“It’s All About Me” by Prashant Sahay
To my grandfather, privacy was a pretty simple concept. He believed that what we did in public spaces was public, everything else was private. If we played loud music at home, that was a private matter. But I had to turn the volume down when driving by a busy street corner. To his way of thinking, an individual’s personal information, likes and dislikes, political affiliation, health issues, friend lists, unless he or she advertised them in public, were all private matter. This was a simple minded yet surprisingly useful conception of privacy.
In contrast, since May 25th when GDPR went into effect, we have been inundated and puzzled by the complexity of privacy policies of websites we did not even realize collected so much personal information. These policies seem to be designed to comply with governing laws including GDPR in Europe as well as digital privacy statutes and regulations elsewhere. They will argue that you can exercise your right to be let alone by refusing to sign consent and opting out of their service. You are assured that there is no potential for substantial injury or harm because the website will safeguard your information. You are also assured that you have a right to see and amend your information in keeping with Fair Information Practice Principles. With GDPR, you also have a right to have your information deleted if you so desire.
The policies I have read check all of the legal boxes: governing laws, tenets of sound privacy practices and standards. And yet, these are deeply unsatisfying, as they do not seem to have a core theme. Dan Solove rightly likens the struggles of privacy as a concept to those of Jorge Luis Borges, the Argentine playwright who lived vicariously through the characters he created but who did not have a core of his own. Privacy, Solove observes, lacks a core and is a concept in disarray.
Solove sidestepped the challenge of defining what privacy is by addressing the ways in which it could be lost. Solove proposed his conception of privacy in the context of harms that materialize when privacy is lost. Solove’s conception begs an important question, though. If losing something is undesirable, shouldn’t what is lost be considered an asset?
I believe that conceptualizing personal information as an asset that belongs to the individual provides a core structure over which other privacy principles can be added. As a society, we are pretty good at developing, owning, renting, managing and accounting for assets. We can apply our body of knowledge and standards of practice related to private property rights and asset management to managing personal and private information. We can de-center companies and websites from the role of safeguarding privacy and place the individual at the center. In this conception, information about an individual will be an asset that is created by society but owned by the individual. The individual will authorize the use of personal information to be selective, targeted, and temporary. For example, the individual will allow a bank to use her information to determine whether she is creditworthy when she apples for credit and disallow the access when she closes the account. Of course, implementing selective, targeted and temporary disclosure of information would require greater interoperability between computer systems. Fortunately, there are new technologies on the horizon such as Blockchain and Enigma that facilitate such interoperability.
It is time we gave the control over personal information back to the individual and let him or her decide what information they want shared, with whom, and for how long. The individual also must take responsibility for her actions too. If he or she does something stupid in a public space or forum, do not expect people to forget it. You do not have a right to wipe out memories.