Page 37 - Privacy in a Cyber Age Policy and Practice
in the very conceptual and legal status of privacy.”21 (Many other scholars
have also criticized the third-party doctrine.22)
Another doctrine that speaks to the cybernation challenge in effect
takes the opposite tack. It assumes that personal information belongs to
the person to whom it applies, that the individual has a right to keep this
information private that extends beyond primary collection, and that only
the person can agree to secondary usages of the information—even when
they have already consented to primary collection.23 (Some refer to this
doctrine as the fundamental rights approach; others refer to it as the
information as property approach.) Europeans often cite this doctrine, which is
at the foundation of the European Data Protection Directive and the
European General Data Protection Regulation24; for this reason, this chapter
refers to it as the European approach.
At first blush, it may seem that the European approach governs a wholly
different area of privacy than the CAPD, which, to reiterate, deals with
the right to privacy vis-à-vis the government rather than vis-à-vis
private actors such as marketers and data brokers. The European model is
nonetheless relevant because it turns out that, to generalize, governments
regularly use personal information collected by private actors. Thus, the
limitations imposed on private actors affect the scope of government
intrusions. To illustrate: It is difficult to imagine the conditions, short of
an extreme national emergency, under which the U.S. government could
require all American citizens to turn over to law enforcement records of
their purchases on the Internet, their e-mails, and their other transactions.
However, because the same American citizens “disclose” this information
to private corporations, and these corporations aggregate this information,
the government, in effect, can use the resulting databases without seeking
permission for these secondary usages.25
The drafters of the European approach, however, realized that if the
European Union were to follow its limitations on secondary usages, many
common goods would suffer greatly. They hence introduced a large
number of areas in which secondary usages of personal information do not
require consent.26 According to the European approach, the government
need not ask the consent of those whose personal information it collects
and uses if the collection is for a considerable list of public purposes, such
as public health or security. Thus, the Data Protection Directive excludes
from its requirement that “controllers” gain personal consent to record and
process personal information in any instance in which “the processing is
carried out under a contract, or in the context of a quasi-contractual
relationship of trust, with the data subject and is necessary for its discharge,”
when “the data come from sources generally available to the public and
their processing is intended solely for correspondence purposes,” and