the 19th century:
Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right ‘to be let alone.’ …Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops’ [Warren and Brandeis, 1890].
Figure 2.1: The Kodak Camera. George Eastman’s “Snap Camera” made it suddenly simple to take anybody’s image on a public street without their consent.
In this context, Warren and Brandeis’ quote of Luke 12(2–3) (in a translation slightly different from the Bible [Carroll and Prickett, 2008]) sounds like an prescient description of the new possibilities of mobile and pervasive computing. Clearly, neither the Evangelist Luke nor Warren and Brandeis had anything like modern mobile and pervasive computing in mind. In Warren and Brandeis’ case, however, it actually was a reference to a then novel technology—photography. Before 1890, getting one’s picture taken usually required visiting a photographer in their studio and sitting still for a considerable amount of time, otherwise the picture would be blurred. But on October 18, 1884, George Eastmann, the founder of the Eastman Kodak Company, received U.S.-Patent #306 594 for his invention of the modern photographic film. Instead of having to use a large tripod-mounted camera with heavy glass plates in the studio, everybody could now take Kodak’s “Snap Camera” (see Figure 2.1) out to the streets and take a snapshot of just about anybody—without their consent. It was this rise of unsolicited pictures, which more and more often found their way into the pages of the (at the same time rapidly expanding) tabloid newspapers, that prompted Warren and Brandeis to paint this dark picture of a world without privacy.
Today’s developments of smartphones, wearable devices, smart labels, memory amplifiers, and IoT-enabled smart “things” seem to mirror the sudden technology shifts experienced by Warren and Brandeis, opening up new forms of social interactions that change the way we experienced our privacy in the past. However, Warren and Brandeis’ “right to be let alone” looks hardly practical today: with the multitude of interactions in today’s world, we find ourselves constantly in need of dealing with people (or better: services) that do not know us in person, hence require some form of personal information from us in order to judge whether such an interaction would be beneficial. From opening bank accounts, applying for credit, obtaining a personal yearly pass for trains or public transportation, or buying goods online—we constantly have to “connect” with others (i.e., give out our personal information) in order to participate in today’s life. Even when we are not explicitly providing information about ourselves we constantly leave digital traces. Such traces range from what websites we visit or what news articles we read, to surveillance and traffic cameras recording our whereabouts, to our smartphones revealing our location to mobile carriers, app developers and advertisers. Preserving our privacy through isolation is just not as much of an option anymore as it was over a 100 years ago.
Privacy as a Right
Warren and Brandeis’ work put privacy on the legal map, yet it took another half century before privacy made further legal inroads. After the end of the Second World War, in which Nazi Germany had used detailed citizen records to identify unwanted subjects of all kinds [Flaherty, 1989], privacy became a key human right across a number of international treaties—the most prominent being the Universal Declaration of Human Rights, adopted by the United Nations in 1948, which states in its Article 12 that [United Nations, 1948]:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Similar protections can be found in Article 8 of the Council of Europe’s Convention of 1950 [Council of Europe, 1950], and again in 2000 with the European Union’s Charter of Fundamental Rights [European Parliament, 2000], which for the first time in the European Union’s history sets out in a single text the whole range of civil, political, economic, and social rights of European citizens and all persons living in the European Union [Solove and Rotenberg, 2003]. Article 8 of the Charter, concerning the Protection of Personal Data, states the following [European Parliament, 2000].
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
The rise of the Internet and the World Wide Web in the early 1990s had prompted many to proclaim the demise of national legal frameworks, as their enforcement in a borderless cyberspace seemed difficult at least.3 However, the opposite effect could be observed: at the beginning of the 21st century, many national privacy laws have not only been adjusted to the technical realities of the Internet, but also received a substantial international harmonization facilitating cross-border enforcement.
Today, more than 100 years after Warren and Brandeis laid the foundation for modern data protection laws, two distinctive principles for legal privacy protection have emerged: the European approach of favoring comprehensive, all-encompassing data protection legislation that governs both the private and the public sector, and the sectoral approach popular in the United States that favors sector-by-sector regulation in response to industry-specific needs and concerns in conjunction with voluntary industry self-regulation. In both approaches, however, privacy protection is broadly modeled around what is known as “Fair Information Practice Principles.”
The Fair Information Practice Principles
If one would want to put a date to it, modern privacy legislation was probably born in the late 1960s and early 1970s, when governments first began to systematically make use of computers in administration. Alan Westin’s book Privacy and Freedom published in 1967 [Westin, 1967] had a significant impact on how policymakers in the next decades would address privacy. Clarke [2000] reports how a 1970 German translation of Westin’s book significantly influenced the world’s first privacy law, the “Datenschutzgesetz” (data protection law) of the West German state Hesse. In the U.S., a Westin-inspired 1973 report of the United States Department for Health Education and Welfare (HEW) set forth a code of Fair Information Practice (FIP), which has become a cornerstone of U.S. privacy law [Privacy Rights Clearinghouse, 2004], and has become equally popular worldwide. The five principles are as follows [HEW Advisory Committee, 1973].
1. There must be no personal data record keeping systems whose very existence is secret.
2. There must be a way for an individual to find out what information about him is in a record and how it is used.
3. There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.
4. There must be a way for an individual to correct or amend a record of identifiable information about him.
5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.
In the early 1980s, the Organization for Economic
