Cost of Privacy - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Cost of Privacy


1
  • Cost of Privacy
  • Prof. Lucas Bergkamp
  • Center for Information Policy Leadership at Hunton & Williams
  • Erasmus University Rotterdam
  • ERIM/PRIME Privacy for Business Workshop
  • The Airlines Sector
  • Rotterdam, 17 December 2004

2
Roadmap
  • Regulatory Models for Privacy (data protection)
  • Key Elements and Foundations of EU Data
    Protection Law
  • Adverse Effects, Paradoxes, Costs
  • Data and Security (Passenger Data)

3
Part I
  • Regulatory Models
  • for Privacy

4
Public and Private Privacy Law
  • Public Law
  • tends to be ex ante
  • government-citizen
  • no or limited individual tailoring: "government
    knows best"
  • enforceable irrespective of individual interest
    or harm
  • criminal or administrative sanctions
  • Private Law
  • chiefly ex post
  • citizen-citizen
  • individual tailoring possible "individual knows
    best"
  • enforceable if individual interest is affected
  • injunction (in some instances) or damages
  • Why is data protection law public law, rather
    than private law?
  • If harm to privacy is subjective, private law
    would be preferable

5
Privacy Regulatory Models
  • Government control over data flows and uses
  • current EU model
  • rules can always be enforced
  • high level of protection, inflexible, expensive
  • Property right in personal data
  • enforcement only at request of affected
    individual
  • transfer by consent, and under agreed conditions
    (e.g. as to use)
  • medium level of protection, flexible, expensive
    (due to consents)

6
Privacy Regulatory Models
  • No personal property right in data
  • anyone may collect and use data for any purpose
  • individual may refuse or provide data under
    conditions
  • low level of protection, flexible, inexpensive
  • What is the right mix of regulatory models?
  • expensive government control model only if
    justified by high objective risk
  • property right model only where no-property right
    is inappropriate
  • no personal property right is default model

7
Privacy from Economic Perspective
  • Production model is capitalist system
  • Regulated market economy
  • Regulation, i.e. government intervention, is
    justified in two situations
  • to impose external cost on responsible person
  • to provide "public goods" (non-rivalry,
    non-excludability)
  • Lack of data protection does not result in
    external cost
  • Is privacy a public good?
  • there is both rivalry and excludability
  • How can privacy regulation be justified?

8
Privacy Demand and Need for Protection in
Information Society
[Figure: chart with both axes scaled 0 to 90, marking regions 1, 2 and 3. Curves: demand for privacy as function of wealth; need for protection as function of wealth; level of privacy imposed by law.]
  • Three observations
  • Privacy law delivers where there is no privacy
    demand (1)
  • Privacy law delivers where there is no need for
    protection (2)
  • Privacy law delivers where there is neither (3)

9
Part II
  • Key Elements and
  • Foundations of EU
  • Data Protection
  • Law

10
EU Data Protection Law
  • Directive 95/46 on the protection of individuals
    with regard to processing of personal data
  • Directive ___ concerning the processing of
    personal data and the protection of privacy in
    the electronic communications sector
  • E-Commerce Directive
  • refers to Data Protection Directive
  • Miscellaneous other instruments

11
Key Provisions of EU Data Protection Law
  • General prohibition on collection and processing
    of personal data
  • subject to limited exceptions
  • burden of proof is on data controller
  • Where permitted, data processing is restricted
    (necessary, fair, purpose limitation, etc.)
  • Special regime for sensitive data
  • Transfers to non-EU jurisdictions are subject to
    specific transfer regimes

12
Key Provisions of EU Data Protection Law
  • Rights of data subjects and corresponding
    obligations of data controllers (notice, choice,
    access, rectification, etc.)
  • Procedural obligations (notification to
    government agencies)
  • Covers all sectors of industry and commerce
  • Applies to personal data broadly defined to
    include customer and employee data including
    coded data

13
Trends in EU Privacy Law
  • Technology convergence forces change of law
  • broader, comprehensive regimes
  • technology-neutral law
  • Harmonization of law
  • move towards "opt-in only" approach

14
EU Data Protection Policy's Human Right
Foundations
  • Privacy is fundamental right
  • 1950 European Convention of Human Rights, Article
    8: right to respect for family life, home,
    correspondence, and private life
  • European Court of Human Rights (ECHR) interpreted
    right to private life extensively
  • Right to private life has been accorded
    "Drittwirkung" or horizontal effect

15
EU Data Protection Policy's Human Right
Foundations
  • In Niemietz v. Germany, the ECHR held that right
    to private life applies also to professional and
    business life
  • Right to private life imposes both negative (e.g.
    not to collect "unnecessary" data) and positive
    obligations (e.g. to provide resources for
    exercise of right)
  • Employee right to privacy implies right to
    reasonable use of employer's resources for
    personal purposes

16
Implications of Human Right Foundations
  • Privacy is priceless
  • cost of privacy is irrelevant
  • Privacy is inalienable
  • customers and employees have unequal bargaining
    position
  • need to be protected against potential abuse and
    may not waive rights

17
EU Data Protection Policy's Human Right
Foundations
  • Governmental discretion
  • social justice in privacy administration requires
    government interpretation in many cases
  • ad-hoc decision-making: "government knows
    privacy violation when it sees one"
  • social justice over legal certainty

18
EU Data Protection Policy's Underlying Assumptions
  • Information use
  • business wants data to increase profits
  • poses risk to consumer
  • Nature of Business
  • profit-motive will cause corporations to
    disregard privacy
  • consumers are victims of business practices

19
EU Data Protection Policy's Underlying Assumptions
  • Data protection offers high level of protection
    against "risks" and "harms"
  • but what are the risks and harms?
  • EU did not identify any risks or harms
  • Known harms have been caused by state (e.g.
    Stasi-files)
  • Citizens Against Government Waste found that
    private sector does better job than public sector
    in protecting data

20
EU Data Protection Policy's Underlying Assumptions
  • Typical examples of harms caused by companies
    involve
  • trivial harms (e.g. receiving a brochure against
    one's wish) or
  • hypothetical harms (e.g. supermarket sends data
    about someone's food purchases to health insurer
    so that premium can be adjusted in function of
    health risk)
  • Different in government context

21
EU Data Protection Policy's Underlying Assumptions
  • Data Protection Promotes Autonomy
  • Right to define oneself (German Supreme Court's
    concept of informational self-determination)
  • "Face we want to present to the world"
  • but this right limits other persons' ability to
    learn about individual's less attractive side

22
EU Data Protection Policy's Underlying Assumptions
  • Data Protection Promotes Autonomy
  • Autonomy requires opt-in
  • EU does not take seriously risk that people
    misrepresent facts and defraud others ("identity
    theft")
  • Nikon France v. Onof: employer may not search
    employee's "personal" files

23
EU Data Protection Policy's Underlying Assumptions
  • Government Abuse of Private Sector Data
  • because government tends to abuse private sector
    data, there should be no data anywhere
  • does government's malice justify imposing
    restrictions on private sector?
  • if potential for abuse leads to eliminating
    valuable assets (e.g. biotechnology, guns, etc.),
    society will suffer
  • does government failure justify further
    government intervention?
  • is it effective, would privacy law have prevented
    the Holocaust?

24
EU Data Protection Policy's Underlying Assumptions
  • Government Abuse of Private Sector Data
  • ironically, data protection laws provide liberal
    exceptions for government use
  • "war against terrorism" may require more
    private sector data

25
Part III
  • Adverse Effects,
  • Paradoxes, Costs

26
Interim Conclusions
  • Data Protection Directive was not conceived with
    e-commerce in mind, and raises numerous problems
    and legal uncertainty
  • Government control and discretionary authority
    are inconsistent with innovative information
    society and consumer choice
  • Data protection applies even if consumer does not
    want it, resulting in paternalism
  • Privacy protection increases risk of fraud
  • EC exports its consumer and data protection
    regime to the rest of the world, thus reducing
    availability of e-commerce services and making
    them more expensive
  • How could this happen?

27
How does Information Society Differ from Old
Economy?
  • Global market place
  • Services economy
  • Reduces transaction cost
  • lower information and search cost
  • lower contracting cost
  • Empowers consumers
  • more offers
  • quicker
  • easy comparison
  • no "undue influence"
  • E-traders offer a wide variety of privacy
    policies
  • Technology permits consumer to impose his privacy
    preferences

28
EU Data Protection Policy's Foundations
  • Privacy is fundamental right
  • privacy is "priceless": it is about values
  • privacy is uniform and non-waivable
  • Governmental discretion
  • vague principles require government
    interpretation in many cases
  • ad-hoc decision-making: "government knows privacy
    violation when it sees one"
  • social justice over legal certainty
  • Consumer protection
  • consumer is deemed to have unequal bargaining
    position, and to need protection against
    potential abuse
  • paternalism over freedom

29
Paradoxes of EU Privacy Policy in Information
Society
  • Consumer protection (EU) v. consumer empowerment
    (information society)
  • Restricting competition choice (EU) v. enhancing
    competition (information society)
  • Disincentives for innovation (EU) v. incentives
    for innovation (information society)
  • Restricting consumer choice (EU) v. enhancing
    consumer choice (information society)
  • Privacy over-regulation causes de facto
    under-regulation because excessive legal
    requirements are not enforced
  • How can we begin to resolve these problems?

30
Privacy as a Fundamental Right
  • Data protection is deemed justified as
    fundamental right
  • democratic society requires individual right to
    communicate and participate
  • unrestricted data processing undermines
    communication and participation
  • information society and commercialization of
    personal data increases risk to individuals
  • But shouldn't we identify and differentiate
    between various possible risks?
  • what risks does privacy law reduce?
  • Aren't there better ways to ensure individual
    right to communicate and participate?
  • What about the trader's right to communicate?

31
Fundamental Issues
  • Market or government?
  • which meets consumer privacy demands best?
  • what does consumer really want?
  • why is privacy protection not an appropriate
    element of competition?
  • private privacy protection initiatives
  • What core of privacy (if any) should be
    non-waivable?
  • public law, government control
  • What default privacy protection regime do we
    need?
  • private law, variable by contract
  • if it meets needs of parties, it may be efficient
  • if it is overly protective, it will increase
    transaction cost

32
Cost of Privacy
  • Direct compliance cost
  • Indirect cost
  • Loss of opportunity
  • Loss of benefits of free flow

33
Conclusions
  • Opportunity cost of data protection has increased
    dramatically in information society, while need
    for protection has decreased
  • Government control model and public law result in
    inflexible and expensive regime with unfavorable
    cost-benefit ratio
  • Rethink government's role
  • free data flows do not result in external cost,
    no market failure
  • privacy is subjective and should be regulated
    primarily by private law
  • targeted, public law approaches to preventing
    significant objective harm
  • redesign system and recalibrate balance between
    public and private law

34
Part IV
  • Data and Security

35
Data and Security
  • Data are likely relevant to security
  • what data?
  • pertaining to whom?
  • how much?
  • right data timely provided may enhance security
  • Alternatives to data collection?

36
Data and Security
  • Government v. private sector
  • no self-limiting mechanism in government
  • Government has monopoly over force
  • security is dominated by government
  • but government needs help from private sector

37
Data and Security
  • Conditions for data to be helpful to advancing
    security
  • relevancy and volume of data
  • government's ability to digest and act on data
  • Balance between too much and too little data
  • Shotgun or targeted collection

38
Data and Security
  • Targeted collection from groups posing high
    security risks may make process more efficient
    and effective
  • enhances relevancy
  • but can high risk individuals avoid meeting
    profile?
  • Targeted collection raises ethical issues
  • is it fine to subject a person to this process
    based on his meeting profile?
  • what guarantees are there for preventing misuse
    for other purposes?

39
Data and Security
  • Fundamental questions
  • will data collection by government work?
  • is targeted collection based on profiles more
    effective or efficient and ethical?
  • Passenger data
  • what are guarantees against government misuse?

40
Data and Security
  • Cost of Privacy
  • who would want to maintain privacy for all if
    this results in higher security risks?
  • too much privacy will be costly

41
Data and Security
  • Cost of Privacy
  • how to measure cost of privacy?
  • no market value
  • how to weigh costs and benefits of privacy
    against costs and benefits of security?
  • problem of incommensurability
  • surveys
  • how reliable are they?

42
Conclusions
  • There is cost to privacy protection
  • In market setting, cost is self-limiting
  • Government's monopoly over force and absence of
    self-limiting mechanism are differences that
    should have consequences
  • Privacy versus security debate highlights
    problems of quantifying cost of privacy