So you can immediately see why the modern digital age (and especially the era of Big Data) has made things so confusing for regulators and lawmakers when it comes to data security and protecting personally identifiable information. Is it possible that notions of privacy are different in physical space than online? For example, people may think nothing of letting Google track their every movement via mobile Android devices, but they would never agree to being shadowed by an unknown person while driving around a city or going shopping. They would never allow a physical breach of their own home (imagine coming home and finding the front door broken down), but often fail to complain after an extensive data breach happens online.
Moreover, while people may not want government regulators peering into their bedrooms, they have absolutely no problem with letting an Amazon Echo device to do the same. They would never think of sharing sensitive information (such as health information) with an unknown third party, yet gladly transmit this same information to Google and Apple via fitness trackers. Moreover, they refuse to tighten up privacy settings even when informed of security breaches. So do governments and regulators have an obligation to protect people, especially when these same people may not realize the extent of the risk they might be facing?
How to introduce ethics and morality into data privacy regulation?
That’s where things get really interesting, because until now, government regulators have never framed privacy in terms of ethics or moral obligations. Instead, privacy has always been thought of a type of “human right” that needs to be respected and protected. As Buttarelli also pointed out in his ICDPPC speech, people did not think about ethics when drafting the European General Data Protection Regulation (GDPR), and did not debate the various ways that morality or moral obligations should influence the actions of governments.
What Buttarelli suggests is that regulators and lawmakers need to start thinking in terms of the fundamental values that underpin privacy and data protection. It is time, says Buttarelli, “to develop a clear and sustainable moral code moving forward.” We have now reached “a 50-50 moment for humanity in the digital age,” in which there has been digitization of almost everything. It is no longer possible to escape discussions of personal privacy because the practice of data collection is ubiquitous and woven into our daily lives.
What’s more, says Buttarelli, the next evolution of data privacy regulation must take into account scenarios involving privacy that today might be regarded as futuristic. For example, should humanoid robots also have a right to privacy? When machines instead of humans are doing the sentencing of criminals (a process that Buttarelli refers to as “algorithmic sentencing”), what data should be allowed in their decision-making processes?
Why the Privacy Paradox matters
Going forward, it’s possible to see why the Privacy Paradox is such an important theoretical construct for framing future debates about data privacy protection. For one, the Privacy Paradox raises questions about the types of biases and inconsistencies that cloud most people’s views of privacy. And, as Buttarelli argues, it also helps to stimulate debate about the moral and ethical ramifications of privacy regulation. If future regulators do not take into account morality and ethics when crafting new data protection laws, they might be going about it all wrong, and in so doing, fail to protect the very people they hope to serve.