Cray X-MP/24 (serial no. 115) used by NSA (Photo credit: Wikipedia)
A recent story on the BBC highlighted the number of data breaches reported by Welsh local government councils. Aside from the questions about the breaches, how they can be prevented, and whether the reporting mechanism encourages or discourages organisations from self-reporting, a deeper question about digital privacy emerges. Does the Data Protection Act, a breach of it, or digital privacy even matter?
When a breach occurs and whether or not the organisation tells them or the regulatory, we face a problem. After the initial anger, though, the subject or victim suddenly realize they are literally powerless in the face of the breach of the principle or the law. They have little basis for which to seek redress. Yes, they can file a complaint with the organisation. Yes, they can get the regulator, the Information Commissioner Office (ICO) interested in taking enforcement action, but that does not satisfy their injury. The data is still lost.
A data breach or lost data, so what?
At that moment, we start to see what is missing from the moral panics created by the Snowden affair and from the HMRC debacle. So far, we have to ask who has been harmed and what types of harm have the people who suffered the breach experienced? I do not mean that people are not upset by a council losing their data, or the NSA accessing their data, or even the HMRC losing their personal details, but what is the harm? As we reflect on this point, we start to realize that the loss of personal data is relatively inconsequential aside from the annoyance factor. We have to consider that our current digital development is relatively primitive so we have not seen the full range of ways that our personal data, even a small amount of it, can (and will be) exploited by the state or the private sector.[1] The reason being is that there is a difficulty in showing the harm to our digital person in a way that we can show the harm to our physical person from a faulty toaster or a flawed car design where millions of cars recalled when someone gets hurt.
Privacy will not be created or defended by a regulator
Now, before someone asks the silly question that comes with discussions like this, “Well, would you want your data lost or published”, the obvious answer is no. However, that is not the question. The issue is what the redress is for someone who suffers a data breach or has their personal data exploited in ways they did not expect or want. So far, the redress is at best indirect. You can get the organisation to apologize. You may even find one or two that seek to pay you a small amount of money to avoid the hassle of dealing with any legal claims or the bureaucratic paperwork associated with dealing with a regulator. Look at how the banks regularly pay money as mitigation in regulatory investigations. A similar approach, from the regulator’s view is the use of deferred prosecutions.[2] The approach does offer tactical and strategic advantages for both parties except it does not satisfy the aggrieved. In other words, their access to justice is limited to what the regulator feels is in the public interest, which gives us an insight into the coming problems with personal data.
Leaving aside the regulatory pressures, the individual will have a hard time showing damage and distress unless they have experienced it directly, immediately and physically.[3] The problem, at least from those wishing to assert privacy as being control over personal information, is to define or suggest what damage occurs from losing your bank details or your pension details (remember the breach with the contractor who decided to dispose of them in the skip, the personal data was considered minor), thus personal data lost, but no big deal (yes it was a big deal for the Council and the ICO) but for the individuals affected, they had to live with it.[4]
Privacy but what is the damage and distress?
What further adds to the inadequacy of asserting privacy is based on control over personal data is that the loss of control or abuse of that control are not grounded in torts or the injuries to the digital person (or even the physical person) that are easy to know or quantify. In the UK, anyone seeking compensation must be able to show distress and damage.[5] For the most part, the distress never amounts to the damages required to create the basis for a compensation claim. We can see this in the care.data furore. In this case, the public, or at least the data protection savvy part of the public, were concerned that the health data made available to health care providers would create discrimination against people with health problems.[6] So far, we cannot quantify or identify immediate individual harms based upon the companies having access to the database. We can feel or believe that it is unfair, but we rarely if ever have laws that say “The community feel aggrieved and thus this is harm”. Instead, we look for individual harms have Mr. X or Ms Y suffered as a result and can they demonstrate it. The problem though is how do you demonstrate that Facebook is discriminating against you in their service provision because you happen to like or dislike something? What would be your evidence, what would be the harm you would show?
The bureaucratic tyranny at the heart of the modern state.
We arrive with the hidden issue. We seem to overlook or forget that data sharing and the use of our personal data for the public interest is embedded in much of the UK legislation.[7] So we may have a situation where we may be seeing our crime rates getting lower (or our health improving) because the police and the government, including local authorities, (or the medical professionals) no longer see as many problems, the fear or risk aversion from breaching the DPA are disappearing, and the willingness to share increases, *even at the expense of people’s rights*. As no one knows about it or even if they did the public interest supports the government (even if it does not condone it) or the effort to challenge by the individual is so far removed or difficult (if you are being done for murder are you really going to focus on the potential data breach?) the sharing becomes easier. Thus, we see a bureaucratic tyranny emerging that is as silent and efficient as parliament has wanted given the number of laws that encourage (without demanding or explicitly requiring) sharing because they all serve the common good (even though they might have individual cases of harm). From the perspective of the state, such legislation is the minimum it will tolerate for it does not want anything that will inhibit its ability to act. To an extent this is what the public want, but it shows the tension, if not the failure, of liberalism as the individual “rights” have to be balanced against state “authority”, especially as the state ensures the individual’s rights.
Share because it is better to trample a few rights than have a murder.
One need only note the near seismic shift since the Bichard Enquiry on the police approach to sharing. One could put it crudely to say that the shift has been from share very little to share everything. The logic for the police being it is better to have the occasional person complain about rights being trampled (Mr. Catt[8]) than to explain to everyone why their failure to share allowed someone like (Mr. Huntley) to kill young girls[9] or a relative kill a child (Victoria Climbie).[10] At the same time, we see this tension in the NHS, trying to protect Sensitive Personal Data (health data) (your data is confidential you will consent to any use of it)[11] even as the UK government wants to open up health databases to be harvested and exploited for the public good.
We come to the realization that the UK’s excellent medical databases become another resource to be exploited by the state. Instead of coal or North Sea oil, the UK will use their data (the personal data of its citizens) as their comparative advantage, the natural resource, to be exploited to make the UK economy run.[12]
The dual impasse inadequate laws to deal with being the standing reserve
Thus, we arrive at a dual impasse. First our laws are developed for our physical person. We do not yet have a way to protect our digital person except to the point it relates to our physical person. Thus, as the demands on our digital person grow and we find it difficult to trace it back to our physical person and even if we do we find it difficult to show the harm. Any attempt so far has shown the incoherence of the concept of privacy and leave unresolved the horrific consequences of reducing us to a digital person. Second, we want to protect personal data (the autonomous individual is sacrosanct so we must believe from Mr Snowden) except that it (the individual) is now the standing reserve to be harvested so that the economy and the state, can deliver better outcomes and deliver the services the public want.[13]
The terms and conditions of the modern state.
What we now have is the dawning realization that the terms and conditions of the modern state are coming due. Our personal data, beyond taxes, is what makes the state move and we want the state (and the wider economy) to continue to provide us with our benefits so that our rights are enforced and expanded and we want our Facebook, Google, and Amazon preferences tailored to us as individuals. Even if we wanted to recast the social contract, how can we if we do not, and never have, controlled our personal data as these breaches demonstrate and the right to be forgotten reminds us?
[1] Yes, we can show examples of people suffering bad things. But for the vast majority of breaches, we still do not have a clear cause and effect between breach and harm, which is the point I am arguing. (The harm from the Snowden issue is not on the wheat, but on the chaff. They have probably harvested my details but so far neither Seal Team 6 nor the SAS has been in contact nor do I expect them to be.)
[2] See for example this analysis which suggests that they are used excessively for fear of a criminal conviction becoming a “death penalty” Markoff, Gabriel, Arthur Andersen and the Myth of the Corporate Death Penalty: Corporate Criminal Convictions in the Twenty-First Century (August 20, 2012). 15 University of Pennsylvania Journal of Business Law 797 (2013). Available at SSRN: http://ssrn.com/abstract=2132242 or http://dx.doi.org/10.2139/ssrn.2132242 As well as a similar analysis that suggest that it is open to abuse. Uhlmann, David M., Deferred Prosecution and Non-Prosecution Agreements and the Erosion of Corporate Criminal Liability (October 1, 2013). Maryland Law Review, Vol. 72, No. 4, 2013; U of Michigan Public Law Research Paper No. 352. Available at SSRN: http://ssrn.com/abstract=2334230
[3]Yes, there is a recent case where a group of people sued Islington Council and sought damages for having to move because their personal details were disclosed. However, this is one case in the thousands of data breaches that have been reported. Perhaps, most of these cases are resolved beneath this level, the small payments to avoid the drawn out legal or bureaucratic processes (the crude cost-benefit approach), but that seems unlikely given that the public sector, in particular, are loath to spend money as freely as the financial sector or rather the financial sector calculates the cost benefit analysis quicker or has less ego in trying to solve a problem. J
[4] As this analysis shows, there is a weakness at the heart of the ICO’s enforcement system. http://amberhawk.typepad.com/amberhawk/2013/08/does-quashing-the-scottish-borders-monetary-penalty-mean-a-change-to-ico-enforcement-policy.html
[5] The central case in this issue is Johnson v. Medical Defence Union. See this blog for analysis of recent developments on this area as it relates to Data Protection law in the UK. http://informationrightsandwrongs.com/2013/05/17/damages-under-s13-data-protection-act-an-opportunity-lost/
[6] The data sharing programme was halted until the communication could be improved and the concerns by interested parties were addressed. http://www.telegraph.co.uk/health/healthnews/10634539/Crisis-of-confidence-in-NHS-database-warn-GPs.html
[7] See for example, Children’s Act 2004 section 11 http://www.legislation.gov.uk/ukpga/2004/31/section/11 See for example, Crime and Disorder Act 1998 section 17 http://www.legislation.gov.uk/ukpga/1998/37/section/17 coupled with section 115 http://www.legislation.gov.uk/ukpga/1998/37/section/115
[8] Mr Catt is a non-violent campaigner who found out that his DNA was on a police extremist database even though he had done nothing criminal to warrant the inclusion on the database. http://www.bbc.co.uk/news/uk-england-sussex-21783596
[9] See the Bichard Inquiry http://en.wikipedia.org/wiki/Bichard_report following the Soham murders. http://en.wikipedia.org/wiki/Soham_murders
[10] http://en.wikipedia.org/wiki/Murder_of_Victoria_Climbi%C3%A9
[11] http://www.hscic.gov.uk/confguideorg
[12] See for example Francis Maude’s award from the Demographics Users Group in 2011 https://www.gov.uk/government/news/top-companies-commend-francis-maude-for-open-data More generally consider the report from World Economic Forum http://www.weforum.org/reports/personal-data-emergence-new-asset-class
[13] Martin Heidegger foresaw this development in his work on the Question Concern Technology which he presented in 1955. In the essay the key passage for our concerns now is the following This danger attests itself to us in two ways. As soon as what is unconcealed no longer concerns man even as object, but does, rather, exclusively as standing-reserve, and man in the midst of the objectlessness is nothing but the orderer of the standing reserve, ten he comes to the very brink of a precipitous fall; that is, he comes to the point where he himself will have to be taken as standing-reserve. P.26-27 (Harper Torchbook Martin Heidegger The Question Concerning Technology and other essays.)
Related articles
Thoughts on management 