Laura Quilter NISO Privacy Meeting #4 - June 19, 2015
Frameworks & Current Issues in Library Privacy
Laura Quilter, MLS, JD
Where we’ve been, where we are, where we might go
broad approaches to date
privacy against governmental intrusion: 4th Amendment. 1st
Amendment connections to anonymous speech. (late 18th c.)
privacy torts (late 19th/early mid 20th c.)
Fair Information Practice Principles [FIPPs] (late 20th c.)
sectoral implementation in US: FCRA, FERPA, HIPAA,
library privacy statutes, data breach notification statutes, etc.
more comprehensive implementation in EU: EU Data
Protection Directive, etc.
Fair Information Practice Principles
HEW, 1973 - attempting to establish a framework for
the use of information in the modern age; followed by
OECD, EU, and other organizations
fundamental premise underlying much modern privacy
regulation, but not usually implemented holistically
components: notice, choice/consent, access, integrity,
EU Data Protection Directive among the fullest
US FCRA, Fair Credit Reporting Act — typical in US for
providing consumers some modest implementations of access
and integrity, but very little notice, choice, or enforcement.
Gramm-Leach-Bliley (financial data)
HIPAA (health data)
Data Breach Statutes provide an implementation of security.
Library privacy statutes: Waivers from FOIA; sometimes
protection from government intrusion; sometimes fuller
implementations of FIPPs
Reader privacy statutes:
AZ - expanded to ebooks
CA - booksellers & electronic booksellers records
protected; notice to users; reporting; exceptions
MO - ebooks added; 3rd party vendor records added
Are these issues manageable
through existing approaches?
Library Privacy Laws - revisions to cover ebooks; “readers”, 3rd party holders of records; vendors
USA PATRIOT Act & Freedom Act reforms (limits on bulk collection of data); legal challenges
to mass warrantless surveillance.
ECPA reform and the 3rd party business records doctrine.
Federal attacks on strong cryptography, demanding weak crypto, backdoors/keys.
Ubiquitous surveillance and record collection (e.g., RFID; video footage; logging).
Internationally: Varying approaches in UK & Europe already only increasing. In Europe, the new
“Right to be Forgotten”, and efforts by EU and most recently Canada to enforce law
FIPPs: Enforcement has been least-applied aspect;
expansion of regulatory enforcement or tort approaches
(negligence, duties owed to subjects of information
Q: How to implement as a general duty?
Q: How to handle distributed data (joint & several liability?)
Autonomy: Autonomy as a justification for privacy has been
a basis for US reproductive rights law since late 20th
century, but rarely applied to informational privacy; 1st
Amendment protections for anonymous speech make a
Q: Value of privacy as “seclusion” lost?
Contextual privacy [Helen Nissenbaum] - Suggests
regulatory approach of notice & consent over migration
of data; strong controls around re-purposing.
Q: Erosion of privacy as a norm.
Q: Creation of new information (via data mining &
algorithmic control) may lead to lack of awareness, so
how to regulate?
Give up “privacy” and instead regulate misuse / harms.
Q: Value of privacy as “seclusion” utterly lost
Q: How to define misuse / harm? Is “price
discrimination” a harm to the consumer?
questions for Privacy Working Group
why do we care about privacy? autonomy? “intellectual privacy”? seclusion? modesty?
relation to other values, such as consumer rights, control of time?
what interests are we trading off? privacy, accessibility, cost, options, user-friendliness,
security, freedom of speech, others?
who is in charge of “networked” data? what are the responsibilities for putting in a little data
into a larger pool? e.g., RFID; data mined & combined with other data; leading to targeted
advertising & price discrimination
are commercial uses qualitatively different from noncommercial uses of other people’s data?
ought libraries be granted more scope because they are trusted, or less scope? for the
librarians: public & nonprofit institutions’ engagements with private commercial entities are
subject to scrutiny; if data is commercial, what can be fairly shared with commercial entities?
do the differing roles of academic libraries (supporting the most privileged users) and public
libraries (supporting the least privileged) suggest different duties and perspectives?
what are effective enforcement mechanisms? Because without enforcement, principles are