Who’s balancing privacy against public health and everything else?

Concerns over the use of location tracking and contact tracing of infected individuals to help mitigate the spread of COVID-19 have once again placed “privacy” at the forefront of public attention. And even though Congress declared privacy to be a fundamental right in 1974, it established no cabinet office or institutional framework to focus on the role of data protection and digital technology in our society. Consequently, during these days of COVID-19, there is no senior government official responsible for taking account of and balancing the trade-offs between privacy and public health. And while the present pandemic has focused a spotlight on the costs and benefits of prioritizing privacy, the tension between protecting personal data at the expense of just about everything else is getting increasingly complicated.

Think about how privacy — broadly understood as the conditions necessary to allow respect for human dignity and personal autonomy — is implicated in our current technology dilemmas: Location privacy versus controlling contagion; communications privacy versus preventing terrorism; data privacy versus technological innovation; consumer autonomy versus predictive personalization on the internet; citizen autonomy versus economic growth fostered by automated decision-making, “big data” and artificial intelligence; and freedoms to speak, think and see versus online disinformation, manipulation and cyberstalking.

Our current regulation of privacy is too narrowly focused on “privacy bureaucracy,” and not on the big picture about what uses of personal information can actually injure people where it hurts — their health and safety, their pocketbook and their peace of mind and freedom of thought. Right now, we have no policy makers who are responsible for weighing both tangible and intangible privacy risks against the promise of innovative technology. Since no one is exercising policy judgment and performing cost-benefit analysis to get the privacy balance right, we will almost certainly get it wrong.

The problem is particularly apparent in the European Union. As in the U.S., privacy and data protection are recognized as fundamental — but not absolute — human rights. The EU’s relatively new General Data Protection Regulation expressly contemplates trade-offs: “[t]he right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” Unfortunately, however, despite the EU’s lip service to “proportionality,” no regulator has the responsibility to strike a reasonable balance. Instead, internet users are besieged with insufferable cookie banners, and companies have to comply with detailed rules that are often more burdensome than beneficial.

And California has done likewise. The state’s new consumer privacy act, while not as bureaucratic as the EU’s GDPR, is a minefield of potential privacy foot faults. In fact, it is not even clear what privacy harms that state’s law is protecting its citizens against.

At the federal level, the Federal Trade Commission is supposed to be the privacy expert, but it is actually independent of the White House. While such independence is sometimes a good thing, it means the FTC cannot speak for the administration. That might be too bad because this agency is actually subject to a statute that requires careful risk-benefit balancing. Specifically, the FTC Act prohibits unfair data or technology practices only if they are “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” Doesn’t that make sense?

Another sensible model for privacy was provided in the aftermath of 9/11. Like the coronavirus pandemic now, most people then supported greater government surveillance to combat terrorism — but Americans didn’t want to sacrifice privacy either. Accordingly, compensating privacy controls were added to prevent overreach and abuse. Congress established the Privacy and Civil Liberties Oversight Board (PCLOB) in 2004. The statute captured the trade-off exquisitely: “In conducting the war on terrorism, the Federal Government may need additional powers and may need to enhance the use of its existing powers… This potential shift of power and authority to the Federal Government calls for an enhanced system of checks and balances to protect the precious liberties that are vital to our way of life.” PLCOB was thus authorized both to advise and oversee the president and agency heads so that “concerns with respect to privacy and civil liberties are appropriately considered in the implementation of laws, regulations, and executive branch policies related to efforts to protect the Nation against terrorism.”

We need that type of thinking again now. 

Given the increasing privacy implications of the digital age, Congress should set up a new agency modeled to some extent on PCLOB’s mandate. What we need, essentially, is a digital privacy bureau within the Executive Office of the President to help navigate privacy and data protection. The privacy office would play a role in using data wisely to combat the coronavirus pandemic today and to prepare us to deal with the likes of artificial intelligence tomorrow. Establishing an institutional home for these issues in the administration would yield more thoughtful and effective policy.

A high-level privacy and technology office won’t necessarily solve all of our digital dilemmas, but it would be a good place to think ahead. Quite simply, if the U.S. is going to lead the world to a smarter place on digital privacy, we need to have a privacy leader.

Alan Charles Raul practices Privacy and Cybersecurity law with Sidley Austin LLP in Washington D.C. He previously served as Vice Chairman of the White House Privacy and Civil Liberties Oversight Board.