June 19, 2015
NISO Consensus Framework to Support
Patron Privacy in Digital Library and Information Systems
http://www.niso.org/topics/tl/patron_privacy/
3. broad approaches to date
privacy against governmental intrusion: 4th Amendment. 1st
Amendment connections to anonymous speech. (late 18th c.)
privacy torts (late 19th/early mid 20th c.)
Fair Information Practice Principles [FIPPs] (late 20th c.)
sectoral implementation in US: FCRA, FERPA, HIPAA,
library privacy statutes, data breach notification statutes, etc.
more comprehensive implementation in EU: EU Data
Protection Directive, etc.
4. Fair Information Practice Principles
HEW, 1973 - attempting to establish a framework for
the use of information in the modern age; followed by
OECD, EU, and other organizations
fundamental premise underlying much modern privacy
regulation, but not usually implemented holistically
components: notice, choice/consent, access, integrity,
security, enforcement
5. FIPP implementations
EU Data Protection Directive among the fullest
implementations.
US FCRA, Fair Credit Reporting Act — typical in US for
providing consumers some modest implementations of access
and integrity, but very little notice, choice, or enforcement.
Gramm-Leach-Bliley (financial data)
HIPAA (health data)
Data Breach Statutes provide an implementation of security.
6. FIPP implementations
Library privacy statutes: Waivers from FOIA; sometimes
protection from government intrusion; sometimes fuller
implementations of FIPPs
Reader privacy statutes:
AZ - expanded to ebooks
CA - booksellers & electronic booksellers records
protected; notice to users; reporting; exceptions
MO - ebooks added; 3rd party vendor records added
7. Are these issues manageable through existing approaches?
Library Privacy Laws - revisions to cover ebooks; “readers”, 3rd party holders of records; vendors
Nationally:
USA PATRIOT Act & Freedom Act reforms (limits on bulk collection of data); legal challenges
to mass warrantless surveillance.
ECPA reform and the 3rd party business records doctrine.
Federal attacks on strong cryptography, demanding weak crypto, backdoors/keys.
Ubiquitous surveillance and record collection (e.g., RFID; video footage; logging).
Data mining.
Internationally: Varying approaches in UK & Europe already, and only increasing. In Europe, the new
“Right to be Forgotten”, and efforts by EU and most recently Canada to enforce law
extraterritorially.
8. new approaches
FIPPs: Enforcement has been least-applied aspect;
expansion of regulatory enforcement or tort approaches
(negligence, duties owed to subjects of information
gathering).
Q: How to implement as a general duty?
Q: How to handle distributed data (joint & several liability?)
Autonomy: Autonomy as a justification for privacy has been
a basis for US reproductive rights law since late 20th
century, but rarely applied to informational privacy; 1st
Amendment protections for anonymous speech make a
potential nexus.
Q: Value of privacy as “seclusion” lost?
9. new approaches
Contextual privacy [Helen Nissenbaum] - Suggests
regulatory approach of notice & consent over migration
of data; strong controls around re-purposing.
Q: Erosion of privacy as a norm.
Q: Creation of new information (via data mining &
algorithmic control) may lead to lack of awareness, so
how to regulate?
Give up “privacy” and instead regulate misuse / harms.
Q: Value of privacy as “seclusion” utterly lost
Q: How to define misuse / harm? Is “price
discrimination” a harm to the consumer?
10. questions for Privacy Working Group
why do we care about privacy? autonomy? “intellectual privacy”? seclusion? modesty?
relation to other values, such as consumer rights, control of time?
what interests are we trading off? privacy, accessibility, cost, options, user-friendliness,
security, freedom of speech, others?
who is in charge of “networked” data? what are the responsibilities for putting a little data
into a larger pool? e.g., RFID; data mined & combined with other data; leading to targeted
advertising & price discrimination
are commercial uses qualitatively different from noncommercial uses of other people’s data?
ought libraries be granted more scope because they are trusted, or less scope? for the
librarians: public & nonprofit institutions’ engagements with private commercial entities are
subject to scrutiny; if data is commercial, what can be fairly shared with commercial entities?
do the differing roles of academic libraries (supporting the most privileged users) and public
libraries (supporting the least privileged) suggest different duties and perspectives?
what are effective enforcement mechanisms? Because without enforcement, principles are
nearly meaningless.