The U.S. Constitution grants citizens a right to privacy. But in this new era where our lives increasingly include computers and data capture, legislators, regulators and others are struggling to define how the public’s right to privacy translates to these mediums.
State and federal government bodies are working to address this challenge. California already has a data privacy law and is proposing related regulations. Members of the U.S. Congress have proposed a compromise bill that is moving through the legislative body. Advocates say finalizing these protections is urgent and suggest that the recent U.S. Supreme Court decision eliminating a woman’s constitutional right to have an abortion offers a microcosm of potential risks.
We spoke to Sophia Baik, a postdoctoral scholar at UC Berkeley School of Information’s Center for Long-Term Cybersecurity, about data privacy and why it matters to the public. Baik, who will join the University of San Diego this fall as an assistant professor of communication and policy, also flagged policies and practices she’s concerned about in the data privacy space.
Q: What is data privacy?
A: Data privacy is usually defined as the capacity of an individual to determine what information about oneself can and should be known to others. This is a famous, popular definition provided by Alan Westin.
Now, there are also discussions about data privacy that look at horizontal and vertical relationships. There’s vertical or institutional data privacy. That’s data privacy of individuals from institutional entities such as governments or corporations. There’s also horizontal or social privacy, which often means data privacy of individuals from other individuals like your family members, friends, or co-workers.
Q: Why does it matter?
A: We can think of both tangible and intangible realms. For example, data privacy definitely influences how and to what extent our bodily decisions can be made, as well as how our personal thoughts, feelings or decisions are formed. Scholars have often emphasized the importance of privacy for personal autonomy, so that people can develop individuality and make choices about their life without any intrusions or manipulations from other individuals or entities. Privacy matters beyond the individual level, though. It also matters at a societal level, especially for democracy, because such autonomy is integral to constituting a public.
However, there are more and more discussions about the evolving information ecosystem, which is very connected, networked and complicated. It’s hard for any one individual to fully comprehend and make necessary informed choices every single time. There are these constant moving parts – other individuals and institutional entities – that can intentionally or unintentionally disclose and use information about oneself. That means one's privacy is really situated in a networked way. It is important to think of privacy more and more as a collective value. We need to find ways to protect it and more structurally move beyond some of the remaining unrealistic, heavy responsibility often imposed on individuals.
Q: You're talking about this shift to look at the collective responsibility related to data privacy. Why is this shift happening now? What does it signify about how data has become more reflective of our personal lives?
A: It is really, in part, due to the digital transformation of almost every aspect of our lives, which really enables the capacity to trace all those things you're doing. That could be interacting with friends or colleagues or random strangers or what we are liking, commenting or thinking about. Those actions are all left as digital traces. I'm not saying that we didn't have those data sources in the pre-internet era, but it is increasingly more convenient to accumulate higher volumes of data than ever before and identify thoughts across those data points. That makes it critical to understand the evolving landscape around privacy and how we should approach and protect privacy in this digital era. That's definitely something in play.
One thing we are starting to grapple with more and more at the societal level is how these data are used beyond the expectation of individuals and often against the rules or benefits of these individuals. Individuals are often called data subjects by rather powerful institutional entities – both government and corporate entities. There are more documented incidents or scandals like Cambridge Analytica that we all are aware of. Those have spurred broader public discussion and also influenced some of these laws that are being introduced.
Q: How does this relate to the recent U.S. Supreme Court decision overturning Roe v. Wade? How does this decision illustrate the state of data privacy issues?
A: Yes, that’s a very critical decision that is impacting lots of discussions around privacy, especially data privacy. There is more awareness about the data those apps you have been using – such as menstrual cycle tracking apps and all the similar health-tracking apps – have collected and how it can be used in ways to identify who might have attempted abortions or related activities.
Even though those data are health data, which is often categorized as sensitive data, they're not necessarily governed by existing legal frameworks, such as HIPAA [the Health Insurance Portability and Accountability Act of 1996]. That’s because these apps are considered retail health apps, not health providers. So it can get complicated figuring out how to govern the types of data they have been handling in the face of this recent decision.
Of course, there are increasing rights given to individuals in different states, and there are more discussions about having federal privacy legislation. Most recently, for example, California residents may be able to ask these companies to delete some of their data or opt out of some of the collection of the data. But then, many of these terms of service by companies speak about instances where – if they're asked by law enforcement – they may have to comply with those requests. So again, it's a very gray zone how those will be addressed moving forward.
Q: The U.S. Congress is considering federal legislation, and there are rules being drafted in California on data privacy. How do these government actions aim to protect us?
A: There are so many elements to talk about. Given our limited time, what I would like to highlight is that these laws are trying to provide a set of rights to individuals, so that either individuals can access what kinds of data have been collected about them, how they were collected and how those data are being used, as well as correct or delete some of this data.
The major roadblocks to having federal-level privacy legislation so far have been mostly two things: one is whether to include a private right of action [a clause that would allow individuals to sue companies for infringing on their privacy rights]. The other is state law preemption [which would block a state law from having more restrictive requirements for companies than the federal law demands]. The most recent bipartisan privacy bill introduced in the Congress is called the American Data Privacy and Protection Act. It has made some compromises on the private right of action and state preemption, but the exact details are still up in the air. That's something to observe moving forward.
Q: What gaps still exist?
A: I personally feel that the ongoing limitation of some of these approaches is that they are still largely reliant on a notice-and-choice framework that really treats individuals as rational actors. I mean, that assumption itself is nothing bad. But the question is whether it is reasonable to expect individuals to make informed choices every single time. For example, all those cookie settings pop-ups come up that people just usually check without really reading. Sometimes, even if they try to read these pop-ups, they're designed in a way – often called dark patterns – that makes opting out of [data collection] more difficult than opting in. So there are still remaining structural problems around the so-called “choices” around privacy. These laws are not necessarily fixing those.
At the same time, I'd like to recognize some of the meaningful changes that are being seen in more recent proposed bills or legislation introduced. They do a better job addressing how to regulate data use in the case of automated decision-making, how to regulate processing of sensitive data, and how to regulate the selling and sharing of data. I see some great silver linings there. But overall, most of these approaches are still heavily based on the notice-and-choice consent framework. I feel that there need to be more structural-level protections discussed and implemented, so that it's not just individuals’ responsibilities at the end of the day.
Q: Is there anything that you’d like to emphasize, clarify or add?
A: It’s important to discuss issues of privacy on a daily basis with friends or colleagues, because now privacy as a right is not just about the intimacy or about secrets. It's really about every element of our life being governed in a way that aligns with our individual and collective values. So it's an important issue that touches on many other issues. I encourage everybody to think about it and talk about it more regularly.