The first lecture from Law 3040X.03, Privacy and Access to Information Law. This lecture was given in January 2013 at Osgoode Hall Law School, York University. The rest of our slides are for students only.
Consequentialism is the class of normative ethical theories holding that the consequences of one's conduct are the ultimate basis for any judgment about the rightness of that conduct. Thus, from a consequentialist standpoint, a morally right act (or omission) is one that will produce a good outcome, or consequence.Consequentialism is usually distinguished from deontological ethics (or deontology), in that deontology derives the rightness or wrongness of one's conduct from the character of the behaviour itself rather than the outcomes of the conduct. It is also distinguished from virtue ethics, which focuses on the character of the agent rather than on the nature or consequences of the act (or omission) itself, and pragmatic ethics which treats morality like science: advancing socially over the course of many lifetimes, such that any moral criterion is subject to revision.
As an empirical matter, individuals have a number of practical interests which may be seriously harmed by invasions of their privacy, including social standing, employment prospects and the maintenance of relationships.
Privacy and Access to Information Law - Lecture 1
LECTURE 1: INTRODUCTION Privacy and Access to Information || JamesLaw Williams
Agenda1. Introductions2. Overview of the syllabus3. Basics of privacy and access to information
Syllabus Main points: This course is about: research and writing critical perspectives on law It is NOT like the other first year courses we present the fundamental material we present perspectives you do research that interests you readings are largely secondary literature
Syllabus (2) The content will vary slightly according to interests The website is the source of truth for content Grading Attendance Participation In-class participation Course blog Term paper
Privacy in the News:BC Health Privacy Breach Affects Millions The personal-health data of more than five million British Columbians has been accessed without proper authorization, and in the most serious cases, the provincial government says it will notify more than 38,000 individuals of the breaches by letter. health data — excluding personal names, social insurance numbers or financial information — was saved on USB sticks and shared with researchers or contractors without the proper permission or protocols. Also included was data from Statistics Canadas Canadian Community Health Survey, including information on the mental, physical and sexual health of individuals, as well as their lifestyles and the use of health services.
Privacy in the News:Government faces class-action lawsuits over student loan borrowers lost data Two class-action lawsuits are being filed after Human Resources and Skills Development Canada lost a portable hard drive containing personal information about more than half a million people who took out student loans. Read more: The department said last week the device contained data on 583,000 Canada Student Loans Program borrowers from 2000 to 2006. The missing files include student names, social insurance numbers, dates of birth, contact information and loan balances of borrowers, as well as the personal contact information of 250 department employees.
Access to Information in theNewsCourt tells province to make IBM deal public A judge has shot down the B.C. government’s request to keep secret some of a multimillion- dollar computer contract signed with technology giant IBM. Thursday’s decision by B.C. Supreme Court Justice J. Keith Bracken came after an eight-year legal battle by the government, which said the contract contained sensitive information that could threaten government security if it were made public. Bracken dismissed government arguments and sided with B.C.’s information and privacy commissioner, who had previously ordered the contract released in full.
Access to Information in theNews:B.C. taken to task for failure to inform public The provincial government routinely fails its legal duty to promptly inform citizens of risks to public health and safety, warn legal scholars at the University of Victoria. …public bodies are required to act “without delay” in publicly disclosing information about any “risk of significant harm to the environment or to the health or safety of the public.” This duty overrides any other provisions in the law and requires authorities to disclose even if there has been no specific request for information. But authorities appear to apply too narrow and restrictive an interpretation of what the act requires, the researchers say. For example, the researchers found that despite numerous reports that a dam near Oliver in the Okanagan valley was in danger of collapse, provincial authorities made no apparent effort to warn residents “despite knowing of the threat for decades.” When the dam did collapse on June 13, 2010, it triggered a huge mudslide that destroyed houses, farmland and farm equipment… “If the dam had collapsed at night when residents were asleep, some would likely have died.”
Privacy in the newsStore video cameras failing to comply with privacy laws Andrew Clement, co-founder of the Identity, Privacy and Security Institute, found that not a single video camera in Eaton’s Centre complied with the signage requirements of PIPEDA Under the law, stores are required to post signs outside their entrances that alert customers to the use of video surveillance, its purpose and a contact number so people can find out how they can obtain a copy of any footage that contains their image. Of the hundreds of cameras on the properties…only about 30 per cent had any kind of sign alerting people to their use and none met even the minimum standards required under the law.
Privacy in the NewsPrivacy watchdog sounds alarm on Conservative e-snooping legislation Jennifer Stoddart wrote the Harper government to register her “deep concerns” about these new surveillance powers and note that it has so far failed to demonstrate why this is the best course of action. “These bills went far beyond simply maintaining investigative capacity or modernizing search powers,” Ms. Stoddart said in her letter. “Rather, they added significant new capabilities for investigators to track, and search and seize digital information about individuals. “
Access in the newsAre BC police chiefs evading the law? They’re the two most prominent and influential policing organizations in BC, appearing frequently in public promoting their strong positions on criminal justice reform, use of tasers, drug laws, or expanding police powers. But little else is widely known about the BC Association of Chiefs of Police (BCACP) and its smaller sister, the BC Association of Municipal Chiefs of Police (BCAMCP). What are their mandates? Who funds them? What do they do? Both associations have been meeting up to 10 times a year for at least 30 years, but they aren’t incorporated non- profit organizations. they look like a “public body” as defined by FIPPA, consisting of public servants performing their public duties on the public dime.
(continued)During a 2004 legislative review of FIPPA, BC Information and Privacy Commissioner David Loukidelis publicly released his rebuttal to a confidential BCAMCP submission.So detailed is his letter, it gives the impression Loukidelis was trying to alert the public about the BCAMCP’s attitudes.Loukidelis vehemently criticized the BCAMCP for making numerous factual errors and “unsubstantiated allegations” in their (ultimately unsuccessful) efforts to persuade legislators to exclude all municipal police forces from freedom of information laws.Loukidelis noted the BCAMCP had five years earlier made the same proposal, and he warned of the dangers of putting police forces beyond “public scrutiny” and “accountability.”
Privacy in the newsPolice drones prompt privacy concerns Drones are cheaper to build and fly than helicopters, making them a cost-effective option for police departments looking to gain a birds eye view of a scene. But privacy groups are sounding alarm that there arent enough legal safeguards in place to prevent drones from being used for mass surveillance. The Federal Aviation Administration has predicted that by the end of the decade, 30,000 commercial and government drones could be flying over U.S. skies.
(continued) The FAAs standard authorization requires drones to be flown only during the day, below 400 feet and within the line of sight of the drone operator. Sanchez said Miami-Dades drones are limited to 300 feet above the ground and are not allowed to fly over populated areas or near downtown high-rises. But those restrictions are about preventing collisions and keeping the skies safe—not protecting privacy.
(continued) "Drones should only be used if subject to a powerful framework that regulates their use in order to avoid abuse and invasions of privacy," Chris Calabrese, a legislative counsel for the ACLU. He argued police should only fly drones over private property if they have a warrant, information collected with drones should be promptly destroyed when its no longer needed and domestic drones should not carry any weapons. Lawmakers have introduced several bills this session to limit police use of drones.
Privacy in the newsGermany fights Facebook over privacy violations A German state data protection agency has threatened Facebooks billionaire founder and chief executive Mark Zuckerberg with a €20,000 (£16,000) fine if Facebook does not allow Germans to have anonymous accounts on the social network. Under German law, media services, including Facebook, must offer users the choice of using a pseudonym. In 2011, Schleswig-Holstein banned local organisations and companies from using
Data protection in the newsU.S. Tech Firms Facing Stronger European Data Protection Measures Over the last year, representatives of the US government and American technology companies have repeatedly traveled to Europe in the hopes of containing an effort by the European Commission to strengthen data protection rules for citizens of the EU It would grant EU citizens a fundamental new right: data portability or a citizen’s right to easily transfer her own personal posts, photos, and video from one online service site to another. Companies that violated the rule would be liable to penalties of up to 2 percent of worldwide revenues.
Access in the newsPrivacy commissioner rips justice ministry for 68-month delay Saskatchewans information and privacy commissioner is calling a 68-month delay "unconscionable" in the case of a man asking for government records about himself. "I am struck by the profound lack of respect shown for the applicant and his right to access records that are fundamentally about him," Dickson wrote in the report. He noted that the Justice Ministry has a budget of $162 million, but only pays for four full-time employees to deal with freedom of information requests to itself and other departments.
Privacy in the newsPrivacy commissioner to review centralized ID cards British Columbia is introducing a high-tech identification card for everyone from infants to the elderly to replace the old CareCard health system, and add driver’s licences and other government services. Vincent Gogolek, the executive director of the BC Freedom of Information and Privacy Association, said the Liberal government does not have a stellar track record when it comes to introducing high-tech programs Last July, former children’s minister Mary McNeil conceded the government’s $182-million Integrated Case Management program to improve information flow in the child-welfare system needed repair after a report from the Independent Representative for Children and Youth concluded the database was deeply flawed and put children at risk. “Is it as secure as the Integrated Case Management system?” said Mr. Gogolek. “That‟s the last thing they did where they had massive data-sharing, and that blew up as soon as they introduced it.”
Privacy in the newsVCH terminates employee for privacy breach Vancouver Coastal Health (VCH) has terminated an employee for breaching the privacy of five media personalities in Vancouver. This was the result of an investigation into inappropriate access to the electronic health records. The incident arose during a routine audit of patient file access by VCH’s Privacy Office. Such audits occur on a regular basis and look for signs that an employee or physician may be accessing records for non-clinical reasons. In late-November, an audit found an employee had looked into the personal data of five patients. When questioned, they stated they had looked at the records for “curiosity”.
Privacy in the newsSupreme Court rules employees have right to privacy on work computers Workplace computers contain so much personal information nowadays that employees have a legitimate expectation of privacy in using them, the SCC said in a major ruling Friday. An individual’s Internet browsing history alone is capable of exposing her most intimate likes, dislikes, activities and thoughts. “Canadians may therefore reasonably expect privacy in the information contained on these computers, at least where personal use is permitted or reasonably expected,” Mr. Justice Morris Fish said… the seriousness of an offence and workplace computer policies are sufficient to override the right to privacy.
Introduction to Privacy We will begin our discussion of Access next class We could spend an entire course on this topic Privacy is a highly contested notion There is a vast philosophical and legal literature There are also treatments of it in: Economics Psychology Anthropologyand Sociology Computer science
What is privacy? The concept of privacy is found in some of the oldest written texts: the Qur’an, the Talmud, and the New Testament, and in ancient Chinese and Greek law. For instance, the concept appears in Aristotles distinction between the public sphere of political activity and the private sphere associated with family and domestic life. In modern times, privacy has been recognised as a human right by the General Assembly of the United Nations, and rights to privacy have been either explicitly stated or implicitly recognised in the Constitutions of various nation states.
What is privacy? Although undoubtedly a concept of great importance, privacy has proven notoriously difficult to define. Scholars and jurists fight over the meaning, value and scope of the concept of privacy In the words of Daniel Solove, privacy appears to be a sweeping concept, encompassing ”freedom of thought, control over one‟s body, solitude in one‟s home, control over personal information, freedom from surveillance, protection of one‟s reputation, and protection from searches and interrogations.”
What is privacy?In early Anglo-american law, privacy protection was justified largely on moral grounds. Distinguish: 1. descriptive accounts of privacy, describing what is in fact protected as private, from 2. normative accounts of privacy defending its value and the extent to which it should be protected.Some people speak of privacy interests, while others speak of rights.
What is privacy?Skeptical and critical accounts of privacy: nothing special about privacy, because any interest protected as private can be equally well explained and protected by other interests or rights privacy interests are not distinctive because the personal interests they protect are economically inefficient not grounded in any adequate legal doctrinePositive accounts: Privacy is merely control over information about oneself Privacy is a broader concept required for human dignity Privacy is crucial for intimacy A value that accords us the ability to control the access others have to us A set of norms necessary not only to control access but also to enhance personal expression and choice
Types of privacy interestTerritorial privacy: this type of privacy interest relates to control over one’s spatial environment. Claims of this sort have been regulated in the western legal tradition by rules relating to property. Violations of territorial privacy can result from trespass, video surveillance and remote or hidden listening devices.Privacy of the body: this type of privacy interest relates to control over one’s person. Claims of this sort are typically addressed in law through prohibitions against unlawful confinement, assault, battery, and unwarranted search and seizure. Violations can arise through these means, as well as more subtle acts, such as genetic testing.Informational privacy: this type of privacy interest relates to an individual’s control over information relating to them. It is based on the idea that information about an individual is in a fundamental way her own, for her to communicate or retain as she sees fit.
The basis of privacyIn general, there are two categories of justification for the importance of privacy interests: Utilitarian accounts of privacy are by far the most numerous, and focus on the effects that privacy interests have on the utility of individuals or groups. They justify privacy by reference to its effects. Deontological accounts ground privacy interests in other norms that individuals or groups possess. Deontological theories concentrate on the character of actions, rather
RationalesPersonal Development: As an example, John Stuart Mill argued that there is a close correlation between the availability of a protected zone of privacy, and an individual’s ability to freely develop her individuality and creativity.Integrity and Identity: Some commentators believe that an individual’s integrity (and the development and preservation of personal identity) require the protection of a zone of privacy within which the ultimate secrets of one’s “core” self remain inviolable against unwanted intrusion or observation.Alleviating Stress: Alan Westin noted that social life is frequently stressful, and generates tensions which would be unmanageable unless the individual had opportunities for periods of privacy.
RationalesPrivacy and Human Dignity: (Bloustein) It is possible to give a general theory of individual privacy that reconciles its divergent strands. “Inviolate personality” is the social value protected by privacy. It defines ones essence as a human being and it includes individual dignity and integrity, personal autonomy and independence. Respect for these values is what grounds and unifies the concept of privacy.Privacy and Intimacy: (Fried) Fried defines privacy narrowly as control over information about oneself. He extends this definition, however, arguing that privacy has intrinsic value, and is necessarily related to and fundamental for ones development as an individual with a moral and social personality able to form intimate relationships involving respect, love, friendship and trust. Privacy is valuable because it allows one control over information about oneself, which allows one to maintain varying degrees of intimacy.
RationalesEnabling Social Relations: We saw above that some have argued that privacy is valuable because it provides the rational context of a number of ends, including love, trust, friendship and self-respect. It is a necessary element of these ends, and not an ancillary one. A number of commentators defend views of privacy that link closely with accounts stressing privacy as required for intimacy, emphasizing not just intimacy but also more generally the importance of developing diverse interpersonal relationships with others. Rachels: Privacy accords us the ability to control who knows what about us and who has access to us, and thereby allows us to vary our behavior with different people so that we may maintain and control our various social relationships, many of which will not be intimate.
Rationales - ControlWilliam Parent. He defines privacy as the condition of not having undocumented personal information known or possessed by others. Parent stresses that he is defining the condition of privacy, as a moral value for people who prize individuality and freedom, and not a moral or legal right to privacy. In cases where no new information is acquired, Parent views the intrusion as irrelevant to privacy, and better understood as an abridgment of anonymity, trespass, or harassment.Westin: the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.
RationalesAccess: Another group of theorists characterize privacy in terms of access. Some commentators describe privacy as exclusive access of a person to a realm of his or her own. Bok (1982) argues that privacy protects us from unwanted access by others — either physical access or personal information or attentionAs stated by the Canadian Commission on Freedom of Information and Individual Privacy, at least two aspects of personal autonomy are threatened by privacy invasions:1. our relationships with other individuals2. our relationships with institutions.
Critical PositionsThomson: Ultimately the right to privacy is merely a cluster of rights. Those rights in the cluster are always overlapped by, and can be fully explained by, property rights or rights to bodily security.Posner: Focusing on privacy as control over information about oneself, Posner argues that concealment or selective disclosure of information is usually to mislead or manipulate others, or for private economic gain, and thus protection of individual privacy is less defensible than others have thought because it does not maximize wealth.
Information Privacy Recall the informational aspect of privacy, which concerns an individual’s control over information relating to them. One of the earliest statements of informational privacy in the common law is due to Samuel Warren and Louis Brandeis. The two jurists stated that: “[t]he intensity and complexity of life...have rendered necessary some retreat from the world, and man, under the refining influence of culture has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.”
Information Privacy Warren and Brandeis were concerned with several new technologies that made the dissemination of personal information feasible on a broad scale - namely, portable photographic equipment and improved printing presses. The age of the “pen and brush” caricature and political cartoon had yielded to technology that could produce a black and white approximation of a photographic image on any paper surface. The concern over the rapid growth of information technology was picked up in the mid 20th century by Alan Westin, the father of modern data protection law. In Westin’s formulation, informational privacy is the “claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others”. Taking a cue from Warren and Brandeis, Westin stated that technological advances “now make it possible for government agencies and private persons to penetrate the privacy of homes, offices and vehicles; to survey individuals moving about in public places; and to monitor the basic channels of communication by telephone, telegraph, radio and television.”
Information PrivacyIn the words of the Commission on Freedom of Information and Individual Privacy: “[t]he development of modern forms of social organisation of increasing size and complexity, and the corresponding growth of large public and private institutions have given rise to an unprecedented growth in the collection, analysis and use of information. This increase in institutional needs for information has been coupled with remarkable gains in the sophistication and capacities of technologies used in the gathering, storage, analysis and dissemination of information. It is often said, with good reason, that we are living in an „information age‟. Personal information concerning individuals is now collected and used by large institutions to an extent that would have been inconceivable to previous generations.”
Information PrivacyD‟aoust: [t]he accumulation of personal information on an individual enables the creation of a composite image of that person that is often false and reductionist. More and more one hears of the electronic identity of a person... It becomes a determining factor of the individual’s potential for action and development. That identity could be stolen or appropriated. It serves to categorise a person. When doubt is cast- even if it is unfounded- on his or her integrity, that identity can prevent a person from travelling, from finding a place to live or a job, or to obtain insurance. The closer personal information comes to the biographical heart of a person, the more that information can have significant consequences on the shaping of identity and on imposing serious limitations.
Information Privacy According to Shafer, the ”ordinary citizen who, in earlier times, would have been known only in his or her own community, now leaves a „trail of data‟ behind with almost every project undertaken: the tax form completed; the social welfare claimed; the application for credit, insurance or a drivers license; or the purchase of consumer goods.”
Challenges a recurring theme in the development of privacy protection has been the inability of existing safeguards to deal with advances in technology. The simple physical protections existing during the time of Warren and Brandeis were threatened by the advent of the hand-held camera and improving printing technology. In the mid 20th century, Alan Westin suggested that the protections developed after Warren and Brandeis were inadequate to meet the challenges afforded by computers and other forms of information technology.
ChallengesSurging repositories: The amount of information at the disposal of private and public sector organisations has grown significantly. Rapid technological advances in storage capacity have enabled organisations to routinely manage databases that are inconceivably larger than the simple tools available in Alan Westin’s 1960. In the words of one commentator, “[u]ntil recently, data sets were small in size, typically containing fewer than ten variables. Data analysis traditionally revolved around graphs, charts and tables. But the real-time collection of data, based on thousands of variables, is practically impossible for anyone to analyze today without the aid of information systems. With such aid, however, the amount of information you can mine is astonishing.”
ChallengesAutomated decision-making: Second, an increasing amount of processing is happening in the absence of a relational setting between the individual and the institution in question. Government offices, banks and insurance agencies make decisions on eligibility for housing and other benefits at a distance, often with the use of automated decision support systems. In the words of the United States Privacy Protection Study Commission: “[t]he substitution of records for face-to-face contact in these relationships is what makes the situation today dramatically different from the way it was even as recently as 30 years ago. It is now commonplace for an individual to be asked to divulge information about himself for use by unseen strangers who make decisions about him that directly affect his everyday life. Furthermore, because so many of the services offered by organisations are, or have come to be considered, necessities, an individual has little choice to but submit to whatever demands for information about him an organisation may make.”
ChallengesSocial networking: A new generation of Internet applications has radically changed the way in which individuals maintain an online presence. The privacy implications of having vast amounts of personal data stored in social networking applications are significant
ChallengesUbiquitous computing: The growing sophistication and miniaturisation of computing hardware has led to the development of the field of ubiquitous computing. Ubicomp, as the field is known to practitioners, envisions the integration of small computing devices with buildings, clothing, appliances, and a host of other artifacts.
ChallengesKnowledge discovery / data mining: Lastly, the recent emergence of knowledge discovery in databases (“KDD”) has raised a host of new problems relating to privacy.
Wrap-up: some themes Does technology spell the end of privacy? What determines our ability to achieve privacy? What is the relationship between privacy and socio- economic status? What influences our conception and need for privacy? Is the desire for privacy universal? How does architecture reflect privacy interests? How does architecture determine privacy interests? How did the development of the welfare state influence privacy? What are the limits of legal approaches to privacy? How does privacy applies to groups / communities?
Next class Access to Information BasicTheory Cases Introduction to Research Perhaps the most important part of the course