Disentangling privacy from property: toward a deeper understanding of genetic privacy

With the mapping of the human genome, genetic privacy has become a concern to many. People care about genetic privacy because genes play an important role in shaping us--our genetic information is about us, and it is deeply connected to our sense of ourselves. In addition, unwanted disclosure of our genetic information, like a great deal of other personal information, makes us vulnerable to unwanted exposure, stigmatization, and discrimination. One recent approach to protecting genetic privacy is to create property rights in genetic information. This Article argues against that approach. Privacy and property are fundamentally different concepts. At heart, the term "property" connotes control within the marketplace and over something that is disaggregated or alienable from the self. "Privacy," in contrast, connotes control over access to the self as well as things close to, intimately connected to, and about the self. Given these different meanings, a regime of property rights in genetic information would impoverish our understanding of that information, ourselves, and the relationships we hope will be built around and through its disclosure. This Article explores our interests in genetic information in order to deepen our understanding of the ongoing discourse about the distinction between property and privacy. It develops a conception of genetic privacy with a strong relational component. We ordinarily share genetic information in the context of relationships in which disclosure is important to the relationship--family, intimate, doctor-patient, researcher-participant, employer-employee, and insurer-insured relationships. Such disclosure makes us vulnerable to and dependent on the person to whom we disclose it. As a result, trust is essential to the integrity of these relationships and our sharing of genetic information. Genetic privacy can protect our vulnerability in these relationships and enhance the trust we hope to have in them. Property, in contrast, by connoting commodification, disaggregation, and arms-length dealings, can negatively affect the self and harm these relationships. This Article concludes that a deeper understanding of genetic privacy calls for remedies for privacy violations that address dignitary harm and breach of trust, as opposed to market harms, as the property model suggests.     

Smartphone platforms as privacy regulators

A series of recent developments highlight the increasingly important role of online platforms in impacting data privacy in today's digital economy. Revelations and parliamentary hearings about privacy violations in Facebook's app and service partner ecosystem, EU Court of Justice judgments on joint responsibility of platforms and platform users, and the rise of smartphone app ecosystems where app behaviour is governed by app distribution platforms and operating systems, all show that platform policies can make or break the enjoyment of privacy by users. In this article, we examine these developments and explore the question of what can and should be the role of platforms in protecting data privacy of their users.The article first distinguishes the different roles that platforms can have in ensuring respect for data privacy in relevant ecosystems. These roles include governing access to data, design of relevant interfaces and privacy mechanisms, setting of legal and technical standards, policing behaviour of the platform's (business) users, coordinating responsibility for privacy issues between platform users and the platform, and direct and indirect enforcement of a platform's data privacy standards on relevant players. At a higher level, platforms can also perform a role by translating different international regulatory requirements into platform policies, thereby facilitating compliance of apps in different regulatory environments. And in all of this, platforms are striking a balance between ensuring the respect for data privacy in data-driven environments on the one hand and optimization of the value and business opportunities connected to the platform and underlying data for users of the platform on the other hand.After this analysis of platforms’ roles in protecting privacy, the article turns to the question of what should this role be and how to better integrate platforms in the current legal frameworks for data privacy in Europe and the US. The article will argue for a compromise between direct regulation of platforms and mere self-regulation, in arguing that platforms should be required to make official disclosures about their privacy-related policies and practices for their respective ecosystems. These disclosures should include statements about relevant conditions for access to data and the platform, the platform's standards with respect to privacy and the way in which these standards ensure or facilitate compliance with existing legal frameworks by platform users, and statements with respect to the risks of abuse of different data sources and platform tools and actions taken to prevent or police such abuses. We argue that such integration of platforms in current regulatory frameworks is both feasible and desirable. It would make the role that platforms already have in practice more explicit. This would help to highlight best practices, create more accountability and could save significant regulatory and compliance resources in bringing relevant information together in one place. In addition, it could provide clarity for business users of platforms, who are now sometimes confronted with restrictive decisions by platforms in ways that lack transparency and oversight.     

Chilling effects and transatlantic privacy

Can the European and American privacy divide be bridged? Bilyana Petkova, in this issue, offers compelling reasons to be sceptical. One recent solution, advanced by Pierluigi Perri and David Thaw, is that common concerns about chilling effects can bridge that divide. However, their discussion of chilling effects was narrow and their analysis limited to procedural transatlantic convergence. This essay explores this idea with a more systematic and sustained discussion of chilling effects theory and research, while arguing that chilling effects does, in fact, provide possibilities for substantive transatlantic privacy. I argue that “chilling effects” is often treated as an ahistorical singular idea but there are, in fact, three separate paradigms of chilling effects theory, research and understanding: (1) speech; (2) privacy and autonomy; and (3) collectivist. I set out each and argue that the conceptualisation of chilling effects exemplified by the second paradigm—focused on privacy‐related chilling effects—offers a shared normative and theoretical foundation to bridge the transatlantic privacy divide. I also explore how new chilling effects theory and research can impact substantive and procedural transatlantic privacy efforts, including re‐thinking consent; empowering stronger judicial enforcement of privacy claims; and balancing competing claims in substantive proposals like the Right to be Forgotten (RTBF).     

Recent developments in privacy legislation

In this article, Ruth Carey takes a critical look at recent privacy-of-personal-information legislation drafted in three Canadian provinces--Ontario, Alberta, and British Columbia. The article begins with a historical overview of international legal instruments and other privacy guidelines, and the Canadian experience with privacy protection. It then critically analyzes the provincial initiatives in the context of the federal Personal Information Protection and and Electronic Documents Act and accepted privacy principles. The article goes on to highlight certain types of legislative provisions of particular interest to people with HIV/AIDS and those who advocate on their behalf. It concludes that the numerous legislative initiatives underway in Canada provide an opportunity to alter the public discourse around the virus, thereby improving the lives of people with HIV/AIDS.     

Why privacy is at risk

Dr Chris Pounder has been professionally involved in delivering data protection services since the time of the Lindop Report in 1978. Here he argues for an express link between the data protection and human rights regimes. Amberhawk is a new company founded by Chris in 2008 with Sue Cullen as the vehicle for the continuation of the information law training business previously operated by Pinsent Masons LLP.     

Prescribing privacy: the uncertain role of the physician in the protection of patient privacy

Because medical records are now more comprehensive than ever before, they increasingly are being demanded for uses both inside and outside of the medical profession. Mr. Gellman contends that existing ethical and legal guidance is inadequate to aid physicians in dealing with the confidentiality issues raised when patient information is requested or demanded from them, and supports this contention by examining the dilemmas faced by physicians presented with such requests or demands. He concludes that ethical and judicial guidance will continue to be inadequate, and that the only practical way to develop suitable guidance is through legislation.     

Student privacy rights involving strip searches

The Fourth Amendment to the US Constitution provides protection of all citizens against unreasonable search and seizure. The US Supreme Court has affirmed that the basic purpose of the Fourth Amendment is to safeguard the privacy and security of individuals against unreasonable intrusive searches by governmental officials. Since students possess constitutional rights and public school officials are considered governmental officials for Fourth Amendment purposes, privacy protection is afforded students in public schools within reasonable limits. A reasonable search is one that clearly does not violate the constitutional rights of students. What is reasonable, however, depends on the context within which a search occurs. Strip searches involving students in public schools are the most intrusive form of all searches. Extreme caution should be exercised by school officials regarding these types of searches.     

Open-source intelligence and privacy by design

As demonstrated by other papers on this issue, open-source intelligence (OSINT) by state authorities poses challenges for privacy protection and intellectual-property enforcement. A possible strategy to address these challenges is to adapt the design of OSINT tools to embed normative requirements, in particular legal requirements. The experience of the VIRTUOSO platform will be used to illustrate this strategy. Ideally, the technical development process of OSINT tools is combined with legal and ethical safeguards in such a way that the resulting products have a legally compliant design, are acceptable within society (social embedding), and at the same time meet in a sufficiently flexible way the varying requirements of different end-user groups. This paper uses the analytic framework of privacy design strategies (minimise, separate, aggregate, hide, inform, control, enforce, and demonstrate), arguing that two approaches for embedding legal compliance seem promising to explore in particular. One approach is the concept of revocable privacy with spread responsibility. The other approach uses a policy mark-up language to define Enterprise Privacy Policies, which determine appropriate data handling.