Changing the Rules: General Principles for Data Use and Analysis

doi:10.1017/CBO9781107590205.006

4 - Changing the Rules: General Principles for Data Use and Analysis

Published online by Cambridge University Press: 05 July 2014

Paul Ohm

Edited by

Julia Lane ,

Victoria Stodden ,

Stefan Bender and

Helen Nissenbaum

Show author details

Paul Ohm: Affiliation:
University of Colorado
Julia Lane: Affiliation:
American Institutes for Research, Washington DC
Victoria Stodden: Affiliation:
Columbia University, New York
Stefan Bender: Affiliation:
Institute for Employment Research of the German Federal Employment Agency
Helen Nissenbaum: Affiliation:
New York University

Book contents

Get access

Summary

Introduction

How do information privacy laws regulate the use of big data techniques, if at all? Do these laws strike an appropriate balance between allowing the benefits of big data and protecting individual privacy? If not, how might we amend or extend laws to better strike this balance?

This chapter attempts to answer questions like these. It builds on Chapter 1 of this volume, by Strandburg, which focused primarily on legal rules governing the collection of data. This chapter will focus primarily on the law of the United States, although it will make comparisons to the laws of other jurisdictions, especially the European Union, which is well covered in Chapter 8 of this volume.

Most information privacy law focuses on collection or disclosure and not use. Once data has been legitimately obtained, few laws dictate what may be done with the information. The exceptions to this general pattern receive attention below; laws that govern use tend to focus on particular types of users, especially users that lawmakers have deemed owe obligations of confidentiality to data subjects. For example, law regulating the health and financial industries, industries that historically have evolved obligations of confidentiality, constrain not only collection and disclosure but also use.

This chapter argues that our current information privacy laws are failing to protect individuals from harm. The discussion focuses primarily on shortcomings in the law that relate to specific features of big data, although it also describes a few shortcomings that relate only tangentially to these features. All of these shortcomings expose some individuals to the risk of harm in certain circumstances. We need to develop ways to amend the laws to recalibrate the balance between analytics and risk of harm. Ultimately, the chapter proposes five general approaches for change.

Type: Chapter
Information: Privacy, Big Data, and the Public Good
Frameworks for Engagement
, pp. 96 - 111

DOI: https://doi.org/10.1017/CBO9781107590205.006 [Opens in a new window]

Publisher: Cambridge University Press

Print publication year: 2014

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

Book purchase

Temporarily unavailable

References

Secretary’s Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens (Washington, DC: U.S. Department of Health, Education and Welfare, 1973), 41–42Google Scholar

Organisation for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (September 23, 1980)

Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace: A Federal Trade Commission Report to Congress, Washington, DC, May 2000

Cate, Fred, “The Failure of the Fair Information Practice Principles,” in Consumer Protection in the Age of the Information Economy, ed. Winn, Jane K. (Surrey, UK: Ashgate, 2006), 356Google Scholar

Schwartz, Paul M., “Preemption and Privacy,” Yale Law Journal 118 (2009): 902Google Scholar

Nissenbaum, Helen, Privacy in Context: Technology, Policy, and the Integrity of Social Life (Stanford, CA: Stanford University Press, 2009)Google Scholar

Keats Citron, Danielle, ‘Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age,” California Law Review 80 (2007): 241Google Scholar

Citron, Danielle Keats, “Technological Due Process,” Washington University Law Review 85 (2008): 1249Google Scholar

Solove, Daniel J., “Privacy and Power: Computer Databases and Metaphors for Information Privacy,” Stanford Law Review 53 (2001): 1393CrossRef Google Scholar

Ohm, Paul, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” UCLA Law Review 57 (2010): 1701Google Scholar

Stolfo, S. et al., eds., Insider Attack and Computer Security: Beyond the Hacker (New York: Springer, 2008)CrossRef

Schwartz, Paul M. and Treanor, William M., “The New Privacy,” Michigan Law Review 101 (2012): 2163–2181CrossRef Google Scholar

Cohen, Julie, Configuring the Networked Self: Law, Code, and the Play of Everyday Practice (New Haven, CT: Yale University Press, 2012)Google Scholar

Richards, Neil, “Intellectual Privacy,” Texas Law Review 87 (2008): 387Google Scholar

Schwartz, Paul, “Internet Privacy and the State,” Connecticut Law Review 32 (2000): 815Google Scholar

Regan, Priscilla M., Legislating Privacy: Technology, Social Values, and Public Policy (Chapel Hill, NC: University of North Carolina Press, 1995)Google Scholar

Lanier, Jaron, You Are Not a Gadget: A Manifesto (New York: Knopf, 2010), 193Google Scholar

Schwartz, Paul M. and Solove, Daniel J., “The PII Problem: Privacy and a New Concept of Personally Identifiable Information,” NYU Law Review 86 (2011): 1814Google Scholar

Calo, Ryan, “Consumer Subject Review Boards: A Thought Experiment,” 66 Stanford Law Review Online66 (2013): 97Google Scholar