A Review of Ronald Krotoszynski, Jr., Privacy Revisited (Oxford 2016)
I began thinking seriously about privacy issues in 1984—appropriately, I suppose, given that year’s Orwellian connotations.
At the time, discussions about privacy law and policy tended to be highly parochial, in two senses.
First, they tended to be strongly geographically localized—for example, comparing the statutory privacy law of New York with the common law privacy of Michigan.
Second, they tended to be conceptually localized—for example, analyzing privacy as a protection afforded by tort law or as a right of substantive due process or as insulation from unreasonable searches and seizures or as a legislative restriction on institutional data usage.
A cliché declares that the Internet changed everything. I’m skeptical about that claim, but at a minimum it clearly changed the workability of these parochial frameworks.
As an initial matter, the Internet forced us to think about privacy not just locally but globally.
Over time, the Internet transformed the vast majority of enterprises into entities with an international presence. For example, most local publishers became international publishers by virtue of their web presence.
Consider: when I entered practice in 1984, a consumer could get my client’s newspaper, The Detroit News, in Michigan, northern Ohio, and Windsor, Canada, and that was about it. Now its content is available to anyone, anywhere in the world, who can access its website.
Corporations and other enterprises suddenly had to start thinking about the requirements of foreign legal regimes—at least to the extent that they had assets or personnel abroad.
If these developments escaped anyone’s notice, that was corrected in 2014 when the Court of Justice of the European Union ruled in the so-called “Google Spain case” that a Spanish citizen had a privacy right (often misnamed a “right to be forgotten”) that was enforceable against U.S.-based Google. As a result, Google has had to devote substantial resources to processing de-indexing requests from individuals hungry for more obscurity than the Internet otherwise offers them.
But these developments did not just unsettle our geographic parochialism. They also challenged the prevailing approach of separating privacy into distinct doctrinal compartments.
The court in Google Spain proceeded as if it had developed an overarching and unified theory of privacy that could be applied generally to lots of different kinds of information—literally, the entire universe of information available on the Internet.
In that sense, the ruling raised—even if indirectly—a number of foundational questions for all of us: Is that court’s theory viable and intellectually coherent? When we talk about privacy, are we talking about one thing or many things? Are there other possible unified theories of what privacy is and what it protects? Does U.S. privacy law reflect such a theory? Or does U.S. privacy law simply lump together under one label a variety of concepts that are, on close inspection, largely unrelated?
As a result of all this change, there is an urgent need for resources to help us think about privacy in the transnational context—and not just about the competing legal regimes, but also about the cultural and social norms that drive them and the vision of privacy that they reflect.
A number of books have made important contributions on this front; in my view, one of the best is Ronald Krotoszynski’s Privacy Revisited: A Global Perspective on the Right to Be Left Alone (Oxford 2016). It is, in my view, essential reading for anyone interested in the privacy field today.
Prefaces are often optional reading, but the preface to this book provides critical context for the discussion that follows. In it, Krotoszynski identifies a number of themes that should inform any comparative inquiry into privacy law and policy. I will mention a few here, framed as questions:
* What are the respective roles of legislatures and the courts in creating and interpreting privacy law?
* Is privacy a negative or positive right?
* Is proportionality analysis—that is, balancing—useful to privacy law?
* Is privacy about dignity, reputation, personal honor, or all of these, or something else altogether?
* Is privacy simply a civility norm? If so, is it appropriate to enforce it through the law?
* Privacy from whom? The government? Private actors? Both?
* Is privacy in tension with free expression or does it facilitate that right—for example, by resisting the surveillance state?
Different legal regimes have answered these questions in different ways.
After an introductory chapter that stresses the protean nature of privacy law and policy, the book embarks on its comparative project. The ensuing chapters take a close look at privacy law in the United States, Canada, South Africa, the United Kingdom, and as interpreted by the European Court.
A short review cannot explore these nuanced and well-researched chapters in detail. But it may be worth highlighting some of the provocative differences between U.S. and European privacy law that Krotoszynski discusses.
Let’s start here: U.S. privacy law is an assemblage of distinct doctrines protecting various interests that are, perhaps, not obviously related.
These include autonomy interests (for example, protected by the substantive due process right to terminate a pregnancy), interests against government invasiveness (for example, protected by the Fourth Amendment right to be free from unreasonable searches and seizures), property interests (for example, protected by the claim of intrusion in tort law and by the law of trespass), interests related to the control over personal information (for example, protected by the public disclosure claim in tort law and by statutes like HIPAA and FERPA), and so on.
Given this wide range of purported privacy protections, one might assume that U.S. law would align fairly well with that of other regimes that have construed privacy rights expansively, like that being developed by the European Court. But that is not the case. To the contrary, as Krotoszynski observes, “In a very real sense, privacy in the EU and privacy in the United States have relatively little to do with each other.”
This is so in a variety of respects.
Because the Supreme Court of the United States has interpreted the First Amendment as providing such broad and resilient protection to free expression, that right trumps competing privacy interests much more often under U.S. law than European law.
Further, the U.S. has shown relatively little interest in some issues that have deeply concerned European authorities, such as data mining. This may be the result of distinctively American anxieties about government overreach into economically profitable activity.
The European Court has recognized a right to be “private in public.” This is a notion that a U.S. court would view as incoherent. For example, Krotoszynski discusses the Egeland & Hanseid v. Norway case (where the court upheld a privacy claim by women who were convicted of three counts of murder and complained over having their picture taken outside the courthouse) and Sciacca v. Italy (where the court upheld a privacy claim over the publication of a photo of an arrested defendant who had not consented to the picture). The results in these cases are all but unthinkable in an American court.
In Europe, both courts and legislatures have shown a willingness to enforce civility norms. America, in contrast, essentially has “no law of civility.”
And the European jurisprudence is largely driven by proportionality analysis: once the court finds that the right to privacy has been violated, then its role is to balance the degree of the infringement against the state’s justification for the regulation or action. For a variety of reasons, U.S. courts have generally been skeptical of ad hoc balancing tests, particularly where rights claims are involved.
It seems clear that everyone has more thinking to do.
Krotoszynski suggests in his conclusion that privacy and free speech interests are probably more reconcilable than our current jurisprudence recognizes.
But the E.U. approach is also far from perfect: there are good reasons to be concerned about applying balancing tests to matters of such import; such tests tend to yield uneven and unpredictable results, and we see this reflected in the apparent inconsistency of the E.U. decisions in this area.
This much is absolutely clear:
* Competing, and perhaps conflicting, privacy regimes will be bumping into each other with increasing frequency.
* We must talk with and learn from each other.
* We need the sort of excellent comparative work that Krotoszynski’s book embodies.
* To borrow from the title of a book published twenty years ago about the emergence of multiculturalism: in the field of privacy, we must all be internationalists now.