| |
| META TOPICPARENT | name="FirstPaper" |
|---|
| |
<
< | *Data protection in France following the terrorist attacks in Paris: Nothing new under the sun*
Center text
| >
> | Law and Economics Applications to Privacy Law
Introduction
Professor Moglen has been accusing us students, and the vast majority of society in general, at surrendering freedom voluntarily, for the limited benefits of “shiny” products. According to Moglen, by inviting these products into our lives, we self-inflict harm, ranging from the “trivial” use of private information for commercial purposes; to the grave risk of persecution by those with power.
Under Moglen’s premise, I would like to suggest relevant theories from the fields of classical and behavioral law and economics (“L&E”) that are useful in understanding why people still choose to use these products. Furthermore, such analysis bears the potential to contribute to activists’ discussions on how to raise awareness to the harm people inflict upon themselves and society, and to persuade people to amend their behavior.
Classical L&E | | | | |
>
> | One possibly relevant theory, drawn from the field of classical L&E, is rational ignorance (or apathy) (Lemley 2001, Rational Ignorance at the Patent Office). Consumers might be rationally ignorant if they make an informed decision that the expected cost of further educating themselves about certain risks is higher than the expected harm. One might argue that our case is indeed such a case of economically rational behavior; if the harm from the use of personal information for commercial purposes does not bother many consumers, and the risk of persecution is extremely low. However, an economically rational actor operates based on the full information available to him (at no cost) and it does not seem to be the case here. The majority of consumers are not even aware of any risks involved and surely cannot perceive the harsh long-term societal risks they impose upon themselves. Therefore, many consumers do not have any dilemma concerning how much should they invest in exploring whether the product is “worth the risks.” | | | | |
<
< | Introduction | >
> | Therefore, I think other theories – from the field of behavioral L&E, which sets aside the assumption of rationality – could provide better insight here. | | | | |
<
< | The terrorist attacks that occurred in Paris between the 7th and the 9th of January 2015 have been called the “France’s 9/11” by certain international and French newspaper. If, from an operational point of view, these attacks largely differ from what happened in the United States in 2001, from a legal standpoint, however, they may trigger the same consequences, especially with regard to data protection. Indeed, the French government, as it has already mentioned, intends to reform several aspects of its national legislation in relation to data protection and has called for the European Union to act similarly. Listening at the speech of the French Prime Minister, one could not miss the references made to the Patriot Act enacted by the United States after 9/11. Although no legislative step has been undertaken yet, I believe that this situation deserves an overview. Therefore, I will consecutively address (i) the current French law on data protection and (ii) the purported reforms announced by the French government. | | | | |
<
< | i. The current French law on data protection | >
> | Behavioral L&E | | | | |
<
< | On 6th January 1978, France enacted the Law on Information Technology, Data Files and Civil Liberty. France was thus one of the first countries that adopted a law dealing with computers and freedoms. This law established the Commission Nationale de l’Informatique et des Libertés (“CNIL”), an independent administrative authority whose main goal is to ensure the protection of personal data. Since then, the Law of 1978 has been modified by the Law of 6th August 2004, which transposed the 95/46/EC Directive into national legislation.
The CNIL is one of the leading European authorities fighting for the protection of data protection. For instance, in its highly publicized decision against Google Spain on 13th May 2014, the European Court of Justice took up the economic approach adopted by the CNIL in its decision against Google on 3rd January of 2014.
Moreover, the French legal regime of data protection is of a criminal nature. Indeed, violation of the Law of 1978, as modified, may trigger fines up to ¤1,5 million for legal persons and up to ¤300,000 for natural persons as well as up to 5 years of imprisonment.
In addition, regarding the transfer of personal data outside the European Union, the CNIL, pursuant to the 95/46/EC Directive, has set out different procedures depending on the country to which personal data are transferred. Transfers of personal data to countries whose level of data protection are deemed to be equivalent to the European Union are easily accomplished by filing a form with the CNIL. However, it is strictly forbidden to transfer such data to countries where the level of protection is considered insufficient, unless the company undertaking a data transfer within its own structure has adopted Binding Corporate Rules or if the two companies that are parties to a data transfer have signed standard contractual clauses adopted by the European Commission.
The terrorist attacks in Paris have not called into question the missions or the existence of the CNIL. However, one could believe that the potential enactment of a purported French “Passenger Name Record” (“PNR”) system, as announced by the Prime Minister, would broaden the possibilities to collect, process and transfer personal data. | >
> | Consumers’ misperceptions | | | | |
<
< | ii. The purported reforms announced by the French government | >
> | Consumers tend to myopic behavior, ignoring small probabilities (Sunstein 2001, Probability Neglect: Emotions, Worst Cases, and Law) and optimism (Jolls 1998, A Behavioral Approach to Law and Economics). These well-recorded tendencies could potentially lead consumers to underestimate and disregard the risks of their use of such products. Consumers that tend to myopic behavior might disregard long-term effects of their decisions, and therefore will not fear for their personal freedom (even if they understand the gravity of such harm), as long as they consider it as more of a longer-term threat. Tendency to ignore small probabilities could result similarly, if consumers consider a future where they will be under eminent threat of persecution as a “state of nature” of low probability. Also, even if consumers realize that this is already an existing threat, they might still disregard it if they live where there is currently a very small chance of such an occurrence. Even if the consumer fully understands the gravity of being persecuted, he will not take it into account because he assigns 0% probability to such a scenario. Similarly, Optimism could bring a consumer, even if he understands the general grave risks involved, to think that “it wouldn’t happen to me.” | | | | |
<
< | In fact, the purported adoption of a PNR system by France would be nothing more than a scam since this system is already in place. Not surprisingly, the speech given by the Prime Minister following the terrorist attacks was merely political. Indeed, Article 7 of the Law on the fight against terrorism of 23rd January 2006 expressly authorized the collect and process of PNR data even though “sensitive” data, as defined by the Law of 6th January 1978, could not be used. Thus, for instance, the use of data revealing what meals passengers ordered was forbidden. Although this article has been abrogated, an equivalent provision remains in force in France. Moreover, for a long time, the French Code of Customs has enabled customs officers to “require the submission of papers and documents of any kind, relating to operations of interest for their services, regardless of the medium”. Consequently, customs officers are authorized to collect PNR data.
Furthermore, the Prime Minister also mentioned that France was contemplating the adoption of a “French Patriot Act”. Considering the domestic and European obstacles that the government would have to surmount, the transposition into French law of a US inspired Patriot Act is not really on the agenda.
Nevertheless, a controversial step towards the reinforcement of mass surveillance has already been made through the enactment of the Law on military programming of 18th December 2013. Accordingly, where authorized by the Prime Minister, police officers are allowed to collect any electronic data and to intercept any electronic communications for the purpose of identifying and preventing – in real time – potential threats to the national security. Despite the apparent violation of both the right to liberty and security and the right to privacy enshrined in the European Convention on Human Rights and whose constitutional value has been established by the Conseil Constitutionnel (French Supreme Court), the latter has upheld the preventive aspect of the Law, as described above. This Law entered into force on 1st January 2015. Yet, this legislative arsenal did not prevent terrorist attacks. Stiffening mass surveillance did not work in the first place but it makes no doubt that further legislative steps in this direction will be taken. | >
> | This leads to the conclusion that perhaps, in order for things to get better, they first have to get worse. As the situation will deteriorate, potentially more and more people will be exposed to stories about those harmed, and only such “availability” could eliminate these tendencies. If the government took your neighbor, you will know that it might also eventually come for you. Is it possible to fix these misperceptions in less painful ways? In the context of crime deterrence, it has been argued that in order to eliminate criminals’ perception of “I’ll never get caught” the police should make arrests as “loud” as possible, to reach other criminals’ attention and impact their perception of the arrest probability. Applying this logic here provides an additional justification to the need for activists to effectively communicate the risks to as many consumers as possible. | | | | |
<
< | Conclusion | | | | |
<
< | Surveillance has certainly been strengthened since the terrorist attacks but French law on data protection has not been formally impacted yet. However, it would be naïve to believe that the assault on privacy is over. Here is the paradox: rather than reinforcing our liberties whose scope has been temporarily reduced by the terrorist attacks, the legislative reforms will follow the same path. | >
> | Contract Design
Another contribution of behavioral L&E is to the understanding of information asymmetries and contract design. Researches on the exploitative nature of consumer contracts have had a significant impact on regulation and practices in different markets, such as home loans or mobile telecommunications (Bar-Gill 2009, The Law, Economics and Psychology of Subprime Mortgage Contracts). As far as I know, despite growing attention to the relations between companies such as Google and Facebook and their users, these contracts/privacy policies are still not being taken as seriously (by researchers and regulators) as more “classic” consumer contracts. The reason, I suspect, is the lack of money consideration; a very unpersuasive justification. To the contrary – because no money changes hands, these cases are even more prone to abusive practices – consumers are much better “trained” to identify “how much” are they paying in a deal, in comparison to “what they give.” Therefore, more efforts are required in order to promise sufficient disclosures that will overcome information asymmetries and allow consumers to truly realize what they sacrifice.
It is also important that consumers will understand that the freedoms that they give up have value (even monetary!). Researchers have identified an endowment effect: people tend to ascribe more value to what they own (Knetsch 1989, The Endowment Effect and Evidence of Nonreversible Indifferences Curves). Such an effect means that if consumers will have better understanding of the freedoms they lose and their worth, and develop a sense of ownership over them, Google will have much harder time taking them. With that regard, perhaps even the information on how much am I, as a consumer, is worth to Google, could affect my decision.
Conclusion
The application of (mainly behavioral) L&E into privacy law could improve the understanding of why consumers disregard the harms of their choices; and raise interesting ideas about how to promote change. Obviously, this paper has only touched upon several applications, and there is much room for further thinking.
| META TOPICMOVED | by="UdiKarklinsky" date="1425659661" from="CompPrivConst.TWikiGuestFirstPaper" to="CompPrivConst.UdiKarklinskyFirstPaper" |
|---|
|
|