Redefining "Privacy" for the Pros

“I hate the term privacy.”

Years ago, I remember my former boss and mentor, Mac McCullough, made such a bold and declarative statement. How could he say such a thing? “Privacy” had long been our vocational calling. “Why? What do you mean?” I asked. 

“Because we don’t do privacy. A customer walks into a store, decides to purchase a pair of shoes and socks, hands over their credit card to pay along with a coupon they received to get a discount. There’s no ‘privacy’ here. Instead what you have is an exchange of information for goods and services.”

Initially I defended the terminology. Privacy has such a nice ring to it. But as time has gone by, I am starting to think he was onto something.  

What is “Privacy”?

For those of us who consider ourselves #privacypros, it’s important to understand what “privacy” is vs. what it is not, which may mean redefining our role. The scope of what professionals do in this field is wide-ranging, but many hold to the European conception that privacy is a dignitary right focused on knowledge that someone may or may not possess about a person. As the European Data Protection Supervisor states: “In this notion of dignity, privacy or the right to a private life, to be autonomous, in control of information about yourself, to be let alone, plays a pivotal role. Privacy is not only an individual right but also a social value.” 

In America, the most well known version of privacy is “the right to be left alone.” This originates from a 19th century law review article written by Samuel Warren and Louis Brandeis. This version has persisted into today – if you Google search “what is privacy,” the search engine respond with the answer "the state or condition of being free from being observed or disturbed by others."

The Warren/Brandeis definition has been codified into US state tort laws (civil wrongs that cause a claimant to suffer a loss or harm resulting in legal liability) such as intrusion upon seclusion or public disclosure of private facts. The legal concerns are still prevalent when we consider issues with minimalist surveillance devices and infamous defamation cases. But how much of the typical privacy pro’s daily workload is primarily focused on these privacy torts? 

Even more telling, there is no recognized right to “privacy” in the US Constitution. Instead, privacy is entangled with concepts of freedom and liberty. This includes the 1st Amendment (anonymous speech and religious practices), the 4th Amendment (government protection against unreasonable searches and seizures), the 5th Amendment (protection against self-incrimination) and the 14th Amendment (due process). A constitutional right to privacy was a key issue in last year’s controversial Dobbs ruling. Advocates tried to argue that personal privacy is covered by the Constitutional right to liberty. However, the majority court explicitly pointed out a distinction between privacy vs. liberty in the context of reproductive justice: “As to precedent, citing a broad array of cases, the Court found support for a constitutional ‘right of personal privacy.’ But Roe conflated the right to shield information from disclosure and the right to make and implement important personal decisions without governmental interference.” The feminist privacy scholar Anita Allen confirmed this that this can be confusing terminology decades ago when she conceded that a “women’s ‘privacy’ is sometimes a misnomer for what would be better designated their ‘liberty.’” 

Difficult Definitions 

These muddied definitions end up causing more confusion as to what “privacy” really means. Pulsing some fellow peers, a consistent response to my question of “what is privacy,” the answer is that it’s a very subjective experience. What I consider private for myself or my family may be different than yours and based on a number of contextual factors. The word itself can also carry emotional weight, to the point that it can present a misguided perception as to how organizations actually process and handle information. 

For instance, most of the relevant regulations here require organizations to publish a “privacy policy” that explains how data is collected, used and shared. But as Professor Joseph Turow discovered, “Many people don’t actually read privacy policies; they simply look at the label. And the intuitive understanding - the cultural understanding - of the label is that when something says ‘privacy policy,’ it protects your privacy.” Meta attempted to change this when, for many years, they called this required statement a “Data Use Policy” on its Facebook platform. However, they are back to calling it a privacy policy due to explicit regulatory requirements. 

Perhaps part of the confusion around the word privacy vs. the practice is that the “privacy” centric regulations enacted in the last several decades are more specifically focused on data processing activities. In the US, there are sector specific laws that cover data types – such as financial data covered by the Gramm Leach Bliley Act (GLBA), health data protected under the Health Insurance Portability and Accountability Act (HIPAA) and credit/employment data protected under the Fair Credit Reporting Act (FCRA). These laws are not about someone’s dignity or a constitutional right to privacy, but are instead concerned with the sensitive data collected and disclosed about people. The Federal Trade Commission does not look at privacy holistically, but is instead focused on consumer protection concerns when it comes to deceptive or unfair data processing activities. Even the growing offspring of comprehensive state privacy laws are concerned with “consumer rights” around data access, deletion, consent and downstream data flows. 

Potential “Privacy” Alternatives

A common alternative to privacy is using data protection. This terminology has been explicitly codified into laws like the EU’s General Data Protection Regulation (GDPR) and Brazil’s Lei Geral de Proteção de Dados (LGPD). Data protection goes beyond the dignitary concerns of privacy to focus on ensuring that the relevant information is protected. One peer I spoke with described herself as a “data protection expert” since this is a more outcome-oriented phrase, can make for more achievable organizational metrics and is easier for multiple parties to understand. Others believe that a key difference is that privacy focuses on who has access to information while data protection is (literally) focused on protecting that information.

However, the term does come with its limitations. “Data protection” suggests something security related. Recently proposed privacy frameworks are heading the way of implementing privacy with security-like controls designed to protect data. But that is precisely the point –  data security is focused on protecting data from unauthorized access or exploitation. There is an important relationship between these functions, though security is less concerned with whether data is fairly handled, shared and used. 

McCullough's proposed alternative to privacy was responsible information management. This terminology stems from an approach that relied upon frameworks such as the Fair Information Practice Principles (FIPPs). Here, the focus is on how data is fairly and responsibly used throughout its lifecycle – from its initial collection to its eventual disposal. This terminology works in that it can incorporate the growing number of issues that my fellow practitioners are saddled with: from data ethics, to algorithmic transparency and derivative uses of data for AI purposes. However, it is also limited in that it implies a management or governance functionality. At a high level, data governance is concerned with a broader data domain such as metadata exchanges, visibility into data pipelines and good quality data sets. Data governance usually enables privacy practices to be executed as part of the data management process via classification and lineage. It also looks to the privacy office in defining how to manage data so as to meet regulatory requirements.  

So then what are we left with…“Personal Data Lawyer?” “Data Processing Expert”? Or as the saying goes, if it ain’t (fully) broke then don’t fix it? Perhaps “privacy” is still the appropriate terminology for the time being, though one that is more limited and better defined. For instance, many of us would agree that we practice information privacy – this aligns with the late scholar Alan Westin’s definition of privacy as “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others."  Information privacy is different from other types of privacy, primarily focused on how and why information is collected and used about people. 

All that being said, information privacy may still not be quite accurate. Many of us are tasked with challenges outside of information control such as ethical uses of data, artificial intelligence and ESG initiatives. Our teams are saddled with questions of what organizations should do with data, even if it’s not a pure privacy, data protection or governance issue. So then what is the ultimate answer? I wish I had one right now…But given that we are all witnessing major shifts occurring with data and technology, I recommend we come together as a community to better understand and define our professional practice.