Understanding the Right to Privacy in the Age of Big Data

Contemporary social life depends on both sharing one’s personal information and exercising discretion in protecting personal information that has been shared. The rapidly increasing number of social interactions that require sharing personal information, facilitated by digital technology, has resulted in the exponential growth in the amount of data being stored digitally by both private and government entities, and in the need for effective cybersecurity measures to protect that data. If people increasingly come to believe that their data is not safe, it will diminish the social trust needed for a well-functioning society. This will require a sound theory of the right to privacy in a digital age.

In recent years, the American public has been shocked by a series of lapses in the collection and handling of personal data in the private sector. In 2017, the credit rating agency Equifax announced that the names, birth dates, and Social Security numbers of 143 million Americans had been exposed in a data breach. In 2018, the social media platform Facebook revealed that it had allowed an app developer (the creator of quizzes or games that run inside the Facebook platform) to share data on millions of users with the political consulting firm Cambridge Analytica. Also in 2018, journalists at Motherboard discovered that cell phone carriers such as Sprint, T-Mobile, and AT&T were selling users’ personal location data to data brokers, who in turn sold the information to bounty hunters who were able to use it to track the movements of identifiable individuals. In 2019 the bank Capital One revealed that the personal data of over 100 million customers had been accessed by a hacker. Meanwhile, the home security company Ring, which is owned by Amazon, has come under scrutiny for collecting and storing videos recorded from people’s doorsteps or within their homes and sharing these video recordings with police, who can keep and share them. Ring has also been criticized for a series of breaches in which hackers gain access to cameras inside people’s homes—although Ring blames customers for not following recommended guidelines for creating secure passwords.

These and similar cases are often framed in terms of the risks of identity theft or the danger of having one’s personal data shared with unwanted third parties; but they also pose a risk to the functioning of modern democratic society by damaging social trust.

These cases also highlight the dangers of surveillance and data collection in the private sector. Edward Snowden’s 2013 leak of the National Security Agency’s massive surveillance of Americans’ communications was shocking, but it also confirmed Americans’ existing fears of government snooping into their private lives à la George Orwell’s Nineteen Eighty-Four. The leak highlighted the need to protect Americans’ right to privacy from government surveillance or interference. It is less clear to Americans what the right to privacy means when that surveillance is carried out through interactions in the private sphere, however, and as a result Americans have underestimated how private actors—large corporations—can exercise power over individuals’ lives and undermine the just ordering of society through data collection and sharing.

The Christian moral tradition can make an important contribution to developing a more adequate understanding of the right to privacy. Privacy should not be understood exclusively in terms of individual autonomy, but rather in relational terms. The communication of information from one person to another is an essential part of social relationships. Privacy, along with the corresponding value of transparency, helps describe when that communication is just and when it is unjust. To contribute meaningfully to the discussion of privacy in the age of Big Data, however, Christians must overcome their own hesitations about the “right to privacy” that is linked, in particular, with the debate over abortion.

The Right to Privacy and Just Communication

It is well-known that the U.S. Supreme Court appealed to a right to privacy in its 1965 Griswold v. Connecticut decision that permitted the sale of birth control pills, and in its 1973 Roe v. Wade decision that legalized abortion. It associated this right with individual autonomy. Although this association has rendered the right to privacy problematic for many Christians, this should not lead us to conclude that there isn’t a real right to privacy. The issue is not simply the moral objection Christians have to abortion, but rather the absolute value placed on individual autonomy over other concerns. But the abuse of an idea or value—such as privacy—does not render it valueless.

The Christian moral tradition affirms that the human person is relational in nature. Persons are not simply autonomous individuals; belonging to and depending on relationships and communities is fundamental to what it means to be human. Likewise, we find fulfillment not in doing whatever we want, but in being of service to others. If the right to privacy is understood exclusively in terms of individual autonomy, without taking into consideration this relational aspect of human nature, then Christians are right to find such a right questionable.

Although Christians would be right to object to a right to privacy understood exclusively in terms of individual autonomy, this should not lead to the wholesale rejection of the idea. It would be tragic for Christians to abandon the notion of a right to privacy when we face so many risks from the gathering and sharing of data by both government and private entities. Indeed, especially in light of the incidents mentioned above, and of others like them, Americans increasingly recognize that a correct understanding of the right to privacy must involve more than just protecting individual autonomy and consent—it also must embody a particular kind of just relationship.

For example, Facebook can be criticized for allowing third parties to share users’ data without the latter’s consent, but would adding a new check box by which users consent to terms of service justly settle the matter? The Equifax breach was particularly egregious because Americans have no consent over whether their financial information is collected by the credit rating agencies; but Capitol One does not get off the hook for the breach of its data, because its customers should have been aware of the risks of using its products but consented to do so anyway.

A better starting point for grasping the right to privacy is the traditional Christian understanding of communication. The purpose of communication, in this view, is to share the truth with another. The Christian tradition, however, recognizes that certain truths can be justly or appropriately shared with some people but not with others. Therefore, communication is a relational activity whose justice is dependent on the particular type of relationship involved and on whether the sharing promotes what is truly good. For example, the prohibition against lying does not mean that one must always reveal the truth when asked; one can withhold the truth if the questioner does not have a right to it. Similarly, gossip is wrong because it takes information that was given in confidence (or obtained without permission) and shares it with others who do not have a right to it. This same principle is applied in situations where professionals must exercise confidentiality about the intimate details of people’s lives: the priest’s seal of confession, the attorney-client privilege, and doctor-patient confidentiality.

Although they were developed to address personal relationships and communications, these ethical concepts can be used to address the institutional questions of data collection and privacy that we face in the twenty-first century. One of the defining characteristics of modernity is the replacement of social relationships that had previously been based on personal trust with impersonal relationships founded on a more institutional form of trust. It is this institutional trust that necessitates the collection of personal data. In this context, the right to privacy refers to the expectation that personal information shared with an institution will be kept in confidence: it will not be shared with others and will be protected from intruders who do not have a right to it. Privacy must be balanced by transparency, the moral duty to share information to which others have a right.

The just balance between privacy and transparency depends on the relationships or institutions involved. A financial institution such as Capital One has the right to expect its customers to share their personal information if they are to be offered products such as loans or credit cards. But Capital One also has a fiduciary responsibility to protect that data. Ring users have a reasonable expectation that video recordings will not be shared with the police or others without just cause. Institutions must also be transparent about how they will use people’s data and what they are doing to protect that data.

The failures of Capital One, Ring, and others illustrate, however, that it cannot be left up to individual institutions to protect their clients’ privacy. We must therefore develop stronger legal institutions that embody the principles of both privacy and transparency. In 2016, the European Union established the General Data Protection Regulation (GDPR), which puts in place robust regulations on the collection and sharing of digital data and requires greater informed consent on the part of customers and clients before they provide data. Despite the administrative costs of its implementation, the GDPR represents a step in the right direction.

Clearly the principles of privacy and transparency embodied in regulations such as the GDPR are not exclusively, or even primarily, Christian. Nevertheless, Christians can be an important voice in conversations about the right to privacy as we continue to address data breaches and the irresponsible or unjust collecting and handling of personal data. The Christian moral tradition provides a solid foundation for the right to privacy by linking it to the act of communicating and sharing information, a fundamentally relational activity oriented toward both the personal and common good.