The history of privacy is deeply intertwined with the history of technology. A wealth of scholarly literature tracks and demonstrates how privacy as a normative concept has evolved in light of new information and communication technologies since the early modern period, when face-to-face interactions were challenged by urbanization and the rise of mass communication.1 In the beginning of the nineteenth century, a combination of societal changes, institutional developments, and technological advancements gave birth to a series of new threats to privacy. At the time, innovative technologies — including telegraph communications and portable cameras — were among the key drivers (interacting with other factors, such as increased literacy rates) that led to growing concerns about privacy protection. These developments also set the stage for Samuel Warren and later-Justice Louis Brandeis’s highly influential 1890 article The Right to Privacy,2 which was written, in large part, in response to the combined negative effects of the rise of the “yellow press” and the adaptation of “instantaneous photography” as privacy-invading practices and technologies.3 Similarly, advancements in information and communication technologies in the twentieth century, combined with other developments such as the rise of the welfare state, challenged existing notions of information privacy and led to renegotiations of the boundaries between the private and public spheres.
The development, adaptation, and use of innovative technologies that enabled and increased the collection and use of personal information later in the twentieth century were also among the key drivers that led to the birth of modern information privacy law in the early 1970s. Starting in the United States and then extending to Europe, the increased use of computers for information processing and storage by government agencies was an important factor that led to the first generation of modern privacy and data protection laws.4 Anchored in a set of Fair Information Practices,5 many of these laws were expanded, adjusted, and supplemented over the following decades in light of evolving technologies and changing institutional practices, which — together with other factors — resulted in an ever-growing cascade of privacy concerns. In the 1990s, for instance, the widespread adoption of internet technology as a global information and communication medium and the rise of the database industry led to a wave of legislative and regulatory interventions aimed at dealing with emerging privacy problems. More recent and more ambitious information-privacy reforms, such as the revision of the influential OECD Privacy Guidelines at the international level,6 the General Data Protection Regulation in the EU,7 and the proposed Consumer Privacy Bill of Rights Act in the United States,8 seek to update existing privacy norms for the digital age — again driven, in part, by new technologies and applications such as cloud computing and Big Data, among others.
Reflecting across centuries and geographies, one common thread emerges: advancements in information and communication technologies have largely been perceived as threats to privacy and often led policymakers to seek, and consumers to demand, additional privacy safeguards in the legal and regulatory arenas. This perspective on technology as a challenge to existing notions of, and safeguards for, information privacy is also reflective of the mindset of contemporary law and policymaking. Whether considering the implications of Big Data technologies, sensor networks and the Internet of Things, facial recognition technology, always-on wearable technologies with voice and video interfaces, virtual and augmented reality, or artificial intelligence, recent policy reports and regulatory analyses have identified privacy challenges as among the most pressing concerns.9
In considering this fundamentally defensive stance that privacy law has taken historically with regard to technology, it is important to note that law in the broader context of information and communication technology often transcends its traditional role as a constraint on behavior acting through the imposition of sanctions. In areas such as intellectual property and antitrust, law seeks to engage with technology in a more nuanced way by enabling or in some cases leveling desired innovative or disruptive activity.10 With this understanding of law as a functionally differentiated response system, and an acknowledgment that legal responses to technological innovation should not be understood as a simple stimulus-response mechanism, it is possible to identify a series of response patterns when examining the evolution of privacy law vis-à-vis technological change. At a general level, three analytically distinct, but in practice often overlapping, response modes can be identified.11
(1) When dealing with innovative technologies, the legal system — including privacy law — by default seeks to apply the old rules to the (new) problem resulting from the new technology and its uses (subsumption). U.S. courts’ application of privacy torts, for instance, when addressing complaints about improper collection, use, or disclosure by digital businesses such as Google and Facebook — largely relying on tort conceptions of privacy advanced in the late nineteenth century — is an illustration of this default response mode.12
(2) Where subsumption is considered insufficient given the novelty of issues raised by a new technology, the legal system might resort to innovation within its own system. One version of this response mode is to “upgrade” existing (privacy) norms gradually, typically by setting new precedent or by adjusting or complementing current norms (gradual innovation). Proposals to introduce a tort for the misuse of personal information by data traders,13 to provide legal recognition of data harms by extending developments from other areas of the law such as torts and contracts,14 and to enact a Consumer Privacy Bill of Rights Act,15 are examples of gradual legal innovations that leave core elements of the current regulatory approach unchanged.
(3) A more radical, paradigm-shifting approach is more deeply layered law reform where not only individual norms are updated but also entire approaches or instruments are changed. Examples in this category include proposals to reimagine privacy regimes based on models that emerged in the field of environmental law,16 to create an alternative dispute resolution scheme such as a “cyber court” system to deal with large-scale privacy threats in the digital age,17 or to introduce a “Digital Millennium Privacy Act” that would provide immunity for those companies willing to subscribe to a set of information fiduciary duties,18 to name just three illustrations.
Perhaps the most interesting, and arguably the most promising, approach to reprogramming privacy law in a more fundamental sense is linked to a potential paradigm shift: embracing the multifaceted, functional role of law and reframing technology, broadly defined, no longer (only) as a threat to privacy, but as part of the solution space. Precursors of such a potential shift date back to the 1970s, when researchers started to develop technical mechanisms under the header of “Privacy-Enhancing Technologies” (PETs) in response to privacy challenges associated with new information and communication technologies.19 Originally focused on identity protection and technical means to minimize data collection and processing without losing a system’s functionality, the scope of PETs and the available instruments have broadened over time to include encryption tools, privacy-preserving analysis techniques, data management tools, and other techniques covering the entire lifecycle of personal data. Starting in the 1990s, PETs as one instrument in the toolbox were put into a larger context by the introduction of Privacy by Design as a “systematic approach to designing any technology that embeds privacy into the underlying specification or architecture.”20 Still remaining a somewhat amorphous approach, Privacy by Design as an umbrella philosophy (as well as certain types of PETs) promotes a means to manage privacy challenges resulting from a wide range of emerging technologies, and has been adopted by law and policymakers on both sides of the Atlantic, with the EU General Data Protection Regulation among the most prominent examples.21
Law’s relatively recent “discovery” of technology as an approach to address the very privacy challenges technology (co-)creates has potential. The approach’s promise manifests itself not so much at the mechanical level of individual techniques and tools. Rather, it becomes visible when considering the types of perspectives an approach situated at the law/technology interface opens up when dealing with the privacy challenges of the digital age. Projecting from the past into the future, approaches like Privacy by Design signal a departure from binary notions of privacy and ad hoc balancing tests of competing interests toward more holistic and rigorous privacy risk assessment models that rely on modeling approaches from information security and an understanding of privacy that is informed by recent theoretical advances across different disciplines. A growing body of interdisciplinary research demonstrates the theoretical and practical promise of holistic analytical frameworks for a modern privacy analysis that incorporates recent research from fields such as computer science, statistics, law, and the social sciences.22 This promise does not mean that a blended approach has no issues; to the contrary, there are significant limitations including, among others, internal constraints, incentive misalignments, and broader normative challenges. Yet these challenges are properly understood as issues of operationalization and ought not automatically foreclose a reconceptualization of the relevant solution space.
In addition to advancing new tactical methods to conceptualize and evaluate privacy risk, embedding technology into (privacy) law can boost the development of new solutions to more strategically manage a broad range of privacy risks. Research initiatives across the country show how emerging technical privacy solutions, including sophisticated tools for data storage and access control, as well as advanced tools for data analysis and release, can play in concert with legal, organizational, and other safeguards to manage privacy risks across the different stages of the lifecycle of data.23 Consider, for instance, the important role encryption plays in securing access to and storage of data,24 or the technological development of a personal data store that enables individuals to exercise fine-grained control over where information about them is stored and how it is accessed.25 Differential privacy is a new formal mathematical framework for addressing privacy challenges associated with the statistical analysis of information maintained in databases.26 Secure multiparty computation, to add another example, is a method that enables parties to carry out a joint computation over their data in such a way that no single entity needs to hand a dataset to any other explicitly.27 While some of these technologies are still in development, others have been tested out in practice and are already recommended as best practices in selected fields of application.
In the digitally networked world, the regulation of information privacy has an inherently technical dimension. Such technological aspects have been the focus of intense study by computer scientists, resulting in a rich theoretical literature as well as practical tools for protecting privacy, but such discussion has by and large occurred in a space separate from the sphere of legal norms, regulations, policies, ethics codes, and best practices. A number of trends make it important and urgent to overcome the silos that have been created, to foster knowledge sharing between the two spheres, and to embrace technological approaches to support legal privacy across the different functions mentioned before.
Technological advances, for instance, are enabling new and sophisticated attacks that were unforeseen at the time that legal standards for privacy protection were drafted. Computer scientists have developed approaches that are robust not only against known modes of attack, but also against unknown future attacks, and are therefore well suited to address challenges posed by new technological threats to privacy.
Further, legal standards can result in wide variations in treatment of data across contexts, depending on the jurisdictions, industry sectors, actors, and categories of information involved. New frameworks for evaluating privacy threats based on both legal and scientific standards for privacy protection could be used to provide more comprehensive, consistent, and robust data privacy protection, thereby furthering end goals of the law.
Finally, traditional legal approaches for protecting privacy while transferring data, making data-release decisions, and drafting data-sharing agreements, among other activities, are time-intensive and not readily scalable to Big Data contexts. Technological approaches can be designed with compliance with legal standards and practices in mind, in order to help automate data-sharing decisions and ensure consistent privacy protection at a massive scale.
These and related examples indicate how law and technology can advance the state of the practice through a mutually productive relationship. Taken together, the development of privacy tools that aim to integrate legal and technical approaches could help pave the way for a more strategic and systematic way to conceptualize and orchestrate the contemporary interplay between law and technology in the field of information privacy. In concrete terms, this path could urge actors to incorporate modern legal and technological approaches in their privacy analysis frameworks and to adopt tiered-access models that integrate both legal and technical tools for privacy protection.28 When demonstrating a privacy technology’s compliance with legal standards for privacy protection, policymakers and technologists could seek to employ a hybrid of legal and technical reasoning.29 And regulatory systems and institutions could support additional research on policy reasoning, accountable systems, and computable policies for automating compliance with legal requirements and enforcement of privacy policies.30 Such integrated approaches recognize the rich roles that law can play alongside the technical space and hint at how more robust and effective privacy protections can emerge by melding different instruments and methods — both at the conceptual and implementation levels.
These developments might ultimately culminate in a more deeply layered recoding of privacy law that leverages the synergies between technological and legal perspectives and instruments and transcends the traditional response patterns discussed earlier in this Commentary in order to cope with the complex privacy-relevant challenges of our future. For example, in light of substantial definitional gaps between various technological and legal approaches to privacy, updating the law to better support new privacy technologies could require a fundamental reframing away from traditional legal notions such as “Personally Identifiable Information”31 and “de-identification.”32 Furthermore, legal standards could be redesigned to focus on the ends rather than the means of privacy protection, which are likely to continue to evolve rapidly. Rather than implicitly or explicitly endorsing traditional approaches like de-identification, updated legal standards might, for instance, adopt more general descriptions of the intended privacy goal, which would provide a clearer basis for demonstrating whether new classes of emerging privacy technologies are sufficient.
However, such a strategy requires significant investments in interdisciplinary education, research, and collaboration.33 Programs designed to stimulate collaboration and interdisciplinary learning have been developed at universities.34 Furthermore, technology positions in government, such as the Chief Technologist position at the Federal Trade Commission, and advisory panels such as the President’s Council of Advisors on Science and Technology, recognize the need for experts in computer science to inform the regulation of privacy and to serve as promising examples of cross-disciplinary communication and knowledge sharing in policy circles.35 Similarly, it is becoming increasingly important for technologists to understand legal and policy approaches to privacy protection so that they can implement measures that advance the specific goals of legal and regulatory privacy standards. Doing so will likely require policymakers to develop mechanisms and resources for communicating their shared understanding of the interface between law and technology to privacy practitioners. There is much yet to be uncovered: development of novel systems of governance requires not only interdisciplinary mutual understandings, but also deep inquiry into the most effective role for law and legal governance in such a dynamic, fast-changing system.
Reimagining the relationship between technology and privacy law in the digital age should be seen as a key component of a larger effort aimed at addressing the current digital privacy crisis more holistically. Under contemporary conditions of complexity and uncertainty, the solution space for the multifaceted privacy challenges of our time needs to do more than treat the symptoms of discrete privacy ills. It needs to combine approaches, strategies, and instruments that span all available modes of regulation in the digital space, including technology, markets, social norms, and the law. If pursued diligently and collaboratively, such a turn toward privacy governance could result in a future-oriented privacy framework that spans a broad set of norms, control mechanisms, and actors — “a system of information privacy protection that is much larger, more complex and varied, and likely more effective, than individual information privacy rights.”36 Through such nuanced intervention, the legal system (understood as more than merely a body of constraining laws) can more proactively play a key role in coordinating the various elements and actors in the new governance regime, and — above all — in ensuring the transparency, accountability, and legitimacy that allow democratic governance to flourish.
* Professor of Practice, Harvard Law School; Executive Director, Berkman Klein Center for Internet & Society, Harvard University. I thank Ryan Budish, Herbert Burkert, Alba Hancock, Gregory Muren, Alicia Solow-Niederman, David O’Brien, and Alexandra Wood for helpful comments. This Commentary has been inspired by work on the Privacy Tools for Sharing Research Data project, supported by the National Science Foundation under Grant No. 1237235.