Craig Mundie recommends changing privacy laws and practices to focus more on preventing and mitigating the misuse of personal data than on limiting the collection and retention of such data (“Privacy Pragmatism,” March/April 2014). That would be a mistake: limits on the collection of personal data should remain central to the protection of privacy. Simply put, governments and organizations cannot abuse or lose control of personal data that they cannot collect or retain in the first place.
Mundie also believes that better control over the use of personal data would obviate the need for businesses to obtain individuals’ consent to collect their information. According to Mundie, consent is often too difficult to obtain in a world of “passive” data collection, complex data flows, and incomprehensible privacy policies. But the solution to such problems is not to eliminate consent or to lower the expectations one should have about how one’s data will be used. Individuals deserve the right to control what happens to their personal data at any given moment -- not only after someone else has obtained it, perhaps even without consent. Consent allows individuals to set conditions for the use of their data, access the information relating to them that others have obtained, verify the accuracy of that information, check to make sure companies comply with the rules, and seek redress for any harm that results from the misuse of their data. Remove consent, and the other privacy checks and balances collapse.
In place of such protections, Mundie proposes a draconian government oversight scheme in which regulators would impose mandatory registration, auditing, and presumably new sanctions on all organizations seeking to use personal data. Such a system would rely mostly on after-the-fact remedies for abuse. But when it comes to personal data, once the harm has been done, it
- Full website and iPad access
- Magazine issues
- New! Books from the Foreign Affairs Anthology Series