January 8, 2015
In the segment, 60 Minutes reported how “today we are giving up more and more private information online without knowing that it’s being harvested and personalized and sold to lots of different people…our likes and dislikes, our closest friends, our bad habits, even your daily movements, both on and offline.” Apparently the information that tickles the fancy of data brokers includes your “religion, ethnicity, political affiliations, user names, income, and family medical history.
Worse still, “it’s not about what we know we’re sharing, it’s about what we don’t know is being collected and sold about us.” How many of the billion people who downloaded Angry Birds to their smart phones appreciate “the companies that gave them to you for free were using the apps to track your every movement and pass it along to other companies“?
The realisation that such a vast group is being targeted for data collection begs the question: how detailed is the information within this apparently self-regulated area?
Take the hypothetical situation where someone running in a marathon sets up a fundraising charity page. These pages often have a short excerpt to raise awareness about why the runner’s cause is worthwhile. If the publication speaks of a degenerative disease that runs in the family and this titbit is collected and stored in a dossier about that family, is it fair that it can later be purchased by one’s insurance company? This isn’t particularly far-fetched but perhaps internet users don’t readily connect the dots.
Consider the story of a retailer knowing before a father that his child (also a customer of the retailer) was pregnant. Who knew that the invisible masterminds behind the advertising function of the internet were so much more aware of us as their target audience than we were of them? Does it matter that we are the lab rats in a shopping experiment if the results directly benefit us? Such attention to detail can equip retailers with the ability to decipher what a potential customer wants before that individual is aware of the same. Maybe this skill should be commended. What might be stalking to some, could easily be considered as “good service” by others.
The anonymity of one’s virtual footprint has become an oxymoron.
As I look at pictures read the news on the Daily Mail, I might be co-hosting an online party where (un)invited gatecrashers solely want to know about my particular interests concerning the Daily Mail. How can I determine whether the Daily Mail is one of the companies that allows third parties to observe my movements? Is the website’s permission even necessary to facilitate data collection? What if that someone is persona non grata and also jots down my IP address and logs everything I look at for marketing purposes. Perhaps this does not seem that intrusive – but at what point do we become so dependent on the spoon-feeding of tailored ads that we stop exercising choice and succumb merely to suggestion? Or is it that currently there is simply too much information available for us to decipher single-handedly?
Mr Sparapani describes on 60 Minutes that “most retailers are finding out that they have a secondary source of income, which is that the data about their customers is probably just about as valuable, maybe even more so, than the actual product or service that they’re selling to the individual. So, there’s a whole new revenue stream that many companies have found.” This “shopaholic” never realised such information could trump the price of the product. Has information become the currency of choice? Can I offer to share my blood type instead of paying with cash/credit?
I see the perks of tailored marketing but I suppose I feel that I should have some choice in what information is hurled at me for the sake of enticing a sale. For example, I looked up divorce lawyers (to save my friend the trouble) and now the superfluous search continues to haunt my browsing experience in the form of web banners. My PC is plagued with information that is effectively old news. What ability do we as internet users have of correcting these dossiers being collected about us as individuals?
To a certain extent, the dossiers’ reliability is persuasively based on our subconscious truths minus the conscious element of human error or editing. Not all of the information will be correct but it will be based on our unregulated behaviour. Perhaps such information is worth more in the marketplace because it is more reliable and telling than the conscious information we as individuals choose to offer. Since certain aspects of collecting our data benefit our internet experience, does this mean we should sacrifice our privacy in the name of efficiency? If so, to what extent?
The name of the game is facilitating the commercial use of personal information and it is easy to pretend the players are nonentities. If personal information is published by the individual prior to it being acquired by a third party, does privacy have any teeth in this debate? Lord Nicholls explained in his dissenting opinion (Douglas v Hello!  UKHL 21, paragraph 255), “privacy can be invaded by further publication of information or photographs already disclosed to the public.” As true as this may be, this area of data collection is a can of worms.
What privacy right can be enforced if the private information is misused but remains semi-confidential so unbeknownst to us it is also in the hands of corporate entities we do not wish to share the information with? In such circumstances, if the private information is taken without an individual’s consent or knowledge and does not contribute to public interest, how can it be protected in practice? Short of buying the information yourself, how can you even determine what information is being collected and stored in your dossier?
Does an individual’s feeling of violation depend on who the buyer is? Techies are likely to argue such private information is purchased in the interests of national security, public safety or the economic well-being of the country world. Therefore does its collection and use contravene the right to respect for private and family life? Are such actions considered to be in accordance with the law and necessary in a democratic society? What line will be drawn between what is in the public interest and what is in fact just interesting to the public buyer?
How will privacy be shaped by freedom of expression [see here] when data brokers are placed in the balance? What weight will be attached to the method of obtaining the information and the fact that such information is geared towards opportunistic companies rather than public consumption?
The internet is not unilateral but interactive as we trade our personal information (debatably unintentionally) for the information we seek online. What legitimate expectation that one’s private life will be protected can be reasonably expected in the realm of the internet where we expel information like carbon dioxide? Not much of an expectation can exist if it is only the compilation of the data rather than its individual parts that cause angst.
How similar is the information shared on cyberspace to information revealed in other forums such as interviews? At times both actions concentrate on seeking the limelight. The question then becomes whether this information was in fact publicly available and obtaining it is deemed as lawful, or whether such information takes effort to piece together and is done so in a surreptitious way which is considered unlawful.
To ensure healthy debate, internet users at large need to be informed. This way, internet users (who double up as the product source) can contribute their input while policy makers consider what steps (if any) they should take in this sector. Currently I suspect the reason that so many internet users are “silent” on this issue is not acquiescence. Conceivably a huge number of internet users who (probably) believe they have a right to respect for their private life when using the internet are not aware that even their most mundane activities online have commercial value and this value is currently being exploited. Or perhaps, when it comes to the internet, the reasonably well-informed and reasonably observant internet user is more akin to a moron in a hurry. Such behaviour may signify accepting the trade of having free internet or may just highlight a careless attitude because of the freedom the internet provides.
Much confusion will also arise from the distinction between those who seek to protect their private information and those who seek to exploit it. In the US, the latter will enter the realm of publicity rights. In the UK, breach of confidence seems arguable either in the traditional trade secret sense or in terms of its half-brother, commercial confidential information.
The dichotomy between publicity and privacy seems to be separated respectively by an adequate remedy and the potential to cause permanent irreparable damage.
Take Douglas where “the award of damages eventually made to the Douglases, although unassailable in principle, was not at a level which, when measured against the effect of refusing them an interlocutory injunction, can fairly be characterised as adequate or satisfactory.” (Douglas  EWCA Civ 595 paragraphs 256-259) Commercial confidentiality however did very well for OK! where Hello! was liable for £1,033,156.
Enforcing privacy rights is a bit of a perverse paradox considering one must publicise the event one wishes to keep private. [For the poster boy of this conundrum, see here and here.]
Max Mosley triumphantly won his claim against News of the World but who had the last laugh? Mr Moseley’s award of damages were a record high but Eady J concluded in Mosley v News Group Newspaper Ltd  EWHC 1777 (QB), “It has to be recognised that no amount of damages can fully compensate the Claimant for the damage done. He is hardly exaggerating when he says that his life was ruined. What can be achieved by a monetary award in the circumstances is limited.”
Have we really “signed away rights and privileges that other generations fought for, undermining the very cornerstones of our personalities in the process”? Alex Preston discusses the complex mathematical formulae within the internet as “invisible and arcane” and yet acknowledges the individuals who choose to fight the good fight like Max Mosley suffer the consequences of the Streisand effect “where his very attempt to hide information about himself has led to its proliferation”. Preston taps into the popular public opinion where people passively relinquish private information because they don’t consider themselves interesting enough to be spied on. Similar to Preston, my mind wandered to the fanciful story of The Minority Report where “criminals are identified and arrested before they commit crimes”.
Preston also surmised, “perhaps the reason people don’t seem to mind that so much of their information is leaking from the private to the public sphere is not, as some would have it, that we are blind and docile, unable to see the complex web of commercial interests that surround us. Maybe it’s that we understand very clearly the transaction. The internet is free and we wish to keep it that way, so corporations have worked out how to make money out of something we are willing to give them in return – our privacy. We have traded our privacy for the wealth of information the web delivers to us, the convenience of online shopping, the global village of social media.”
Trade Secrets may seem attractive to these corporations. Of course this assumes that under section 39(2) of TRIPS the person is “lawfully in control of the information” which remains to be seen. Since governments are likely to be interested in such information, is there any incentive to legislate conservatively?
This data collection issue really hits the fan when you consider celebrities. If a data broker obtains an IP address and subsequently the identity of a celebrity, can they sell the information they collect to tabloids? Will paparazzi be able to exploit the location of their prey from their smartphone? As far as exclusive stories go, can breach of confidence or publicity rights save the day?
I predict the US concept of publicity rights is likely to fare well in this area as it enables an individual to control the commercial use of their name, image or likeness. This would apply where the characteristics of someone’s personality are used in a way where the individual is identifiable and such use is unauthorised and likely to cause damage to the value of those characteristics.
The “hot news” misappropriation doctrine is unlikely to make waves (See here where “the adoption of new technology that injures or destroys present business models is commonplace. Whether fair or not, that cannot, without more, be prevented by application of the misappropriation tort.”)
My Magic 8-Ball is not looking so optimistic across the pond where the UK may be stunted by its reluctance to adopt publicity rights. Breach of confidence in its traditional sense could arguably fail on the second hurdle of Coco v Clark (Engineers) Ltd  RPC 41 (“the information must have been communicated in circumstances importing an obligation of confidence”). People choose to go on the internet and may inadvertently share more than they realise. How can an obligation of confidence be imparted from this? Additionally Meggary J concluded in Coco “equity ought not to be invoked merely to protect trivial tittle-tattle, however confidential.” Where the issue is not strictly to do with misusing private information or trade secrets, it appears the crossbreed of commercial confidence in private information from Douglas v Hello! Ltd  UKHL 21 might rear its ugly head once more.
When Lord Phillips explained that the nature of an interest in privacy did not amount to an IP right [Douglas  EWCA Civ 595, paragraph 126-127], he turned to Lord Upjohn in “Boardman v Phipps  2 AC 46 at pp 127-8, when he said:
“The true test is to determine in what circumstances the information has been acquired. If it has been acquired in such circumstances that it would be a breach of confidence to disclose it to another then courts of equity will restrain the recipient from communicating it to another. In such cases such confidential information is often and for many years has been described as the property of the donor, the books of authority are full of such references: knowledge of secret processes, “know-how”, confidential information as to the prospects of a company or of someone’s intention or the expected results of some horse race based on stable or other confidential information. But in the end the real truth is that it is not property in any normal sense but equity will restrain its transmission to another if in breach of some confidential relationship.””
Unlike the Seigenthaler incident, there is no publication made available to the public for it to be capable of correction. In this case, you may only speculate what information has been retained about you. Although, one of the data broker companies interviewed on 60 Minutes decently allows you to view the “kind of information that we have about you“. Evidently, being the subject matter of their potential literary copyright and database has little bearing. Can companies acquire IP rights from private information merely because it is available for compilation? How will IP cater to this fast growing sector of the economy? Will it be piecemeal and haphazard as the law tries to grapple with the ever-evolving internet? This issue in terms of IP is particularly worthy of note in jurisdictions where IP rights automatically subsist.
In the UK, will data brokers infringe each other’s IP rights as they compile similar data about individuals? Their dossiers likely amount to a database where “there has been a substantial investment in obtaining, verifying or presenting the contents of the database.” [section 13 of The Copyright and Rights in Databases Regulations 1997] Although improbable, could individuals infringe these companies’ potential database rights if they “extract or reutilise all or a substantial part of the contents of the database” (section 16) about themselves? Perhaps there is solace in section 19(1) where “a lawful user of a database which has been made available to the public in any manner shall be entitled to extract or re-utilise insubstantial parts of the contents of the database for any purpose.” Then again not only must this be lawful but the parts taken can only be insubstantial. Would my medical history or income qualify as an insubstantial part? Without the safety net of “fair use” [see here], the sui generis database right is not one to trifle with. How will the common law develop the relationship of data brokers with their databases post-Football Dataco v Sportrader  EWCA Civ 27?
The dossiers will not enter the realm of a literary work under copyright unless original “by reason of the selection or arrangement of the contents of the database the database constitutes the author’s own intellectual creation.” [section 6 of the 1997 Regulations]
Under section 50D of the CDPA 1988, individuals would presumably be able to seek refuge when using content concerning their identity. The CDPA also provides the benefit of fair dealing defences such as section 28A (making of temporary copies) and section 29 for the purposes of research and private study.
In practice it is improbable that copyright and database rights would be used against individuals (aka the subject matter of the database) when this cloak and dagger industry shies away from making their product (that is personal and private information) available to the public to scrutinise.
If people do not want to wait for regulations to be ironed out by policy makers, can matters be taken into their own hands? Is it practical to create a compilation about yourself so that you can protect a substantial part of your private information by suing others for infringing your copyright or database rights when they copy, make available to the public or re-utilise the same selection of information? Is the use of such data by data brokers legal for the purpose of a defence? Could some parameters be established if InfoSoc crosses this black hole?
Due to the lack of transparency, I can only wonder how individual dossiers are sold. By name would seem foolproof. If goodwill attaches to my name from the demand of information about me, should I rush to register my name as a trade mark in respect of Class 35 of the Nice Classification? Will I fall foul of using my name as an instrument of fraud? That would be quite an unexpected twist from British Telecommunications plc v One in a Million Ltd  1 WLR 903. Am I not able to exploit my name and private information the way I see fit? Who knew the information of someone who is not a public figure would be in demand?
The right to be forgotten [see here] seems to offer protection despite its faults. It may not be easy to prove information is “inadequate, irrelevant or no longer relevant” if it is only the collection of the data rather than its individual parts that are controversial. Perhaps it would be “excessive” for the purposes of this developing right. This is a messy concept considering most of the information tracked is information you yourself leave on the internet for data brokers to collect. It is “relevant” information which is worth selling. Moreover, the information collected is not freely published on the internet and available for just anyone to find on a search engine.
60 Minutes explained that Google and Facebook “were not mentioned in our story because they don’t sell the information they gather about us. They keep it all to themselves.” And so the puzzle begins. Should data collection be regulated and, if so, how? Is it only those who use the collected information commercially who need to be regulated? What type of information (e.g. personal, private, confidential, valuable or “hot news”) being collected should be regulated? Where can this line be drawn? Will it be possible to contract out of any potential regulations? Finally, what sort of judgment can one exercise where the potential risk is not widely known?
To a technophobe like me, the internet is no man’s land. Of course people are aware of information breaches and leaks associated with the internet, however, data collection specifically is less established. The jury is still out on this dark horse. The illusion is to assume you have a cloak of invisibility or anonymity due to how ordinary your life may seem. “Why would anyone want to collect information about me?” seems to be the defence for such blissful ignorance. I wonder how individuals especially those who are not internet savvy can protect themselves regarding information they don’t wish to share.
While some might argue this is a collection of harmless information that users freely divulge on the internet, I think many members of the public would be concerned to know that information (perhaps private in specific circumstances) is being compiled about them personally or at least in relation to their IP address for third parties to purchase. The internet may sustain us but it also acts as a host where consumer protection and right to private life are blurred by lack of regulation. I reckon people who would like to try and lead private lives should “be able to see the information the companies have on them, be able to challenge it if it’s incorrect, and opt out of the system if they don’t want personal data collected” as Commissioner Julie Brill advocates on 60 Minutes. Sadly such transparency may be an unattainable ideal. Yet there is room for improvement. Awareness is the first step for internet users to salvage whatever autonomy exists within the virtual world.