Next Generation Privacy: The Internet of Things, Data Exhaust, and Reforming Regulation by Risk of Harm

The disparities inherent in various national privacy laws have come into sharper contrast as access to information grows and formerly domestic markets become international. Information flow does not adhere to national boundary lines. Increasingly, laws that seek to protect informational privacy do not either. The European Union took a bold approach by limiting access to its markets for those who failed to observe its strict law designed to protect personal information. The 1995 Directive (and 2014 Regulatory Amendment) embody this approach as they: (1) broadly define personal information; (2) broadly define those who process and control personal information; (3) restrict transfer of personal information to those who cannot demonstrate compliance. Tellingly, the Directive does not limit its scope to certain industries or practices, but requires privacy controls across the board, regardless of whether the processor is a healthcare provider, pastry chef or girl scout. To many, the Directive has failed. While the global trend toward adopting laws similar to the Directive suggests that many States value privacy rights, commentators and empirical studies reveal significant shortcomings. The Directive outlaws harmless activities while allowing exceptions that threaten to swallow the rule. It is simultaneously over-inclusive and under-inclusive. National governments enjoy wide latitude to collect and use personal information under the guise of national security. Perhaps more concerning, technology continues to leapfrog. Information privacy is made continually more difficult with each new “app” and innovation. The Internet of Things is more probable than speculative. Radio-frequency identification is a predicate to computer identification and assimilation of everyday physical objects, enabling the use of these objects to be monitored and inventoried by computers. Tagging and monitoring objects could similarly be accomplished by other technologies like near field communication, barcodes, QR codes and digital watermarking, raising the legitimate argument that informational privacy—at least as envisioned in the 1995 Directive’s absolute terms—is impossible. Informational privacy cannot be accomplished by declaring it a fundamental right and outlawing all processing of personal information. To legally realise and enforce a privacy right in personal information, incremental, graduated, and practical legislation better achieve the goal than sweeping proclamations that have applications to actions unrelated to the harms associated with the absence of the right. With information privacy in particular, a capacious claim of right to all personal information undermines legal enforcement because the harms attending lack of privacy are too often ill-defined and misunderstood. As a result, legal realization of a claimed privacy right in the Age of Information should proceed incrementally and begin with the industries, practices, and processes that cause the most harm by flouting informational privacy. Data mining and data aggregation industries, for example, collect, aggregate and resell personal information without express consent. A targeted prohibition of this industry would reduce financial incentives of the most conspicuous violators and alleviate some of the most egregious privacy infractions. A graduated legal scheme also reduces undue and overbroad Internet regulation. While the right to privacy has been recognised and legally supported in one way or another for centuries, it has not faced the emerging and countervailing Age of Information until now. Current omnibus international legislation reflects the impossibility of legally protecting all privacy in the Age of Information; it also illustrates the need for a refined and practical legal scheme that gradually and directly targets the harms associated with privacy violations.