The different meanings of privacy law and practice

In our current ‘interesting’ times, the subject of internet privacy law and policy frequently arises within a variety of contexts. Among other things, we hear it mentioned in connection with the effort to combat covid 19, the effort to combat extremism and terrorism, concerns about undue influence in elections and sometimes, simply in connection with what is perceived to be ‘creepy’ oversight of people by businesses and governments.

The adoption of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are the most notable, but far from the only, effort to safeguard individual data subjects from what many perceive as excessive monitoring of their internet and related activity.

While all these concerns are important, I strongly believe that they implicate a variety of different considerations and that law and policymakers, and enforcement authorities need to separate them in their efforts to develop and apply appropriate rules and guidance.

Preserving individual freedom

I have previously argued that there are fundamental differences in the interests implicated in the oversight by commercial parties of internet users compared to such oversight by governments. Simply put, I believe that existing legislation erroneously equates governmental and commercial activity and that the much greater threat to individuals is posed by governmental surveillance.

Edward Snowden’s reports the US National Security Agency's and the use of Facebook data by Cambridge Analytica to influence the 2016 US elections were arguably the driving forces behind adoption of the GDPR, CCPA, and similar legislation. In these contexts, there is a good deal to be said for limitations on such oversight in an effort to preserve individual freedom.   

Yet, the rules of this legislation are felt to a great extent by commercial entities who are simply interested in using the trails of individuals’ activities to tailor their marketing efforts. In practice, private entities have expended much time and money to provide non-legalistic disclosures of information being collected; the rationale being intended uses of such information and implementing appropriate opt-in and opt-out mechanisms, with preservation of records of such elections. Along with these efforts are obligatory consultations with web designers and hosts regarding on-screen presentation.

One may struggle to see the social value in ensuring that individuals have proper disclosure of efforts to persuade them to buy things when they can simply disregard such efforts. What fundamental social interest, of the sort rightly concerning Snowden, is served by strict limitation of service of unwanted banner ads and related ad tech presentations? Individuals cannot readily disregard communications from governmental authorities, resulting from supposedly suspicious web usage and emails, but can easily do so with commercial entrees.

Covid and misdirected regulation

Compounding concerns with misdirected privacy regulation are covid-related smartphone apps to facilitate contact tracing which have been introduced with fairly minimal adoption in several US states and EU countries; so-called vaccine passports, which are intended to reflect whether and when someone receives a covid vaccine to allow travel and venue admittance; and most ominously, an Australian app which is used by police to determine whether persons are ‘properly’ social distancing and intervene if they are not.

While all can agree that vigorously fighting covid is essential for the preservation of our society, there is a discussion to be had around the extent to which abridgement of individuals’ freedom is in order in pursuit of this goal. However, the current discussion of privacy law is often conspicuously omitted when discussing the topic. The basic freedom-related rationale for privacy law is implicated to a much greater extent here than with commercial marketing efforts.

It is strongly recommended that the consideration of new or amended legislation and regulations under and enforcement of existing authority consider the differences in circumstances and implications presented by governmental and commercial actors. All interests are better served by close consideration of these differences than by treating ‘privacy’ as a monolithic area.          

Martin B. Robins is a partner at FisherBroyles, LLP in Chicago.