Privacy regulation is a failure.
Cambridge, MA. – The current U.S. approach to privacy regulation fails to account for the effects of information sharing created by the ascendance of technologies that permit things such as Big Data or fusion centers, said Daniel Solove, a noted privacy law researcher and a professor at George Washington University. He spoke Nov. 9 during a symposium on privacy and technology held by the Harvard Law Review.
The current model, which Solove dubbed the "privacy self-management approach," takes refuge in the notion of consent, he said.
"The basic concept is tell people that data is being collected, tell people what's going to happen with their data, how it's going to be used, how it might be disclosed, and let people decide whether or not they consent to those particular uses."
That model overlooks problems both cognitive and structural in nature, Solove said.
In the former category is the fact that few people read company privacy policies, a problem that isn't readily solvable since the policies are complicated because privacy is complex. Another cognitive problem is that people make incorrect assumptions about how their privacy is be protected and struggle to make risk-determinations about the privacy in the first place.
"People assess familiar dangers as riskier than unfamiliar ones, and one of the problems with privacy is that the dangers are not as familiar." How questions of privacy risk are framed, as well, can significantly change how people assess risk, Solove added.
It's possible that society might have a positive interest in some data being shared even if individuals say it's an invasion of privacy to do so. Additional regulation could also run the risk of stripping choices from individuals who want their data shared, Solove noted.
"Paternalism denies choice, also. It also denies consent. So no matter which way we go – we go with consent, we don't really get consent, and if we go with paternalism, we don't really get consent, either."
A possible way forward, Solove said, is to have regulations focus more on downstream uses of data "rather than trying to have the management at the time that people give up the data."
http://www.fiercegovernmentit.com/story/solove-privacy-regulation-failure/2012-11-11