Reprinted with permission from the American Bar Association, The Journal of the Section of Litigation.
Famously, the United States Constitution does not say a word about privacy, let alone articulate a right by that name. Likewise, there is no right of privacy mentioned in the Declaration of Independence, even if the enumerated rights of “life, liberty and the pursuit of happiness” are expressly said not to be exhaustive of the rights human beings are endowed with by nature. In accusing George III of tyranny, that fundamental charter of our regime could easily have mentioned an invasion of privacy, but the more political elements of taxation and interference with publicly enjoyed freedoms seem to be the greater impetus leading the Americans to “dissolve the political bands” connecting them to England. In more modern times, the efforts of the U.S. Supreme Court to locate a right of privacy in the text of the Bill of Rights have been labored at best. Not for nothing has the Court had to refer to the penumbras of the emanations of the First Amendment or draw inferences from the Fourth and Ninth Amendments to establish a right that seems somehow to be wholly absent from the text itself.
Still, that a right of privacy might not be provided for, indeed guaranteed, by our system of government would come as a shock to most people. And rightly so. Privacy is not stated expressly or separately because our entire conception of the modern state is one that depends on a division between the state and the individual person, between governmental pursuits and private ones. One of the greatest innovations in modern politics is that, as suggested by John Locke in his Letter Concerning Toleration, religion and other controversial opinions can be “privatized”; that is, relegated to a sphere in which they are unlikely to affect or distort, or be controlled by, government and public activity. We have our public lives and our private ones, each with its own territory. Appeals to getting the government out of the bedroom, or one’s thinking, still resonate. Pace President Obama, the Declaration makes clear that the role of government is in fact to preserve this distinction, to protect our rights, including our right of privacy, not implement them, which we might find to be an unwarranted, and unwanted, intrusion into what’s ours alone.
The Beginnings of Privacy
It was not always so. In ancient times, there was no such clear distinction between private and public life. Quite the contrary. The 300 who died at Thermopylae warding off the Persians wanted to be known, not by their names, but as “Spartans.” Socrates sought to deprive his ruling class of any privacy whatsoever; they would eat together, bunk together, procreate together. As Socrates showed us, matters of religious belief were a public concern, even in the more free-wheeling, and self-directed, Athens. In fact, the regime was understood to be such a direct influencer of individual life that the Greek word “idios,” the root of our word “idiot,” meant a “private person,” with much the same implication as our English derivative. Those who kept away from public life were regarded as oddballs, crackpots, not to say philosophers. Socrates compares the latter to an addled stargazer who is so in love with her own contemplation of the heavens as to have no interest in using her skill to steer to safety the very ship of state in which she herself is a passenger.
This is not our way. The doctrine of the self, started by Locke’s forerunners, got a helpful boost from his privatization strategy. The purpose was to minimize the motive for conflict in the modern age, rather than entitling our private lives. But the distinction was essential. Because the crux of the distinction was less the preservation of the self than of peace in society, the line between the public and the private has not always been drawn where it is today. Much of the judicial decision making of the second half of the 20th century, however, can be understood as directed to adjusting that line self-ward, moving it more sharply in favor of individual rights, carving out a larger share of privacy from the reaches of governmental edict or control. Reproductive rights, abortion rights, gender rights, sexual preference rights, not to mention free speech rights, have all been the subject of consideration and expansion by the Court in the last 50 years or more. In foreclosing, or beating back further, any governmental intrusions into our privacy, these developments have gone together with a less noticeable, but far more significant, expansion of what we think of as belonging to the self, as opposed to the community, thereby aggrandizing the individual over the social and governmental in our world.
There is cause for celebration in the triumph of our individual rights. Still, there are lingering concerns too. We are shocked almost daily to learn at how little privacy we now really have. Consider what happened in England, after the poisoning by Russian agents of Sergei Skripal, the former spy who settled in England. Within months, the British government was able to produce an almost unbroken video record of every movement by his would-be assassins, from the time they got off the plane from Russia, through their “sightseeing” trip to Skripal’s home in Salisbury (ostensibly just to see the cathedral), and then back again to Heathrow, boarding the plane that returned them to their homeland. Not much privacy there.
It’s significant, of course, that in Great Britain, despite a common Lockean heritage, there are none of the scruples we have in the United States about publicly owned and operated spy cameras. But surveillance in the United States is not really so far behind. It was still possible for the police, within two days of the Boston Marathon bombing, to cull through privately owned closed circuit TV footage and pinpoint, amidst the thousands gathered at the race finish line, the two brothers allegedly responsible for the attack. Early in 2019, shortly after the TV actor Jussie Smollett said he had been mugged by apparent Trump supporters in the darkest, most out-of-the-way area of Chicago’s downtown, authorities had near-contemporaneous footage of the two brothers said to have been the perpetrators of the attack. Further video proof seems to have exposed them as co-perpetrators of an alleged fraud.
The difference between surveillance in England and that in the United States— from governmental to private—subtly calls to mind what, in the United States at least, is now the biggest challenge to our privacy. Although concerns about what the government knows about our private lives have certainly not disappeared, the focus now has shifted to what other non-governmental actors in society, particularly corporate entities, might have access to. Those targeted ads that show up on your computer screen reflecting earlier searches you’ve done are just the tip of the iceberg. Ask any marketing specialist what your favorite retail enterprises know about you—your buying habits, your likelihood of returning items, how frequently you complain—and the results may astound you. Political campaigns now routinely harvest information about you that includes, from online searches alone, the sites you frequent, the movies you watch, the food you eat, and much more, all of which allows them to develop a profile of your opinions and likely voting preferences that may be said to know you better than you know yourself.
Some of this is self-inflicted. Every day another story appears of someone done in by his or her own Instagram account. In some cases, the internet has fooled people into eliminating or suppressing their sense of shame, to the extent it operates at all anymore, causing them to reveal semi-publicly the details of their private lives. Even without such disclosures, routine conversations and posts on social media are a treasure trove for the snoopers and the merely curious out there. Some filtration is necessary to judge this information accurately, as people tend to put only the most positive images of themselves on their accounts, albeit sometimes believing that what makes them seem worthy of pity can be a positive. But the willingness to share intimate details is confounding indeed. If there is so little privacy, we ourselves are often at fault.
But not entirely. Leave aside that we have (or at least had) no reason to suspect that our free use of the internet might lead to such angular effects. In many instances, the privacy intrusions brought about by technology are hardly a matter of choice. Many companies have gone to thumb prints or eye scans or similar techniques to log in employees at their places of work. Simple security measures in your place of business will allow others to know how often and when you clocked in and clocked out. Your employer knows when you turned your company computer on and when you logged off. And your company email is your employer’s alone. Data are accumulating about you, without your explicit permission or even your knowledge, virtually every moment of your day.
With this vast record of private activity has come still another odd phenomenon. Almost perversely, the governmental authorities we previously feared most from a privacy standpoint are being asked to police invasions of privacy from others around us, to keep our information from becoming known. Government has now leaped to the task, adopting rules specifying what can and cannot be collected, how data are stored, and in what way information can subsequently be used. Sometimes this is for the benefit of the public and sometimes for the benefit of the government. When and how the authorities can access your personal cellphone should be a matter of concern for all. Do you know?
The Role of Government
The larger question is whether the government, even with the best intentions, can and will do this well or will make a mess of it. An old joke has it that the worst disaster to have befallen American government was the invention of the air conditioner, which allowed Congress, which used to recess from March to December, to stay in session in tropical Washington, D.C., all year long. The greater opportunity by our government and other governments worldwide to pass legislation has resulted in greater quantity without ensuring, perhaps even substituting for, quality. In Europe, the General Data Protection Regulation, or GDPR, have willy-nilly deemed huge amounts of routine communications private or protected, without much consideration given to what is genuinely private and what is not. If some of the motive may have been to frustrate discovery emanating from American shores, that hardly improves upon its value.
Undaunted, California has now ad-opted a broad confidentiality regime, the California Consumer Privacy Act (CCPA), which mimics the GDPR and restricts from view much information that previously was deemed of little concern. This has produced a kind of double whammy for litigation. One is it interferes with the logic of discovery, where disclosure is thought to stimulate settlement of claims. The other is to be a breeding ground for more litigation. As originally enacted, the CCPA provided no private right of action for aggrieved persons, unhappy that their data have been disclosed. All such claims were to go to the attorney general, who was provided with additional staff to monitor compliance. But almost immediately the drumbeat for private enforcement began.
Some idea of the impact of this can be garnered from the fate of the Biometric Information Privacy Act (BIPA) in Illinois. As the name suggests, this statute provides protection covering the gathering and storing of any kind of biometric information, eye scans, thumb prints, facial profiles, or the like, and provides statutory penalties for willful and non-willful violations. Among laws passed by states that have taken an interest in biometric information, the Illinois law was the first to allow private persons and their lawyers to sue for a violation. A recent Illinois Supreme Court decision, meanwhile, has determined that the Illinois legislature did not intend to limit recoveries to “actual harm.” That is, the mere fact of a violation can lead to liability.
Predictably, the result was a deluge of litigation, with new cases being filed every day. And not just in Illinois. Cases have been filed all across the country relying on the Illinois law. It hasn’t helped that the legislature did not take many pains to say exactly what constitutes and does not constitute “biometric information,” excepting only that it excludes mere photographs. But what if someone were to compile the biometrics available from even one photograph, not to mention from the stream of photographs we call video? Can that be a violation too, despite the legislative carve-out? The plethora of claims and the uncertainties of the litigation have now led Illinois to think of rescinding the private right of action. But is that any more sensible?
The CCPA and BIPA are part of a general movement to regulate invasions of privacy through specialized legislation. But the question is whether government knows what it is doing. The point here is not that these laws are good or bad. The point is that the new environment—where we have a combination of multiple private actors and new legislation enacted by a government lacking itself both the best record of protecting privacy and the most careful consideration of what should be private and what not—seems to becoming the problem itself. More careful thinking is necessary about not just where the line should be drawn but how it is to be enforced.
It behooves the public and the government to step back and do some genuine soul-searching. The first step is a reconsideration of what we want privacy to be and what distinction there is between what is voluntarily done and what is in-voluntarily done. Then, to ensure proper protection, there is a strong need to determine carefully what restrictions will make sense in light of all the various crosscurrents in society. We want to preserve our privacy, but should we protect those who themselves voluntarily breach it, and to what extent? We need to prevent the wholesale harvesting of personal data, but we do not want the privacy laws to be crippling what’s been achieved through discovery in encouraging the settlement of disputes, especially in the commercial context. Nor do we want to generate litigation unnecessarily. All good questions, these are, for our legislators and courts to consider. What privacy will be in the future hangs in the balance.