Defining Our Terms
I have never reviewed a law journal article before, but a recent one is of great value to anyone following privacy. Don't be put off by the reputation that law journal articles have for monumental footnotes. This one is readable and worth reading. You can skip the footnotes.
Dan Solove, associate professor of law at George Washington University, wrote A Taxonomy of Privacy to identify privacy problems in a comprehensive, concrete manner. He succeeded brilliantly. You can find the article at http://ssrn.com/abstract=667622.
Why am I so enthusiastic? One major problem in this arena is that "privacy" has no clear, universally recognized meaning. An invasion of privacy can be just about any activity that makes people feel uncomfortable. It's hard to have a conversation about privacy if we lack the terminology to discuss the topic.
Professor Solove broke down the concept of privacy into 16 elements, organized under four basic groups of activities: 1) information collection; 2) information processing; 3) information dissemination; and 4) invasion.
The 16 elements are: 1) surveillance; 2) interrogation; 3) aggregation: 4) identification; 5) insecurity; 6) secondary use; 7) exclusion; 8) breach of confidentiality; 9) disclosure; 10) exposure; 11) increased accessibility; 12) blackmail; 13) appropriation; 14) distortion; 15) intrusion; and 16) decisional interference.
Professor Solove defines each element and shows the similarities, differences and relationships among the terms. He also offers a sample of how case law and statutes address the interests identified by each term.
The purpose is to identify and give meaning to all the different aspects that fall under the broad rubric of privacy. Not every activity that affects privacy causes harm, and not every harm is worthy of a legal remedy. We can recognize a privacy effect and debate the suitability of a remedy separately.
Let's take an example. Professor Solove identifies aggregation as one element in the information processing category. This may be the term of most interest to marketers and database compilers. Aggregation is "the gathering together of information about a person." The professor's definition is stated neutrally. He observes that aggregation became a national issue with the advent of computers. Modern databases carry aggregation to a much greater extent than in the past. People disclose data about themselves in different settings. It's the consolidation of the data from multiple sources that gives rise to concern.
A good example of aggregation is credit reporting, which combines information about credit and credit transactions from many sources. Credit reports provide a useful service that benefits both credit grantors and data subjects.
However, negative consequences can occur when data are aggregated. Credit reports are at times incomplete, out of date or wrong. The reports nevertheless are used to make major decisions about credit, employment, insurance and other important aspects of living. The potential demand for credit reports and the potential mischief are so great that we have a law restricting the use of credit reports to specific purposes. That illustrates both the power of aggregated records and a classic type of legal response.
The taxonomy lets us readily discuss the pros and cons of personal information in clearer terms. We can identify aggregation as an activity with privacy consequences, and we can consider whether those consequences are good or bad and whether they are worthy of legal remedies. We can intelligently debate aggregation effects separately from, say, disclosure effects.
Let's try another term. Professor Solove defines insecurity as the injury of being placed in a weakened state, of being made more vulnerable to a range of future harms. If your personal information was exposed to the world through a security breach, how are you harmed? The professor's terminology lets us say that you have been made more insecure as a result of the breach. Whether we as a society want to respond to that insecurity is a question. Many states have answered that question in the affirmative for some types of data breaches through notification laws.
Victims of a security breach also may be harmed because of breach of confidentiality, by disclosure and through increased accessibility. These are other terms defined in the article. By talking more precisely about privacy, we can make more precise choices about remedies, if any, that we want to offer to individuals.
The taxonomy is a great advance over prior attempts to categorize privacy. The four classic privacy torts defined more than 40 years ago are virtually prehistoric. They are rarely relevant to modern information privacy violations.
Another classic definition says that privacy is the right to control information about yourself. This is another approach that bears little relationship to the world today. With the presence of so many third-party record keepers, Americans only occasionally have any rights regarding their information, let alone an element of control.
My guess is that Professor Solove's article eventually will be recognized as a milestone in privacy scholarship. It should change for the better how we talk about privacy and how we think about privacy.