Is Privacy Protection in the U.K. No Better Than in China?
A new Privacy International survey of 36 countries ranks the U.K. with China, Russia, Malaysia, and Singapore as an "endemic surveillance society." British Information Commissioner Richard Thomas is worried. "Two years ago," he says, "I warned that we were in danger of sleepwalking into a surveillance society. Today I fear that we are in fact waking up to a surveillance society that is already all around us."
The U.S., an "extensive surveillance society," fares only slightly better than the U.K. The survey deals only with privacy-related issues, of course, not with civil liberties generally. In that sense it's too narrow to accurately reflect the state of individual freedom in the countries surveyed. The U.K. may have more surveillance cameras per capita than China does, but when it comes to what governments do with the information they collect, the Chinese have a lot more cause for worry than the British do.
In another sense, the criteria for Privacy International's ranking are too broad. Citizens of the U.K. and the U.S., for example, have good reason to feel more secure against arbitrary government search and seizure than citizens of China and Russia do. And they are apt to be more concerned about that risk than, say, the chance that magazines to which they subscribe will sell their names and addresses to direct-mail merchants. Yet Privacy International's "statutory protection" and "privacy enforcement" categories include restrictions on the use of information people voluntarily divulge to private companies; it also has a category for "workplace monitoring" (a.k.a. keeping an eye on your employees). The inclusion of business regulations is one reason Canada and Germany (identified as countries with "significant protections and safeguards") do so much better in the ranking than the U.S.
I've long argued that it's a mistake to treat private use of voluntarily revealed information as a violation of privacy rights in the absence of an agreement restricting use of the data (which would include a company's official privacy policy) or special circumstances in which confidentiality is assumed (as with medical records or psychological counseling). The voluntary sharing of information as part of a commercial transaction is qualitatively different from the nonconsensual collection of information by the government. I have a choice about whether I want to let my grocery store track my purchases in exchange for discounts; I don't have a choice about whether the government searches my house or eavesdrops on my phone calls.
At the same time, the collection of information by private entities is undeniably worrisome when that information can be demanded by the government on a whim through devices such as administrative subpoenas. Because the Supreme Court has ruled that information you give to a private business is no longer yours as far as the Fourth Amendment is concerned, the government's access to that information is governed by a hodgepodge of statutes and regulations. As the NSA's phone call database shows, these rules have loopholes that allow the government to collect information that most Americans would consider private without any sort of court order. In the case of the phone call information (which included numbers dialed and call duration), any statutory violation was committed by the phone companies that surrendered the information, not the government agency that "requested" it.
That's an example of a business regulation aimed at preventing unjustified government surveillance. So while it's important to distinguish between the threats posed by the government and the threats posed by private entities, regulation of data sharing may be an important backstop when the courts and the legislature fail to restrict government directly.
