Sizing Privacy Harm

Sizing Privacy Harm

Michael John Long is an LLM candidate advancing to the PhD at Osgoode Hall Law School

In a recent blog posted on the IP Osgoode website I considered the ruling in City of Ontario v. Quon; a case in which the U.S. Supreme Court ruled on the issue of the privacy of employee text messages sent using employer issued equipment.  In the Quon decision, the justices unanimously ruled that the search of the employee's personal messages on his government owned device did not violate his constitutional rights.  In conversations following the blog I noticed that the topic of discussion often shifted, and rather quickly, from the expectation of privacy directly to the violation of privacy, and all with little regard for the grey area involved, the area of harm.

In Ryan Calo’s recent essay, The Boundaries of Privacy Harm, he urges that closer consideration be paid to the notion of privacy harm as ‘no person need commit a privacy violation for privacy harm to occur (and vice versa).’  In his article he defines both the subjective and objective aspects of privacy harm in order to establish the concept as its own entity, one separate from privacy violations.  He notes that the two categories of harm are distinct and yet related, ‘just as assault is the apprehension of battery, so is the unwanted perception of observation largely an apprehension of information-driven injury.’  The subjective and objective categories can be thought of as the anticipation and consequence of a loss of control over personal information, respectively.

Subjective privacy harms are those experienced from the ‘unwanted perception of observation,’ and can range from singular to ongoing events, from individuals to groups, from mild discomfort to great mental pain and so on and so forth.  An important distinction is that generally, to be considered harmful, the observation must be unwanted, and yet, actual observation does not need to occur to cause harm; ‘perception of observation can be enough.’

Objective privacy harm involves ‘the forced or unanticipated use of information about a person against that person.’  This harm occurs when personal information is used adversely against that person, such as when ‘the government leverages data mining of sensitive personal information to block a citizen from air travel, or a neighbour forms a negative judgment from gossip.’  Another example is when personal information is used to commit identity theft or murder.  In order to constitute harm, use of the personal information must be unanticipated or coerced, and again actual observation does not need to occur for information to be used against a victim.

Calo’s aim in the essay is quite simple and is espoused in his comment that privacy harm is a ‘crucial but under-theorized aspect of an important issue.’  In the essay he aims to discover both the ‘mechanism and scope' of privacy harm in order to attain conceptual clarity.  More than that however, he wishes to discover the boundaries within which privacy harm occurs, which will be useful for ‘scholars, courts and regulators attempting to vindicate and protect privacy and other values.’  The approach which Calo has adopted ‘uncouples’ privacy harm from privacy violation thus creating a limiting principle in order to distinguish the former from other values, as well as create a rule of recognition which helps to identify privacy harm when no other violation is present.

What can be said about The Boundaries of Privacy Harm is apropos when compared to what Calo says in his essay about Daniel Solove, a leading privacy scholar, who rejects that privacy should be reduced to any one or more concepts.  Although Calo ultimately believes that without a ‘limiting principle or rule of recognition we give up the ability to deny that certain harms have anything to do with privacy... which in turn can be useful in protecting privacy,’ he notes that ‘there is no denying the value of the complete, nuanced, and interconnected picture of privacy that Solove’s taxonomy presents.’  In the same way Calo recognizes that his referenced author ‘delivers what he promises’ so too should we recognize that Calo delivers on his aim to provide an understanding of the mechanics and sizing of privacy harm.