLVING THE IDENTITY OF MILLIONS OF VETERANS (2006) (for extensive details of the breach).

95 See, e.g., Identity Theft Bill, H.R. 3140, 109th Cong. (2005).

96 See, e.g., Federal Agency Data Breach Notification Act of 2006, H.R. 5838, 109th Cong. (2006); Federal Agency Data Breach Protection Act of 2007, H.R. 2124, 110th Cong. (2007).

97 See, e.g., Personal Data Privacy and Security Act of 2009, S. 1490, 111th Cong. (2009) ("To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information").

98 See, e.g., Rode, supra note 73, at 1621 (commenting that the purpose of the Californian law was to provide consumers with greater knowledge so that they could take action); Thomas J. Smedinghoff, Trends in the Law of Information Security, 17 INTELL. PROP. & TECH. L.J. 1, 4 (2005) (stating that data breach notification laws are designed as a way to protect persons who may be adversely affected by a security breach); Needles, supra note 73, at 380 (stating "Breach notification laws let individuals know that their data has slipped into unauthorized hands"); Schwartz & Janger, supra note 85, at 917 (stating that breach notification can assist individuals and organizations to mitigate harm caused by a breach).

99 Thomas J. Smedinghoff, The State of Information Security Law: A Focus on the Key Legal Trends (2009), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1114246.

100 Id. By requiring notice to persons who may be adversely affected by a security breach (e.g., persons whose compromised personal information may be used to facilitate identity theft), these laws seek to provide such persons with a warning that their personal information has been compromised, and an opportunity to take steps to protect themselves against the consequences of identity theft.

101 See Sasha Romanosky & Alessandro Acquisti, Privacy Costs and Personal Data Protection: Economic and Legal Perspectives, 24 BERKELEY TECH. L.J. 1061, 1072-1074 (2009) (providing an overview of information disclosure measures as an ex post mechanism in data breach notification laws).

102 See, e.g., id. at 1075 (notification as an information disclosure mechanism is used to improve organizational security controls); Winn, supra note 75, at 1147-1148 (regarding the incentives for database owners to implement security measures); Rode, supra note 73, at 1624 ("notification statutes...serve as powerful incentives for businesses to attack identity theft at the front lines"); Skinner, supra note 75, at 7 (quoting Benjamin Wright: "they [data breach notification laws] have powerful incentive (sic) to secure data from the beginning"); Schwartz & Janger, supra note 85, at 953-955 (regarding the "reasonable security" measures that the "ideal data processing entity" would put in place under a data breach notification act).

103 See generally Burdon et al., Encryption Safe Harbours, supra note 71 (providing a detailed critique of encryption safe harbors in data breach notification laws); Mark Burdon et al., If its Encrypted its Secure! The Viability of US State-based Encryption Exemptions (IEEE ed. 2010) (analyzing encryption exemptions found in US state-based data breach notification laws against a factor-based safe harbor proposed in Australia and the EU); Winn, supra note 75, at 1145-1146 (critiquing the Californian law's encryption safe harbor). See also Part III.B below.

104 See, e.g., Winn, supra note 75, at 1143 (stating that the “shaming function” of data breach notification laws is a “direct and concrete” element); Schwartz & Janger, supra note 85, at 929-931 (detailing in depth the role of “reputational sanction” in data breach notification laws); Rode, supra note 73, at 1628 (regarding the disclosure of a security breach which can tarnish a company’s public image).

Page 189: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

18

become a management priority.105 This reflects the fact there was little market

incentive for private sector organizations to behave responsibly and to report a data

breach due to the negative publicity that would arise.106 As such, the second aim of

data breach notification law also has an ex ante element through the encouraged

adoption of information security measures.107 Nevertheless these are two very

different aims that arise from data breach incidents.108 Data breach notification laws

therefore demand a delicate balancing act that require gauging the risks of

providing adequate notification to individuals while attempting to minimize

corporate compliance cost burdens relating to unnecessary notification.109

C. SUMMARY

This brief overview of the conceptual background and legislative development of both information privacy and data breach notification laws reveals similarities and differences between the two legal concepts. Both laws have an obvious interest in the protection of personal information, and both attempt to provide individuals with greater knowledge about the use of their personal information by organizations. Despite these obvious similarities, there are also significant differences between the two laws that go to the heart of both concepts and their different legal frameworks. To outline these distinctions, the metaphor of vertical and horizontal is employed to identify conflicting tensions and shared weaknesses.110 These issues are explored further in the next parts of this article and are represented in Figure 1 below.

Fig.1 – Vertical Tensions and Horizontal Weaknesses

105 See Schwartz & Janger, supra note 85, at 926 (regarding the various forces that are formed under data breach notification law).

106 See COMPUTER SECURITY INSTITUTE, Computer Crime and Security Survey (2006), available at http://pdf.textfiles.com/security/fbi2006.pdf (detailing the reluctance of organizations to inform law enforcement agencies about a data breach); A. ACQUISTI, et al., Is There a Cost to Privacy Breaches? An Event Study 4 (2006), available at http://aisel.aisnet.org/icis2006/94/ (“a privacy incident is a negative externality that natural incentives cannot correct”); Chandler, supra note 73, at 228 (regarding the lack of consumer interest in data breaches and the limited effect on share price as an effective deterrent to implement security measures); Rode, supra note 73, at 1631 (regarding the ineffectiveness of market based provisions when businesses miscalculate the value placed by individuals on privacy). See contra JACOB W. SCHNEIDER, Preventing Data Breaches: Alternative Approaches to Deter Negligent Handling of Consumer Data, 15 B.U. J. SCI. & TECH. L. 279, 291 (2009) (arguing that data breach notification is ineffective as a legal remedy because it provides little market incentive to strengthen data security).

107 See Romanosky & Acquisti, supra note 101 (regarding the ex ante role of security protections in reducing the number of future data breaches).

108 See Needles, supra note 73, at 281 (noting the different purposes of data breach notification as a “data control” and as a “privacy” concern); Turner, supra note 86 (regarding the conflicting notions of notification to individuals and the use of notification as an incentive to strengthen security).

109 See Schwartz & Janger, supra note 85, at 918 (regarding the “important function of breach notification” after a breach that requires a “multi-institutional, co-ordinated response”); Schwartz, supra note 36; THOMAS J. SMEDINGHOFF, Security Breach Notification - Adapting to the Regulatory Framework, 21 The Review of Banking & Financial Services 115 (2005); Turner, supra note 86 (regarding the risks that organizations face in the decision to notify or not to notify).
III. CONFLICTING VERTICAL TENSIONS

Vertical tensions emanate from the differing conceptual and developmental origins of both laws, which ultimately represent the distinction between sectoral and comprehensive approaches to the regulation of information privacy.111 The author asserts that the sectoral/comprehensive distinction also determines the form of regulatory remedy that is deemed appropriate, which further highlights the distinction between market-based initiatives and rights-based protections and results in contradictory emphases over the minimization of corporate compliance costs.

110 See, e.g., PATRICIA L. BELLIA, Federalization in Information Privacy Law, 118 YALE L. J. 868, 872-873 (2009) (regarding the classification of dimensions of US information privacy law as vertical issues, such as the desirability of a comprehensive federal law over state-based laws, and horizontal issues, which regard “the interplay of any federal information privacy law with other sector-specific federal rules”).

111 The author acknowledges that the distinction between sectoral and comprehensive frameworks is a broad categorization only and notes that some comprehensive laws also have aspects of sectoral regulation. See BENNETT & RAAB, supra note 20, at 132-133 (highlighting that the sectoral/comprehensive distinction is broad in its conceptual reach and that in practice several countries encompass aspects of both approaches within their legal systems). However, this broad distinction is sufficient for the purposes of this article because it demonstrates the different conceptual, normative and regulatory foundations of US data breach notification law when examined in conjunction with comprehensive information privacy regimes.
A. SECTORAL VERSUS COMPREHENSIVE APPROACHES

The implementation of information privacy laws has taken essentially different tracks despite their similar origins.112 That in itself is not surprising, as a right to privacy is not perceived as an absolute right; the weight to be given to an individual’s right to control his or her personal information is therefore a matter of interpretation, in competition with other social rights and interests. The application of information privacy legal regimes is likely to be a matter of contestable discussion amongst different legislative jurisdictions.113 As such, information privacy laws are manifestations of political processes, which has implications for the implementable scope of such laws.114 Jurisdictional information privacy laws therefore reflect the wider social, legal and policy values of individual jurisdictions.115 The US attitude towards information privacy law and the developmental purpose of data breach notification laws reflect this point.

The sectoral approach116 to information privacy in the US has been characterized as “sporadic”117 and “reactive.”118 The regulatory focus of US information privacy law is the general curtailment of government powers, in combination with laws that govern industry-specific practices or various types of sensitive information.119 The existence or non-existence of information privacy regulation at the federal level is specific to particular circumstances or sectors. For example, the Privacy Act120 provides a range of fair information practices that US Government agencies must comply with regarding the handling of personal information. The Gramm-Leach-Bliley Act121 (GLBA) creates privacy protections for personal financial information within the specific remit of the financial services sector. The Health Insurance Portability and Accountability Act (HIPAA)122 provides legal protections for identifiable health information held in the medical and health insurance sectors. In a different vein, the Children’s Online Privacy Protection Act (COPPA)123 governs restrictions on the collection of online personal information from children under the age of thirteen.

Alongside these sector-based laws, there is a collection of other laws that provide legal remedies for specific issues that have become sufficiently politicized to warrant legislative action.124 For example, the Drivers Privacy Protection Act125 (DPPA) restricts the disclosure of driver license information by state authorities, following the murder of actress Rebecca Schaeffer, in which an assailant used publicly available driver license information to stalk and then murder Ms. Schaeffer.126 The DPPA has also been instrumental in restricting the sale of driver license information by state agencies to commercial entities.127 The Video Privacy Protection Act128 protects personal information provided to video rental stores, following a controversy involving Supreme Court nominee Robert Bork and the publication of his video watching habits by the media.129

This myriad of information privacy legislation has also been replicated at the state level.130 Some states implement laws that provide general statutory rights of privacy that are akin to tort law protections and thus govern areas such as common law invasions of privacy.131 Other states, like their federal counterpart, have enacted a number of sector-based laws aimed at certain industry practices. For example, in addition to federal laws, some states have specifically legislated on the use of certain types of personal information, such as video rental records, as highlighted above.132 Accordingly, Schwartz contends that a duopoly exists between federal and state laws, in which federal laws deliver specified benchmarks that allow state laws further room for experimental development.133

Comprehensive legal frameworks, on the other hand, adopt a different approach from sectoral regimes. They establish information privacy rights for individuals and define obligations for data collecting organizations regardless of industrial sector.134 Comprehensive frameworks have universal notions of the type of information that is covered by information privacy laws, typically defined as “personal data”135 or “personal information.”136 Moreover, the type of data covered by these laws is generally context dependent, which means that different types of information can be personal information at different times, depending upon the context in which they are used.137 The context dependent approach is a significant difference from sectoral laws, which have a restrictive outlook on the type of information that will constitute personal information. Hence, sectoral information privacy laws have developed context independent approaches to the classification of personal information that reflect the restricted aims of industry- or information-specific legislation.

Enforcement mechanisms operated by comprehensive information privacy regimes are also different from those found in sectoral regimes. Most comprehensive frameworks employ specific supervisory authorities with given sets of legislative powers to protect the rights of individuals and to impose compliance obligations upon organizations, and such authorities are seen as a necessary condition of an effective information privacy regime.138 Contrast that with the situation in the US, which does not have a dedicated supervisory authority for the enforcement of information privacy. Instead, governance obligations are dispersed amongst different public sector organizations that mirror the fragmented legislative focus of the US approach.139 Moreover, the lack of a unified commission is now seen as a detriment to the US approach to information privacy.140

Data breach notification laws have thus been developed within the sectoral environment of the US to provide a remedial fix to a given problem, namely, the mitigation of identity theft arising from data breaches of personal information.141 However, a law that has a primary purpose of mitigating identity theft is fundamentally different from a law that is purposely designed to ensure the protection of personal information, as found in comprehensive information privacy regimes.142 The former is designed to provide a particular remedy to a specific problem, while the latter confers broad rights on individuals regarding the personal information exchange process. The question consequently arises whether data breach notification laws should regard the protection of personal information per se, as information privacy laws do, rather than focusing on the specified remit of mitigating identity theft.

These are weighty normative distinctions, for to do so would require a major change in perspective, from both sectoral and comprehensive approaches, regarding the purpose of data breach notification. There is a clear conceptual foundation for a narrower approach to the protection of personal information in data breach notification laws that goes back to the first data breach notification law, California Civil Code 1729(a), and flows through to recent US state and federal developments. However, even in comprehensive jurisdictions, there has been a degree of reluctance to enmesh data breach notification completely within established legal frameworks.143 This has resulted in the EU’s data breach notification scheme being developed within the reduced scope of the e-Privacy Directive, and in the Australian Law Reform Commission’s proposal, which has not only developed an ancillary definition of personal information for the specific purpose of data breach notification,144 but has recommended that data breach notification not be formalized as a privacy principle.145

Data breach notification law, viewed from the perspective of the type of information privacy legal framework within which it operates, provides a contradictory picture of how it has been applied. In the US, data breach notification law is a comprehensive measure to remedy deficiencies arising from the sectoral approach to information privacy.146 The comprehensiveness of the law is evident because it generally applies to all types of organization regardless of industrial sector.147 However, the application of this comprehensive approach is nevertheless constrained by confining notification to specified circumstances that could give rise to identity theft, which involve certain types of combined personal information. Conversely, data breach notification law in comprehensive regimes is a sectoral measure to remedy deficiencies in the application of fair information practices or information privacy principles regarding corporate obligations to secure personal information.148 In effect, the notifications resulting from the advent of data breach notification laws demonstrate that the application of security-related principles and practices is simply not working, both in terms of the volume of incidents and the number of persons affected. Accordingly, data breach notification is either a comprehensive facet of a sectoral approach or a sectoral adjunct to a comprehensive regime.149 These differences in application are manifested in the scope of protections provided in sectoral and comprehensive regimes, which place different priorities on the provision of individual protections and the minimization of corporate compliance costs.

112 See BENNETT & RAAB, supra note 20, at 3-6 (stating that the human need for privacy is “manifested to different degrees and in different ways from culture to culture”).

113 See, e.g., Charles Raab, From Balancing to Steering: New Directions for Data Protection, in VISIONS OF PRIVACY: POLICY CHOICES FOR THE DIGITAL AGE 68 (Colin J. Bennett & Rebecca Grant eds., 1999) (regarding the limited role of a right to privacy, which does not take precedence over all uses of personal information); REGAN, supra note 33, at 16 (regarding privacy protection in the US as the balancing of individual and political interests); BENNETT & RAAB, supra note 20, at 13 (stating that privacy is not an absolute right and is balanced against other community rights and obligations).

114 BENNETT & RAAB, supra note 20, at 125 (contending that information privacy law is “an exercise of the power of the state in regulating the processing of personal data”).

115 See BENNETT, supra note 21, at 242-243 (regarding the effect of different political philosophies on the implementation of information privacy legislation); PETER P. SWIRE & ROBERT E. LITAN, NONE OF YOUR BUSINESS: WORLD DATA FLOWS, ELECTRONIC COMMERCE, AND THE EUROPEAN PRIVACY DIRECTIVE 153 (1998) (contending that different approaches to privacy protection reflect unique jurisdictional approaches).

116 See Gellman, supra note 60, at 195 (describing sectoral as “no general privacy laws, just specific laws covering specific records or record keepers”); Paul M. Schwartz, Preemption and Privacy, 118 YALE L.J. 902, 910 (2009) (US information privacy laws “regulate information use exclusively on a sector-by-sector basis”).

117 See Joel R. Reidenberg, The Globalization of Privacy Solutions: The Movement Towards Obligatory Standards for Fair Information Practices, in VISIONS OF PRIVACY: POLICY CHOICES FOR THE DIGITAL AGE 217 (Colin J. Bennett & Rebecca Grant eds., 1999); Joel R. Reidenberg, Privacy in the Information Economy: A Fortress or Frontier for Individual Rights?, 44 FED. COMM. L.J. 195, 236 (1992) [hereinafter “Privacy in the Information Economy”] (stating that the lack of a coherent and systematic approach to information privacy protection in the US “presents an undesirable policy void”); John T. Soma et al., Corporate Privacy Trend: The "Value" of Personally Identifiable Information ("PII") Equals the "Value" of Financial Assets, 25 RICH. J.L. & TECH. 1, 15 (2009) (stating that US privacy regulation is best described as “a haphazard set of industry specific regulations...which frequently overlap and are often contradictory”); GELLMAN, supra note 60, at 195 (describing the legal structure for US privacy protection as a “patchwork quilt”).

118 See BENNETT & RAAB, supra note 20, at 37 (regarding reactivity as a weakness of sectoral regimes).

119 See, e.g., REIDENBERG, supra note 117, at 209 (stating that US federal and state information privacy laws target individual protection in relation to defined problems that arise from fear of government intervention and a reluctance to regulate industry).

120 The Privacy Act of 1974, 5 U.S.C. § 552a (2006).

121 Financial Services Modernization (Gramm-Leach-Bliley) Act of 1999, 15 U.S.C. §§ 6801-6809 (2006).

122 Health Insurance Portability and Accountability Act of 1996, 45 C.F.R. §§ 160, 162, 164 (2006).

123 Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506 (2006).

124 See BENNETT & RAAB, supra note 20, at 37; REGAN, supra note 33, at 199 (stating that congressional privacy legislation was based on various critical events which opened up a policy window); Priscilla Regan, The United States, in GLOBAL PRIVACY PROTECTION: THE FIRST GENERATION 51 (James B. Rule & Graham Greenleaf eds., 2008) (“Generally it takes an incident to focus attention on the issue of information privacy – and such incidents tend to focus on one type of record system at a time.”).

125 Drivers Privacy Protection Act of 1994, 18 U.S.C. § 2725 (2006).

126 See, e.g., SOLOVE, UNDERSTANDING PRIVACY, supra note 19, at 69 (regarding the distinction between public and private data in the Schaeffer case); Garcia, supra note 81, at 715 (stating that the “Schaeffer case is credited with sparking the passage of the Drivers’ Privacy Protection Act”). See also REGAN, supra note 33, at 207 (regarding the use of state driver license information to harass pregnant mothers who visited abortion clinics).

127 See, e.g., Michael A. Froomkin, Government Data Breaches, 24 BERKELEY TECH. L. J. 1019, 1029 (2009) (noting the importance of the DPPA to state agencies); Garcia, supra note 81, at 715 (highlighting state revenues derived from the sale of driver license information); REGAN, supra note 124, at 50 (summarizing the development of the DPPA).

128 Video Privacy Protection Act of 1988, 18 U.S.C. § 2710 (2006).

129 See Schwartz, supra note 116, at 935-936 (providing a comprehensive overview of the development of the law, including details of congressional outrage).

130 See Reidenberg, Privacy in the Information Economy, supra note 117, at 221 (commenting that state-based protections suffer from incompleteness and vary from state to state).

131 Id. at 228.

132 See Schwartz, supra note 116, at 919 (regarding state variants on the VPPA).

133 Id.; but see Bellia, supra note 110, at 873.

134 See, e.g., Council Directive 95/46, Art 7, 1995 O.J. (L 281) (EC).

135 Council Directive 95/46, Art 2(a), 1995 O.J. (L 281) (EC).

136 S6(1) PRIVACY ACT 1988 (Cth) (Austl.).

137 See, e.g., Mark Burdon & Paul Telford, The Conceptual Basis of Personal Information in Australian Privacy Law, 17 Murdoch Elaw Journal 1 (2010) [hereinafter “Conceptual Basis”] (regarding an overview of context independent and context dependent approaches in Australian privacy law); see also SHARON BOOTH ET AL., WHAT ARE ‘PERSONAL DATA’? A STUDY CONDUCTED FOR THE UK INFORMATION COMMISSIONER 6 (2004) (regarding a survey of data protection authorities and their conceptual construction of personal information).

138 BENNETT & RAAB, supra note 20, at 113 (noting the European Union’s approach to privacy laws).

139 E.g., eight federal agencies have supervisory powers to enforce elements of the GLBA: the Federal Trade Commission; the Office of the Comptroller of the Currency; the Federal Reserve Board; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision; the National Credit Union Administration; the Securities and Exchange Commission; and the Commodity Futures Trading Commission.

140 See Schwartz, supra note 116, at 927 (regarding one of the positive effects of a comprehensive law in the US).

141 Id. at 929-31.

142 See, e.g., Winn, supra note 75, at 1134 (regarding the potential limiting implications of data breach notification laws that predominantly focus on the mitigation of identity theft).

143 See, e.g., Burdon, et al., supra note 5, at 127 (regarding the reluctance of Australian and EU legislators to fully enmesh data breach notification within existing legal frameworks).

144 See AUSTRALIAN PRIVACY LAW AND PRACTICE, supra note 6, at 1693 (specifying that personal information under the proposal “should draw on the existing definitions of ‘personal information’ and ‘sensitive information’ in the Privacy Act and should prescribe what combinations of these types of information would, when acquired without authorization, give rise to a real risk of serious harm requiring notification”).

145 See Nigel Waters, et al., Interpreting the Security Principle (Cyberspace Law and Policy Centre, University of New South Wales, Working Paper No. 1, 2007), available at http://www.cyberlawcentre.org/ipp/wp/WP1%20Security.pdf.

146 Id. at 34-5.

147 See Needles, supra note 73, at 277.

148 Id. at 283.

149 See, e.g., Needles, supra note 73, at 303 (regarding the application of data breach notification in the US and other jurisdictions).
B. MARKET-BASED INITIATIVES VERSUS RIGHTS-BASED PROTECTIONS

The manifestations of sectoral and comprehensive approaches highlight differences between both laws, as they place different priorities on the role of organizational compliance cost mitigation. Data breach notification laws tend to adopt market-based remedies that are conscious of the compliance requirements of data collecting organizations, whereas those information privacy regimes that adopt data breach notification laws tend to focus more on the preservation of individual protections. The development of encryption safe harbors for data breach notification in the US and other jurisdictions is relevant in this regard.

The use of an encryption safe harbor has been an integral element of data breach notification laws because legislators use encryption to define notification parameters for organizations. As applied in most data breach notification laws, encrypted personal information does not trigger an obligation to notify because the information that has been acquired without authorization is deemed secure and therefore not to pose an identity theft risk.150 In a review of 2007 US developments, Jones identified three types of encryption safe harbor.151 Exemptions remove the obligation to notify outright, on the basis that encrypted data is secure and does not pose a risk.152 Rebuttable presumptions create a presumption that encrypted data is secure and that unauthorized acquisitions do not have to be notified; the presumption can, however, be rebutted by facts to the contrary.153 Factor-based analysis requires breached organizations to demonstrate that the encryption adopted was effective before notification is exempted.154 The use of these different types of safe harbor reveals underlying contestations in sectoral and comprehensive regimes regarding the use of encrypted personal information as a means to minimize corporate compliance costs. Recent research shows that exemptions and rebuttable presumptions are favored by the sectoral approach of the US, while factor-based analysis is favored in comprehensive regimes such as the EU and Australia.155

At the US state legislature level, the use of encryption exemptions is directly linked to corporate compliance cost reduction and the development of market incentives to enhance corporate information security measures. For example, the controversial encryption exemption adopted in the California law appears to have been developed as a means of reducing corporate fears relating to compliance costs and of ensuring that the law was consistent with related federal legislation and regulation.156 The legislative intent of the California encryption exemption was thus a relatively simple solution to the complex balancing act of enhancing information security practices while, at the same time, minimizing compliance burdens. Similar outcomes are also evident in other states. In Indiana, a second data breach notification bill was introduced in 2008, following implementation of Indiana’s data breach notification law in 2006,157 which sought, amongst other things, to alter the statute’s definition of encryption. The provisions of the second bill would have had the effect of benchmarking adopted encryption processes and technologies to ensure that they met existing industry best practices, including the move away from password protection to encryption. However, the vast majority of the bill was rejected following intensive lobbying by major corporations who feared an increase in compliance requirements.158

150 Id. at 278-79.

151 Michael Jones, Data Breaches: Recent Developments in the Public and Private Sector, 3 ISJLP 555, 573 (2007).

152 Id. at 565.

153 Id. at 573.

154 Mark Burdon, Roushi Low & Jason Reid, If It’s Encrypted It’s Secure! The Viability of US State-Based Encryption Exemptions, IEEE (2010), http://eprints.qut.edu.au/32781/1/c32781.pdf (last visited September 3, 2010).

155 See generally Burdon et al., supra note 71.

156 Personal Information Privacy: Hearing on SB1386 Before the Assembly Committee on Business and Professions, (need leg. session info) (2002) (statement by Lou Correa, Chairman, Assembly Committee on Business and Professions) (“[I]n practice, this bill will create incentives for organizations seeking to simplify their legal requirements to encrypt their personal information data and develop privacy policies with similar notification procedures.”).

157 H.B. 1197, 2008 115th Gen. Assemb., Second Reg. Sess. (Ind. 2008) (sought additions to the existing encryption definition that would require adopted encryption processes to be “consistent with best practices common in the industry,” including the security management arrangements of the encryption key).

158 See Chris Soghoian, AT&T, Microsoft Win as ID Theft Bill Eviscerated, CNET NEWS (February 13, 2008, 7:00 A.M.), http://news.cnet.com/8301-13739_3-9870992-46.html (regarding the contentious discussions involved in the development of the second bill).

The development of the Massachusetts encryption exemption has also been fraught with contention. The Massachusetts definition of encryption is unique159 and has been the subject of much controversy, particularly relating to the further regulations developed by the Office of Consumer Affairs and Business Regulation (OCABR). The first version of the OCABR regulations was released in early 2008 to vocal criticism from private sector organizations regarding potential compliance requirements.160 The criticism was such that a public hearing was held and a further senate bill (SB173) was put forward to revise the encryption requirements of the OCABR regulations.161 SB173 was introduced by Senate Chairman Morrissey, who stated at the hearing that the regulations went "beyond its intent"162 in relation to technical requirements and other factors. Moreover, SB173 removed the requirement for a specific type of encryption and provided that no particular form of encryption was to be mandated.163 The primary reason for the removal of the specified encryption exemption was to protect small and medium sized businesses, as specified by section one of SB173.164 In February 2009, OCABR released amended regulations and the definition of encryption was changed.165 At present, SB173 has not been enacted but the new regulations have now come into force.166

159 See MASS. GEN. LAWS ch. 93H, §1 (2007) (the full definition of encryption reads: encryption "is the transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation." It is the second element of the definition, in conjunction with the 128-bit requirement, that has led to controversy).

160 See Mark E Schreiber & Robert G Young, Aggressive New Massachusetts Data Breach Law and Proposed Security Rules Require Company Action, 3 PRIVACY & DATA SECURITY L.J. 140, 144 (2008), available at http://www.eapdlaw.com/files/News/4322f87f-a398-4342-8c0b-33c977a22c54/Presentation/NewsAttachment/eb517cbf-4b50-4d70-a250-399e9596f7da/aggressive%20new%20massachusetts%20data%20law.pdf (regarding private sector concerns); see also Anne Doherty Johnson, AeA Update: Massachusetts Data Breach Regulations, AEA NEW ENGLAND COUNCIL (Nov. 17, 2008), http://www.aeanet.org/AeACouncils/zpUnYyihJjBdaJkdVziIPsEPkNrmnYWy.pdf (particularly in relation to technical issues such as the definition of encryption, the requirement to encrypt personal information and the requirement to encrypt information transmitted wirelessly).

161 See Alexander B Howard, Mass. Senate Seeks to Amend, Weaken Data Breach Notification Law, SEARCH COMPLIANCE, May 14, 2009, http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1356356,00.html# (regarding the claim that the Massachusetts Legislature had the power to change 93(H) but not the regulations). See also Jason Lefferts, Office of Consumer Affairs Files Revised ID Theft Regulations, OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION, Feb. 12, 2009, http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=20090212_idtheft&csid=Eoca (regarding the regulatory change of approach).

162 See Alexander B Howard, Mass. Senate Seeks to Amend, Weaken Data Breach Notification Law, SEARCH COMPLIANCE, May 14, 2009, http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1356356,00.html#.

163 Id.

At the US federal level, the two bills that have passed a vote in Congress contain rebuttable presumptions rather than exemptions. However, the use of rebuttable presumptions still indicates a desire to reduce corporate compliance obligations. Testimony heard by the House of Representatives Subcommittee on Commerce, Trade and Consumer Protection in relation to the DATA 2009 bill is clear on this point. The threat of over-regulation was clearly articulated in line with the adoption of a risk-based approach that focused on the implementation of reasonable and appropriate security measures rather than specific technologies.167 A similar point is echoed by California Senator Dianne Feinstein regarding her efforts to introduce a number of data breach notification bills, including the Notification of Risk to Personal Data Act of 2005. Senator Feinstein did not believe an encryption exemption was warranted because "[c]onsumers must have the tools they need to protect themselves against the risk of identity theft",168 even though it was against the interests of the financial sector.169 The bill did not succeed, but Senator Feinstein's account clearly indicates corporate interest in the reduction of compliance requirements related to data breach notification.

These examples highlight that the use of encryption safe harbors in US data breach notification laws and proposals prioritizes the reduction of corporate compliance cost burdens by minimizing the scope of notification. The encryption safe harbor has been an adjunct to the primary aim of the laws, the mitigation of identity theft crimes, and has been developed as a counterbalance to corporate fears of the compliance implications of over-notification, which potentially conflict with the consumer protection aims of data breach notification laws.

164 See S.B. 173, 186th General Court (Mass. 2009), available at http://www.mass.gov/legis/bills/senate/186/st00pdf/st00173.pdf. S1(A), SB173 (stating "The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.").

165 Office of Consumer Affairs and Business Regulation, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf (last visited Sept. 7, 2010) ("the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.").

166 Id. (regarding the new regulations).

167 See Testimony of Robert Holleyman: Hearing on H.R. 2221 "the Data Accountability and Protection Act" and H.R. 1319 "Informed P2P User Act" Before the Subcommittee on Commerce, Trade and Consumer Protection, House Committee on Energy and Commerce, 111th Cong. 5 (May 5, 2009) (statement of Robert Holleyman, President and CEO of Business Software Alliance) (regarding testimony provided by Robert Holleyman, the president of the Business Software Alliance (BSA), and stating "The potential is high to turn data custody – an activity that is for most companies, whether large or small, only incidental to their core business – into a stifling compliance burden, with little to gain in terms of increased data security"). See also Business Software Alliance, About BSA and Members, BSA, http://www.bsa.org/country/BSA%20and%20Members.aspx (last visited Sept. 8, 2010) (stating "BSA is the voice of the world's commercial software industry and its hardware partners on a wide range of business and policy affairs").

Contrast that with similar discussion within the EU, where encryption safe harbors have also been a bone of contention, but for different reasons. The Article 29 Data Protection Working Party issued an opinion on the proposed amendments to the e-Privacy Directive and stated that the appropriate technological protection measures exemption should not be implemented.170 The Working Party feared that the enactment of an exemption would significantly reduce the quality and usefulness of notifications delivered to affected persons.171 In essence, the only way a person can take action to protect themselves is if they have received adequate information about the risk. The content and format of a notification is an essential component of notification, and organizational decisions to notify should only be based on the principle of risk assessment rather than on exemptions based on technical measures to protect personal data.172 The European Data Protection Supervisor (EDPS) voiced a similar concern by broadly stating that Article 4 of the amended e-Privacy Directive "should not contain any exception to the obligation to notify".173 Instead, the issue of safe harbors to notification should be addressed through extensive debate relating to the issues at stake, which would be reflected in implementing legislation.174

168 Press Release, Senator Dianne Feinstein, Senator Feinstein Calls for Passage of Legislation to Require Prompt Notification When Personal Information Has Been Compromised by Data Breach (June 6, 2006) (on file with author), available at http://feinstein.senate.gov/public/index.cfm?FuseAction=NewsRoom.PressReleases&ContentRecord_id=7929faac-7e9c-9af9-71f4-d3142e230015&Region_id=&Issue_id=5b8dc16b-7e9c-9af9-7de7-22b24a491232.

169 Press Release, Senator Dianne Feinstein, Senator Feinstein Reiterates Call for Passage of Strong ID Theft Legislation (June 7, 2006) (on file with author), available at http://www.feinstein.senate.gov/public/index.cfm?FuseAction=NewsRoom.PressReleases&ContentRecord_id=792a0134-7e9c-9af9-75ef-07abbb67d740&Region_id=&Issue_id=5b8dc16b-7e9c-9af9-7de7-22b24a491232.

170 See Opinion 1/2009 on the proposals amending Directive 2002/58/EC on privacy and electronic communications (e-Privacy Directive) at 6, Article 29 Data Protection Working Party (2009).

171 Id. at 6.

Significant differences exist between sectoral and comprehensive approaches regarding the choice of encryption safe harbors in data breach notification laws. The use of encryption safe harbors highlights the different prioritization between sectoral and comprehensive approaches regarding the conflicting interests of corporate compliance and consumer protection.175 The use of encryption safe harbors again highlights the ex ante and ex post purposes176 that are inherent to data breach notification. Comprehensive approaches focus on the ex ante purpose through the encouraged adoption of encryption and other technologies to protect personal information.177 The sectoral approach, on the other hand, focuses on the ex post aim, which attaches greater importance to the minimization of compliance cost burdens by not requiring notification for data breaches that involve the unauthorized acquisition of encrypted personal information. As such, the use of encryption safe harbors for data breach notification purposes in comprehensive legal frameworks encourages the use of encryption as a means to secure personal data per se, thus ensuring the protection of individual rights of control and access to personal information. However, encryption safe harbors in sectoral data breach notification laws use encryption as a compliance cost reduction measure and a market-based incentive for the encouraged adoption of information security procedures.178 These are two different motivations for the use of encryption that reflect the expansive scope of rights-based protections of information privacy laws and the narrow approach of market-based initiatives found in data breach notification laws. These fundamental differences explain why the sectoral approach of data breach notification sits rather uncomfortably in comprehensive frameworks and why the comprehensive element of universal coverage generates such compliance cost-related concerns.

172 Id.

173 Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council amending, among others, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) at 8 (2008).

174 Id. at 8.

175 See, e.g., Winn, supra note 75, at 1161 (regarding the development of the Californian law, "Confronted with the complex, multi-polar institutional framework of business information systems, the California legislature asserted jurisdiction over only two parties and crafted a bi-polar solution that resembles the holding of a case more than it resembles modern regulation: California citizens were given a right of notice of problems occurring at businesses serving them.").

176 Romanosky & Acquisti, supra note 101, at 1061.

177 See, e.g., The Future of Privacy - Joint Contribution to the Consultation of the European Commission on the Legal Framework for the Fundamental Right to Protection of Personal Data at 15-16, Article 29 Data Protection Working Party (2009); Plain English Guidelines to Information Privacy Principles 4-7 at 7, Office of the Privacy Commissioner (Austrl.) (1998).

IV. SHARED HORIZONTAL WEAKNESSES

Along with fundamental differences, both information privacy and data breach notification laws share similar weaknesses, which come more clearly into focus when the conceptual reach of the information covered by the laws is examined. Regulatory action under both laws derives from chains of accountability that seek to link providers, collectors and users of personal information. Moreover, both laws have an overt focus on the regulation of specific types of information, albeit from different conceptual and contextual approaches. These shared weaknesses are illustrated within the context of three major data breaches.

A. THREE ILLUSTRATIVE DATA BREACHES

Three data breaches are examined to demonstrate that individual breaches have different causes and ramifications that require alternative regulatory responses. The introduction of Bennett and Raab's Fallibility Matrix reveals the different causes behind the three breaches, which involve both human and technological errors. However, both data breach notification and information privacy laws have restricted accountability frameworks, which results in limited remedies.

The first example involves the British National Party (BNP) and the leaking of its membership list. The BNP is a right-wing, nationalist political party based in the United Kingdom, and membership of the party is a sensitive issue as some professions preclude membership of the party.179 In 2008, a disgruntled former BNP employee obtained the BNP's membership list without authorization and published the list of roughly 13,500 party members on the Internet.180 The published details included names, addresses, telephone numbers, email addresses and, in some cases, employment details. The list also included the names and ages of children who had become members of the party after a parent had taken out a family membership, and several people who had joined the party at the age of 16.181 The BNP subsequently admitted that the list was inaccurate as it included the names of persons who had never been party members.182

Different organizations and individuals used BitTorrent and social networking websites183 to copy and disseminate the membership list further. Moreover, media organizations and individuals used the membership list to create geo-mashups based on its content. The unauthorized release of the BNP membership list had some serious consequences. Some BNP members lost their jobs184 or received death threats,185 and in one instance a car belonging to the neighbor of a BNP member was mistakenly petrol bombed.186 Media sources reported that two persons were arrested and prosecuted for criminal offences under the Data Protection Act 1998, in a joint investigation with the Information Commissioner's Office, regarding the publication of the list.187

178 See, e.g., REIDENBERG, supra note 117, at 239-40.

179 See ACPO Bans Police from Joining BNP, BBC NEWS, May 19, 2004, http://news.bbc.co.uk/2/hi/uk_news/3930175.stm (regarding the Association of Chief Police Officers (ACPO) ban on membership of the BNP in UK police forces); Christopher Hope, How Many BNP Activists Live in Your Town? Now You Can Find Out, THE DAILY TELEGRAPH, Nov. 20, 2008, available at http://www.telegraph.co.uk/news/newstopics/politics/3484489/How-many-BNP-activists-live-in-your-town-Now-you-can-find-out.html.

180 See generally Ian Cobain, Esther Addley & Haroon Siddique, BNP Membership List Posted Online by Former 'Hardliner', GUARDIAN, Nov. 19, 2008, available at http://www.guardian.co.uk/politics/2008/nov/19/bnp-list; BNP Activists' Details Published, BBC NEWS, May 19, 2008, http://news.bbc.co.uk/2/hi/7736405.stm; Dominic Kennedy & Nico Hines, Thousands in Fear after BNP Members List Leak, THE TIMES, Nov. 19, 2008, available at http://www.timesonline.co.uk/tol/news/politics/article5183833.ece; James Kirkup & Christopher Hope, BNP Membership List Leaked onto Internet, THE DAILY TELEGRAPH, Nov. 19, 2008, available at http://www.telegraph.co.uk/news/newstopics/politics/3479612/BNP-membership-list-leaked-onto-internet.html; Ben Russell, BNP Membership List Published on Internet, THE INDEPENDENT, Nov. 19, 2008, available at http://www.independent.co.uk/news/uk/politics/bnp-membership-list-published-on-internet-1024719.html; James Sturcke, et al., BNP Membership List Leaked Online, GUARDIAN, Nov. 18, 2008, available at http://www.guardian.co.uk/politics/2008/nov/18/bnp-membership-list-leak.

181 See Cobain, Addley & Siddique, supra note 180.

182 See Sturcke, et al., supra note 180 (reporting that data collected and published on the list was of a rather unconventional nature).

183 See Sam Leith, Comments, What's 'Liberal' About Hacking into the BNP?, DAILY TELEGRAPH (London), Nov. 22, 2008, at 30, available at http://www.telegraph.co.uk/comment/columnists/samleith/3563694/Whats-liberal-about-hacking-into-the-BNP.html (regarding publication of personal information from the BNP membership list on Facebook).

The second example involves the pharmaceutical corporation Pfizer. In 2007, the spouse of a Pfizer employee accessed his partner's work-related laptop by using the employee's username and password.188 After he had gained access, the spouse installed an unauthorized software program which enabled access to a peer-to-peer file sharing network.189 The installation of the software was done without the knowledge or consent of the corporation and was against Pfizer's employee policies.190 The laptop held details of 17,000 Pfizer employees and the unauthorized software was configured in such a way that other members of the peer-to-peer network were able to access files containing Pfizer employee details.191 Pfizer was able to determine that the personal information of 15,700 Pfizer employees had been accessed or copied by unknown members of the peer-to-peer network.192 Pfizer was also asked a number of critical questions by the Attorney General of Connecticut, Richard Blumenthal, regarding Pfizer's knowledge of the data breach and the delay in notification to its employees.193 Pfizer replied in depth about the circumstances of the breach but offered no indication as to the reason for the delay in notification.194

184 See 'BNP Membership' Officer Sacked, BBC NEWS, March 21, 2009, http://news.bbc.co.uk/go/pr/fr/-/2/hi/uk_news/england/merseyside/7956824.stm (regarding the sacking of a police officer for being a member of the BNP); Radio Host Exposed in BNP Leak is Axed, LONDON EVENING STANDARD, Nov. 19, 2008, http://www.thisislondon.co.uk/standard/article-23589438-radio-host-exposed-in-bnp-leak-is-axed.do (regarding the sacking of a national talk back radio presenter); Church Asked to Ban BNP Members, BBC NEWS, Jan. 19, 2009, http://news.bbc.co.uk/2/hi/uk_news/7838280.stm (highlighting that the Church of England Synod was considering banning clergy from joining the BNP after it was revealed that clergymen were members of the BNP).

185 See BNP Members 'Targeted by Threats,' BBC NEWS, Nov. 19, 2008, http://news.bbc.co.uk/go/pr/fr/-/2/hi/uk_news/politics/7736794.stm (regarding details of threats received by callers to a BBC radio programme); Ian Watson, Privacy Issues for BNP Members, BBC NEWS, Nov. 19, 2008, http://news.bbc.co.uk/2/hi/uk_news/politics/7737651.stm (regarding the security of BNP members in Northern Ireland and the Irish Republic); Iain Robinson, Death Threats Follow BNP List, THE SENTINEL, Nov. 20, 2008, at 11, available at http://www.thisisstaffordshire.co.uk/news/Death-threats-follow-BNP-list/article-488115-detail/article.html (regarding death threats received by a BNP local councilor); Death Threats as BNP Members are Named, CORNISH GUARDIAN, Nov. 26, 2008, at 22, available at http://www.thisiscornwall.co.uk/news/Death-threats-BNP-members-named/article-499803-detail/article.html (regarding death threats to Cornish BNP members).

186 Police Probe BNP Link to Car Fire, BBC NEWS, Nov. 21, 2008, http://news.bbc.co.uk/go/pr/fr/-/2/hi/uk_news/england/bradford/7741270.stm; Nico Hines, BNP Member Says Family Safety at Risk After Car Explodes Outside Home, TIMES ONLINE, Nov. 21, 2008, available at http://www.timesonline.co.uk/tol/news/uk/crime/article5204727.ece.

187 Two Arrests over Leaked BNP List, BBC NEWS, Dec. 5, 2008, http://news.bbc.co.uk/go/pr/fr/-/2/hi/uk_news/england/nottinghamshire/7768142.stm; BNP List Arrest Pair are Bailed, BBC NEWS, Dec. 10, 2008, http://news.bbc.co.uk/go/pr/fr/-/2/hi/uk_news/england/nottinghamshire/7775631.stm; Ian Johnston, Two Held over BNP Member List Leak, THE INDEPENDENT, Dec. 6, 2008, available at http://license.icopyright.net/user/viewFreeUse.act?fuid=OTg1NDg4Mg.

188 Jaikumar Vijayan, Pfizer Waited Six Weeks to Disclose Data Breach, INFOWORLD, July 18, 2007, http://www.infoworld.com/d/security-central/pfizer-waitedsix-weeks-disclose-data-breach-268.

The final example regards one of the most important and influential data breaches, the ChoicePoint incident. ChoicePoint was a data collection and storage company that held some 19 billion records on US households and citizens.195 ChoicePoint provided access to its databases to legitimate businesses for a subscription fee. At the time of the breach, ChoicePoint had 50,000 subscribing companies, which included insurance agencies, banks, landlords and private detectives.196 In February 2005, criminals posing as a small business applied to ChoicePoint for a subscription to its information services. Once the criminals had subscribed to ChoicePoint's information services, they were able to acquire the personal information of 163,000 persons, including dates of birth, social security numbers and credit reports, to be used for identity theft crimes.

The application forms necessary to access ChoicePoint's data were completed using false information, which the company failed to detect because it had not implemented procedures that confirmed and authorized the identities of potential subscribers.197 ChoicePoint later admitted that 50 business clients to whom it was selling data were fraudulent entities.198 ChoicePoint simply did not have processes in place to identify and monitor unlawful users, despite the fact that it had previously been notified by law enforcement authorities of fraudulent activities arising from some of its subscribers.199 ChoicePoint notified consumers of the incident pursuant to the California law and was subsequently charged by the Federal Trade Commission with failing to provide adequate security and with making false and misleading statements about its privacy policy.200 In total, 800 incidents of identity theft have been attributed to the ChoicePoint data breach.201 ChoicePoint agreed to pay US$10 million in civil penalties and US$5 million in consumer redress to reimburse consumers for expenses due to identity theft.202

189 Martin H. Bosworth, Pfizer Keeps Data Breach Quiet, CONSUMERAFFAIRS.COM, July 17, 2007, http://www.consumeraffairs.com/news04/2007/07/pfizer_data.html.

190 Pfizer, FAQs Related to Pfizer Data Breach: Introduction (2007), http://www.pfizer.com/contact/pfizer_data_breach_introduction.jsp (last visited Sept. 10, 2010).

191 Vijayan, supra note 188; John Leyden, Pfizer Worker Data Leaked via P2P, THE REGISTER, June 14, 2007, http://www.theregister.co.uk/2007/06/14/pfizer_p2p_data_leak/.

192 Vijayan, supra note 188.

193 Letter from Richard Blumenthal to Bernard Nash, Esq., Dickstein Shapiro LLP, re Pfizer Security Breach (June 6, 2007) (on file with the State of Connecticut), http://www.ct.gov/ag/lib/ag/consumers/pfizerdatabreachletter.pdf.

194 Vijayan, supra note 188.

195 See Choicepoint, EPIC.ORG (Electronic Privacy Information Center, Washington D.C.), http://epic.org/privacy/choicepoint/ (last visited Sept. 10, 2010) (regarding the role of ChoicePoint as a data broker); Garcia, supra note 81, at 716 (stating that ChoicePoint collected personal information of consumers, "including names, social security numbers, dates of birth, bank and credit card account numbers, and credit histories, much of which is sensitive and not publicly available").

196 See, e.g., Derek A. Bishop, To Serve and Protect: Do Businesses Have a Legal Duty to Protect Collections of Personal Information?, 3 SHIDLER J. L. COM. & TECH. 7 (2006) (regarding class actions against ChoicePoint); see generally Martin G. Bingisser, Data Privacy and Breach Reporting: Compliance with Varying State Laws, 4 SHIDLER J. L. COM. & TECH. 9 (2008) (regarding the actions of state attorneys general).

B. ONE SIZE FITS ALL CHAINS OF ACCOUNTABILITY

The author contends that both laws have a shared weakness because they are predicated on process-based chains of accountability that seek to provide legislative remedies within the bounds of designated roles involving providers, collectors and re-users of personal information. However, limitations emerge due to the simplistic nature of these chains, which no longer account for the complexities of personal information exchange, and because remedial responses treat different concerns within the same constrained rubric of the accountability framework. The limits of both laws are illustrated when the three data breaches highlighted are examined in greater depth using Bennett and Raab's fallibility matrix,203 which underscores that different types of privacy problems are essentially addressed in the same manner by both laws.

Bennett and Raab developed a simple four cell matrix to examine the source of privacy problems that arise through human and technological fallibilities and infallibilities.204 The authors use the matrix to demonstrate that different types of privacy problems can occur within different cells. For example, Cell I contains most privacy problems, as they involve both human and technological fallibilities, such as the excessive collection of personal information.205 Cell II details a different type of situation, namely where there are no technological or structural problems and the privacy problem occurs due solely to the "workings of human agency."206 Cell III covers the opposite situation to Cell II, where a technological or structural issue, rather than a case of human error, gives rise to privacy problems, such as a deficient data processing system or a malicious hacking attack.207 Finally, Cell IV refers to situations in which both human agents and technological structures perform adequately but this level of performance creates surveillance-related concerns.208 Bennett and Raab also contend that each fallibility axis is a continuum and thus the positioning of privacy problems can be related to any part of each cell.

The latter cell is of less concern to this article as the focus on data breaches naturally requires an examination of personal information leakage. However, the remaining three cells are instructive because they highlight that data breaches, and therefore information privacy problems, arise in different contexts, as outlined in figure 2 below.209 In practice, however, it is likely that most positions will be found nearer the meeting point of the axes rather than the corners of each cell because "few human agents, and few technical systems, are either perfect or imperfect."210

197 See P. N. Otto, et al., The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information, 5 IEEE SECURITY & PRIVACY 15, 18 (2007) (providing a detailed and critical overview of the incident).

198 See Garcia, supra note 81, at 716-717.

199 United States of America (for the Federal Trade Commission) v. ChoicePoint Inc., FTC File No. 052-3069, p. 13 (Stipulated Final Judgment and Order for Civil Penalties, Permanent Injunction, and Other Equitable Relief, January 26, 2006), available at http://www.ftc.gov/os/caselist/choicepoint/0523069stip.pdf.

200 See Samuel Lee, Breach Notification Laws: Notification Requirements and Data Safeguarding Now Apply to Everyone, Including Entrepreneurs, 1 ENTREPRENEURIAL BUS. L. J. 125, 130 (2006).

201 Press Release, Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress (2006), available at http://www.ftc.gov/opa/2006/01/choicepoint.shtm.

202 Id. (outlining details of the settlement); see also Garcia, supra note 81, at 716.

203 BENNETT & RAAB, supra note 20, at 25 (regarding the conceptual basis of the matrix).

204 Id.

205 Id. at 26-27.

206 Id. (citing examples such as "wrong inferences or conclusions from outputs of data produced by the system, whether because of inadequate training, the biases inherent in the pursuit of certain organizational goals, the pressures of reward systems in the organization").

207 Id.

208 Id.

209 Id.

Figure 2 – Application of Illustrative Data Breaches to Bennett and Raab’s Fallibility Matrix

The three example breaches show that even though each breach can be separated into different cells, they nonetheless share overlapping features that make each breach relatively similar. For example, it could be argued that all of the data breaches involved issues of ineffective security, which would tend to suggest a technological or structural failing. It is not surprising to find that each breach locates towards the center of the matrix rather than the periphery. Nevertheless, each data breach highlights that information privacy problems originate in different ways.

The BNP data breach can be located in Cell I because it entails both technological and human failings. First, human infallibilities arose because unnecessary and inaccurate personal information was collected from BNP members and even non-BNP members. Second, technological and structural fallibilities occurred because the disgruntled employee was able to easily acquire and copy the complete membership list without authorization and remove it from the confines of the BNP’s organizational structure. The Pfizer data breach, on the other hand, gives rise to a different problem which locates it in Cell II of Bennett and Raab’s matrix. The initial data breach arose because the employee’s spouse installed unauthorized software which enabled unknown third parties to access and acquire employee personal information without authorization. Accordingly, there was no technological or structural fallibility and the problem solely originated from the actions of the employee’s spouse, who was able to bypass technological protections. The ChoicePoint data breach is an example of a Cell III type privacy concern as it originated from a problem of structural and technological rather than human fallibility. In this case, it was ChoicePoint’s procedures which were at fault. In fact, if ChoicePoint had completed a background check on the criminals, based on its own records, it would have found a link between one of the applicants and previous frauds involving social security numbers.211

210 Id. at 26.

The application of Bennett and Raab’s matrix to these three data breaches is helpful because it demonstrates that data breaches, as information privacy problems, emerge in different ways and contain different contexts. For example, only one of the breaches, the ChoicePoint incident, is directly related to identity theft issues. The BNP data breach, while not giving rise to identity theft issues, clearly gave rise to different forms of harm such as the petrol bombing attack that took place. The Pfizer data breach did not materialize any actual identity theft or other related harms but certainly had the potential to do so.212 However, while the three data breaches have different contexts, all of them involve the insertion of outside third parties that are integral to the emergent privacy problems.

The BNP data breach occurred because of the disgruntled employee’s initial unauthorized acquisition but the real ‘privacy problem’ was the subsequent re-use of the membership list and its publication on the internet by third parties ulterior to the breach. The Pfizer breach, like the BNP breach, demonstrates a layered, emergent problem. The installation of the peer-to-peer software by the employee’s spouse gave rise to the initial privacy concern. However, it is the second unauthorized acquisition by third parties unknown to the breached organization that gave rise to the actual problem. The ChoicePoint data breach is somewhat different in character to the BNP and the Pfizer data breaches because there is less of an emergent problem involving stages of unauthorized access. There was not an initial unauthorized act that gave rise to a series of subsequent and more serious unauthorized acts. Instead, the data breach was mistakenly authorized by ChoicePoint due to the failings of its own security systems. As such, only one act of unauthorized acquisition took place, which involved a different type of ulterior third party: identity theft criminals.

211 See United States of America (for the Federal Trade Commission) v. ChoicePoint Inc., FTC File No. 052-3069 p. 13, (Stipulated Final Judgment and Order for Civil Penalties, Permanent Injunction, and Other Equitable Relief, January 26, 2006), available at http://www.ftc.gov/os/caselist/choicepoint/0523069stip.pdf.

212 Data security breach at Pfizer affects thousands, TechTarget, Sep. 5, 2007, http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1270736,00.html. See, e.g., BLUMENTHAL, supra note 194 (regarding proposed actions for Pfizer to take to mitigate the possibilities of identity theft).

These three incidents show that data breaches involve different types of privacy problems. However, both information privacy and data breach notification laws deal with those problems in a ‘one-size-fits-all’ fashion founded upon narrow chains of accountability and one-dimensional remedies that provide limited help or real redress. For example, previous work has highlighted the limits of information privacy law in dealing with the BNP data breach.213 The analysis of this data breach within the rubric of investigating privacy invasive geo-mashups highlighted the limits of information privacy law. The principal reason is that information privacy law is predicated on predictable, binary chains of accountability between personal information providers, collectors and re-users. However, in this incident the binary relationship between the data provider and the data re-users (Wikileaks and the geo-mashup creators) does not materialize and thus there is no form of redress available against these parties for individual BNP members whose personal information has nonetheless been disclosed by them.

A similar concern arises with the Pfizer data breach, in which there is no relationship at all between the provider of personal information (Pfizer’s employees) and the subsequent re-users (the peer-to-peer members) other than a tangential link via the errant spouse. However, it is clear that these re-users can give rise to serious potential threats even though there is no direct relationship. Information privacy law seems to operate more effectively with the ChoicePoint data breach because this type of breach more readily accords with the imposition of security protections for personal information within a readily identifiable and largely institutionalized focus.214 It is clearly arguable that ChoicePoint failed to implement adequate security measures in relation to the storage of personal information, which is a key element of most information privacy laws.215

213 Burdon, supra note 17, at 35-38 (regarding the ineffectiveness of privacy protections in relation to publication on the internet).

The outside third party in that breach is therefore considered in information privacy laws as being a reasonable eventuality, unlike the third parties in the other two data breaches.216 Information privacy laws overtly focus on the process of personal information exchange rather than the relationships or social contexts involved in that process.217 The law’s focus on process has the benefit of providing a manageable and implementable set of fair information principles that can readily translate to a regulatory mechanism, but it relegates the protection of privacy to limited circumstances and thus greatly reduces the potential scope for legal redress or remedial action. The inherently reductionist scope of information privacy law218 has created the situation in which even legislative rights granted through the law are nonetheless limited because they are based on mechanistic processes of personal information exchange.219

Accordingly, the application of information privacy laws makes it difficult to cope with the insertion of most third parties into the contextual mix of privacy problems even though the transition from binary to multiple information relationships is now an everyday part of life in the information society.

Data breach notification laws, on the other hand, have been developed to tackle a specific substantive issue regarding the mitigation of identity theft risks arising from specified misuses of personal information. In effect, they are less concerned about the process of information exchange and pay less heed to regulating the activities of personal information collectors and re-users by giving personal information providers a set of limited rights. Accordingly, data breach notification laws do not suffer from the same sort of difficulties pertaining to chains of accountability due to their limited focus. If an organization loses control over an individual’s personal information, then it has to notify that individual.220 If a chain of accountability exists, it is a rudimentary one between an organization and an individual regarding the notification of unauthorized acquisition of personal information. However, they do share the same weakness as information privacy laws because they provide a one-size-fits-all remedy.221 Notification may therefore provide a limited remedy.

214 BENNETT & RAAB, supra note 20, at 35 (stating that fundamental classifications under information privacy law are predicated on an institutionalized basis).

215 See, e.g., BYGRAVE, supra note 57, at 67 (regarding the role of information security as a key principle of information privacy laws).

216 Burdon, supra note 17, at 36.

217 See, e.g., BENNETT & RAAB, supra note 20, at 35 (stating that after 30 years of information privacy law there is still very little known about the needs or requirements of ‘data subjects’).

218 See David Lindsay, An Exploration of the Conceptual Basis of Privacy and the Implications for the Future of Australian Privacy Law, 29 MELB. U. L. REV. 131, 165 (2005) (regarding the role of excessive rationalization to minimize the scope of information privacy law).

219 BENNETT & RAAB, supra note 20, at 147 (stating “[information privacy] laws have typically provided procedural rules and devices without greatly tackling many substantive issues concerning the processing of personal data in contemporary society”).

The three data breaches illustrated in this section exhibit different types of problems, demonstrate different types of causes and involve different types of parties who have different motives. Despite these differences, the only remedial response available is notification of the incident. Schwartz and Janger have highlighted a number of criticisms of this remedial aspect of data breach notification laws.222

Notification letters are problematic due to the context in which they are used. For example, ChoicePoint’s notification letters attempted to minimize the extent of the breach and were concerned with damage control for the company rather than the provision of accurate and meaningful information to individuals.223 ChoicePoint was also singled out for significant criticism as its notification letter attempted to sell the company’s credit reference products to those persons who were being notified.224 Notification fatigue may also be a prominent concern as individuals appear to treat notification letters as another form of marketing material and do not read them.225

220 Dealing with a Data Breach, Federal Trade Commission, http://www.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.html (last visited Sept. 14, 2010). See, e.g., St. Amant, supra note 80, at 511 (stating that the Californian law does not require an actual breach or an identity theft element to oblige notification).

221 See, e.g., Bill Lane, et al., Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches, 15 M.A.L.R 149, 164 (2010) (presenting findings of Australian research that questions the effectiveness of remedies provided by data breach notification laws).

222 Schwartz & Janger, supra note 85, at 952.

223 Id.

224 Id. at 953.

225 See PONEMON INSTITUTE, NATIONAL SURVEY ON DATA SECURITY BREACH NOTIFICATION (2005) (regarding a survey of individuals who received notification letters and their subsequent response to those letters).

A greater focus is needed on the context of each individual breach and the remedies appropriate for that breach. For example, in the BNP breach,226 it is questionable whether notification of the breach would have made any difference given the public nature of the membership list’s re-publication. Instead, removal of the published information was required, although this would have been practically very difficult given the extent to which the list was copied and re-used. Accordingly, as Schwartz and Janger highlight, a more emphasized focus on co-ordinated responses to data breaches is required that goes beyond simple and blunt notification strategies.227

However, to do so would require a deeper contextual analysis that is conducted on a case-by-case basis. This contextual analysis may be difficult to implement from a regulatory perspective given the limited role that data breach notification is intended to fulfill, because both data breach notification and information privacy laws have an overt focus on the regulation of information which manifests in the mitigation of limited social harms.

226 It is of course acknowledged that the breach was not required to be notified under UK law.

227 Schwartz & Janger, Notification of Data Security Breaches, supra note 85, at 960.

C. INFORMATION BASED FOCUS & LIMITED HARMS

Both data breach notification laws and information privacy laws are designed to regulate certain types of information. However, there are differences with regard to the inclusion or exclusion of context-based approaches. Information privacy has a wider outlook that generally builds on context dependency and is flexible about what information will be regulated.228 However, while data breach notification laws also regulate certain types of information, they do so from a context independent approach that seeks to negate the application of context-based analysis.229 The reason that both laws use different types of information-based regulation mechanisms is due to their different purposes, as highlighted above. Data breach notification laws regulate a specific type of information to mitigate a specific problem whereas information privacy laws regulate a wider type of information for a potentially wider purpose. As such, both laws regulate specified types of information to preclude certain harms but the harms that they seek to preclude are relatively limited, as demonstrated below.

228 See, e.g., PRIN, supra note 39, at 247-249 (regarding the difficulties in assigning what is personal information under data protection laws within the broad rubric of economic notions of privacy as property).

229 Schwartz & Janger, supra note 85, at 926-927. See Needles, supra note 15, at 281 (regarding the purpose of data breach notification as “the loss of control over a particular type of data which can cause a “measurable economic harm” in the form of identity theft).

Information privacy laws cover personally identifiable information that is generally classified as “personal data”230 or “personal information.”231 The broad purpose of information privacy laws is reflected in how personal information is classified. A key component of information privacy law is that personal information will be construed expansively232 and thus the classification of personal information is potentially a complex task. The complexity stems from the tacit acceptance of the need for context dependent approaches in classifying personal information that go beyond the information itself and require an examination of the social context of information generation.233 For example, the definition of personal information in the Australian Privacy Act has two distinct elements.234 The first element states that personal information is information that makes an identity apparent and the second element is information from which an identity is reasonably ascertainable.235 The first element is a context independent approach because there is no recourse to the context of information generation; the information itself is enough to enable identity. However, the second element offers a different approach. It allows for the situation in which information can be combined with other information to enable identity. Accordingly, the second element relies heavily on social context and this is seen as an integral element of Australian privacy law.236

230 Council Directive 95/46, art. 2(a), 1995 O.J. (L 281) (EC).

231 S6(1) PRIVACY ACT 1988 (Cth) (Austrl.)

232 See, e.g., ARTICLE 29 DATA PROTECTION WORKING PARTY, OPINION 4/2007 ON THE CONCEPT OF PERSONAL DATA (2007) (confirming that a “wide notion” of personal data is to be applied).

233 See, e.g., BOOTH, supra note 137 (providing models of how data protection authorities conceptualize personal information both from a context independent and dependent approach); Burdon & Telford, Conceptual Basis, supra note 137 (applying the models put forward by the Booth Report to Australian legislation); WACKS, supra note 24, at 20 (regarding the normative and descriptive role of personal information).

234 S6(1) PRIVACY ACT 1988 (Cth) (Austrl.) (“[P]ersonal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”).

235 Id. See Burdon & Telford, Conceptual Basis, supra note 137, at 12 (describing both elements within the context of Australian privacy law).

236 See KAREN CURTIS, Speech to the Australian Corporate Lawyers Association on Privacy and 'Walking the Line,' Canberra, (29 February 2009), at http://www.privacy.gov.au/materials/types/download/9473/7038 (“This idea of what can be ‘reasonably ascertained’ is significant. Clearly, whether an individual’s identity can be ascertained depends on the context in which the information is held”).

The issue of harm negation is a key element in the use of context dependent approaches to the classification of personal information. Harm in the eyes of the Australian law is the revealment of identity.237 Accordingly, the law takes an open approach to what constitutes personal information because the harm and the use of such information are directly linked. However, it is acknowledged that not all information privacy laws have an identity-related focus and some laws require a type of privacy-related harm above and beyond the revealment of identity.238

Data breach notification laws attempt to mitigate the specific harm of identity theft and they do so by regulating specified forms of personal information in combination with other information. For example, although the California law requires notification upon the unauthorized acquisition of personal information, the definition of personal information is different to those found in most comprehensive information privacy laws because it seeks to negate a context dependent analysis. As such, personal information under the California law is

[A]n individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.239

The California law is therefore solely concerned with combinations of personal information that can be used to give rise to identity theft harms. Some US state-based laws have attempted to expand definitions to include other identifying information, for example, biometric information,240 passport number241 and account passwords or other access codes.242 The North Carolina law has one of the most expansive definitions relating to “identifying information” that also includes digital signatures, parents’ former legal surname243 and email addresses, amongst others.244 The Texas law recognizes both “personally identifying information”245 and “sensitive personal information.”246 The former can be information that does not require cross-referencing with other information to trigger notification of a data breach, whereas the latter requires the combination of personal information and other identifying details. Likewise, the New York law incorporates both “personal information”247 and “private information”248 and the latter is the type of information normally covered by data breach notification laws. The purpose of the different definitions in the New York law is to clearly identify what will be constituted as personal information for combination with private information to create a specified sub-set of regulable information. As such, all of these laws specify the types of information or combinations of information that, when breached, could give rise to an obligation to notify. What constitutes personal information within the rubric of data breach notification is therefore deliberately constrained.249

237 See Burdon & Telford, Conceptual Basis, supra note 137, at 17-20 (regarding a review of Australian legislation and confirming the centrality of identity revealment in Australian privacy law).

238 See, e.g., BOOTH, supra note 138, at 95-102 (regarding different conceptualizations of harm).

239 CAL. CIV. CODE § 1798.29(E). See also Bingisser, supra note 197 (regarding an overview of differences).

240 See, e.g., NEB. REV. STAT. §§ 87-801(5)(e) (2006).

241 See, e.g., MONT. CODE ANN. § 30-14-1704 (2006) (5)(B)(4); OR. REV. STAT. § 646A.600 (2007).
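Because the California definition quoted above and the New York “private information” definition at note 248 are context independent, whether a breached record falls within them can be decided mechanically from the data elements it contains and their encryption status, which is the predictability the text credits such definitions with; the same check also shows how a record of the membership-list kind (name, address, affiliation) falls outside both definitions even though its exposure is harmful. The following Python is an added illustration for breach triage, not code from the thesis or from either statute: the Element names, the Field and Record types, the key_acquired flag used to model the New York wording (“encrypted with an encryption key that has also been acquired”), the literal reading of “either the name or the data elements are not encrypted”, and the sample records are all constructed assumptions.

```python
"""Breach-notification trigger check for context-independent definitions.

Models the California (Cal. Civ. Code § 1798.29(e)) and New York (N.Y. Gen.
Bus. Law § 899-aa) definitions as quoted in the surrounding text. Element
names, the Record type and the sample records are constructed for
illustration and are not drawn from either statute.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Element(Enum):
    """Kinds of data element a breached record may hold (constructed names)."""
    NAME = auto()             # first name or first initial plus last name
    SSN = auto()              # social security number
    DRIVERS_LICENSE = auto()  # driver's licence or state ID card number
    ACCOUNT_NUMBER = auto()   # account, credit or debit card number
    ACCESS_CODE = auto()      # security code, access code or password for that account
    ADDRESS = auto()          # not a trigger element in either definition
    EMAIL = auto()            # not a trigger element in either definition
    MEMBERSHIP = auto()       # e.g. party membership; not a trigger element


@dataclass(frozen=True)
class Field:
    element: Element
    encrypted: bool = False
    key_acquired: bool = False  # NY wording: the encryption key was taken too


Record = list[Field]  # a breached record is the list of its fields (constructed)


def _readable(f: Field, key_counts: bool) -> bool:
    """Exposed if stored in the clear, or (NY only) encrypted with a key the
    acquirer also obtained."""
    return (not f.encrypted) or (key_counts and f.key_acquired)


def _present(record: Record, element: Element) -> list[Field]:
    return [f for f in record if f.element == element]


def _qualifying_elements(record: Record) -> list[Field]:
    """Elements that, combined with a name, are listed in both definitions: SSN,
    driver's licence/ID number, or an account number accompanied by the access
    code that would permit use of the account."""
    quals = _present(record, Element.SSN) + _present(record, Element.DRIVERS_LICENSE)
    if _present(record, Element.ACCESS_CODE):
        quals += _present(record, Element.ACCOUNT_NUMBER)
    return quals


def triggers_notification(record: Record, key_counts: bool) -> bool:
    names = _present(record, Element.NAME)
    quals = _qualifying_elements(record)
    if not names or not quals:
        return False
    # Literal reading of the quoted wording ("either the name or the data
    # elements are not encrypted"): covered unless the name and every
    # qualifying element are protected. For triage this is also the
    # conservative choice.
    name_exposed = any(_readable(n, key_counts) for n in names)
    element_exposed = any(_readable(q, key_counts) for q in quals)
    return name_exposed or element_exposed


def triggers_california(record: Record) -> bool:
    """Cal. Civ. Code § 1798.29(e) as quoted: encrypted data does not count."""
    return triggers_notification(record, key_counts=False)


def triggers_new_york(record: Record) -> bool:
    """N.Y. Gen. Bus. Law § 899-aa(1)(b) as quoted: encrypted data counts when
    the encryption key was also acquired."""
    return triggers_notification(record, key_counts=True)


def assess(record: Record) -> dict:
    return {"california": triggers_california(record),
            "new_york": triggers_new_york(record)}


# Constructed sample records; none describes a real incident.
SAMPLE_RECORDS = {
    # name and SSN in the clear: the classic identity-theft combination
    "name_ssn_plaintext": [Field(Element.NAME), Field(Element.SSN)],
    # name, address and affiliation only: harmful if published, but no listed element
    "membership_list": [Field(Element.NAME), Field(Element.ADDRESS), Field(Element.MEMBERSHIP)],
    # everything encrypted, but the key left with the data
    "encrypted_key_taken": [Field(Element.NAME, encrypted=True, key_acquired=True),
                            Field(Element.SSN, encrypted=True, key_acquired=True)],
    # account number without the code that would permit access to the account
    "account_no_code": [Field(Element.NAME), Field(Element.ACCOUNT_NUMBER)],
    "account_with_code": [Field(Element.NAME), Field(Element.ACCOUNT_NUMBER), Field(Element.ACCESS_CODE)],
    # listed identifier with no name attached
    "ssn_only": [Field(Element.SSN)],
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(f"{label:22s} {assess(rec)}")
```

The two definitions differ only in how encryption is treated, so both are instances of one rule with a single switch; the membership_list record is the case the text returns to later, where a breach with clear real-world harm produces no obligation to notify because none of the enumerated elements is present.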

242 See, e.g., ALASKA STAT. § 45.48.010 (Michie 2009); D.C. CODE ANN. § 28-3851 (2007); GA. CODE ANN. §§ 10-1-911 (2005); IOWA CODE § 715C.1 (2008); N.C. GEN. STAT. §§ 75-60 (2005); ME. REV. STAT. ANN. 10, §§ 210-B-1346 (West 2007); 9 VT. STAT. ANN. §§ 2430 (2007).

243 See also N.D. CENT. CODE §§ 51-30-01 (2005).

244 N.C. GEN. STAT. §§ 75-60 (2005).

245 TEX. BUS. & COMM. CODE § 48.002(1) (2008).

246 Id. at § 48.002(2).

247 N.Y. GEN. BUS LAWS §§ 899-aa (2005) §1(a). (“Personal information” shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person”).

248 Id. at §1(b). (“Private information” shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: (1) social security number; (2) driver's license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password).

249 See St. Amant, supra note 80, at 526 (criticizing this approach and calling for flexible definitions of personal information similar to comprehensive information privacy legal regimes).

Data breach notification proposals that have been put forward in comprehensive information privacy laws also have a context independent approach as to what information will trigger notification. For example, the data breach notification proposal put forward by the Australian Law Reform Commission (ALRC) uses a new form of information called “specified personal information” that is designed to limit the broad-ranging definition of personal information in the Privacy Act for data breach notification purposes. Specified personal information prescribes combinations of information that would “when acquired without authorization, give rise to a real risk of serious harm requiring notification.”250 According to the ALRC, such information is likely to include an individual’s name and address in combination with other identifying information that could enable a person to commit an “account takeover” or “true name fraud” while recognizing that other harms can also arise.251 The ALRC’s approach to information that could oblige notification is in some respects similar to that of US state-based data breach notification laws as it is largely founded upon a context independent approach to classifying sensitive personal information.

The EU has taken a different approach in the e-Privacy Directive.252 The e-Privacy Directive differs substantially from the purpose of US data breach notification laws as it has a much wider ambit about the type of situations and the sort of information that will trigger notification of a data breach.253 However, it is limited in the sense that it only covers data breach incidents in the telecommunications sector.254 The e-Privacy Directive simply states that notification is required where there is a breach of network security that lies beyond the provider to remedy.255 The e-Privacy Directive is potentially more expansive than its US data breach legislative counterparts because it does not require a specified type of information to trigger notification. The European Commission has recently addressed this point by putting forward a new version of the e-Privacy Directive which amends the existing security breach notification requirements.256 A provider of publicly available electronic communications services will now have to notify a competent national authority about a personal data breach.257 The definition of a personal data breach is

“[a] breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.”258

The e-Privacy Directive now focuses mandatory data breach notification on situations that (a) relate to personal data, (b) involve specified unauthorized uses of personal data and (c) personal data is stored or processed in connection with a publicly available electronic communications service.259 Nevertheless, the definition of a personal data breach is still reliant upon the definition of personal data in the Data Protection Directive.260 The EU consequently differs from both the US and the Australian approaches to data breach notification because it does not include a specifically modified definition of personal data (or information) for the purposes of data breach notification. Moreover, the definition of personal data under Article 2(a) is to be construed expansively rather than prohibitively and therefore has a fundamentally context dependent element.261

250 AUSTRALIAN LAW & PRACTICE, supra note 6, at 1693.

251 Id. at 1694.

252 Council Directive 2002/58/EC.

253 See, e.g., Preston and Turner, supra note 63, at 463-464 (commenting on the “organic development” of EU privacy legislation and the application of general data protection rules to the telecommunications sector in the e-Privacy Directive).

254 Id.

255 Council Directive 2002/58/EC, Art. 20 (“Service providers should take appropriate measures to safeguard the security of their services, if necessary in conjunction with the provider of the network, and inform subscribers of any special risks of a breach of the security of the network.”).

256 See Commission Proposal for a directive of the European Parliament and of the Council amending Directives 2002/22/EC on universal service and users' rights relating to electronic communications networks and services and 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on consumer protection cooperation, at 2 COM (2007) 698 [hereinafter Updated E-Privacy Directive] (adopted at the GAERC Council of 26/10/2009).

257 Id. at 33.

258 Id.

259 See, e.g., Burdon, et al., Mandatory Notification of Data Breaches, supra note 5, at 127 (regarding the potentially problematic application of data breach notification in the Directive).

260 See Council Directive 95/46, art 2(a), 1995 O.J. (L 281) (EC) (“’[P]ersonal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”).

261 See generally ARTICLE 29 DATA PROTECTION WORKING PARTY, OPINION 4/2007, supra note 232.

A context independent approach can have some benefits because it is possible to predict what information will constitute personal information as it is pre-defined by regulatory authorities.262 However, an overt focus on types of information to stimulate regulatory activity can produce anomalies because it forsakes a contextual analysis of information generation. For example, some data breaches would not be covered even though they could have significant ramifications. This point is demonstrated by the BNP data breach.263 There is little doubt that the BNP data breach should meet most of the requirements for notification under a data breach notification law as there was an unauthorized acquisition of personal information and there were clearly harms and risks arising from the breach. However, under most data breach notification laws, the breached organization would not have to notify an individual about the breach because the type of information that was breached would not necessarily trigger a notification requirement.

262 See BOOTH, supra note 137, at 12 (emphasizing that a “context independent” approach facilitates consistency because it would not require analysis outside of the data at issue).

263 BNP members 'targeted by threats,' BBC News (Nov. 19, 2008), http://news.bbc.co.uk/2/hi/uk_news/7736794.stm.

In the BNP data breach, the type of personal information breached did not entail personal information that would necessarily enable identity theft, such as a credit card or bank account number. Thus, under US state-based laws, there would not be a legal requirement to notify because the BNP breached data would not meet the determinant threshold required for publication, namely, that the breached data gives rise to a risk of identity theft. The same is less so with regard to the ALRC’s proposal as it acknowledges that wider harms than identity theft are applicable. However, and somewhat perversely, under Australian information privacy law, the Internet is construed as a generally available document and the Privacy Act would not have applied because personal information published would be construed as a

generally available record and thus is exempt from the Act.264

The BNP example shows the limits of an overt focus on the types of personal information that is predicated on a context independent approach which seeks to minimize the complexities of social context as part of the fulfillment of legislative obligations. Data breach notification laws, whether sectoral or comprehensive, have such a limited view of what constitutes harm that they preclude a range of data breaches, like the BNP data breach, even though material harms and risks arose to those persons whose information had been accessed without authorization. This highlights the weaknesses of analysis that is focused predominantly on information and the process of information exchange and not the context in which the information is used.265 Even the e-Privacy Directive, which has a more expansive, context dependent approach to the classification of personal information, would encounter problems with this data breach266 due to the fact that the Directive only covers organizations in the telecommunications sector267 and would therefore not have applied to the BNP.

Potential weaknesses of data breach notification law that is founded on a sectoral approach can still exist when implemented within comprehensive frameworks. The effect of a purely context independent approach is to minimize the scope of data breach notification either by developing restrictive forms of personal information or by reducing the scope of coverage to particular sectors.268 However, this minimization can reduce the effective potential of data breach notification because it provides bounding limits to the obligation to notify. The definition of personal information in the Australian Privacy Act269 demonstrates that a context independent and dependent approach can work together, but that does not mean that the former can be imposed upon the latter without any significant consequences. Data breach notification can work in comprehensive information privacy frameworks but it will produce anomalies if it is implemented from a context independent perspective. The complex issue of contextualization is thus fundamental to the effectiveness of regulatory remedies in relation to data breaches.

264 The ALRC examined whether personal information held within a generally available publication should be regulated under the Privacy Act. Currently, the Act only covers personal information held in records, and a generally available publication, such as most public registers or telephone address books, is not classed as a record, so such publications are not covered within the auspices of the Act. As regards publication of personal information on the Internet, the determining factor to decide whether a publication is generally available online is “whether access to that publication [e.g. a website] can be obtained by public.” As such, a website that has encryption and password protections is not considered generally available and therefore may be subject to the Privacy Act, whereas a website without such protections is not subject to the Act because it is a publication that can generally be obtained by the public. The ALRC contended that it was not appropriate to enforce greater restrictions on the use of personal information on the Internet by tightening regulation of personal information held in ‘generally available publications’, e.g. websites. However, the ALRC stated that both organizations and agencies should be encouraged to put restrictions on the publication of personal information in electronic form. See AUSTRALIAN LAW & PRACTICE, supra note 6, at 462.

265 See, e.g., Solove, Conceptualizing Privacy, supra note 34, at 1110 (“The theory's focus on information, however, makes it too narrow a conception, for it excludes those aspects of privacy that are not informational”).

266 UPDATED E-PRIVACY DIRECTIVE, supra note 257.

267 Id.

V. INTRODUCING CONTEXTUALIZATION

The above analysis highlights concerns relating to the underlying approaches of both laws that seek to minimize the role of social context. Consequently, the legislative requirements of both laws focus upon restricted notions of harms, confined types of regulable information and one-size-fits-all conceptions of how problems emerge and how they are to be remedied. However, the inclusion of a wider contextual analysis into the application of both laws produces a different perspective. First, it highlights that information privacy law needs to pay greater heed to issues of privacy rather than issues of personal information management. Second, it highlights that data breach notification law should be considered as part of a wider concern that relates to the societal use of critical information infrastructures that entail the protection of personal information.

A. THE CONTEXTUAL ELEMENT

The social context of information generation and provision is a latent but ever-present component of information privacy that is directly or indirectly recognized by different laws.270 For example, Bennett and Raab contend that the content and provision of a privacy right is inherently dependent on the context of social application and is thus applied subjectively by individuals to their own circumstances.271 Allen offers a different view of information privacy and social context that is intimately bound with the creation, development and maintenance of social relationships.272 Privacy is “down time” that provides the space for reflection and thus allows individuals to prepare themselves for their wider social responsibilities within the context of their own lives.273 Schoeman also outlines that the wider concept of privacy is part of a “historically conditioned, intricate normative matrix with interdependent practices” and is best understood when viewed contextually.274 Privacy as a social practice thus shapes individual behavior in conjunction with other social practices and it is “central to social life.”275 Likewise, Moor and Tavani also acknowledge the importance of “situations” in deciding when an individual has a condition that is equivalent to privacy.276 However, the notion of a situation is characterized as “deliberately indeterminate or unspecified” so that it can be construed in a number of different ways in circumstances that would normally be regarded as private.277

One of the most recent and perhaps fullest accounts of the importance of context in the regulation of information privacy is Nissenbaum’s Privacy in Context278 which outlines and expands the theory of Contextual Integrity.279 Nissenbaum puts forward an analytical framework to examine potential privacy concerns arising from the introduction of new technologies or technological structures principally involving the use of personal information.280 Privacy is sufficiently important to the continued existence of social and political life that it cannot be compartmentalized and reduced in social importance.281 Instead, contextual integrity represents privacy as a “delicate web of constraints”282 relating to flows of personal information that balances the multiple political and social spheres of human life. An attack on individual privacy is therefore an attack at the “very fabric of social and political life.”283 Privacy in this regard is not a claim regarding an individual’s control of their personal information but rather entails a right to appropriate flow of personal information which is systematically grounded in the characteristics of social situations.284

268 Burdon, supra note 137.

269 Privacy Act, 1988, pt. III, div. 3, 16B (Austl.).

270 See BOOTH, supra note 137, at 10-11 (highlighting that a context dependent approach to the identification of personal information is a key element of some information privacy laws).

271 BENNETT & RAAB, GOVERNANCE OF PRIVACY, supra note 20, at 9 (“But for the most part, the content of privacy rights and interests have to be defined by individuals themselves according to context”).

272 Anita L. Allen, Coercing Privacy, 40 WM. & MARY L. REV. 723 (1999).

273 Id. at 739-40 (The value of privacy therefore lies in “the context in which individuals work to make themselves better equipped for their familial, professional, and political roles.”); see also FERDINAND DAVID SCHOEMAN, PRIVACY AND SOCIAL FREEDOM (Cambridge University Press 1992) (regarding the role of privacy in the balancing of social freedoms and an individual’s need to be part of a “human context.”).

274 SCHOEMAN, supra note 274, at 137.

275 Id.

276 Moor, supra note 35, at 30 (stating privacy is normatively prevalent if an individual or group is protected from intrusion, interference and access by others).

277 Tavani, supra note 18, at 10 (explaining the role of Moor and Tavani’s Restricted Access/Limited Control (RALC) theory).

278 HELEN NISSENBAUM, PRIVACY IN CONTEXT: TECHNOLOGY, POLICY, AND THE INTEGRITY OF SOCIAL LIFE (Stanford Law Books 2010) [hereinafter PRIVACY IN CONTEXT].

279 Helen Nissenbaum, Privacy as Contextual Integrity, 79 WASH. L. REV. 119 (2004).

280 NISSENBAUM, PRIVACY IN CONTEXT, supra note 278, at 6-7.

Contextual Integrity is therefore based on social context and gains expression through its primary concept, context-relative informational norms. These norms reflect entrenched expectations that govern flows of personal information in everyday life. Accordingly, a breach of privacy under the theory of Contextual Integrity equates to a violation of an established informational norm.285 These norms are characterized by the following four key parameters.286 Contexts provide a backdrop for norm development and feature an array of components287 that abstractly represent the experienced social structures of everyday life.288 Actors are those participants involved in the direct context of information exchange: senders and receivers of information and information subjects.289 However, the types of relationship that each party has with each other are not fixed, and it is acknowledged that both individuals and organizational representatives can have different capacities in different situational circumstances.290 Attributes refer to the type or nature of the information in question.291 For example, the same type of information can have different meaning or application in different contexts.292 Finally, transmission principles provide a constraint on the flow of information from party to party in a given context by stipulating terms and conditions which govern the transfer of personal information.293

These parameters are embedded within informational norms which in turn are embedded within different social contexts.294 Flows of information are intrinsic to human society and informational norms regulate these flows within the context of socially expected information uses and within socially specified situations. As such, different parameters come to the fore in different social contexts and in the guise of different privacy-related problems. For example, in a context of information exchange amongst friends, there are expected transmission principles, namely that the personal information exchange is usually volunteered freely and there are certain trust-based expectations about how that information will or will not be used. However, the medium of exchange can impact upon friend-based transmission principles, especially in situations involving a broader and thus less controlled transmission of personal information.295 Likewise, the provision of the exact same personal information is likely to vary between the context of a patient to doctor relationship during a medical consultation compared to an interviewee to interviewer relationship in relation to an employment application. The analysis of informational norms and component parameters is best conceived as juggling balls296 that move in sync with different emphases placed on different balls depending on the social context involved and the privacy concern emanating.

281 Id. at 128.

282 Id.

283 Id.

284 Id. at 129.

285 Id. at 140.

286 Id.

287 Id. at 132 (defining the components as canonical “activities, roles, power structures, norms (or rules) and internal values (goals, ends, purposes)”).

288 Id. at 134.

289 Id. at 141.

290 Id. at 143. Nissenbaum contends that an actor in one situation may not act in the same way as in another, for example, the difference between an actor in a “businessman to employee” relationship compared to a “parent to child” relationship. Accordingly, the capacity within which an actor may act has an “innumerable number of possibilities.”

291 Id. at 144.

292 Id. See, e.g., Burdon, et al., Encryption Safe Harbours, supra note 71 (contrasting the different requirements for the loss of personal information involving different types of data breach).

293 NISSENBAUM, PRIVACY IN CONTEXT, supra note 278, at 145.

294 Id.

295 Id. at 145-6 (describing the characteristics of friend-based transmission principles as voluntary sharing of information, in combination with locally relative prohibitions on information use which thus provide confidential settings for sharing information between friends). Accordingly, the provision of personal information directly between an individual and other friends via email and one via open Facebook pages impacts upon the applicability of friend-based transmission principles. The prospect of uncontrolled, wider distribution may in itself act as a factor upon the release of information because there is less control over transmission principles.

296 NISSENBAUM, PRIVACY IN CONTEXT, supra note 279, at 145.

The introduction of contextualization consequently adds a sophisticated and multi-dimensional element to conceptualizations of ‘privacy problems.’ Nissenbaum developed the theory of Contextual Integrity as a “framework for determining, detecting, or recognizing when a [information privacy] (sic) violation has occurred.”297 To do so requires a comparison between entrenched and novel practices to adduce whether there has been a violation of context-relative informational norms.298 Privacy in Context is a valuable addition to the literature in that regard as it cements the importance of contextualization in the examination of concerns relating to the provision, protection and use of personal information. However, Nissenbaum acknowledges that much work has yet to be undertaken about how Contextual Integrity can apply to existing information privacy legal regimes, especially comprehensive frameworks.299

The purpose of introducing Nissenbaum’s work into this article is not to provide a framework for specifically assessing the weaknesses of information privacy and data breach notification laws but rather to reinforce the importance of applying social context to laws that govern the protection of personal information. The recognition that information privacy issues have a contextual element is integral because it focuses greater attention on key foundation stones, namely, social relationships, expectations of social and legal norms and the differing, subjective values of privacy that emanate in different guises and in different social circumstances. Privacy regulation has many singular facets that involve diverse parties that have dissimilar values relating to the protection of privacy, both at a societal and individual level. The protection of personal information is consequently an essentially contestable issue and is determined in fluid rather than static environmental circumstances. Laws that involve the protection of personal information need to be cognizant of the wider social contexts involving the creation, exchange and re-use of personal information. However, as highlighted in this article, both information privacy and data breach notification laws forsake a context dependent approach and focus on deterministic modes of regulation that overtly focus on specified types of information and management processes. The final sub-sections of this article incorporate ideas of contextualization to suggest new courses of action.

297 Id. at 148.

298 Id. at 148-149.

299 Id. at 238. Nissenbaum suggests that her theory of contextual integrity may be more suited to sectoral frameworks because “it embodies informational norms relevant to specific sectors, or contexts, in the law.”


B. MORE PRIVACY, LESS INFORMATION

The introduction of a contextual analysis assists to highlight that information privacy problems in relation to data breaches are not simply related to a loss of control over personal information. Instead, problems emerge from the breakdown of social relationships, and these relationships vary from context to context and data breach to data breach. For example, the three illustrative data breaches employed in this article show that information privacy problems involve auxiliary third parties that are typically beyond the accountability framework of information privacy law. The BNP data breach300 showed that the actual privacy problem was exacerbated by the advent of geo-mashup creations which not only increased the number of generative sources available but provided a different context on how the list was used.301 The Pfizer data breach,302 on the other hand, involved two third parties ulterior to the context of personal information provision, storage and use: the Pfizer employee’s spouse and the peer-to-peer users. Finally, the ChoicePoint breach303 involved identity theft-related criminals that were able to acquire individuals’ personal information due to the lack of adequate security provided by the corporation.

The application of a contextual analysis, especially within the framework of Bennett and Raab’s infallibility matrix,304 demonstrates that data breaches as information privacy problems are predicated upon multiple rather than binary relationships and that the mechanics of privacy-related problems arising from data breaches can manifest outside the chain of accountability created by information privacy law. Moreover, information privacy laws find it difficult to acknowledge the importance of multiple relationships in regard to data breaches because information privacy law is postulated on the regulation of information management processes involving defined parties. Accordingly, the issue is not about the length or strength of an accountability chain between singular parties. Rather, the issue regards how information privacy law attempts to identify and reconcile situations that are deemed to be ‘privacy problems.’ It is this deeming and reconciliation that is the ultimate limitation of information privacy law because it is management processes rather than social relationships that are deemed to be the problem. Regulatory remedies therefore focus on the provision of limited rights of control or access to that process as opposed to the provision of remedies to actual privacy concerns. Thus, for example, a BNP member has no redress against a geo-mashup creator and a Pfizer employee is in the same position against a member of a peer-to-peer network.

300 See Burdon, First Generation Laws, supra note 17, at 12.

301 See, e.g., id. at 37 (outlining the role of geo-mashup creation in the data breach).

302 See PFIZER, supra note 191.

303 See P.N. Otto, et al., supra note 198.

304 See BENNETT & RAAB, GOVERNANCE OF PRIVACY, supra note 20, at 25-26.

However, the ChoicePoint data breach provides a different perspective as it involves an ever-present figure that is partially recognized by the security principles of information privacy law – the computer hacker or identity theft criminal. The security principles of information privacy laws require organizations to maintain levels of adequate security regarding the storage and transfer of personal information.305 An individual who provided personal information to an organization was reassured that their personal information would be secured. Expectations are such now that if an organization has a database of personal information then that organization must expect an unauthorized attempt to access or acquire it. This is a new information security reality of our life in the information society. The inclusion of the hacker/identity theft criminal as an ever-present third party as a part of the contextual situation of personal information exchange therefore brings into play a third party separate to the accountability framework of information privacy law that is at least tangentially foreseeable. In turn, the enhanced identification of third parties touches on a further significant benefit of a contextual approach as it recognizes the possibilities for wider informational harms and injustices than those currently envisaged by information privacy laws.306

305 See, e.g., BYGRAVE, supra note 57, at 68 (regarding the role of information security principles in data protection laws).

306 See Bellia, supra note 110, at 898 (contending a requirement for a wider notion of dignitary harms that goes beyond material harms relating to identity theft).

Nissenbaum incorporates van den Hoven’s account of privacy, which provides four moral justifications for information privacy (informational harms, informational inequality, informational injustice and encroachment on moral autonomy) in order to prevent further harms and thus promote equality, justice and personal autonomy.307 Informational harms acknowledge that a much greater span of harms can arise from the unauthorized or illicit use of many types of personal information in many different ways.308 Harms consequently do not simply involve identity theft-related issues but can cause fear and anxiety to individuals which can lead to a withdrawal from social life.309 Informational inequality recognizes that information asymmetries exist between different parties and therefore social benefits can be accrued disproportionately.310 Individuals may provide their personal information to organizations but by and large they are generally unaware about organizational uses of personal information and have limited roles of involvement in essentially market-based informational structures.311 The notion of inequality is important because it brings to the fore an analysis of power relationships which is largely a latent aspect of the information privacy law literature.312

Informational injustice refers to the importance of personal information remaining within the contextual sphere within which it was created and disseminated.313 For example, a recent study by Microsoft about the employment checks conducted by human resources departments in four different countries found that forty three percent of US departments had rejected a prospective candidate based on comments provided by the candidate’s ‘friends’ on Facebook.314 This ‘trial by friends’ would thus be considered an informational injustice because it not only takes information from one context and applies it in another but the use of information in this way ignores the crucial role of context and meekly accepts that what is being said is representative of an individual.315 Finally, encroachment on moral autonomy is linked to the situation just described as it seeks to protect an individual’s capacity to shape his or her own life without undue interference and pressure to conform to some ascribed social norm.316

307 NISSENBAUM, PRIVACY IN CONTEXT, supra note 278, at 78. See, e.g., Jeroen van den Hoven, Privacy and the Varieties of Moral Wrong-Doing in an Information Age, 27 SIGCAS Comput. Soc. (1997); Jeroen van den Hoven, Information Technology, Privacy and the Protection of Personal Data, in INFORMATION TECHNOLOGY AND MORAL PHILOSOPHY (Jeroen van den Hoven & John Weckert eds., 2008).

308 Id.

309 For example, a data breach concerning sensitive law enforcement related information provided by informers can have serious consequences that include threats or loss of life. See, e.g., Michael Isikoff, Missing: A Laptop of DEA Informants, NEWSWEEK, June 7, 2004, available at http://www.newsweek.com/id/53958 (regarding the loss of a laptop containing informant details relating to investigations conducted by the Drug Enforcement Administration in the US); MoD Inquiry After Laptop Stolen from Headquarters, BBC NEWS, Dec. 12, 2009, available at http://news.bbc.co.uk/2/hi/uk_news/8409363.stm (regarding the theft of a laptop from MoD headquarters in the UK); and Previous Cases of Missing Data, BBC NEWS, Dec. 12, 2009, available at http://news.bbc.co.uk/2/hi/uk_news/8409405.stm (regarding other instances of security failures involving laptops and sensitive UK government information).

310 NISSENBAUM, PRIVACY IN CONTEXT, supra note 278, at 79.

311 See generally Daniel J. Solove, Privacy and Power: Computer Databases and Metaphors for Information Privacy, 53 STAN. L. REV. 1393 (2001) (regarding a conceptual overview of the imbalance of power between individuals and corporations).

312 See, e.g., Rosa Ehrenreich, Privacy and Power, 89 GEO. L. J. 2047, 2055 (2001) (regarding the unacknowledged role of power in privacy law).

313 NISSENBAUM, PRIVACY IN CONTEXT, supra note 278, at 80.

The relational and harm elements of a greater contextual approach are instructive because they highlight some fundamental limits of information privacy law. Information privacy should not just relate to problems regarding the governance of a management process.317 Instead, information privacy should focus on problems that are inherently related to social relationships and their management.318 Information privacy is therefore a key issue in society because it allows space for individuals to generate and fix their identity within a wider social sphere. Accordingly, within the context of data breaches and how information privacy law responds to such issues, this article contends that a contextual approach is required and a greater focus on privacy rather than information is needed. Contextualization thus recognizes the wider relational and harm issues that can arise through a context dependent analysis. Data breach concerns are not fixated on specific types of personal information.319 Information privacy problems do not simply involve providers, collectors and users of personal information. Regulatory and legislative remedies do not merely entail simplistic solutions of redress in information management processes. However, the problem with contextualization is that it requires a much greater legislative, regulatory and judicial input than information privacy law currently allows. This point is addressed in the final sub-section of the article, in which a different view is put forward of the important role that data breach notification could have within the regulatory guise of protecting critical information infrastructures.

314 See Daniel Solove, Googling Employees: Why Your Online Reputation Matters, http://www.concurringopinions.com/archives/2010/03/googling-employees-why-your-online-reputation-matters.html (last visited Sept. 10, 2010) (outlining the details of the study).

315 See, e.g., Solove, supra note 311, at 1421 (regarding the dangers of digital dossiers and how bureaucracies relate database information to an accurate and entire view of individuals).

316 NISSENBAUM, PRIVACY IN CONTEXT, supra note 278, at 80.

317 See PRISCILLA M. REGAN, LEGISLATING PRIVACY: TECHNOLOGY, SOCIAL VALUES, AND PUBLIC POLICY 230 (The University of North Carolina Press 1995) (“privacy is becoming less an attribute of individuals and records and more an attribute of social relationships and information systems or communication systems”).

318 BENNETT & RAAB, GOVERNANCE OF PRIVACY, supra note 20, at 25.

319 See, e.g., ST. AMANT, supra note 80, at 523 (highlighting that the revelation of personal health information can be as detrimental to an individual as financial information).

C. FROM DATA BREACH NOTIFICATION TO THE PROTECTION OF CRITICAL INFORMATION INFRASTRUCTURES

As highlighted throughout this article, data breach notification laws are intended to fix the specific problem of identity theft threats arising from data breaches involving personal information through the mandatory notification of breaches to individuals. The laws also have an auxiliary aim of producing socially optimal side effects through the enhancement of corporate information security practices. Previous sections of this article have highlighted the limits of data breach notification law in sectoral regimes and data breach notification schemes implemented within comprehensive information privacy legal frameworks. Despite the issues highlighted in this article, it must be noted that data breach notification laws appear to have been a resounding success.320 They have unearthed a previously hidden social problem that has the capacity to negatively affect the lives of millions of people. Information privacy laws as applied in both sectoral and comprehensive frameworks are seriously lacking as regards the imposition of legal obligations entailing the adequate protection of personal information. Accordingly, data breach notification laws have potential value and possibly much to offer. In concluding this article, the author asserts that the real problem with data breach notification is that the concept is too narrow because it has a limited notion of harm and it is purposively constrained by an overly context independent approach to the type of information regulated.

320 See, e.g., Winn, supra note 75, at 1133 (noting the “tidal wave” of notifications thus making the “problem of inadequate information security . . . visible” while detailing potential problems with data breach notification law).

Data breach notification law inherits the same concerns of information privacy law because it predominantly regards information management rather than the preservation, protection and resolution of social relationships regarding disputes over personal information. Moreover, within data breach notification laws

themselves, there is a large degree of blame attached to the breached organization within the limits of a prescribed accountability framework. The breached organization is deemed to be at fault and as a result needs to provide notification of its failings. Notification is consequently heavily influenced by the concept of reputational sanction.321 However, not all organizations are to blame extensively, particularly in situations involving sophisticated hackers.322 Some data breaches, such as the ChoicePoint incident323 highlighted above, are based on situations involving the provision of inadequate security measures, but it needs to be recognized that some data breaches involving hacking attacks are ground-breaking in their levels of sophistication.324

Data breach notification laws attempt to resolve the complex problem of adequate corporate information security measures in a rudimentary way by mandatory notification. However, this remedy does not directly address the underlying issues of ineffective corporate security or indeed whether notification to individuals is an effective remedy.325 Mandatory notification as a remedy simply cannot sufficiently account for the contextual realities of data breaches that regard complex security, social and legal concerns. As highlighted above, a certain type of personal information breached in one incident may have a different type of harm to the same information released in another data breach.326 The issue of data breach notification

321 Schwartz & Janger, Notification of Data Security Breaches, supra note 85, at 917 (stating that a significant focus of data breach notification law has been “to impose a reputational sanction on breached entities”).

322 See, e.g., Skinner, supra note 75, at 10 (regarding the complexities of intrusion detection in relation to phishing attacks); KRIS ERIKSON & PHILIP N. HOWARD, The Information Vulnerability Landscape. Compromising Positions: Organizational and Hacker Responsibility for Exposed Digital Records, in HARBORING DATA: INFORMATION SECURITY, LAW, AND THE CORPORATION 46 (Andrea M. Matwyshyn ed., 2009) (reviewing 813 publicly reported security breach incidents between 1980 and 2007 and confirming that a small percentage of incidents involve organizations that are “unwilling and unwitting victims of a malicious hacker”).

323 See ELECTRONIC PRIVACY INFORMATION CENTER, Choicepoint (2008), at http://epic.org/privacy/choicepoint/

324 See, e.g., Kim Zetter, Google Hack Attack Was Ultra Sophisticated, New Details Show, WIRED (2010), http://www.wired.com/threatlevel/2010/01/operation-aurora (regarding details of a recent Chinese hacking attack perpetrated on Google, Adobe and other leading US companies that used “unprecedented tactics that combined encryption, stealth programming and an unknown hole in Internet Explorer”).

325 See Schwartz & Janger, Notification of Data Security Breaches, supra note 85, at 947 (“Notification letters supply only incomplete, discontinuous, and non-comparative information about data security”).

326 See discussion supra Part IV.B.

is therefore inherently contextual and requires comprehensive case by case analysis regarding the identification of potential harms and the application of potential remedies. However, this in turn requires much greater regulatory oversight than that currently envisaged in either sectoral or comprehensive legal frameworks because data breach notification is primarily directed towards the mitigation of identity theft. Data breach notification law attempts to provide instant consumer redress, but in doing so, it misses the potentially important role that the law could have regarding the wider implications of adequate protections of personal information within the fortification of critical information infrastructures.327 Data breach notification should be viewed in a comprehensively different perspective that regards different levels of social activity and a re-evaluation of the law’s role. Figure 3 below provides a diagrammatical representation.

Fig. 3 – The role of data breach notification in light of critical information infrastructure protection

327 See, e.g., Picanso, supra note 83, at 358 (linking network attacks on personal data to critical information infrastructures).

In Figure 3, three levels of social activity are adduced: micro, meso and macro.328 The micro level refers to the arena of human agency in which hackers attack organizational databases of personal information, employees lose laptops and organizational employees notify individuals who take action to protect themselves. These are the base-level actions that generate issues and concerns regarding breaches of personal information. The meso level is the middle ground,329 the decision making arena in which corporate decisions regarding information security are made. These decisions are crucial regarding the advent of data breaches as they involve declarations of intent regarding the implementation of adequate protections involving personal information. The possibility that a data breach could arise is heavily influenced by the decisions made in the meso level. For example, if an organization decides to implement adequate security measures and policies then it is less likely that a breach will occur and vice versa. The decision arena of a smaller number of persons can consequently have a major impact on a much wider number of individuals at the micro level. Finally, the macro level regards the ground of structures and super-structures. In this case, it is the construct of critical information infrastructures, the underlying information and communication systems upon which both organizations and individuals are now so dependent.330 Again, those decisions made in the meso level have the capacity to impact upon the macro level as vulnerabilities arising from corporate actions can traverse both upwardly and downwardly through different levels. For example, a major data breach involving security failures in one infrastructure can have an impact on many other infrastructures including the irreparable damage of consumer trust.331

The actions and decisions of different levels can impact upon the structures within which both human and organizational actors reside. Data breaches are consequently linked to corporate information security management procedures which in turn reinforce or reduce protections related to critical information infrastructures. Accordingly, data breaches are a reflection of corporate information security inadequacies and the latter become weaknesses that need to be addressed in critical information infrastructures. A simple corporate decision to use an outdated type of encryption protocol on its wireless communication system can therefore lead to mass notification to millions of individuals and major upheaval in the banking sector simply because a team of sophisticated identity theft criminals gained unauthorized access to personal information held by the retailer.332

The introduction of contextualization highlights that data breach notification is only one complex system within an enmeshed environment of many complex systems that interact and impact upon each other. The primary focus on the single issue of identity theft partially recognizes some of these complexities but it does not attempt to represent them in sufficient complexity or depth. Some authors have made the link between data breach notification and the onset of a newly developing legal field, information security law.333 Equally, a link between corporate information security measures and the protection of critical information infrastructures has also been made.334

328 See also ANDREA M. MATWYSHYN, HARBORING DATA: INFORMATION SECURITY, LAW, AND THE CORPORATION 3-13 (Stanford Law Books 2009) (regarding a different perspective of the social macro, meso and micro levels entailing corporate information security).

329 See, e.g., D.W. PARSONS, PUBLIC POLICY: AN INTRODUCTION TO THE THEORY AND PRACTICE OF POLICY ANALYSIS (Edward Elgar 1995) (“Meso analysis is a middle-range or bridging level of analysis which is focused on the linkage between the definition of problems, the setting of agendas and the decision-making and implementation processes.”).

330 Myriam Dunn Cavelty, Critical Information Infrastructure: Vulnerabilities, Threats and Responses, 3 DISARMAMENT FORUM 3 (2007) (outlining the reasons behind critical information infrastructure protection and highlighting that these infrastructures are critical because “their incapacitation or destruction would have a debilitating impact on the national security and the economic and social welfare of a state”); Andrew Rathmell, Protecting Critical Information Infrastructures, 20 COMP. & SEC. 44 (2001) (regarding the implications of the “information revolution” for the protection of state infrastructures); see Eugene Nickolov, Critical Information Infrastructure Protection: Analysis, Evaluation and Expectations, 17 INFO. & SEC. 105 (2005) (highlighting the dependency of modern societies on the availability and reliability of technological infrastructures).

331 See, e.g., Schwartz & Janger, Notification of Data Security Breaches, supra note 85, at 928 (referring to the data security externality “where a data security breach at one company may cause harm at another company in a way that is untraceable or for which there is no legal recourse”). See also PHILIP E. AUERSWALD et al., Where Private Efficiency Meets Public Vulnerability: The Critical Infrastructure Challenge, in SEEDS OF DISASTER, ROOTS OF RESPONSE: HOW PRIVATE ACTION CAN REDUCE PUBLIC VULNERABILITY 8 (Philip E. Auerswald ed., 2006) (highlighting that no corporation is an island and the ripple effect of security breaches across economic sectors).

332 See, e.g., MATWYSHYN, supra note 328, at 3 (outlining the simplicity of the initial attack perpetrated on TJX Maxx that was easily avoidable); Kim Zetter, TJX Hacker Charged With Heartland, Hannaford Breaches, WIRED (2009), at http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/ (regarding further sophisticated attacks in the TJX incident in which the attackers were able to penetrate most levels of data storage and the legal implications that flowed from the attacks).

Despite the fact that these links have been recognized, data breach notification laws have continued to have a specific and limited remit. This article contends that data breach notification law needs to be considered contextually as part of a much wider problem that goes beyond the issue of identity theft mitigation. Moreover, the body of laws should not be viewed as a ‘be all and end all’ solution to problems relating to the inadequate protection of personal information by corporations. Data breach notification laws are extremely useful at highlighting problems but that does not mean they necessarily have the regulatory tools to remedy the problems that they uncover. Instead, it is more likely that the laws provide a transitory passage that attempts to take regulation from the identification of a significant problem (e.g. inadequate information security of personal information that requires notification) eventually to a potential solution (e.g. the implementation of effective security measures and competent monitoring). Notification is therefore only one element of the issue and should not be deemed as the issue in itself.

Schwartz and Janger in their influential article on regulatory structures for data breach notification emphasized this problem in considerable depth.335 They examined three regulatory models currently in operation and suggested a fourth model, the Co-ordinated Response Architecture (CRA), as a hybrid of the strengths and weaknesses of existing regimes.336 The CRA has a system of two-tier disclosure.337 The first tier requires the breached organization to notify the CRA which then determines whether customer notification is required based on the likelihood of information misuse.338 Unlike current data breach notification laws, information misuse is to be construed broadly and does not simply relate to identity theft risks. If notification is required, the CRA will co-ordinate the sharing of information about a data breach, oversee the organization’s investigation and response and monitor notification decisions.339 The emphasis of the CRA model is mitigation response and notification encouragement that seeks organizational co-operation without losing the threat of reputational sanction.340 The mitigation response element is clearly crucial and the authors recognize that notification has a wider role to play within social, technical and legal structures.

The protection of individuals at the micro level of society is clearly important but of equal importance is the protection of the macro information infrastructures that facilitate societal interactions and transactions. An authority such as the CRA designed for the purpose of ensuring critical information infrastructure protection would undoubtedly engender a greater regulatory focus but that emphasis can be readily justified when viewed through the lens of consumer and infrastructure protection via the encouragement and enforcement of adequate information security measures. Data breach notification laws are important but that importance goes beyond the specified remit of identity theft and goes to the heart of information-based societies. It involves the preservation of information pathways founded on human relations and maintained through information infrastructures. Data breach notification gives a glimpse of these wider issues that unfortunately get subsumed by contested arguments relating to consumer protection and corporate compliance cost minimization. A revision of data breach notification, and indeed information privacy, is required that moves beyond the limited application of individual rights to the societal interests everyone has regarding the protection of personal information and the modes of information exchange. However, a macro perspective reveals complex structures that are difficult to regulate but nonetheless still require governance. The forms of legal governance are not yet adequately defined and the issues raised by data breach notification laws indicate that there is still much distance to travel.

333 See generally Smedinghoff, The State of Information Security Law: A Focus on the Key Legal Trends, supra note 99; B.H. Nearon et al., Life After Sarbanes-Oxley: The Merger of Information Security and Accountability, 45 JURIMETRICS J. 379 (2005); Kenneth A. Bamberger, Technologies of Compliance: Risk and Regulation in a Digital Age, 88 TEX. L. REV. 669 (2010); Andrea M. Matwyshyn, Material Vulnerabilities: Data Privacy, Corporate Information Security and Securities Regulation, 3 BERKELEY BUS. L.J. 129 (2005); Winn, supra note 75.

334 See generally MATWYSHYN, HARBORING DATA: INFORMATION SECURITY, LAW, AND THE CORPORATION, supra note 328; PHILIP E. AUERSWALD, SEEDS OF DISASTER, ROOTS OF RESPONSE: HOW PRIVATE ACTION CAN REDUCE PUBLIC VULNERABILITY (Cambridge University Press 2006); Thomas J. Smedinghoff, The Developing U.S. Legal Standard for Cybersecurity, 4 SED. C. J. 109 (2003).

335 See generally Schwartz & Janger, Notification of Data Security Breaches, supra note 85.

336 See id. at 959-69.

337 See also Burdon et al., Encryption Safe Harbours, supra note 71; Schwartz & Janger, Notification of Data Security Breaches, supra note 85, at 960 (advocating for a two-tier system of notification in relation to encryption safe harbors).

338 Schwartz & Janger, Notification of Data Security Breaches, supra note 85, at 960.

339 Id. at 962-63, 65.

340 Id. at 959-69.

VI. CONCLUSION

This article contends that both information privacy and data breach notification laws appear to have a similar purpose that involves the protection of personal information. However, both laws have fundamental differences between them and shared weaknesses within them. In some ways, data breach notification is too conceptually complex as it is multifaceted and expansive in its foundation from the California law, and this expansiveness is confined by a focus on compliance cost mitigation. Alternatively, information privacy suffers from the opposite effect. The concept is too limited in focus because it attempts to regulate the process of personal information exchange and that provides a constraint on what is a privacy issue. Data breach notification in both sectoral and comprehensive approaches may therefore be a potentially expansive bolt-on which is implemented by a narrowly focused law in an attempt to ascribe limited rights pertaining to an individual’s involvement in the collection, storage and use of their personal information. The introduction of contextualization highlights that both laws are predicated on certainty in order to reduce the ambiguous nature of privacy. Nonetheless, both laws need to include the social context of human relationships that underpin personal information exchange processes.

The application of contextualization promotes a revision of both data breach notification and information privacy laws that moves beyond notions of individual rights related to controls over personal information to societal protections of essential information infrastructures. To do so will require new modes of regulation and the development of new types of law. These are complex issues especially if one considers that the process of personal information exchange is innately human and subject to the application of different contexts. Data breach notification law begins to reveal these complexities and in doing so highlights the limits of current information privacy laws. However, data breach notification is not a ‘be all and end all’ solution in itself but merely provides a signpost for a journey to be undertaken. Quite how that journey will manifest remains to be seen but it is seemingly clear that the first steps have been taken. It is likely that different directions will be charted based on the application of sectoral and comprehensive regimes but this article has attempted to show that future journeys should be mindful of the requirement for contextualization given the inherent tensions and weaknesses of both data breach notification and information privacy laws.


CHAPTER 9 - GENERAL DISCUSSION

The final chapter of the thesis outlines the logical progression of the six articles and demonstrates the overall investigation of compatibility. Section 9.1 describes how the articles form a coherent investigation with reference to the research questions introduced in chapter 1. The articles are linked together in three different stages of research:

1. Identification of key compatibility issues in relation to data breach notification and information privacy law;

2. Investigation of the conceptual and operational foundations of both data breach notification and information privacy laws; and

3. Synthesis of research findings to examine the extent to which both laws are compatible with each other.

Section 9.2 then outlines the significance of the research findings. Section 9.3 briefly highlights some identified limitations of the study and section 9.4 suggests possible areas of future research. Finally, section 9.5 briefly concludes the thesis.

9.1 LINKING THE ARTICLES: LOGICAL PROGRESSION

The progression of the thesis was guided by the three research questions previously introduced in chapter 1. For ease of reference, the questions are repeated below. The key research question of the thesis is:

1. To what extent are US mandatory data breach notification laws compatible with information privacy laws?

The supplementary research questions are:

2. What are the key issues relating to the compatibility of US mandatory data breach notification laws and information privacy law?

3. What are the conceptual and operational foundations of:

A. US mandatory data breach notification laws; and

B. Information privacy laws, particularly comprehensive legal frameworks such as Australia?

Figure 1 below provides a diagrammatical representation of how the articles are linked together in the stages of the research to address the research questions. Each square represents an article and the three stages are labelled and divided by dashed lines. The supplementary questions were addressed first which enabled an examination of the main research question towards the end of the research.

Figure 1 – Linking the Articles by Research Question

9.1.1 IDENTIFICATION OF KEY COMPATIBILITY ISSUES

The first stage identifies the key legal issues that pertain to data breach notification law in general and its relationship with information privacy law in particular. As highlighted above, issues were identified from both an Australian stakeholder perspective in article one, Stakeholder Perspectives, and a legal perspective in article two, Mandatory Notification.

Stakeholder Perspectives details findings of 18 interviews conducted with 22 research participants from the public and private sectors. The purpose of the research was to ascertain the attitudes and expectations of industry towards the management and reporting of Australian data breaches. Professor Bill Lane and Dr Evonne Miller conducted the interviews and the re-analysis of interview data was conducted by the author. Insight was sought on a range of topics that included current organisational procedures in relation to the reporting of data breaches, the extent of data breaches in Australia and opinions related to the proposed implementation of an Australian data breach notification scheme.

The research findings highlight a number of concerns raised by the participants with regard to the notification of Australian data breaches. These concerns were essential to the formulation of future research conducted in the thesis. For example, apprehensions were raised about the implementation of regulation based on mandatory reporting especially when the extent and the scale of data breaches were unknown in Australia. Furthermore, whilst it was acknowledged that the implementation of US state-based laws appeared to be relatively smooth, participants nonetheless had concerns about the effectiveness of the US laws. In turn, most participants recognised that the issues behind notification can be conceptually complex and commented that data breach notification laws provided an over-simplified solution. Data breach notification laws themselves were not viewed as a complete remedial solution and their success lay in their ability to unearth previously unknown and serious problems relating to the ineffectiveness of corporate information security protections of personal information. Furthermore, some participants questioned the effectiveness of the remedies provided by data breach notification laws and doubted whether pure notification strategies would supply sufficient remedies without any further consideration of consumer education. Not surprisingly, compliance cost issues also figured heavily.

Overall, the research participants were guarded about the prospect of a mandatory data breach notification scheme in Australia. Whilst most participants could see some potential benefits that could arise from a data breach notification law, they were nonetheless apprehensive about the development of an appropriate regulatory response and thus expressed universal caution in terms of the speed of implementation. Quite surprisingly, most participants, including statutory regulators, were willing to forgo a degree of certainty at the start of the implementation process in order to develop a data breach notification law that adequately reflected the complexities of balancing corporate concerns with consumer protection and privacy issues.

The findings detailed in Stakeholder Perspectives are significant to the thesis because the article identifies issues that are prevalent on the ground but, more importantly, the article highlights that those issues go beyond privacy problems. The participants mirrored a number of concerns raised in the US literature which suggested that the development of an Australian mandatory data breach notification scheme would impact upon a number of areas that go beyond the scope of the Privacy Act. These issues were identified in greater depth from a legal perspective in the second article, Mandatory Notification.

Mandatory Notification identifies key legal issues and also provides an introductory overview to some conceptual and operational applications of data breach notification law. Primarily, in terms of identifying issues, the article examined in greater depth the US literature and revealed similar concerns identified by the research participants in Stakeholder Perspectives. Accordingly, Mandatory Notification is central to the overall thesis because it set the scene for a wider investigation of the compatibility between data breach notification and information privacy law by questioning whether data breach notification is a privacy problem.

The investigation of the US literature revealed that data breach notification is considered a multi-faceted problem that involves privacy, identity theft, corporate governance and consumer protection issues. The article therefore raises the question of whether a law that consists of these divergent purposes can be implemented via amendments to a legislative framework that solely focuses on information privacy. Mandatory Notification also raises significant questions about whether the OPC is the appropriate body to monitor a data breach notification scheme. The requirements for mandatory reporting are very different to a regulatory model, predicated on ‘light touch’ regulation, which has thus far characterised the OPC’s approach. Mandatory Notification explores these issues in greater depth through an investigation of the conceptual and operational foundations of data breach notification law and thus recognises the important differences between sectoral and comprehensive legal frameworks for information privacy law.

9.1.2 INVESTIGATION OF CONCEPTUAL AND OPERATIONAL FOUNDATIONS

The investigation of conceptual and operational foundations was undertaken in articles two, three, four and five. The first two articles in this research stage, article two, Mandatory Notification, and article three, Encryption Safe Harbours, investigate data breach notification law. Article four, Conceptual Basis, and article five, First Generation Laws, examine information privacy law. As highlighted above, the purpose of this investigation was to identify and examine some key differences between both laws to determine the degree of compatibility between data breach notification and information privacy laws in stage 3.

9.1.2.1 DATA BREACH NOTIFICATION LAW

Mandatory Notification raises the question about whether data breach notification laws founded on the basis of sectoral information privacy regimes in the US are readily transposable to comprehensive information privacy legal frameworks, such as Australia and the EU. The article demonstrated several contradictions that arise from the proposed implementation of a data breach notification scheme in both jurisdictions.

US state-based data breach notification laws regulate specific types of personal information for the purposes of data breach notification. Accordingly, regulated personal information under most state-based laws refers to the combination of an individual’s name with one or more other identifying information items such as a social security number, state driver licence or ID number, financial account number details, or medical or health insurance details. The definition of personal information signifies a key underlying rationale of the US data breach notification laws: that organisational notification provides individuals with a means to protect themselves from the adverse consequences of unauthorised acquisition of their personal information, specifically in the form of identity theft or identity fraud related crimes. What is or is not perceived as personal information is accordingly deliberately constrained to specified combinations of personally related information.


Mandatory Notification examines data breach notification in the EU and concludes that a different approach to the classification of personal information was adopted. The EU’s updated e-Privacy Directive incorporates the definition of personal data found in the Data Protection Directive. The classification of personal information is to be construed broadly for data breach notification purposes and therefore goes beyond identity theft issues. Accordingly, the EU has opted for a different approach from Australia and the US regarding the type of information to be regulated because it does not include a specifically modified definition of personal information for data breach notification purposes. These methods of categorisation represent differences between context dependent and context independent approaches to the classification of personal information in information privacy laws, which were explored in greater depth in Conceptual Basis.

The different emphasis placed on the legislative vehicle for implementation of a data breach scheme in the EU and in Australia was also examined. The EU has decided not to implement a data breach notification scheme through the Data Protection Directive even though that would be the most obvious vehicle for implementation. Instead, the EU has opted to update its existing breach requirements through the limited scope of the e-Privacy Directive, which only regulates publicly available electronic communications services. This in itself has been the cause of much political contention within the EU’s legislative bodies. Data breach notification appears to be viewed as an adjunct to the wider aims of data protection in the EU even though it shares obvious and fundamental similarities regarding the protection of personal information. The ALRC, on the other hand, has placed data breach notification at the centre of information privacy regulation, but paradoxically the OPC does not have the cultural, technical or legal resources to enforce breaches of personal information, unlike most national data protection authorities in the EU.

Mandatory Notification also identifies a major concern that relates to the adequate quantification of problem scope. The review of the US literature demonstrated that the perceived scale of the data breach problem influenced the development of regulatory responses. This leads to a regulatory conundrum that concerns the initial implementation of data breach notification laws and the notification triggers that are adopted. Different notification triggers produce higher or lower levels of notification. Acquisition-based triggers, such as that in the California law, have a tendency to produce higher numbers of notifications because notification is required when there is an actual or reasonable belief of unauthorised acquisition of personal information. Risk-based triggers, on the other hand, require lower levels of reporting because notification is only required where a risk arises from a data breach. Different laws establish risk in different ways but mostly it is left to the breached organisation to determine whether a risk is likely to arise.

The conundrum arises because acquisition-based triggers are more likely to unearth the scale of the problem but both EU and Australian proposals recommend risk-based triggers. One of the potential benefits of an acquisition-based data breach notification scheme is that it provides a better quantification of problem scale because a greater number of data breaches are notified. However, both the EU and Australia have bypassed these potential opportunities in favour of regulatory concerns relating to the compliance implications of ‘unnecessary’ notifications. It is possible that successful data breach notification laws require a degree of trial and error at the onset of implementation, and this point was certainly borne out by the research participants in Stakeholder Perspectives. Notification triggers were consequently identified as a key conceptual component that required further analysis.

Mandatory Notification concludes that the seemingly simple concept of data breach notification law produced complex results because the law tries to balance two conflicting concepts, namely, the provision of effective consumer protection and the prioritisation of corporate compliance cost mitigation. Accordingly, whilst data breach notification laws have been successful at highlighting a significant problem, they may not provide effective remedies to resolve the problems they find due to their conflicting conceptual base. Mandatory Notification therefore identifies a number of concerns relating to the conceptual and operational functioning of data breach notification laws that were addressed in greater depth in the third article, Encryption Safe Harbours. Mandatory Notification also laid the foundation for an examination of the development of data breach notification laws from the perspective of sectoral versus comprehensive approaches to information privacy law, which was examined in significant depth in the final article, Contextualizing Tensions and Weaknesses.


Encryption Safe Harbours examines the important issues of notification triggers and the type of encryption safe harbour selected in the US, the EU and in Australia. The article demonstrates that the choice of trigger and safe harbour is important because it reveals underlying conceptualisations about the role of data breach notification law in different jurisdictions. Encryption Safe Harbours again assists with laying the foundation for the review of sectoral versus comprehensive information privacy regimes undertaken in Contextualizing Tensions and Weaknesses. Moreover, Encryption Safe Harbours provides the basis to explore the conceptual and operational issues of data breach notification law identified in Mandatory Notification.

The issue of safe harbour and trigger selection is important because it sets the parameters for notification and thus determines compliance obligations for organisations. A general safe harbour involving encryption exists in most data breach notification laws. If an organisation suffers a data breach, but the personal information is encrypted, then that organisation does not have to notify individuals because it is deemed that there is little or no identity theft risk arising from the unauthorised acquisition. The encryption safe harbour therefore serves two purposes: to reduce the risks of unnecessary notification and to provide an encouragement for organisations to adopt encryption technologies, thus improving their information security practices. The choice of notification trigger and the selection of encryption safe harbour are linked because, as highlighted in Mandatory Notification, both safe harbour and trigger choice will ultimately impact upon the number and type of data breaches to be notified. The selection and use of encryption safe harbours and notification triggers consequently provides an insight into the underlying rationale of data breach notification law in different jurisdictions.

The analysis undertaken in Encryption Safe Harbours significantly extends previous research that provided a brief overview of 2007 state and federal legislative developments.[398] Three types of safe harbour were previously identified: exemptions; rebuttable presumptions; and factor-based analysis. Exemptions exempt notification based on the notion that encrypted data is secure and does not pose a risk. Rebuttable presumptions create a presumption that encrypted data is secure and that unauthorised acquisitions do not have to be notified. However, this presumption can be rebutted by facts to the contrary. Factor-based analysis requires breached organisations to demonstrate that the encryption adopted was effective before notification is exempted. Two types of notification trigger were also previously identified. They are the acquisition and risk-based triggers previously examined in Mandatory Notification. Encryption Safe Harbours also identifies a third type of trigger, a two-tier trigger, that requires initial notification to regulators and subsequent notification to individuals based on a risk assessment conducted by the regulators in conjunction with the breached organisation.

[398] See Jones, above n 46, 555.

Encryption Safe Harbours reveals that all US state-based data breach notification laws contain exemptions but these laws contain a mix of acquisition and risk-based triggers. Two types of exemption were also identified. The first directly followed the California exemption based on the simple formulation of ‘unencrypted personal information.’ Subsequent states followed the California exemption but supplemented the definition by overlaying additional statutory terms. The second type of exemption rejected the California definition and attempted to explicitly define encryption. Research findings demonstrate that different states defined encryption in several different ways. At the US federal level, a number of different bills had been put forward which contained all three types of safe harbour. There was a clear preference for rebuttable presumptions and risk-based triggers in later bills, including those that had passed a congressional vote either by one of the Houses of Congress or by one of their constituent committees. Finally, both the EU and Australia proposed a different type of regime that consisted of factor-based analysis and a two-tier trigger.

The critique of encryption safe harbours and notification triggers demonstrates that different data breach notification regimes treated the issue of safe harbour and trigger use in different ways. Different jurisdictions therefore made dissimilar assumptions about the efficacy of encryption as a technological measure to secure personal information. Encryption Safe Harbours contends that the use of an appropriate encryption safe harbour should be based on two elements. First, a competent review of the circumstances of each breach must be conducted by the breached organisation on a case-by-case basis. The review must include all information security management protections and should not simply focus on encryption. Second, the onus for reliance on a safe harbour must be on the breached organisation because encryption should not simply be viewed as a security silver bullet.

Research findings indicate that US state-based laws favour exemptions and consequently assume that encrypted personal information is always secure. At the other end of the spectrum, the EU and Australia adopted factor-based safe harbours that assume the opposite. Encryption Safe Harbours therefore asserts that encryption exemptions, particularly those based on the California exemption and notification trigger, were potentially prone to loopholes as any type of encryption would give rise to a safe harbour regardless of whether it is effective. This point is dealt with in further depth below at sub-section 9.2 regarding the significance of research findings.

The fact that the US adopted different regimes from the EU and Australia was significant because it highlighted that existing information privacy legal frameworks could shape the application of data breach notification law. As such, both Encryption Safe Harbours and Mandatory Notification point to a number of information privacy law related issues. First, contextualisation is important as the circumstances of each data breach are potentially unique and must be assessed on a case-by-case basis. Second, an overt focus on the type of information to be regulated can produce anomalies. Third, data breach situations involve complex relationships. A data breach involving the same information in one situation can have a totally different effect in another situation depending on the context of the breach. Both articles therefore lay the groundwork for a critical review of the conceptual basis of information privacy law that focused on contextualisation issues in the classification of personal information and the social relationships involved in personal information exchange processes. These issues were examined in article four, Conceptual Basis, and article five, First Generation Laws, respectively.

It should also be noted that First Generation Laws examines the complex issue of privacy invasive geo-mashups. Accordingly, not all parts of the article are relevant for the purposes of the thesis. Nevertheless, the coverage of the British National Party (BNP) data breach and the subsequent analysis flowing from that incident were essential to the thesis through the identification of multiple relationships and the introductory exploration of contextualisation. Both elements founded the analytical base for Contextualizing Tensions and Weaknesses, which is the core of the thesis.

9.1.2.2 INFORMATION PRIVACY LAW

Conceptual Basis investigates the role of contextualisation in the classification of personal information. The issue of what is or is not personal information is central to information privacy law because it determines the regulatory scope and application of such laws. The article demonstrated that even though information privacy laws essentially derive from the same genesis, they nonetheless have different approaches to how personal information is classified. Moreover, the article revealed that contextualisation was a key element of categorisation, particularly in comprehensive information privacy legal regimes, such as Australia.

Conceptual Basis relied heavily for its analysis on a report produced by Professor Sharon Booth (‘the Booth Report’) and her colleagues at the University of Sheffield on behalf of the UK’s ICO.[399] The Booth Report investigated how different data protection[400] authorities classified personal information and identified how personal information was conceptualised. The researchers conducted two surveys. The first surveyed 18 data protection authorities and the second was completed by 11 data protection authorities who had also completed the first survey. The researchers determined two conceptual schemas that consisted of four operational models. Research findings suggested that data protection authorities classified personal information using different conceptual bases and consequently there was no uncontested and coherent definition of personal information amongst international jurisdictions.

[399] S Booth et al, What are ‘Personal Data’? A Study Conducted for the UK Information Commissioner (The University of Sheffield, 2004).

[400] For the purposes of this chapter and the thesis, the legal concepts of data protection and information privacy are used interchangeably.

The two conceptual schemas represented different approaches to the contextualisation of personal information. A context independent schema attempts to remove or minimise the role of social context in the classification of personal information. The advantage of this schema is that it is possible to definitively define what information is personal information. The context independent schema was then broken down into two models that represented different approaches to information privacy law regulation. The first required harm in the form of identity revealment and the second viewed harm as the production of an actual negative effect on an individual’s privacy. A context dependent schema takes the opposite approach as it contends that personal information can only be classified by an examination of the social context in which it is produced. Accordingly, it is impossible to create definitive lists of what is personal information because classification is dependent on circumstances that are inherently subjective. Information that is personal information in one context may not produce the same result in another context and vice versa. Two operational models were also adduced based on the same criterion as the context independent models.

Conceptual Basis then identifies and classifies different definitions of personal information in Australian privacy law and applies the Booth Report models to ascertain the conceptual basis for the classification. The findings revealed that definitions of personal information in Australian privacy law are founded on both context dependent and independent elements. However, different definitions favour different emphases, so some laws have a heavier context independent component than others and vice versa. Furthermore, a review of relevant case law indicated that judicial constructions of personal information were also derived in different ways that attempted to incorporate or minimise contextualisation. Conceptual Basis contends that classifications of personal information in statutory definitions and judicial pronouncements were made without recourse to a coherent conceptual base. The article therefore suggests that the Booth Report models could provide a base to examine the disparate and sporadic development of personal information definitions in Australian privacy law that would lead to a greater jurisprudential discourse on this fundamental topic.

Conceptual Basis provides an important component to the thesis because it demonstrates the importance of contextualisation in information privacy law and it suggests that information privacy regulation is overtly focused on the type of information regulated, rather than the social context, or relationships, involved in the production of personal information. The article therefore provides a platform for further research into the limits of information focused regulation and the importance of incorporating social relationships, which was examined in greater depth in First Generation Laws.


First Generation Laws extends the examination of the conceptual basis of information privacy law. The article provides an overview of the historical development of information privacy law and adopts Zittrain’s concept of Privacy 2.0[401] to examine the limits of first generation information privacy laws. The historical overview examines the development of information privacy law from the founding legal instruments of the 1970s through to the development of information privacy principles. The foundational base of information privacy principles indicated that the dominant regulatory concerns regarded issues related to the collection, storage and use of personal information. Historically, the basis of information privacy regulation therefore concentrated on finding a balance between the concerns of individuals and the fulfilment of organisational business practices. A balance was possible under first generation laws because the process of personal information exchange was predictable, stable and largely static at the inception of the laws. However, personal information exchange processes are no longer predictable or stable, as highlighted by Privacy 2.0.

[401] Zittrain, above n 357, 65.

Zittrain has two principal criticisms of first generation information privacy laws. First, new patterns of personal information exchange are more complex and multi-faceted than the traditional processes envisaged by first generation laws developed in the 1970s. The first information privacy laws were typically concerned with restricting the power of large corporations and governmental organisations in relation to the development of automated personal data collection and computerised personal data management. Second, individuals as well as organisations now have the capabilities to cause information privacy infringements despite the fact that most information privacy laws only regulate organisations. As such, the regulatory focus of first generation information privacy laws is no longer appropriate to all settings, particularly those involving the generative nature of the Internet. The once clear cut boundaries of personal information exchange are now blurred to the extent that inchoate collections of far-flung individuals now have the same computing capacities as large-scale organisations.

First Generation Laws contends that information privacy law is predicated on the regulation of three stakeholder groups involved in the personal information exchange process: providers; collectors; and users of personal information. Legal controls, based on information privacy principles, attempt to regulate activities between each group and thus create chains of accountability that link each party. These chains ensure that personal information is collected, stored and used within designated legal boundaries. These binary relationships are the conceptual symbols of information privacy law but new social and technical developments pay little respect to the foundation blocks of first generation laws.

Instead, contested disputes over personal information now involve amorphous collectives of individuals that form transient data collecting groups and use personal information in unimagined scenarios. First Generation Laws consequently highlights the shift from binary to multiple relationships, which increases the scope for privacy problems to emerge through informal personal information dissemination pathways. These multiple relationships became evident through the analysis of the BNP data breach.

First Generation Laws demonstrates that the main privacy concern of the breach, publication on the Internet, was carried out by individuals who lay outside of the binary chains of accountability in information privacy laws. There was no relationship between the providers of the personal information, namely the BNP members, and the eventual re-users, the geo-mashup creators, so there was no regulatory redress available for the former against the latter under first generation laws. Many of the information privacy principles available under information privacy law simply did not materialise due to the absence of a binary relationship between the BNP members, the BNP and the membership list re-users. A key link in the chain of accountability was never formed, which shows the limits of information privacy law’s accountability framework. First Generation Laws contends that the founding blocks of first generation regulation – personal information, records, databases, data subjects, collectors and users – are now so diffuse that these core concepts no longer apply with exactness. The article agrees with Zittrain’s analysis of the problem but departs from his form of remedy, which was based purely on self-regulatory measures and better user education. Instead, First Generation Laws puts forward a series of social, technical and legal recommendations.

First Generation Laws is integral to the overall thesis because it demonstrates that social relationships are a key component of information privacy regulation, yet information privacy laws do not govern them directly. Information privacy laws instead govern specified forms of information that are exchanged in ascertainable information management processes. First Generation Laws therefore demonstrates that information privacy law needs to pay greater conceptual heed to social relationships and once again highlights that contextualisation is a major component of information privacy analysis. The article also showed a number of weaknesses of information privacy law predicated on binary chains of accountability, particularly in light of data breaches on the Internet. These issues, in conjunction with the findings of the articles, were explored and expanded upon in the final article, Contextualizing Tensions and Weaknesses.

9.1.3 SYNTHESIS OF FINDINGS

Contextualizing Tensions and Weaknesses synthesises the findings of the previous five articles to examine the compatibility of data breach notification and information privacy laws. The article identifies vertical tensions between both laws based on sectoral and comprehensive distinctions that result in remedies focused on market-based initiatives or rights-based protections. Horizontal weaknesses within both laws were also identified, generated by an overt focus on the regulation of information types and the implementation of ‘one-size-fits-all’ legal remedies. The article contends that these tensions and weaknesses can be ameliorated through the explicit incorporation of contextualisation, directed by Nissenbaum’s concept of Contextual Integrity,[402] that promotes a revision of data breach notification law and information privacy law.

[402] Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life, above n 375.

Contextualizing Tensions and Weaknesses provides a brief overview of the legislative development of both laws, which reveals similarities and differences between both legal concepts, as identified in the previous five articles. Both laws have an obvious interest in the protection of personal information and they concern the provision of information to individuals about how their personal information is handled. However, despite these similarities, considerable differences exist that are fundamental to the conceptual foundations and operational bases of both laws.


The elucidation of vertical tensions entailed an examination of the sectoral approach to information privacy adopted in the US and the comprehensive approach adopted in the EU, Australia and other jurisdictions, as highlighted in Mandatory Notification and Encryption Safe Harbours. Contextualizing Tensions and Weaknesses determines from the literature that the implementation of information privacy law had taken essentially different tracks even though the genesis of the law arises from similar foundations. Data breach notification law is a reflection of these differences as it was developed in the sectoral environment of the US. The article therefore highlights that the purpose of data breach notification law is different from that of comprehensive information privacy laws.

The former provides a specific fix for a particular problem, namely the mitigation of identity theft risks arising from data breaches of personal information, whereas the latter provides limited rights-based protections to individuals regarding involvement in personal information exchange processes. This results in contradictory approaches to implementation. Data breach notification law in comprehensive information privacy regimes highlights the failings of information privacy principles, particularly those related to the security of personal information. At the same time, the comprehensive nature of data breach notification law originates from failings in the sectoral approach to information privacy. These differences in application also produce different regulatory priorities related to the provision of individual protections and the minimisation of corporate cost compliance.

Encryption Safe Harbours identifies this issue regarding the use of encryption in data breach notification laws and Contextualizing Tensions and Weaknesses develops the argument further. Contextualizing Tensions and Weaknesses contends that the application of encryption safe harbours in data breach notification laws in sectoral and comprehensive regimes differed. US laws tend to adopt market-based remedies that are conscious of compliance cost minimisation, whereas comprehensive information privacy regimes tend to focus on the preservation of individual protections.

The article contends that the use of encryption exemptions in US state-based laws is

directly linked to corporate compliance cost reduction and the development of

market incentives to enhance corporate information security measures. A similar

concern was identified at the US federal level through the use of rebuttable

Page 256: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

294

presumptions. Encryption safe harbours in US data breach notification laws and

proposals are therefore an adjunct to the mitigation of identity theft and were

developed to counterbalance corporate fears related to the compliance implications

of unnecessary notification. Conversely, contested discussion in the EU focused on

the removal of encryption safe harbours because notification was deemed necessary

to facilitate consumer protection. Safe harbours from notification should be based only on the principle of risk assessment rather than on exemptions for technical protection measures. Comprehensive information privacy law regimes focus on the

ex ante purpose of data breach notification by encouraging the adoption of

appropriate technologies to protect personal information. The sectoral regime of the

US, on the other hand, uses encryption to promote the ex post aim of data breach

notification that places a greater importance on the minimisation of corporate compliance costs. These different motivations reflect the expansive scope of rights-based

protections found in information privacy laws and the narrow approach of market-

based initiatives found in data breach notification laws.

Contextualizing Tensions and Weaknesses examines three illustrative data breaches,

including the BNP data breach, to demonstrate the horizontal weaknesses within

data breach notification and information privacy laws. The data breaches were used

to investigate common limitations of both laws. The analysis of shared weaknesses builds heavily on the research from the previous thesis articles and specifically applies findings from Conceptual Basis and First Generation Laws. The examination

therefore focuses on the limits of regulation based on ‘one size fits all’ chains of

accountability and the limitations of an information-based regulatory focus that produces restricted notions of harm.

Contextualizing Tensions and Weaknesses applies the three data breaches to Bennett and Raab’s Fallibility Matrix403 to demonstrate that each data breach emerges in a different way and arises in a different context. Accordingly, whilst data breaches appear to have similar circumstances, because they involve the insertion of outside third parties into the accountability framework of information privacy law, they are nonetheless caused by different actions and thus produce different outcomes. The three data breaches demonstrate that the insertion of an outside third party was unpredictable, complex and multi-faceted. Limitations in both laws therefore emerge because the restrictive nature of each law’s accountability framework does not adequately account for the social, legal and technical complexities of data breaches. These problems are accentuated because remedial responses provided by both laws treat different causes and outcomes in exactly the same way.

403 Bennett and Raab, above n 263, 26.

Information privacy laws struggle to operate effectively with the insertion of

unexpected third parties into the contextual mix of data breaches because, as First

Generation Laws highlights, they are predicated on predictable binary relationships.

The unpredictability of some data breach scenarios highlights that information

privacy law overtly focuses on the process of personal information exchange at the

expense of governing the relationships and social contexts involved in that process.

The focus on process produces information privacy laws that are manageable and

can thus be implemented as a regulatory set of information privacy principles, but it

relegates the protection of privacy to limited circumstances and hence reduces the

scope of legal redress.

Data breach notification laws suffer less from these concerns due to their limited

purpose. They are less concerned about the process of personal information

exchange and the regulation of parties in that process. However, data breach

notification laws do share the same weakness as information privacy laws because

they provide limited remedies, in this instance, notification. Contextualizing Tensions

and Weaknesses asserts that a wider remedial focus is required to provide

appropriate remedies based on the context of each individual data breach. Doing so would require a deeper contextual analysis conducted on a case-by-case basis. In

turn, this form of analysis would require a change of emphasis in both laws that

moves away from the regulation of specified types of information. Issues of context

independence and dependence therefore came to the fore as previously outlined in

Conceptual Basis.

Contextualizing Tensions and Weaknesses demonstrates that information privacy and

data breach notification laws have different approaches to the inclusion or exclusion

of social context in the classification of regulable information. Information privacy

laws have a wider outlook that generally builds on context dependency and is

flexible about what information will be regulated. Data breach notification laws, on

the other hand, regulate certain types of information from a context independent approach that seeks to negate the application of context-based analysis. The reason

that both laws use different types of information-based regulation mechanisms is

due to their different purposes. Data breach notification laws regulate a specific type

of information to mitigate a certain problem whereas information privacy laws

regulate a wider type of information for a potentially wider purpose. As such, both

laws regulate personal information to preclude certain harms but the harms that

they seek to prevent are relatively limited. Furthermore, the focus on context independence can produce anomalies. The BNP data breach, for example, would

not generally be covered by the letter of most US data breach notification laws even

though the breach produced significant ramifications for individual BNP members.

Put simply, the type of information breached in the BNP data breach would not

necessarily trigger an obligation to notify because it would not give rise to an

obvious risk of identity theft.

Contextualizing Tensions and Weaknesses therefore contends that data breach

notification laws, regardless of whether they are implemented in sectoral or

comprehensive regimes, have such a limited view of what constitutes harm that

they preclude a range of data breaches even though material harms and risks can

arise. Accordingly, sectoral-based data breach notification law has potential

weaknesses when implemented within comprehensive frameworks. The effect of a

purely context independent approach is to minimise the scope of data breach

notification either by developing restrictive forms of personal information or by

reducing the scope of coverage to particular sectors. However, this minimisation can

reduce the effective potential of data breach notification because it restricts the obligation to notify. Data breach notification can work in

comprehensive information privacy frameworks but it will produce anomalies if it

is implemented from a context independent perspective.

The complex issue of contextualisation is consequently fundamental to the

effectiveness of regulatory remedies in relation to data breaches and Contextualizing Tensions and Weaknesses examines this point in its concluding section. A persistent

theme through the thesis’s previous five articles was the contextual nature of

information privacy and data breach notification laws. Contextualizing Tensions and

Weaknesses contends that the introduction of a contextual analysis should lead to a

revision of both laws. First, the article shows that information privacy law, in relation to data breaches, was concerned only with a loss of organisational control

in relation to personal information. However, Contextualizing Tensions and

Weaknesses highlights that privacy problems really emerge from the breakdown of

social relationships and these relationships vary between different contexts and

different data breaches.

Contextualizing Tensions and Weaknesses asserts that the conceptual and operational

limits of information privacy law need to be acknowledged. Data breaches involve

multiple rather than binary relationships that are outside traditional information

privacy regulatory frameworks founded on chains of accountability. Accordingly,

the issue of data breach notification in information privacy law is not about the

length or strength of an accountability chain between singular parties. Rather, the

issue of data breach notification regards how information privacy law attempts to

identify and reconcile situations that are deemed to be ‘privacy problems.’ This is

the ultimate limitation of information privacy law because it deems that management processes, rather than the governance of social relationships, are the

problem. Regulatory remedies focus on the provision of limited rights of control or

access to that process as opposed to the provision of remedies to actual privacy

problems centred on social contexts and human relationships. Information privacy

law should therefore not just relate to problems regarding the governance of a

management process but should instead be about problems that are inherently

related to social relationships and their management.

The introduction of contextualisation also revises the role of data breach notification

law. The limited purpose of data breach notification is in itself a major weakness of

the law as demonstrated in Contextualizing Tensions and Weaknesses, Mandatory

Notification and Encryption Safe Harbours. Contextualizing Tensions and Weaknesses

contends that data breach notification law is conceptually too broad and operationally too narrow, which produces limited notions of harm that are

purposively constrained by a context independent approach. Data breach

notification law does not adequately resolve the complex problem of corporate

information security because mandatory notification as a remedy simply cannot

account for the contextual realities of data breaches. Effective regulation needs to

incorporate context and thus requires case-by-case analysis. However, to do so

would require significantly greater regulatory oversight than that currently envisaged in both sectoral and comprehensive regimes. Increased regulation can be

justified however if data breach notification law is revised to involve the protection

of critical information infrastructures.

Data breach notification should therefore be viewed from a comprehensively different perspective, one that regards different levels of social activity and requires a re-evaluation of the law’s role. The law needs to be considered contextually as part of a much wider

problem that goes beyond the issue of identity theft mitigation. Mandatory

notification of data breaches is only one component of a wider issue and thus data

breach notification law should not be deemed as the issue in itself. As such,

Contextualizing Tensions and Weaknesses concludes that a revision of data breach

notification and information privacy law is required. The revision moves beyond

the limited application of individual rights and shifts regulatory focus to the societal

interests that pertain to the protection of personal information and the

infrastructures of information exchange.

9.1.4 SUMMARY - ASSESSMENT OF COMPATIBILITY

In order to make an assessment of compatibility between data breach notification

and information privacy law it was first necessary to identify some key issues

arising from the onset of data breach notification law. Stakeholder Perspectives started this process, which Mandatory Notification concluded. For the purposes of this

research, the most interesting issue to examine was whether data breach notification

was itself an information privacy issue. This notion guided the remaining research

and focused attention towards an examination of the conceptual and operational

foundations of both laws. Mandatory Notification and Encryption Safe Harbours did so

from the perspective of data breach notification law. Conceptual Basis and First

Generation Laws did so for information privacy law.

The investigation reveals significant similarities and differences between both laws. Several aspects were pivotal. First, the distinction between sectoral and

comprehensive information privacy regimes was important as it shaped the

development of US data breach notification laws and subsequent implementable

scope in other jurisdictions. Second, the sectoral versus comprehensive distinction

manifested in different emphases about the purpose of data breach notification that

produced different forms of remedy. The further distinction of market-based initiatives found in US data breach notification laws compared to rights-based

protections found in the EU and Australia is a prime example. Third, both laws are

predicated on the regulation of personal information exchange processes even

though both laws regulate from different perspectives, namely, a context

independent or context dependent approach. Fourth, both laws have limited notions of harm that are further constrained by restrictive accountability frameworks. Finally,

Contextualizing Tensions and Weaknesses demonstrates the weaknesses in both laws

through a synthesis of previous research findings within the framework of

contextualisation.

To what extent, therefore, is data breach notification law compatible with information privacy law? Data breach notification law is more compatible with information privacy

law in some respects than others. Apparent compatibilities exist as both laws have

an interest in the protection of personal information. However, further and deeper

analysis reveals that ostensible similarities are founded on some significant

differences.

Data breach notification law, viewed from the perspective of sectoral versus

comprehensive information privacy regimes, provides a contradictory picture about

how it has been applied. In the US, data breach notification law is a comprehensive

measure to remedy deficiencies arising from the sectoral approach to information

privacy. The comprehensiveness of the law is evident because it generally applies to

all types of organisations regardless of industrial sector. However, the application of

this comprehensive element is nevertheless constrained by focusing notification to

specified circumstances that give rise to identity theft and therefore involve

restrictive combinations of personal information. Conversely, data breach

notification law in comprehensive regimes is a sectoral measure to remedy

deficiencies in the application of information privacy principles that regard

organisational obligations to secure personal information. In effect, the notifications that have resulted from the advent of data breach notification laws have demonstrated that the application of security related principles is simply not working, both in terms of the volume of incidents and the number of persons affected.

Data breach notification law is consequently either a comprehensive facet to a

sectoral approach or a sectoral adjunct to a comprehensive regime. These are major differences which explain why the sectoral approach of data breach notification law

sits rather uncomfortably in comprehensive frameworks and the comprehensive

element of universal coverage generates such compliance cost related concerns in

the US. However, whilst there are considerable differences between both laws, they are not so great as to make them incompatible with each other. The similarities

between both laws are sufficient to forge compatibilities but it is likely that the

distinctions between them will produce anomalies particularly if data breach

notification and information privacy law is applied from a perspective that negates

contextualisation.

9.2 SIGNIFICANCE OF THE RESEARCH

The body of research that encompasses the thesis provides a significant contribution

to the literature in several ways.

It is the first investigation of data breach notification issues in Australia. Only one

article was published on data breach notification in Australia prior to the

publication of the articles derived from the thesis. The thesis and the constituent

articles therefore provide the first in-depth investigation of data breach notification

issues in relation to Australian privacy law. Furthermore, Stakeholder Perspectives is

the first in the Australian literature, and one of only a handful of publications

internationally, that attempts to ascertain the issues and concerns of data breach

notification from an industry perspective. The exploratory research conducted in

Stakeholder Perspectives and the subsequent analysis is so far unique in Australia.

As a body of work, the thesis articles also make a contribution to the data breach

notification and information privacy law literatures. As regards the former, the

collected works provide one of the deepest analyses thus far undertaken to critically

examine the relationship between data breach notification and information privacy

laws. The thesis therefore brings together a number of concepts portrayed in both

literatures and is unique in the synthesis adopted. The issue of contextualisation has been implicit in much of the data breach notification literature but

Contextualizing Tensions and Weaknesses is the first article to explicitly apply

contextual notions to data breaches. The use of Bennett and Raab’s Fallibility Matrix

in conjunction with Nissenbaum’s theory of Contextual Integrity is therefore novel.


The articles on the concept of information privacy law also make original

contributions. Conceptual Basis is the first article in the Australian literature to

formally investigate the conceptual basis of personal information in Australian

privacy law. It is also the first article internationally to apply the models developed

in the Booth Report in the privacy law literature. The resultant analysis of both

statutory definitions and judicial decisions is original. The article’s contention that

classifications of personal information are conceptually incoherent is novel. The

identification of different judicial perspectives related to the categorisation of

personal information is also an original finding. Conceptual Basis is thus the first

article to specifically examine the issue of context dependency in the classification of

personal information even though it is an integral part of Australian privacy law.

First Generation Laws is one of the first articles in the literature to develop the

concept of multiple relationships in information privacy law from the perspective of

Zittrain’s Privacy 2.0. The article is the first to label the movement from binary to

multiple relationships within the context of regulatory structures predicated on

chains of accountability.

The data breach notification articles also make contributions to the literature.

Mandatory Notification is the first article to critically examine data breach notification

in the EU’s e-Privacy Directive. The article highlights potential problems relating to

notification requirements that could lead to the introduction of two parallel

notification schemes which could impact upon the Directive’s effectiveness.

Encryption Safe Harbours is also the first article to comprehensively investigate the

use of encryption safe harbours in data breach notification laws. The findings of the

research provide a new perspective to the use of encryption in data breach

notification law, which reveals critical insights about the conceptual purpose and

operational function of different legal regimes.

Finally, Contextualizing Tensions and Weaknesses makes a number of significant

findings. The identification of vertical tensions and horizontal weaknesses is unique.

The introduction of contextualisation to data breach notification is also novel and

thus the findings in relation to the future development of data breach notification

are original. The cementing of the link between the micro, meso and macro levels of data breach notification, corporate information security and critical infrastructure protection is also innovative. This link substantially develops upon the existing

literature and for the first time brings together different disciplinary perspectives.

In addition, the depth of analysis in relation to the sectoral and comprehensive

implications of data breach notification also expands previous research.

9.3 LIMITATIONS OF THE RESEARCH

The thesis is largely founded on doctrinal and analytical research, with the

exception of the interviews conducted in Stakeholder Perspectives. Mandatory

Notification stipulates the importance of accurately quantifying the scope of data

breaches in order to determine the choice of an appropriate notification trigger.

Research into the vexing issue of quantification would have informed and

strengthened some of the contentions put forward in the six articles. Furthermore,

the findings of Stakeholder Perspectives are somewhat confined as the study

conducted was exploratory in nature and the qualitative findings were not intended

to be quantitatively extrapolated to a wider sample. The extent that the views

portrayed in Stakeholder Perspectives are generally representative of industry and

government perspectives is therefore open to question.

9.4 FUTURE RESEARCH DIRECTIONS

Contextualizing Tensions and Weaknesses suggests two primary areas for future

research that involve a revision of data breach notification law and an enhanced role

for contextualisation in information privacy law.

9.4.1 REVISING DATA BREACH NOTIFICATION LAW

A number of criticisms were made throughout the course of the thesis that relate to

the limited purpose of data breach notification law. Despite these criticisms, it has to

be acknowledged that data breach notification laws appear to have been a

resounding success. Data breach notification laws have potential value, but the real problem with the concept is that it is too narrow: it has a limited notion of harm and it is purposively restricted by a context independent approach. The purpose of data breach notification law is to provide

instant consumer redress to mitigate potential identity theft threats. However, in

doing so, the law misses the potentially important role it could have regarding the

wider implications of adequate protections of personal information within the fortification of critical information infrastructures. Some authors have made the link

between data breach notification and the onset of a newly developing legal field,

information security law. Equally, a link between corporate information security

measures and the protection of critical information infrastructures has also been

made. But thus far little or no research has been conducted into the links between

data breach notification, corporate information security measures and critical

information infrastructure protection. Research in this area could provide rich

insights into some of the formative components of our information societies which

are no doubt going to develop further and take on greater importance over time.

9.4.2 CONTEXTUALISING INFORMATION PRIVACY LAW

Equally, the thesis made a number of criticisms about the restrictive scope of

information privacy law that focuses too much on types of information and the

management of personal information exchange processes rather than social

relationships and social contexts. The introduction of contextualisation immediately

expands the limited notion of harms currently in operation and thus shifts the

concept of information privacy from (a) a law that regulates personal information to

protect individual privacy to (b) a law that protects privacy through the governance

of relationships involved in the production of personal information. Information

privacy problems therefore do not simply involve providers, collectors and users of

personal information. Regulatory and legislative remedies do not merely entail

simplistic solutions of redress in information management processes. However, the

problem with contextualisation is that it requires much greater legislative, regulatory and judicial input than information privacy law currently allows, as

highlighted in Conceptual Basis. Nonetheless, the contextual element of information

privacy law is already seen as an integral part of most comprehensive regimes and it

is likely to remain so as technological developments continue to push the

boundaries of what is personal information and how it is governed. Nissenbaum

has developed a wide-ranging framework for applying context to information

privacy problems but it has yet to be seen how that framework will translate to

existing and future legal regimes. Doing so could open many new avenues of

research as demonstrated by the introduction of contextualisation into data breach

notification law.


9.4.3 RECOMMENDATIONS FOR AN AUSTRALIAN DATA BREACH

NOTIFICATION LAW

The data breach notification recommendations proposed by the ALRC have been at

the heart of this thesis. It would be presumptuous to provide detailed comment and

recommendations about the implementation of a data breach notification scheme

via amendments to the Privacy Act without indication from the Australian

Government about whether and how the scheme will be applied. Nevertheless,

some general recommendations can be made from the findings.

Stakeholder Perspectives indicates that data breach notification is likely to be a

politically contentious issue. There is a general view that data breach notification

could have positive effects but this is tempered by fears of over regulation.

Moreover, statutory regulators were also guarded about the prospects of regulating

a mandatory notification scheme as it could greatly increase workloads without

sufficient budgetary or resource allocation support. The research participants were

universally hesitant about the idea of moving from nothing to a fully implemented

scheme and they were willing to forgo a degree of certainty to ensure the

implementation of effective legislation. These findings suggest that a wide ranging

consultation is required to fully understand industry and regulator views and to

respond accordingly.

Stakeholder Perspectives also indicates that notification itself has a limited remedial

value and more should be done to enhance consumer education in relation to the

mitigation of identity theft and the use of personal information in general.

Mandatory Notification questions whether the OPC is the appropriate organisation to

manage a mandatory data breach notification scheme. The body of research findings demonstrates that data breach notification should not be viewed purely as an

information privacy problem regarding data breaches of certain types of

information. Furthermore, the operational base of the OPC has thus far been

founded on ‘light touch’ regulation which is incongruent with the concept of

mandatory notification. The introduction of a mandatory data breach notification

scheme through the Privacy Act is likely to require a review of the compulsion

powers granted to the OPC. Even if powers are granted, it is likely that the introduction of data breach notification would require a greater willingness on the

part of the OPC to take strong and decisive regulatory action.

Encryption Safe Harbours validates and recommends the proposed factor-based

encryption safe harbour in conjunction with the proposed two-tier trigger. It is entirely appropriate that breached organisations must account for their information security practices, for instance whether the decryption keys were themselves exposed alongside the encrypted data, before they can rely on the benefit of a safe harbour. The two-tier

trigger is also beneficial as it lays the foundations for a wider ranging regulatory

oversight that can then be expanded to the more extensive social issue of critical

information infrastructure protection. However, as highlighted previously in this

section, doubts persist as to whether the OPC is the body to fulfil that regulatory

function.

9.5 CONCLUDING REMARKS

This journey into the relationship between data breach notification and information privacy laws has revealed a number of insights. There is a general weakness in both

concepts because too much emphasis is placed on the type of information regulated

rather than the social relationships that are involved in the information generation

process. As such, both laws would benefit from a greater contextual aspect. The

inclusion of a contextual analysis highlights the weaknesses of information privacy

law in regard to breaches of security involving personal information. Data breach

notification law attempts to resolve such problems in one way – mandatory

notification – but this remedy does not adequately solve the underlying issues of ineffective corporate information security. Notification itself is not a particularly

effective remedy because it does not respect or support the relational realities of the

real-life situation that it attempts to regulate.

The focus of data breach notification law should be the breakdown of social

relationships and not losses of control in organisational management processes

regarding collection, storage and use of personal information. The identification of

multiple relationships brings this problem to the fore because the mechanics of data

breaches take place outside the chains of accountability created by information

privacy law. Moreover, it is difficult to extend the accountability framework of first

generation laws because the conceptual basis of these laws is too heavily predicated

on the regulation of types of information and information management processes.


Accordingly, data breach notification as an information privacy problem inherits the same concerns as information privacy law because again it focuses on information management rather than social relationships. Accountability within the chain framework also has a measure of blame attached because the breached organisation is deemed to be at fault and therefore needs to provide notification of its failings. Notification is therefore heavily influenced by the concept of reputational sanction. However, it has to be recognised that not all organisations are extensively to blame, particularly in situations involving sophisticated hackers.

The inclusion of these complex realities in the form of contextual analysis increases the scope for context dependent approaches to information privacy law. Context dependency is a key element of information privacy legal analysis. However, in Australian law with regard to the classification of personal information, it is applied inconsistently and without a conceptual base. Contextualisation predicated on concepts such as Nissenbaum's Contextual Integrity places context dependent analysis at the centre of legal regulation. This in turn has important implications for the analysis of data breaches that go to the implementation of adequate corporate information security mechanisms and thus the choice of notification triggers. Ultimately, an analysis of what is effective corporate information security requires a case-by-case examination based on a continual process of evaluation that is founded on sound information security principles, which will inevitably vary from organisation to organisation, data breach to data breach and thus context to context.

In conclusion, this thesis highlights both the expanses and limits of data breach notification and information privacy laws. They are generally compatible but they contain significant conceptual and operational differences that push the boundaries of compatibility. Data breach notification law is too conceptually complex: it is multifaceted and expansive in its foundation from the California law, and this expansiveness is constrained by a focus on compliance cost mitigation. Alternatively, information privacy law suffers from the opposite effect. The concept is too limited in focus because it only attempts to regulate the personal information exchange process and that provides a constraint on what can be implemented through it. As highlighted throughout this thesis, and the articles that form the body of research, data breach notification law is a journey that has started but a long distance has yet to be travelled before the full implications of the law, and its effect on established information privacy legal frameworks, are realised.


BIBLIOGRAPHY

ARTICLES/BOOKS/REPORTS

Acquisti, A, Friedman, A and Telang, R, 'Is There a Cost to Privacy Breaches? An Event Study' (Paper presented at the 27th International Conference on Information Systems, Milwaukee, USA, 26-28 June 2006).

Advisory Committee to the Secretary of Health, Education & Welfare, US Federal Government, Records, Computers and the Rights of Citizens (1973).

Allen, Anita L, 'Coercing Privacy' (1999) 40(3) William and Mary Law Review 723.

Allen, Anita L, 'Privacy as Data Control: Conceptual, Practical and Moral Limits of the Paradigm' (2000) 32(3) Connecticut Law Review 861.

Anderson, Ross J, 'Why Cryptosystems Fail' (1994) 37(11) Communications of the ACM 32.

Article 29 Data Protection Working Party, The Future of Privacy - Joint Contribution to the Consultation of the European Commission on the Legal Framework for the Fundamental Right to Protection of Personal Data, WP168 (2009).

Article 29 Data Protection Working Party, European Union, Opinion 4/2007 on the Concept of Personal Data, 01248/07/EN, WP 136 (2007).

Attorney-General's Department, Commonwealth, Privacy Protection in the Private Sector, Discussion Paper No 0642208778 (1996).

Attorney-General's Department, Commonwealth, A Privacy Scheme for the Private Sector (2000).

Auerswald, Philip E et al, 'Where Private Efficiency Meets Public Vulnerability: The Critical Infrastructure Challenge' in Philip E Auerswald (ed), Seeds of Disaster, Roots of Response: How Private Action can Reduce Public Vulnerability (2006) 3.

AusCERT, Australian Crime & Security Survey (2004).

AusCERT, Australian Crime & Security Survey (2006).

Austin, Lisa, 'Privacy and the Question of Technology' (2003) 22(2) Law and Philosophy 119.

Australian Government, Enhancing Privacy Protection: First Stage Response to the Australian Law Reform Commission Report 108 - For Your Information: Australian Privacy Law and Practice (2009).

Australian Law Reform Commission, Privacy, Report No 22 (1983).

Australian Law Reform Commission, Privacy and Personal Information, Discussion Paper No 14 (1980).

Australian Law Reform Commission, Review of Australian Privacy Law, Discussion Paper No 72 (2007).


Australian Law Reform Commission, Review of Privacy, Issues Paper No 31 (2006).

Barkan, E, Biham, E and Keller, N, 'Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication' (2008) 21(3) Journal of Cryptology 392.

Beaney, William M, 'The Right to Privacy and American Law' (1966) 3(2) Law and Contemporary Problems 253.

Bellia, Patricia L, 'Federalization in Information Privacy Law' (2009) 118(5) Yale Law Journal 868.

Bennett, Colin J, Regulating Privacy: Data Protection and Public Policy in Europe and the United States (1992).

Bennett, Colin J and Raab, Charles D, 'The Adequacy of Privacy: The European Union Data Protection Directive and the North American Response' (1997) 13(3) Information Society 245.

Bennett, Colin J and Raab, Charles D, The Governance of Privacy: Policy Instruments in Global Perspective (2nd and updated ed, 2006).

Bingisser, Martin G, 'Data Privacy and Breach Reporting: Compliance with Varying State Laws' (2008) 4(3) Shidler Journal of Law, Commerce & Technology 1.

Bishop, Derek A, 'No Harm No Foul: Limits on Damages Awards for Individuals Subject to a Data Breach' (2008) 4(4) Shidler Journal of Law, Commerce & Technology 1.

Bishop, Derek A, 'To Serve and Protect: Do Businesses Have a Legal Duty to Protect Collections of Personal Information?' (2006) 3(2) Shidler Journal of Law, Commerce & Technology 1.

Black, Matt, 'Towards a Duty to Disclose Security Breaches' (2005) 8(7) Internet Law Bulletin 98.

Burton, Sir Edmund, Report into the Loss of MOD Personal Data (Ministry of Defence, 2008).

Bygrave, Lee, 'The Place of Privacy in Data Protection Law' (2001) 24(1) University of New South Wales Law Journal 277.

Bygrave, Lee A, Data Protection Law: Approaching its Rationale, Logic and Limits (2002).

Cabinet Office, Data Handling Procedures in Government: Final Report (2008).

Campbell, Katherine et al, 'The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market' (2003) 11(3) Journal of Computer Security 431.

Canadian Internet Policy and Public Interest Clinic, Approaches to Security Breach Notification: A White Paper (2007).

Casey, Eoghan, 'Reporting Security Breaches - A Risk to be Avoided or Responsibility to be Embraced?' (2004) 1(3) Digital Investigation 159.

Cate, Fred H, 'The Failure of Fair Information Practice Principles' in Jane K Winn (ed), Consumer Protection in the Age of the 'Information Economy', Markets and the Law (2006) 341.


Cate, Fred H, Information Security Breaches and the Threat to Consumers (2005) Hunton & Williams <http://www.hunton.com/files/tbl_s47Details/FileUpload265/1280/Information_Security_Breaches.pdf> at 20 August 2010.

Cate, Fred H, Information Security Breaches: Looking Back and Thinking Ahead (2008) <http://www.hunton.com/files/tbl_s47Details/FileUpload265/2308/Information_Security_Breaches_Cate.pdf> at 19 March 2010.

Cavoukian, Ann, A Discussion Paper on Privacy Externalities, Security Breach Notification and the Role of Independent Oversight (2009) Office of the Information and Privacy Commissioner, Ontario, Canada <http://www.ipc.on.ca/images/Resources/privacy_externalities.pdf> at 19 March 2010.

Chalton, S, 'The Court of Appeal's Interpretation of "personal data" in Durant v FSA - a Welcome Clarification, or a Cat Amongst the Data Protection Pigeons?' (2004) 20(3) Computer Law & Security Report 175.

Chandler, Jennifer A, 'Negligence Liability for Breaches of Data Security' (2008) 23(2) Banking & Finance Law Review 223.

Citron, Danielle Keats, 'Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age' (2007) 80 Southern California Law Review 241.

Clarke, Roger, The Australian Privacy Act 1988 as an Implementation of the OECD Data Protection Guidelines (1989) <http://www.rogerclarke.com/DV/PActOECD.html> at 20 August 2010.

Clarke, Roger, 'Human Identification in Information Systems: Management Challenges and Public Policy Issues' (1994) 4 Information Technology & People 6.

Clarke, Roger, Introduction to Dataveillance and Information Privacy, and Definitions of Terms (2006) <http://www.rogerclarke.com/DV/Intro.html> at 20 August 2010.

Clarke, Roger, The OECD Data Protection Guidelines: A Template for Evaluating Information Privacy Law and Proposals for Information Privacy Law (1989) <http://www.rogerclarke.com/DV/PaperOECD.html> at 20 August 2010.

Clarke, Roger, Privacy: More Wobble-Board Than Balance-Beam (2004) <http://www.rogerclarke.com/DV/Wobble.html> at 20 August 2010.

Cohen, Julie E, 'Examined Lives: Informational Privacy and the Subject as Object' (2000) 52(5) Stanford Law Review 1373.

Committee on Data Protection, Great Britain, Report of the Committee on Data Protection ('Lindop Report') (1978).

Committee on Privacy, Great Britain, Report of the Committee on Privacy ('Younger Report') (1972).

Computer Security Institute and Federal Bureau of Investigation, Computer Crime and Security Survey (CSI/FBI, 2006).


Crumbley, R and Church, P, 'What is Personal Data? The House of Lords Identifies the Issues - Common Services Agency v Scottish Information Commissioner [2008] UKHL 47' (2008) 24(6) Computer Law & Security Report 565.

Curtin, C Matthew and Ayres, Lee T, Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry (2009) Interhack <http://web.interhack.com/publications/breach-taxonomy> at 20 August 2010.

Darrow, Jonathan J and Lichtenstein, Stephen D, '"Do You Really Need My Social Security Number?" Data Collection Practices in the Digital Age' (2008) 10(1) North Carolina Journal of Law & Technology 1.

Davies, Simon, 'Re-Engineering the Right to Privacy: How Privacy Has Been Transformed from a Right to a Commodity' in Philip Agre and Marc Rotenberg (eds), Technology and Privacy: The New Landscape (1997) 143.

Davies, Simon, 'Unprincipled Privacy: Why the Foundations of Data Protection Are Failing us' (2001) 24(1) University of New South Wales Law Journal 284.

Deloitte, Global Security Survey: The Shifting Security Paradigm (2007).

Department of Veterans Affairs Office of Inspector General, Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans (2006).

Ehrenreich, Rosa, 'Privacy and Power' (2001) 89(6) Georgetown Law Journal 2047.

Emigh, A, 'The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond' (2006) 1(3) Journal of Digital Forensic Practice 245.

Epstein, Richard A and Brown, Thomas P, 'Cybersecurity in the Payment Card Industry' (2008) 75(1) The University of Chicago Law Review 203.

Erikson, Kris and Howard, Philip N, 'A Case of Mistaken Identity? News Accounts of Hacker, Consumer, and Organizational Responsibility for Compromised Digital Records' (2007) 12(4) Journal of Computer-Mediated Communication 1229.

Erikson, Kris and Howard, Philip N, 'The Information Vulnerability Landscape. Compromising Positions: Organizational and Hacker Responsibility for Exposed Digital Records' in Andrea M Matwyshyn (ed), Harboring Data: Information Security, Law, and the Corporation (2009) 33.

Faulkner, Brandon, 'Hacking into Data Breach Notification Laws' (2007) 59(5) Florida Law Review 1097.

Fried, Charles, 'Privacy' (1968) 77 Yale Law Journal 475.

Froomkin, A Michael, 'Government Data Breaches' (2009) 24(3) Berkeley Technology Law Journal 1019.

Garcia, Flora J, 'Data Protection, Breach Notification, and the Interplay between State and Federal Law: The Experiments Need More Time' (2007) 17(3) Fordham Intellectual Property, Media & Entertainment Law Journal 693.

Gatzlaff, Kevin M and McCullough, Kathleen A, 'The Effect of Data Breaches on Shareholder Wealth' (2010) 13(1) Risk Management and Insurance Review 61.


Gellman, Robert, 'Does Privacy Law Work?' in Philip Agre and Marc Rotenberg (eds), Technology and Privacy: The New Landscape (1997) 193.

Grant, Rebecca A and Bennett, Colin J, Visions of Privacy: Policy Choices for the Digital Age, Studies in Comparative Political Economy and Public Policy (1999).

Graves, James T, 'Minnesota's PCI Law: A Small Step on the Path to a Statutory Duty of Data Security Due Care' (2008) 34(3) William Mitchell Law Review 1115.

Greenleaf, Graham and Bygrave, Lee, 'Tasmania's Privacy Law due to Start' (2005) 11(7) Privacy Law and Policy Reporter 202.

Gutwirth, Serge, Poullet, Yves and De Hert, Paul, Reinventing Data Protection? (2009).

Commonwealth of Australia, Parliamentary Debates, Senate, 16 August 2007, 18 (Senator Stott Despoja).

Hasan, R and Yurcik, W, 'Beyond Media Hype: Empirical Analysis of Disclosed Privacy Breaches 2005-2006 and a DataSet/Database Foundation for Future Work' (Paper presented at the Workshop on the Economics of Securing the Information Infrastructure, Washington DC, 23 October 2006).

Heitzenrater, Julie, 'Data Breach Notification Legislation: Recent Developments' (2008) Winter 2008-09 i/S: A Journal of Law and Policy for the Information Society 661.

Honeywill, Sean C, 'Data Security and Data Breach Notification for Financial Institutions' (2006) 10 North Carolina Banking Institute 269.

Hoofnagle, Chris J, 'Big Brother's Little Helpers: How Choicepoint and Other Commercial Data Brokers Collect, Process, and Package Your Data for Law Enforcement' (2006) 29 North Carolina Journal of International Law and Commercial Regulation 595.

Hoofnagle, Chris J, 'Identity Theft: Making the Known Unknowns Known' (2007) 21(1) Harvard Journal of Law & Technology 98.

Hoofnagle, Chris J, 'Privacy Self-Regulation: A Decade of Disappointment' in Jane K Winn (ed), Consumer Protection in the Age of the 'Information Economy', Markets and the Law (2006) 379.

House Fiscal Agency, Legislative Analysis - Database Security Breach: Notify State Residents (2005).

Housley, Russ and Arbaugh, William, 'Security Problems in 802.11-based Networks' (2003) 46(5) Communications of the ACM 31.

Hutchins, John P et al, US Data Breach Notification Law: State by State (2007).

ID Analytics, National Data Breach Analysis (2006).

Information Commissioner's Office (UK), Data Protection Technical Guidance: Determining What is Personal Data (2007).

Information Commissioner's Office (UK), The 'Durant' Case and its Impact on the Interpretation of the Data Protection Act 1998 (2006).


Information Commissioner's Office (UK), Guidance on Data Security Breach Management (2008).

Information Commissioner's Office (UK), Information Commissioner's Guidance about the Issue of Monetary Penalties Prepared and Issued under Section 55C (1) of the Data Protection Act 1998 (2010).

Ishiguro, M et al, 'The Effect of Information Security Incidents on Corporate Values in the Japanese Stock Market' (Paper presented at the Workshop on the Economics of Securing the Information Infrastructure, Washington DC, 23 October 2006).

Jackson, Margaret and Hughes, Gordon L, Hughes on Data Protection in Australia (2nd ed, 2001).

Jay, Rosemary and Hamilton, Angus, Data Protection Law and Practice (3rd ed, 2007).

Johnson, Vincent R, 'Cybersecurity, Identity Theft, and the Limits of Tort Liability' (2005) 57 South Carolina Law Review 255.

Jones, Andy, 'Lessons Not Learned on Data Disposal' (2009) 6(1-2) Digital Investigation 3.

Jones, Michael E, 'Data Breaches: Recent Developments in the Public and Private Sectors' (2007) 3 i/S: A Journal of Law and Policy for the Information Society 555.

Kang, Jerry, 'Information Privacy in Cyberspace Transactions' (1998) 50(4) Stanford Law Review 1193.

Kannan, Karthik, Rees, Jackie and Sridhar, Sanjay, 'Market Reactions to Information Security Breach Announcements: An Empirical Analysis' (2007) 12(1) International Journal of Electronic Commerce 69.

Katyal, Sonia, 'Privacy vs Piracy' (2004) 7 Yale Journal of Law & Technology 222.

Kenneally, Erin, 'The Byte Stops Here: Duty and Liability for Negligent Internet Security' (2000) XVI(1) Computer Security Journal 1.

Kerckhoffs, A, 'La Cryptographie Militaire' (1883) Journal des Sciences Militaires 5.

Kiefer Peretti, Kimberly, 'Data Breaches: What the Underground World of "Carding" Reveals' (2009) 25(1) Santa Clara Computer and High Technology Law Journal 375.

Kirby, Michael, 'Twenty-five Years of Evolving Information Privacy Law - Where Have We Come From and Where Are We Going?' (2003) 21(4) Prometheus 467.

Ko, Myung and Dorantes, Carlos, 'The Impact of Information Security Breaches on Financial Performance of the Breached Firms: An Empirical Investigation' (2006) 17(2) Journal of Information Technology Management 13.

Lazzarotti, Joseph A, 'The Emergence of State Data Privacy and Security Laws Affecting Employers' (2009) 25 Hofstra Labour & Employment Law Journal 482.

Lee, Samuel, 'Breach Notification Laws: Notification Requirements and Data Safeguarding Now Apply to Everyone, Including Entrepreneurs' (2006) 1(1) Entrepreneurial Business Law Journal 125.


Legal and Constitutional References Committee, Department of the Senate, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005).

Leith, Philip, 'The Socio-Legal Context of Privacy' (2006) 2 International Journal of Law in Context 105.

Lenard, Thomas M and Rubin, Paul H, An Economic Analysis of Notification Requirements for Data Security Breaches (2005).

Lessig, Lawrence, 'Privacy as Property' (2002) 69(1) Social Research 247.

Levenson, Joshua R, 'Strength in Numbers: An Examination into the Liability of Corporate Entities for Consumer and Employee Data Breaches' (2008) 19 University of Florida Journal of Law and Public Policy 96.

Liamputtong, Pranee and Ezzy, Douglas, Qualitative Research Methods (2nd ed, 2005).

Lindsay, David, 'An Exploration of the Conceptual Basis of Privacy and the Implications for the Future of Australian Privacy Law' (2005) 29(1) Melbourne University Law Review 131.

Lindsay, David, 'Misunderstanding "Personal Information": Durant v Financial Services Authority' (2004) 10(10) Privacy Law and Policy Reporter 13.

Litman, Jessica, 'Information Privacy/Information Property' (2000) 52 Stanford Law Review 1283.

LoPucki, Lynn M, 'Did Privacy Cause Identity Theft?' (2003) 54(4) Hastings Law Journal 1277.

Ludington, Sarah, 'Reining in the Data Traders: A Tort for the Misuse of Personal Information' (2006) 66 Maryland Law Review 140.

Mannan, Mohammad and van Oorschot, P C, Localization of Credential Information to Address Increasingly Inevitable Data Breaches (2008) School of Computer Science, Carleton University <http://www.scs.carleton.ca/~mmannan/publications/nspw08-localization.pdf> at 28 April 2009.

Mao, Wenbo, Modern Cryptography: Theory and Practice (2004).

Margulis, Stephen T, 'On the Status and Contribution of Westin's and Altman's Theories of Privacy' (2003) 59(2) Journal of Social Issues 411.

Markus, Stephen L, 'Unfair Warning: Breach Notification in the FCC's Enhanced Telephone Records Safeguards' (2008) 18 Cornell Journal of Law and Public Policy 247.

Marx, Gary T, 'Murky Conceptual Waters: The Public and the Private' (2001) 3(3) Ethics and Information Technology 157.

Matwyshyn, Andrea M, Harboring Data: Information Security, Law, and the Corporation (2009).

Matwyshyn, Andrea M, 'Material Vulnerabilities: Data Privacy, Corporate Information Security and Securities Regulation' (2005) 3 Berkeley Business Law Journal 129.

Mayer-Schonberger, Viktor, 'Generational Development of Data Protection in Europe' in Philip Agre and Marc Rotenberg (eds), Technology and Privacy: The New Landscape (1997) 219.


Menezes, A J, van Oorschot, Paul C and Vanstone, Scott A, Handbook of Applied Cryptography, CRC Press Series on Discrete Mathematics and its Applications (1997).

Millar, Sheila A, 'Privacy and Security: Best Practices for Global Security' (2006) 5(1) Journal of International Trade Law & Policy 36.

Miller, Arthur R, 'Personal Privacy in the Computer Age: The Challenge of a New Technology in an Information-Oriented Society' (1968) 67 Michigan Law Review 1091.

Ministry of Justice (UK), Response to the Data Sharing Review Report (2008).

Moor, James H, 'Towards a Theory of Privacy in the Information Age' (1997) 27(3) Computers and Society 27.

Murphy, Richard S, 'Property Rights in Personal Information: An Economic Defense of Privacy' (1996) 84 Georgetown Law Journal 2381.

Nearon, B H et al, 'Life After Sarbanes-Oxley: The Merger of Information Security and Accountability' (2005) 45(3) Jurimetrics Journal 379.

Needles, Sara A, 'The Data Game: Learning to Love the State-Based Approach to Data Breach Notification Law' (2009) 88 North Carolina Law Review 267.

Nehf, J, 'Recognizing the Societal Value in Information Privacy' (2003) 78(1) Washington Law Review 1.

New South Wales Law Reform Commission, Privacy Legislation in New South Wales, Consultation Paper No 3 (2008).

Nissenbaum, Helen, 'Privacy as Contextual Integrity' (2004) 79 Washington Law Review 119.

Nissenbaum, Helen, Privacy in Context: Technology, Policy, and the Integrity of Social Life (2010).

O'Connor, Kevin, 'The Federal Privacy Commissioner: Pursuing a Systemic Approach' (2001) 24(1) University of New South Wales Law Journal 255.

OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).

Office of the Privacy Commissioner, Community Attitudes to Privacy (2007).

Office of the Privacy Commissioner, Portable Storage Devices and Australian Government Agencies Personal Information Survey (2009).

Office of the Privacy Commissioner, Submission to ALRC Review of Privacy DP72 (2007).

Office of the Privacy Commissioner New Zealand, Key Steps for Agencies in Responding to Privacy Breaches and Privacy Breach Checklist (2008).

O'Gorman, L, 'Comparing Passwords, Tokens, and Biometrics for User Authentication' (2003) 91(12) Proceedings of the IEEE 2021.

Otto, P N, Anton, A I and Baumer, D L, 'The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information' (2007) 5(5) IEEE Security & Privacy 15.


Oussayef, Karim Z, 'Selective Privacy: Facilitating Market-Based Solutions to Data Breaches by Standardizing Internet Privacy Policies' (2008) 14 Boston University Journal of Science & Technology Law 104.

Parsons, D W, Public Policy: An Introduction to the Theory and Practice of Policy Analysis (1995).

Paterson, Moira, Freedom of Information and Privacy in Australia: Government and Information Access in the Modern State (2005).

Peek, Marcy E, 'Information Privacy and Corporate Power: Towards a Re-Imagination of Information Privacy Law' (2006) 37 Seton Hall Law Review 127.

PGP, The Role of Encryption in Data Protection (2007) <http://download.pgp.com/pdfs/whitepapers/PGP-Cullinane-Webcast_WP_070205_F.pdf> at 20 March 2010.

Picanso, Kathryn E, 'Protecting Information Security Under a Uniform Data Breach Notification Law' (2006) 75(1) Fordham Law Review 355.

Ponemon Institute, 2007 Annual Study: Cost of a Data Breach (UK) (2008).

Ponemon Institute, 2008 Annual Study: Cost of a Data Breach (Germany) (2009).

Ponemon Institute, 2008 Annual Study: Cost of a Data Breach (UK) (2009).

Ponemon Institute, 2008 Annual Study: Cost of a Data Breach (US) (2009).

Ponemon Institute, The Cost of a Lost Laptop (2009).

Ponemon Institute, Encryption Trends - Australia (2009).

Ponemon Institute, National Survey on Data Security Breach Notification (2005).

Ponemon Institute, US Enterprise Encryption Trends (2009).

Post, Robert C, 'Three Concepts of Privacy' (2001) 89(6) Georgetown Law Journal 2087.

Preston, Ethan and Turner, Paul, 'The Global Rise of a Duty to Disclose Information Security Breaches' (2004) 22 John Marshall Journal of Computer & Information Law 457.

Prins, Corien, 'Property and Privacy: European Perspectives and the Commodification of our Identity' in Lucie M C R Guibault and P B Hugenholtz (eds), The Future of the Public Domain, Information Law (2006) 223.

Raab, Charles, 'Privacy Issues as Limits to Access' in Georg Aichholzer and Herbert Burkert (eds), Public Sector Information in the Digital Age: Between Markets, Public Management and Citizens' Rights (2004) 23.

Raab, Charles, 'Privacy Protection and ICT: Issues, Instruments and Concepts' in Robin Mansell (ed), The Oxford Handbook of Information and Communication Technologies (2007) 427.

Raul, Alan Charles, Privacy and the Digital State: Balancing Public Information and Personal Privacy (2002).

Raul, Alan Charles, Volpe, Frank R and Meyer, Gabriel S, 'Liability for Computer Glitches and Online Security Lapses' (2001) 6(31) Electronic Commerce & Law Report 849.


Regan, Priscilla, 'The United States' in James B Rule and Graham Greenleaf (eds), Global Privacy Protection: The First Generation (2008) 50.

Regan, Priscilla M, 'Federal Security Breach Notifications: Politics and Approaches' (2009) 24(3) Berkeley Technology Law Journal 1103.

Regan, Priscilla M, 'The Globalization of Privacy: Implications of Recent Changes in Europe' (1993) 52(3) American Journal of Economics & Sociology 257.

Regan, Priscilla M, Legislating Privacy: Technology, Social Values, and Public Policy (1995).

Reidenberg, Joel R, 'The Globalization of Privacy Solutions: The Movement Towards Obligatory Standards for Fair Information Practices' in Rebecca A Grant and Colin J Bennett (eds), Visions of Privacy: Policy Choices for the Digital Age (1999) 217.

Reidenberg, Joel R, 'Lex Informatica: The Formulation of Information Policy Rules Through Technology' (1998) 76(3) Texas Law Review 553.

Reidenberg, Joel R, 'Privacy in the Information Economy: A Fortress or Frontier for Individual Rights?' (1992) 44(2) Federal Communications Law Journal 195.

Reidenberg, Joel R, 'Restoring Americans' Privacy in Electronic Commerce' (1999) 14 Berkeley Technology Law Journal 771.

Roberds, William and Schreft, Stacey L, 'Data Breaches and Identity Theft' (2009) 56(7) Journal of Monetary Economics 918.

Rode, Lilia, 'Database Security Breach Notification Statutes: Does Placing the Responsibility on the True Victim Increase Data Security?' (2007) 43(5) Houston Law Review 1597.

Romanosky, Sasha and Acquisti, Alessandro, 'Privacy Costs and Personal Data Protection: Economic and Legal Perspectives' (2009) 24(3) Berkeley Technology Law Journal 1061.

Romanosky, Sasha, Telang, Rahul and Acquisti, Alessandro, Do Data Breach Disclosure Laws Reduce Identity Theft? (2008) SSRN <http://ssrn.com/paper=1268926> at 20 August 2010.

Rotenberg, Marc, 'Fair Information Practices and the Architecture of Privacy' (2001) Stanford Technology Law Review <http://stlr.stanford.edu/pdf/rotenberg-fair-info-practices.pdf> at 10 August 2010.

Roth, Paul, 'What is "Personal Information"?' (2002) 20 New Zealand Universities Law Review 40.

Rule, James B, Privacy in Peril (2007).

Rule, James B and Greenleaf, Graham, Global Privacy Protection: The First Generation (2008).

Saxby, Stephen, 'UK Needs Stronger Regulation of Public Sector Data Policy' (2008) 24(1) Computer Law & Security Report 1.

Scalet, Sarah D, The Five Most Shocking Things About the ChoicePoint Data Security Breach (2005) CSO <http://www.csoonline.com/article/220340/The_Five_Most_Shocking_Things_About_the_ChoicePoint_Data_Security_Breach?page=1> at 20 August 2010.


Schneider, Jacob W, 'Preventing Data Breaches: Alternative Approaches to Deter Negligent Handling of Consumer Data' (2009) 15 Boston University Journal of Science & Technology Law 279.

Schoeman, Ferdinand David, Privacy and Social Freedom (1992).

Schwartz, Paul M, 'Data Processing and Government Administration' (1992) 43 Hastings Law Journal 1321.

Schwartz, Paul M, 'Internet Privacy and the State' (2000) 32(3) Connecticut Law Review 815.

Schwartz, Paul M, 'Preemption and Privacy' (2009) 118 Yale Law Journal 902.

Schwartz, Paul M, 'Privacy and Democracy in Cyberspace' (1999) 52(6) Vanderbilt Law Review 1609.

Schwartz, Paul M, 'Privacy and Participation: Personal Information and Public Sector Regulation in the United States' (1995) 80 Iowa Law Review 557.

Schwartz, Paul M and Janger, Edward J, 'Notification of Data Security Breaches' (2007) 105(5) Michigan Law Review 913.

Scott, Robert J and Machal-Fulks, Julie, 'Ethical Considerations for Attorneys Responding to a Data-Security Breach' (2008) 6(2) Northwestern Journal of Technology and Intellectual Property 171.

Shapiro, Brian and Baker, C Richard, 'Information Technology and the Social Construction of Information Privacy' (2001) 20(4-5) Journal of Accounting and Public Policy 295.

Siegel, Kenneth M, 'Protecting the Most Valuable Corporate Asset: Electronic Data, Identity Theft, Personal Information, and the Role of Data Security in the Information Age' (2007) 111(3) Penn State Law Review 779.

Simitian, Joseph, 'How a Bill Becomes Law, Really' (2009) 24(3) Berkeley Technology Law Journal 1009.

Simitis, Spiros, 'Reviewing Privacy in an Information Society' (1987) 135(3) University of Pennsylvania Law Review 707.

Skinner, Timothy H, 'California's Database Breach Notification Security Act: The First State Breach Notification Law is Not Yet a Suitable Template for National Identity Theft Legislation' (2003) 10(1) Richmond Journal of Law & Technology 1.

Smedinghoff, T J, 'Cybersecurity Disclosure Requirements in the US: A New Trend?' (2003) 4(10) World Internet Law Report 1.

Smedinghoff, Thomas J, 'Defining the US Legal Standard for Information Security' (2005) 6(4) World Internet Law Report 1.

Smedinghoff, Thomas J, 'The Developing US Legal Standard for Cybersecurity' (2003) 4 Sedona Conference Journal 109.

Smedinghoff, Thomas J, 'The New Law of Information Security: What Companies Need to Do Now' (2005) 22(11) Computer and Internet Lawyer 9.

Page 281: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

319

Smedinghoff, Thomas J, 'Security Breach Notification - Adapting to the Regulatory Framework' (2005) 21(12) The Review of Banking & Financial Services 1. Smedinghoff, Thomas J, The State of Information Security Law: A Focus on the Key Legal Trends (2009). Smedinghoff, Thomas J, 'Trends in the Law of Information Security' (2005) 17(1) Intellectual Property & Technology Law Journal 1. Solove, Daniel J, 'Conceptualizing Privacy' (2002) 90(4) California Law Review 1087. Solove, Daniel J, 'Identity Theft, Privacy, and the Architecture of Vulnerability' (2003) 54 Hastings Law Journal 1227. Solove, Daniel J, 'The New Vulnerability: Data Security and Personal Information' in Margaret Jane Radin and Anupam Chander (eds), Securing Privacy in the Internet Age (2005) 111. Solove, Daniel J, 'Privacy and Power: Computer Databases and Metaphors for Information Privacy' (2001) 53(6) Stanford Law Review 1393. Solove, Daniel J, Understanding Privacy (2008). Solove, Daniel J and Hoofnagle, Chris J, 'Model Regime of Privacy Protection' (2006) University of Illinois Law Review 357. Solove, Daniel J, Rotenberg, Marc and Schwartz, Paul M, Information Privacy Law (2nd

ed, 2006).

Soma, John T, Courson, J Zachary and Cadkin, John, 'Corporate Privacy Trend: The "Value" of Personally Identifiable Information ("PII") Equals the "Value" of Financial Assets' (2009) 25(4) Richmond Journal of Law & Technology 1. Somogy, Derek J, 'Information Brokers and Privacy' (2006) 1(2/3) i/S: A Journal of Law and Policy for the Information Society 901. Sovern, Jeff, 'Jewel of Their Souls: Preventing Identity Theft through Loss Allocation Rules' (2003) 64 University of Pittsburgh Law Review 343. Srivastava, Aashish, Is the Pen Mightier than the Electronic Signature? The Australian Businesses' Perspective (PhD Thesis, Monash University, 2008). St Amant, Brendan, 'Misplaced Role of Identity Theft in Triggering Public Notice of Database Breaches' (2007) 44 Harvard Journal on Legislation 505. State of California Department of Consumer Affairs, Recommended Practices on Notice of Security Breach Involving Personal Information (2006). Stevens, Gina Marie, Federal Information Security and Data Breach Notification Laws (2008). Stevens, Gina Marie, Federal Information Security and Data Breach Notification Laws (2009). Stevens, Gina Marie, Information Security and Data Breach Notification Safeguards (2007). Swire, Peter P and Litan, Robert E, None of Your Business: World Data Flows, Electronic Commerce, and the European Privacy Directive (1998).

Page 282: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

320

Symantec, Data Loss, Prevention and the Impact of Mandatory Reporting (2009). Symantec, Symantec Internet Security Threat Report: Trends for January 06–June 06 (2006). Synovate, 2006 Federal Trade Commission - Identity Theft Survey Report (2007). Synovate, Federal Trade Commission - Identity Theft Survey Report (2003). Tinseth, Andrew and Richlin, Dan, 'SB1386: One Year Later' (2005) 32(7) EDP Audit Control and Security Newsletter 1. Towle, Holly K, 'Identity Theft: Myths, Methods, and New Law' (2004) 30(2) Rutgers Computer & Technology Law Journal 237. Treasury Inspector General for Tax Administration, The Internal Revenue Service is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices (2007). Tucker, Greg, 'Frontiers of Information Privacy in Australia' (1992) 3(1) Journal of Law and Information Science 63. Turner, Michael, Towards a Rational Personal Data Breach Notification Regime (2006) PERC <http://www.infopolicy.org/files/downloads/data_breach.pdf> at 20 August 2010. United States Government Accountability Office, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (GAO-07-737, 2007). United States Government Accountability Office, Preventing and Responding to Improper Disclosures of Personal Information (GAO-07-737, 2006). van den Hoven, Jeroen, 'Information Technology, Privacy and the Protection of Personal Data' in Jeroen van den Hoven and John Weckert (eds), Information Technology and Moral Philosophy (2008) 301. van den Hoven, Jeroen, 'Privacy and the Varieties of Moral Wrong-Doing in an Information Age' (1997) 27(3) SIGCAS Computers & Society 33. Verizon Business, 2008 Data Breach Investigations Report (2008). Verizon Business, 2008 Data Breach Investigations Report: Supplemental Report (2008). Verizon Business, 2009 Data Breach Investigations Report (2009). 
Wacks, Raymond, Personal Information: Privacy and the Law (1993). Waldo, James, Lin, Herbert and Millett, Lynette I, Engaging Privacy and Information Technology in a Digital Age (2007). Waters, Nigel, Greenleaf, Graham and Roth, Paul, Interpreting the Security Principle (2006) UNSW <http://www.cyberlawcentre.org/ipp/wp/WP1%20Security.pdf> at 27 March 2010. Watts, M, 'Information, Data and Personal Data – Reflections on Durant v Financial Services Authority' (2006) 22(4) Computer Law & Security Report 320.

Page 283: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

321

Westin, Alan F, Privacy and Freedom (1967). Westin, Alan F, 'Social and Political Dimensions of Privacy' (2003) 59(2) Journal of Social Issues 431. Westin, Alan F and Baker, Michael A, Databanks in a Free Society: Computers, Record-keeping and Privacy (1972). White, Anthony E, 'The Recognition of a Negligence Cause of Action for Victims of Identity Theft: Someone Stole my Identity, Now who is going to pay for it?' (2005) 88(4) Marquette Law Review 847. Winn, Jane, 'Are 'Better' Security Breach Notification Laws Possible?' (2009) 24(3) Berkeley Technology Law Journal 1133. Wood, David G, 'Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown' (GAO-07-737, 2007). Yan, J, Blackwell, A and Anderson, Ross, 'Password Memorability and Security: Empirical Results' (2004) 2(5) IEEE Security & Privacy 25. Yurcik, W and Hasan, R, 'Toward One Strong National Breach Disclosure Law – Justification and Requirements' (Paper presented at the Workshop on the Economics of Securing the Information Infrastructure, Washington DC, 23 October 2006). Zaidi, Kamaal, 'Identity Theft and Consumer Protection: Finding Sensible Approaches to Safeguard Personal Data in the United States and Canada' (2007) 19(2) Loyola Consumer Law Review 99. Zittrain, Jonathan, 'Privacy 2.0' (2008) The University of Chicago Legal Forum 65.

CASE LAW

Bell v Acxiom Corp, 2006 US Dist LEXIS 72477 (US). Bodil Lindqvist v Aklagarkammaren i Jonkoping (C-101/01) [2003] ECR. C Cockerill & Sons (Vic) Pty Ltd v The County Court of Victoria [2007] VSC 182. Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 (UK). Day v Lynn [2003] FCA 879. Durant v Financial Services Authority [2003] EWCA Civ 1746 (UK). Forbes v Wells Fargo Bank, NA, 420 F Supp 2d 1018 (US). Giordano v Wachovia Sec, LLC, 2006 US Dist LEXIS 52266 (US). GL v Director-General, Department of Education and Training [2003] NSWADT. Guin v Brazos Higher Educ Serv Corp, 2006 US Dist LEXIS 4846 (US) Jones v Commerce Bankcorp Inc et al, 2006 US Dist LEXIS 32067 (SDNY) (US).

Page 284: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

322

Key v DSW, Inc, 2006 US Dist LEXIS 69887 (US). Le and Secretary, Department of Education, Science and Training [2006] AATA 208. Macquarie University v FM [2005] NSWCA 192. OD v Department of Education [2006] NSWADT 312. OPC v Banking Institution [2005] PrivCmrA 11. Own Motion Investigation v Bankruptcy Trustee Firm [2007] PrivCmrA 5. Own Motion Investigation v Medical Centre [2009] PrivCmrA 6. PN v Department of Education and Training [2006] NSWADT 122. Randolph et al v ING Life Insurance and Annuity Co 2007 US Dist LEXIS 11523 (DC). Seven Network (Operations) Ltd v Media Entertainment and Arts Alliance (MEAA) [2004] FCA 637. Stollenwerk v Tri-West Healthcare Alliance, 2005 US Dist LEXIS 41054 (US). SW v Forests NSW [2006] NSWADT 74. United States of America v ChoicePoint Inc 06-CV-0198 (ND Ga 2006) (US). Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479. WL v La Trobe University [2005] VCAT 2592. WL v Randwick City Council [2007] NSWADT 12. Y v Director General, Department of Education and Training [2001] NSWADT 149.

LEGISLATION

6 DEL CODE ANN §§ 12B-101 (2005). 9 VT STAT ANN §§ 2430 (2007). 73 PA CONS STAT § 2303 (2006). 815 ILL COMP STAT 530/1 (2005). ALASKA STAT § 45.48.010 (Michie 2009). American Recovery and Reinvestment Act of 2009, Pub L No 111-5, Div A, Title XIII, §13402, 123 Stat 260. ARIZ REV STAT § 44-7501 (2007). ARK CODE ANN § 4-110-105 (Michie 2005).

Page 285: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

323

Cabinet Administrative Instruction No 1 of 1989 (SA). CAL CIV CODE § 1789.29(a) (West 2003) COLO REV STAT § 6-1-716 (2006). Comprehensive Credit Services for Veterans Act of 2006, HR 5783, 109th Cong (2006). Comprehensive Identity Theft Protection Act of 2005, S 768, 109th Cong (2005). Comprehensive Veterans' Data Protection and Identity Theft Protection Act of 2006, HR 5588, 109th Cong (2006). CONN GEN STAT § 36a-701b (2006). Consumer Identity Protection and Security Act of 2005, S 1336, 109th Cong (2005). Consumer Identity Protection and Security Act of 2005, S 1461 IS, 109th Cong (2005). Consumer Notification and Financial Data Protection Act of 2005, HR 3374, 109th Cong (2005). Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data opened for signature 28 January 1981, ETS No 108 (entered into force 1 October 1985). Cyber-Security Enhancement and Consumer Data Protection Act of 2006, HR 5318, 109th Cong (2006). Cyber-Security Enhancement and Consumer Data Protection Act of 2007, HR 836, 110th Cong (2007). DC CODE ANN § 28-3851 (2007). Data Accountability and Trust Act of 2005, HR 4127, 109th Cong (2005). Data Accountability and Trust Act of 2007, HR 958, 110th Cong (2007). Data Accountability and Trust Act of 2009, HR 2221, 111th Cong (2009). Data Breach Notification Act of 2009, S 139, 111th Cong (2009). Data Matching Program (Assistance and Tax) Act 1990 (Cth). Data Protection Act 1998 (UK). Data Security Act of 2006, S 3568, 109th Cong (2006). Data Security Act of 2007, HR 1685, 110th Cong (2007). Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications).

Page 286: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

324

Directive of the European Parliament and of the Council Amending Directive 2002/22/EC on Universal Service and Users' Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector and Regulation (EC) No 2006/2004 on Cooperation Between National Authorities Responsible for the Enforcement of Consumer Protection Laws. Drivers Privacy Protection Act of 1994, 18 USC § 2725 (1994). Federal Agency Data Breach Notification Act of 2006, HR 5838, 109th Cong (2006). Federal Agency Data Breach Protection Act of 2006, HR 6163, 109th Cong (2006). Federal Agency Data Breach Protection Act of 2007, HR 2124, 110th Cong (2007). Federal Agency Data Breach Protection Act of 2007, S 1558, 110th Cong (2007). Financial Privacy Breach Notification Act of 2005, S 1216, 109th Cong (2005). Financial Privacy Protection Act of 2005, S 1594, 109th Cong (2005). FLA STAT § 817.5681 (2005). Freedom of Information Act 1992 (WA). GA CODE ANN §§ 10-1-911 (2005). Gramm-Leach-Bliley Act, 15 USC §§ 6801-9 (2006). HAW REV STAT §§ 487N-1 (2007). Health Insurance Portability and Accountability Act of 1996, Pub L No 104-191, 110 Stat 1936 (1996). IDAHO CODE § 28-51-104 (Michie 2006). Identity Theft Bill, HR 3140, 109th Cong (2005). Identity Theft Protection Act of 2005, S 1408, 109th Cong (2005). Identity Theft Protection Act of 2007, S 1178, 110th Cong (2007). IND CODE §§ 24-4.9-3-1 (2006). Information Act 2002 (NT). Information Privacy Act 2000 (VIC). Information Privacy Act 2009 (QLD). Information Privacy Bill 2007 (WA). Invasion of Privacy Act 1971 (Qld). IOWA CODE § 715C.1 (2008). KAN STAT ANN §§ 50-7a01 (2006).

Page 287: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

325

LA REV STAT ANN §§ 51:3071 (West 2005). Listening & Surveillance Devices Act 1972 (SA). MASS GEN LAWS 93H §1 (2007). MD CODE ANN §§ 14-3501 (2008). ME REV STAT ANN 10, §§ 210-B-1346 (West 2007). MICH COMP LAWS § 445.72 (2007). MINN STAT § 325E.61 (2006). MO REV STAT § 407.1500 (2009). MONT CODE ANN § 30-14-1704 (2006). NC GEN STAT §§ 75-60 (2005). ND CENT CODE §§ 51-30-01 (2005). NH REV STAT ANN §§ 359-C:19 (2007). NJ STAT ANN § 56:8-163 (West 2006). NY GEN BUS LAWS §§ 899-aa (2005). NEB REV STAT §§ 87-801 (2006). NEV REV STAT §§ 603A.010 (2006). Notification of Risk to Personal Data Act of 2005, HR 1069, 109th Cong (2005). Notification of Risk to Personal Data Act of 2005, S 751, 109th Cong (2005). Notification of Risk to Personal Data Act of 2005, S 1326, 109th Cong (2005). Notification of Risk to Personal Data Act of 2006, HR 5582, 109th Cong (2006). Notification of Risk to Personal Data Act of 2007, S 239, 110th Cong (2007). OHIO REV CODE ANN § 1349.19 (West 2005). OKLA STAT § 74-3113.1 (2006). OR REV STAT § 646A.600 (2007). Personal Data Privacy and Security Act of 2005, S 1332, 109th Cong (2005). Personal Data Privacy and Security Act of 2005, S 1789, 109th Cong (2005). Personal Data Privacy and Security Act of 2007, S 495, 110th Cong (2007). Personal Data Privacy and Security Act of 2009, S 1490, 111th Cong (2009).

Page 288: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

326

Personal Data Protection Act of 2007, S 1202, 110th Cong (2007). Personal Information Protection and Electronic Documents Act 2000 (Can). Privacy Act 1973 (Can). Privacy Act 1973 (NZ). Privacy Act 1988 (Cth). Privacy Act of 1974, 5 § USC 552 (2006) (US). Privacy and Personal Information Protection Act 1998 (NSW). PROTECT Act, S 3173, 109th Cong (2005). RI GEN LAWS § 11-49.2-1 (2005). Resolution (73) 22 on the Protection of the Privacy of the Individuals vis-a-vis Electronic Data Banks in the Private Sector (1973). Resolution (74) 29 on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Public Sector. SC CODE ANN § 39-1-90 (Law Co-op 2009). Sarbannes Oxley Act of 2002, Pub L 107-204, 116 Stat 745 (2002). Senate Bill No 1386 (Amended Senate) (2002) <http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020320_amended_sen.pdf> at 4 May 2010. Senate Bill No. 1386 (Introduced) (2002) <http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020212_introduced.pdf> at 4 May 2010. Social Security Number Fraudulent Use Notification Act of 2006, HR 5409, 109th Cong (2006). TENN CODE ANN § 47-18-2101 (2005). TEX BUS & COMM CODE §§ 48.001 (2005). UTAH CODE ANN §§ 13-42-101 (2006). VA CODE ANN § 18.2-186.6 (Michie 2008). Veterans' ID Theft Protection Act of 2006, HR 5487, 109th Cong (2006). The Video Privacy Protection Act of 1998, 18 USC § 2710. W VA CODE §§ 46A-2A-101 (2008). WASH REV CODE § 19.255.010 (2005). WIS STAT § 895.507 (2006).

Page 289: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

327

WYO STAT ANN §§ 40-12-501 (Michie 2007). Opinion 1/2009 on the Proposals Amending Directive 2002/58/EC on Privacy and Electronic Communications (e-Privacy Directive). Assembly Committee on Business and Professions, Hearing Note SB1386 (2002). Assembly Committee on Judiciary, Senate Bill No 1386 (Committee Report) (2002) <http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_cfa_20020617_141710_asm_comm.html> at 4 May 2010. Department of Health and Human Services, 45 CFR Parts 160 and 164 - Breach Notification for Unsecured Protected Health Information (2009). European Data Protection Supervisor, Opinion of the European Data Protection Supervisor on Promoting Trust in the Information Society by Fostering Data Protection and Privacy (2010). European Data Protection Supervisor, 'Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council Amending, Among Others, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications)' (2008). Office of Consumer Affairs and Business Regulation, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth (2009) Massachusetts Government <http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf> at 10 March 2010. Office of Consumer Affairs and Business Regulation, Office of Consumer Affairs Files Revised ID Theft Regulations (2009) Massachusetts Government <http://www.mass.gov/?pageID=ocapressrelease&L=1&L0=Home&sid=Eoca&b=pressrelease&f=20090212_idtheft&csid=Eoca> at 10 March 2010. Office of the Comptroller of the Currency et al, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (2005).

OTHER SOURCES

AeA New England Council, AeA Update: Massachusetts Data Breach Regulations (2008) <http://www.aeanet.org/AeACouncils/zpUnYyihJjBdaJkdVziIPsEPkNrmnYWy.pdf> at 10 March 2010. BBC News, ACPO Bans Police from Joining BNP (2004) <http://news.bbc.co.uk/2/hi/uk_news/3930175.stm> at 21 May 2010. BBC News, BNP Activists' Details Published (2008) <http://news.bbc.co.uk/2/hi/uk_news/7736405.stm> at 20 August 2010. BBC News, BNP List Arrest Pair are Bailed (2008) <http://news.bbc.co.uk/2/hi/uk_news/england/nottinghamshire/7775631.stm> at 20 August 2010. BBC News, BNP Members 'Targeted by Threats' (2008) <http://news.bbc.co.uk/2/hi/uk_news/politics/7736794.stm> at 20 August 2010.

Page 290: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

328

BBC News, 'BNP Membership' Officer Sacked (2009) <http://news.bbc.co.uk/2/hi/uk_news/england/merseyside/7956824.stm> at 20 August 2010. BBC News, Church Asked to Ban BNP Members (2009) <http://news.bbc.co.uk/2/hi/uk_news/7838280.stm> at 20 August 2010. BBC News, MoD Inquiry After Laptop Stolen from Headquarters (2009) <http://news.bbc.co.uk/2/hi/uk_news/8409363.stm> at 17 March 2010. BBC News, Police Probe BNP Link to Car Fire (2008) <http://news.bbc.co.uk/2/hi/uk_news/england/bradford/7741270.stm> at 20 August 2010. BBC News, Previous Cases of Missing Data (2009) <http://news.bbc.co.uk/2/hi/uk_news/8409405.stm> at 17 March 2010. BBC News, Two Arrests over Leaked BNP List (2008) <http://news.bbc.co.uk/2/hi/uk_news/england/nottinghamshire/7768142.stm> at 20 August 2010. Blumenthal, Richard, Letter to Pfizer re Security Breach (2007) CT.gov <http://www.ct.gov/ag/lib/ag/consumers/pfizerdatabreachletter.pdf> at 3 June 2010. Bosworth, Martin H, Pfizer Keeps Data Breach Quiet (2007) Consumeraffairs.com <http://www.consumeraffairs.com/news04/2007/07/pfizer_data.html> at 3 June 2010. Business Software Alliance, About BSA and Members (2010) <http://www.bsa.org/country/BSA%20and%20Members.aspx> at 30 January 2010. Dearne, Karen, 'Data Breach Reporting a Scramble', The Australian (Melbourne), 27 May 2008. Dearne, Karen, 'Data Breach Hits 80% of Local Companies: Survey', The Australian (Melbourne), 22 October 2008. Dearne, Karen, 'Data in Danger', The Australian (Melbourne), 1 May 2007. Electronic Privacy Information Center, Choicepoint (2008) <http://epic.org/privacy/choicepoint/> at 23 April 2010. Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress (2006) <http://www.ftc.gov/opa/2006/01/choicepoint.htm> at 23 April 2010. 
Feinstein, Senator Diane Press Release: Senator Feinstein Calls for Passage of Legislation to Require Prompt Notification When Personal Information Has Been Compromised by Data Breach (2006) <http://feinstein.senate.gov/public/index.cfm?FuseAction=NewsRoom.PressReleases&ContentRecord_id=7929faac-7e9c-9af9-71f4-d3142e230015&Region_id=&Issue_id=5b8dc16b-7e9c-9af9-7de7-22b24a491232> at 20 January 2010. Feinstein, Senator Diane Press Release: Senator Feinstein Reiterates Call for Passage of Strong ID Theft Legislation (2006) <http://www.feinstein.senate.gov/public/index.cfm?FuseAction=NewsRoom.PressRelease

Page 291: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

329

s&ContentRecord_id=792a0134-7e9c-9af9-75ef-07abbb67d740&Region_id=&Issue_id=5b8dc16b-7e9c-9af9-7de7-22b24a491232

> at 20 January 2010.

Finextra, NAB Sends Customer Account Details to the Wrong People (2007) <http://www.finextra.com/fullstory.asp?id=16564> at 23 May 2010. Finextra, Westpac Cancels Cards after Security Scare (2007) <http://www.finextra.com/news/fullstory.aspx?newsitemid=17203> at 23 March 2010. Fraser, David T S, Breach Notification Amendments to PIPEDA Introduced in Parliament (2010) Canadian Privacy Law Blog <http://blog.privacylawyer.ca/2010/05/breach-notification-amendments-to.html> at 17 June 2010. Garner, Bryan A and Black, Henry Campbell, Black's Law Dictionary (9th

ed, 2009).

Harris Interactive, Many US Adults Claim to Have Been Notified that Personal Information Has Been Improperly Disclosed (2006) <http://www.harrisinteractive.com/harris_poll/index.asp?PID=708> at 9 June 2009. Hines, Nico, 'BNP Member Says Family Safety at Risk After Car Explodes Outside Home', The Times (London), 21 November 2008. Holleyman, Robert, Testimony Before the Subcommittee on Commerce, Trade and Consumer Protection House Committee on Energy and Commerce (2009). Hope, Christopher, 'How Many BNP activists Live in Your Town? Now You Can Find Out', The Times (London), 20 November 2008. Information Commissioner's Office (UK), Data Breaches to Incur up to £500 000 Penalty (2010) <http://www.ico.gov.uk/upload/documents/pressreleases/2010/penalties_guidance_120110.pdf> at 23 July 2010. Information Commissioner's Office (UK), Report Data Breaches or Risk Tougher Sanctions, Warns the ICO (2010) <http://www.ico.gov.uk/upload/documents/pressreleases/2010/data_breaches_260110.pdf> at 23 July 2010. Isikoff, Michael, Missing: A Laptop of DEA Informants (2004) Newsweek <http://www.newsweek.com/id/53958> at 17 March 2010. Johnston, Ian, 'Two Held over BNP Member List Leak', The Independent (London), 6 December 2008. Kennedy, Dominic and Hines, Nico, 'Thousands in Fear after BNP Members List Leak', The Times (London), 19 November 2008. Kerber, Ross, 'TJX Reaches $40m settlement with Visa Over Data Breach', Boston Globe (Boston), 30 November 2007. Kirkup, James and Hope, Christopher, 'BNP Membership List Leaked onto Internet', The Daily Telegraph (London) 19 November 2008. Knapton, Sarah, 'Two Arrested over Leaking of BNP Membership List', The Telegraph (London), 5 December 2008.

Page 292: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

330

Editorial'Radio Host Exposed in BNP Leak is Axed', London Evening Standard (London) 19 November 2008. Maurushat, Alana, Data Breach Notification Law Across the World from California to Australia (2009) Bepress Legal Repository <http://law.bepress.com/unswwps/flrps09/art11/> at 20 March 2010. Microsoft, Bitlocker (2009) <http://www.microsoft.com/windows/windows-7/features/bitlocker.aspx> at 20 March 2010. Miller, Nick, 'Data Leaks Under Review', Sydney Morning Herald (Sydney), 8 August 2006. National Conference of State Legislatures, State Security Breach Notification Laws (2009) <http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx> at 4 May 2010. NJ.com, NJ Accidentally Reveals Personal Data of 28K Unemployed Residents (2009) <http://www.nj.com/news/index.ssf/2009/05/3k_unemployed_nj_residents_may.html> at 20 August 2010. Nottingham Evening Post, BNP Expects more Arrests over Leaked Membership List (2008) <http://www.thisisnottingham.co.uk/crime/arrested-Notts-BNP-membership-leakarticle-527013-details/article.html> at 20 August 2010. Open Security Foundation, Dataloss DB (2009) <http://datalossdb.org/about> at 19 March 2010. Open Security Foundation, Dataloss Statistics (2009) <http://datalossdb.org/statistics> at 19 August 2010. Pereira, Joseph, 'Breaking The Code: How Credit-Card Data Went Out Wireless Door --- In Biggest Known Theft, Retailer's Weak Security Lost Millions of Numbers', The Wall Street Journal (New York), 4 May 2007, A1. Pfizer, FAQs Related to Pfizer Data Breach: Introduction (2007) <http://www.pfizer.com/contact/pfizer_data_breach_introduction.jsp> at 3 June 2010. Privacy Rights Clearinghouse, A Chronology of Data Breaches (2009) <http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP> at 21 March 2010. 
Rossi, Sandra, HSBC Australia Exposes Sensitive Customer Data (2007) Computerworld <http://www.computerworld.com.au/article/179967/hsbc_australia_exposes_sensitive_customer_data/> at 23 May 2010. Russell, Ben, 'BNP Membership List Published on Internet', The Independent (London), 19 November 2008. Samuelson Law Technology & Public Policy Clinic, Security Breach Notification Laws: Views from Chief Security Officers (2007) <http://groups.ischool.berkeley.edu/samuelsonclinic/files/cso_study.pdf> at 21 March 2010. Schreiber, Mark E and Young, Robert G, Aggressive New Massachusetts Data Breach Law and Proposed Security Rules Require Company Action (2008) Edwards Angell Palmer & Dodge

Page 293: Mark Burdon M.Sc. (Econ) Public Policy (Lon), LLB (Hons ...eprints.qut.edu.au/47512/1/Mark_Burdon_Thesis.pdf · THE CONCEPTUAL AND OPERATIONAL COMPATIBILITY OF DATA BREACH NOTIFICATION

331

<http://www.eapdlaw.com/files/News/4322f87f-a398-4342-8c0b-33c977a22c54/Presentation/NewsAttachment/eb517cbf-4b50-4d70-a250-399e9596f7da/aggressive%20new%20massachusetts%20data%20law.pdf> at 10 March 2010. Soghoian, Chris, At&T, Microsoft Win as ID Theft Bill Eviscerated (2008) Cnet News <http://news.cnet.com/8301-13739_3-9870992-46.html>at 22 March 2010. Solove, Daniel J, Googling Employees: Why Your Online Reputation Matters (2010) Concurring Opinions <http://www.concurringopinions.com/archives/2010/03/googling-employees-why-your-online-reputation-matters.html>at 20 June 2010. Sturcke, James, Weaver, Matthew and Cobain, Ian, 'BNP Membership List Leaked Online', Guardian (Manchester), 18 November 2008. Robinson, I, The Sentinel, Death Threats for Politician after BNP Members List is Leaked (2008) <http://www.thisisstaffordshire.co.uk/news/Death-threats-follow-BNP-listarticle-488115-details/article.html> at 20 August 2010. Carter, J, This is Cornwall, Death Threats as BNP Members are Named (2008) <http://www.thisiscornwall.co.uk/northcornwall/Death-threats-BNP-members-named/article-499803-detail/article.html> 20 August 2010. TrueCrypt, Homepage (2009) <http://www.truecrypt.org/> at 20 March 2010. Tung, Liam, Westpac Accepts No Blame in Security Breach (2007) ZDNet Australia <http://www.zdnet.com.au/news/security/soa/Westpac-accepts-no-blame-in-security-breach/0,130061744,339280311,00.htm>at 20 August 2010. Vijayan, Jaikumar, Federal Data-protection Law Inches Forward (2009) Computerworld <http://www.computerworld.com/s/article/9140408/Federal_data_protection_law_inches_forward> at 17 June 2010. Vijayan, Jaikumar, Personal Data on 17 000 Pfizer Employees Exposed; P2P App Blamed (2007) Computerworld <http://www.computerworld.com/s/article/9024491/Personal_data_on_17_000_Pfizer_employees_exposed_P2P_app_blamed?taxonomyId=17&pageNumber=1> at 3 June 2010. 
Vijayan, Jaikumar, Pfizer Waited Six Weeks to Disclose Data Breach (2007) InfoWorld <http://www.infoworld.com/print/30268> at 3 June 2010. Watson, Ian, Privacy Issues for BNP Members (2008) BBC News <http://news.bbc.co.uk/2/hi/uk_news/politics/7737651.stm> at 20 August 2010. Zetter, Kim, Google Hack Attack Was Ultra Sophisticated, New Details Show (2010) Wired <http://www.wired.com/threatlevel/2010/01/operation-aurora> at 23 April 2010. Zetter, Kim, TJX Hacker Charged With Heartland, Hannaford Breaches (2009) Wired <http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/> at 23 April 2010.