Employment lawyers should look beyond mere compliance with privacy regulation and engage in what I call “Proactive Privacy.”
Proactive Privacy is creating a privacy-aware corporate culture that educates all employees about privacy (and cybersecurity) and motivates them to be a part of that culture. In short, it extends your privacy demands beyond the punitive and into the normative. (Of course, clear policies and expectations remain critical!)
Why do this? Three reasons: to avoid regulation and litigation (or to reduce their impact); to ensure that you stay ahead of the rapidly evolving understanding of privacy in the wider community (your candidate and customer pool); and to provide a normative basis (buy-in) for your cybersecurity program (after all, that which is private is that which should be protected).
The first step in implementing Proactive Privacy depends on the answer to the toughest question: “What, exactly, is privacy?”
In fact, the core challenge in effecting Proactive Privacy is that the professional and the academic literature are simply not sufficiently clear about what privacy actually is. It is hard to build policies when one isn’t quite sure of the scope of the subject matter. As Professor Daniel Solove puts it:
But what does safeguarding “privacy” mean? Without an understanding of what the privacy problems are, how can privacy be addressed in a meaningful way?
In his article A Taxonomy of Privacy, Professor Daniel Solove sets out a useful roadmap that can guide the practitioner in developing Proactive Privacy policies. Solove moves away from definitions and “toward the specific activities that pose privacy problems.”*
I’m sharing his thoughts because they are useful and will provide an excellent roadmap for policy creation.
Solove identifies four basic groups of harmful activities: “(1) information collection, (2) information processing, (3) information dissemination, and (4) invasion.”
Each has a number of subparts, which I will briefly review here.
- Surveillance: “the watching, listening to, or recording of an individual’s activities.”
- Interrogation: “questioning or probing for information.”
- Aggregation: “the combination of various pieces of data about a person.”
- Identification: “linking information to particular individuals.”
- Insecurity: “carelessness in protecting stored information from leaks and improper access.”
- Secondary use: “use of information collected for one purpose for a different purpose without… consent.”
- Exclusion: “the failure to allow the data subject to know about the data that others have about her.”
- Breach of confidentiality: “breaking a promise to keep a person’s information confidential.”
- Disclosure: “the revelation of truthful information about a person that impacts the way others judge her character.”
- Exposure: “the exposing to others of certain physical and emotional attributes about a person.”
- Increased accessibility: “amplifying the accessibility of information,” i.e., blackmail.
- Appropriation: “use of the data subject’s identity to serve the aims and interests of another.”
- Distortion: “the dissemination of false or misleading information about individuals.”
- Intrusion: “invasive acts that disturb one’s tranquility or solitude.”
- Decisional interference: an “incursion into the data subject’s decisions regarding her private affairs.”**
*Although appealing, Solove’s task of “identify[ing] and understand[ing] the different kinds of socially recognized privacy violations” is, of necessity, dependent on a true definition of privacy (rather than merely picking out privacy violations for a taxonomy). After all, how would one know what to include? However interesting this question, it is largely irrelevant for our purposes.
** Solove limits this to a government’s intrusion, but there is no reason to so limit this definition. From the point of view of an employee, an employer is sufficiently similar to the government for present purposes.