Ajax Privacy and Cybersecurity Lawyer, Rajen Akalu, of Akalu Law P.C., provides his comment on a talk given at the ILCO conference in Halifax N.S.
This week I was spoke at the Institute of Law Clerks on Ontario Annual Conference in Halifax, N.S. My talk was titled: “Privacy Law in a Changing World.” Preparing for such a talk was a good opportunity to provide a broad overview of what I think are the key aspects of privacy law in a Canadian context.
Privacy is a notoriously difficult concept to define (and therefore protect). We all have our own subjective experience of what constitutes a privacy harm and this changes with social mores. For example, early privacy theorists were concerned about the dangers of privacy violations when photography was first invented. Today, everyone with a smartphone has a high-resolution camera.
Nevertheless, if we believe that having rights to privacy is important for human dignity and flourishing and should be protected, then we have to come up with legal definitions, however imperfect and inconsistently applied. The alternative to surveillance and tyranny.
There are lots of different theories of privacy. The dominant theory of privacy can be thought of as control-based. The idea is that individuals have control of the information that they choose to share and organizations have responsibilities to obtain their consent and ensure that their personal data is safeguarded. This assumes however, that the individual can appreciate the risks associated with sharing their personal data. It’s something of a paradox because while most people say that they want their privacy protected, they are willing give their data for free. Most people do not read privacy policies and are creatures of habit. Many companies exploit this aspect of human nature and their privacy statements are a testament to this fact. For the most part, privacy policies are written for the business and not for the consumer.
Alternate theories of privacy are context-based. Here, the relationship between the individual and the entity collecting, using and disclosing personal information is emphasized. When you share sensitive personal information with a doctor or a lawyer, there are implicit norms regarding data sharing in place.
If arriving at a determination of reasonableness is the destination, these theories offer different paths to getting there. Control-based theories can be applied in many different situations. But while ostensibly consistent, control-based theories produce recommendations that tend to be generic and lacking in nuance. Context-based theories by contrast seek to map out the relationship dynamics of information sharing. It’s process-oriented and iterative and seeks to give expression to the way in which we as humans share personal information. While highly responsive, context-based theories tend to generate unique solutions to specific privacy problems. They tend to be harder to replicate and are therefore resistant to generalization. This tends to produce inconsistencies in practice. This is important because privacy theories when applied, lead to privacy outcomes that are very different.
Having an understanding of the underlying theory is helpful when you are seeking to apply privacy law and essential when you’re seeking to reform it. It’s an ongoing debate that requires an understanding of the technology as well as what the social values that are being expressed through the law.
I spent the rest of the time on the practical aspects of privacy in the private sector (as this was most relevant to an audience of law clerks. This included a discussion of the Fair Information Practices, the GDPR, and data governance. This becomes much more straightforward when the theory is explained.
