Jennifer Valentino-DeVries of the Wall Street Journal recently interviewed Ryan Calo about his concept of “privacy harm.” I had posted a link to Ryan’s article earlier this month, but if you haven’t read it yet or would like to think more about his ideas — and I would hope that you do — you can read the interview here.
If we take Ryan’s view (as I understand it), some events might constitute privacy violations but not privacy harms. I had discussed some of this with him prior to the release of his first draft as I think that we should consider something a privacy harm if it weakens our ability to protect our privacy going forward. The fact that we may not know about a privacy violation or even know that we have been harmed does not mean that we have not been harmed.
Ryan offers a two-category classification of privacy harms (footnotes omitted):
I maintain that privacy harms fall into two categories. The first category is “subjective” in the sense of being internal to the person harmed. Subjective privacy harms are those that flow from the unwanted perception of observation. Subjective privacy harms can be acute or ongoing, can accrue to one individual or to many. They can range in severity from mild discomfort at the presence of a security camera to “mental pain and distress far greater than could be inflicted by mere bodily injury.” Generally to be considered harmful the observation must be unwanted. We hesitate to see subjective harm where, as often, the observation is welcome. But actual observation need not occur to cause harm; perception of observation can be enough.
The second category is “objective” in the sense of being external to the person harmed. This set of harms involves the forced or unanticipated use of information about a person against that person. Objective privacy harms can occur when personal information is used to justify an adverse action against a person, as when the government leverages data mining of sensitive personal information to block a citizen from air travel, or a neighbor forms a negative judgment from gossip. They can also occur when such information is used to commit a crime, such as identity theft or murder. To constitute harm, the use must be unanticipated or, if known to the victim, coerced. Again, however, no human being actually needs to see the personal information itself for it to be used against the victim.
Ryan’s conceptualization has some definite strong points, in my opinion, not the least of which is the notion that an individual can suffer a privacy harm even if no other human looks at the personal information in a database that is used to make decisions about people (such as whether they pose a threat to air safety). His conceptualization also acknowledges that all of us may feel a sense of subjective harm by knowing that our government may have us under surveillance without a warrant even if we have no proof that we have individually been the target of such surveillance. One of my main concerns about his approach is that his definition of privacy harm does not seem to encompass the effect of privacy or data breaches when the individual is not aware of the breach and the data have not (yet) been misused.
To illustrate my concerns about his approach, and as an analogy, suppose someone crashes their car into my house while everyone is away and suppose that the incident cracks the foundation of my home but I am not aware of it at the time and the house is still standing. To the extent that the structural integrity of my home has been weakened — even if I am not aware of it at the time — and that it might not withstand a subsequent rain storm without water coming in, I would argue that my home was harmed. Similarly, if a physician injects me using a dirty needle, I may not know that I have been harmed until I become ill and we discover the cause, but I would argue that I suffered a harm at the time of the injection — not just when I realized I was ill or the cause of it.
Yet if we move these types of scenarios into the privacy arena, under Ryan’s conceptualization of “privacy harm,” he might not agree that harm had occurred at the time of the original act. And if he does agree that anything that weakens or damages the integrity of the structural or physical system constitutes harm in those situations, why doesn’t he apply the same principles to privacy?
If I am interpreting Ryan’s position correctly, he might argue that if someone improperly sells my information to a third party, that might be a privacy violation, but I have not necessarily suffered a privacy harm if I do not know that the information has been sold and if the information is not then used against me. I would argue that harm occurred at the moment that others improperly came into possession of private information, and that the only issues left are the nature and extent of harm that occurred as a result of the act.
What do you think? And Ryan, if I’ve misunderstood your arguments or you see a flaw in my reasoning, please feel free to jump in and explain.
Thanks, Dissent. You have my view right. I don’t think of a risk of privacy harm to be a harm, anymore than a chance of rain is rain. We may want to takes steps against both (breach notification laws, an umbrella) but that question is independent of whether a harm has occurred. I think you are, with respect, overly wedded to the connection between a privacy violation and privacy harm.
Note that there is a subjective privacy harm, on my view, when I found out about a breach involving my data. I become nervous and apprehensive that it will be misused. I see this as analogous to assault in tort. Assault is the concern over battery, but actionable in its own right.
Hope this helps. Best,
Ryan
Thanks, Ryan.
I’m not saying that the risk of a privacy harm is a harm. I’m saying that in some cases, what you seem to consider (just) a risk of a privacy harm I would consider already a harm with or without the risk of additional future harm.
Am I wedded too closely to the connection between violation and harm? It’s certainly possible, and I do agree with you that there can be privacy violations where there is no actual privacy harm and that there can be privacy harm where there has been no privacy violation. My concern is just that your second definition/criterion excludes damage to the integrity of the system as a harm per se. That harm may be minimal or it may be followed by future or additional harm that the original act contributed to, but it is still a harm, in my view.
Of course, I am not a lawyer and am no longer surprised when the courts do not agree with me. They are often wrong. 🙂
We may have to agree to disagree on this one, and I look forward to reading others’ analyses and views over time. Your article certainly provided me with a lot of food for thought, and I thank you for that.
Best,
/Dissent
Well, you have a remarkably subtle grasp of privacy law, lawyer or not. And I believe no less an authority than Dan Solove would side with your view over mine here. Still, I can’t agree that damage to the integrity of a system is a privacy harm, specifically. Damage to a roof, though it may lead to flooding, is not flood damage.
Thanks again for the interest and thoughtful commentary. I really appreciate it.