Personal Privacy and Electronic Data Transfers

by David L. Perry, Ph.D.

From a speech given at a conference sponsored by the Electronic Funds Transfer Association (EFTA) on "The Puzzle of Data Security and Consumer Privacy," Washington, DC, 16 November 1992. At that time, Dr. Perry was a Consultant in Advisory Services for the Ethics Resource Center.

Every large corporation worries to some extent about the small number of employees who may be tempted to act in ways that benefit themselves at the expense of the company: stealing company equipment; embezzling funds; padding expense accounts; or accepting kickbacks from customers or suppliers. Managers try to reduce corporate vulnerability to those kinds of abuses by establishing controls, conducting periodic internal audits, and taking firm disciplinary action.

But in the consulting experience of the Ethics Resource Center, we often find that corporate managers rarely think about their vulnerability to a different kind of ethical risk: not the sort where an unscrupulous employee is lining his own pockets, but rather where otherwise decent and conscientious employees come to rationalize conduct that they know is ethically questionable, thinking they’re doing the company a favor: winning the contract; hitting their quarterly revenue targets; getting the edge on the competition; or negotiating the best deal from a supplier. Employees are also more likely to rationalize unethical conduct when they don’t receive clear ethical guidance from management, when the message they hear from their boss is "Get it done, whatever it takes," or when they see that messengers of bad news are routinely "shot."

To a certain extent, then, the message that I want to bring to the members of EFTA is the same message that our Center has communicated to companies in aerospace, pharmaceuticals, healthcare, transportation, and other industries. Ethics depends upon the right example being set by management. High ethical standards need to be communicated to new employees and new supervisors, and in areas where ethical problems typically arise (e.g., sales and marketing, procurement). Ethical considerations need to be woven into strategic planning and into the quarterly goals set for managers and employees. Attention must be paid to the kinds of performance that are incentivized and rewarded. And employees need a place to go when they have a question about how company standards apply in gray areas, or when they feel obligated to come forward to report unethical or illegal conduct but don’t feel comfortable going through normal channels.

I recognize, though, that many ethical issues arising in your industry are highly complex and controversial, and can’t be resolved simply by entreating people to manage their company in an ethical fashion or to watch out for unethical employees. I hope to shed some light on the strengths and weaknesses of a few significant ethical assumptions and arguments that I’ve found in industry literature.

Ethics is sometimes defined as critical reflection on moral beliefs, moral arguments, and personal character traits. We use the language of ethics to say whether an action or decision is right or wrong "all things considered," in judging ourselves and one another as compassionate, fair, greedy or cruel, and in evaluating the justice of laws and political systems.

The logic of moral argument itself takes different forms. Some arguments imply that the consequences of an action in terms of its benefits and harms ought to override other considerations in determining whether that action is right or wrong. Utilitarianism, which roughly speaking advocates the greatest good for the greatest number, is an ethical theory of this type. Other arguments suggest that the consequences of an action should not be the sole consideration, that telling the truth or keeping one’s promises should not be compromised by calculations of the sometimes unpleasant consequences of doing so.

We can see both types of moral logic coming into play in arguments about electronic transfers of personal data. Some people believe that nearly all types of personal information should not be transferred without the express consent of the "data subject." They are not swayed by arguments made by certain direct marketers, for instance, that an "opt-in" requirement of explicit consent would have the unpleasant consequences of increasing the amount of random junk mail that they receive and keeping them unaware of products that they would be likely to buy. Of course, not even the most entrepreneurial direct marketers publicly argue that all types of personal data should be bought and sold without restrictions. Only an unscrupulous hacker would advocate open season on medical records, for example.

One also occasionally sees a certain amount of hypocrisy and foolishness among consumers. People who want to enjoy the benefits of having a credit card, yet at the same time want to preserve absolutely the privacy of information about their income and assets, are deceiving themselves. They can’t have it both ways. Others who have engaged in fraud or who simply have poor spending habits and are then refused credit by a wary bank may be shocked to learn that their unsavory credit history is accessible to potential creditors.

Part of the difficulty in reaching consensus in this field, though, is that sensitivities vary among individuals and cultures. Some people don’t care whether information about their buying habits is easily accessible, while others feel deeply violated when they learn how that information can be obtained without their explicit consent. Europeans seem to be more sensitive in this area than Americans.

Perhaps if consumers were more informed about the likely uses of their personal data, as well as the controls in place to guard against improper transfers, they wouldn’t be as likely to push for stricter and more costly government regulations, or for a U.S. Data Protection Board to match those in Europe. A survey conducted for Equifax a few years ago seems to support this idea, in that when people were told about the benefits of data transfers, they became less nervous about their rights being violated.

I want to point out, though, a mistake that I believe U.S. industry has made in advocating its position. I’ll use by way of illustration the "Statement on the Protection of Personal Data" issued by the International Chamber of Commerce (printed in Transnational Data and Communications Report, January-February 1992, pp. 37-41).

The ICC statement affirms the importance of protecting the privacy of personal data about individual citizens, but also argues that "excessive restrictions on the collection or use of such data could deny individuals many of the advantages they have come to expect from an information society" (37). The ICC statement also points out how multinational corporations could be crippled by restrictions on legitimate transfers of employee or customer information across national borders (39). So far, so good.

But in the ICC’s critique of a 1990 directive proposed by the Commission of the European Community (a directive which I do not support, by the way), the ICC statement says that the EC directive fails "to adequately balance the interest of privacy with the interest in the free flow of information" (38). This is confused. Privacy is more than simply an interest, it is a right--not an absolute one, I think, but a right nonetheless which should not be infringed without strong justification. By contrast, a company’s interest in transfers of personal data cannot bear the same sort of moral weight. Companies do have rights to certain information about employees, customers and suppliers, but few if any companies have the right to unlimited information about them. They may well have an interest in that information, they may value that information very highly, but that doesn’t prove that their interest is legitimate or that their desire could ever override consideration of individuals’ right to privacy.

The weakness of the ICC’s approach is especially clear in regard to its discussion of opting in versus opting out. One of the reasons used by the ICC to argue against an opt-in requirement is this:

An express consent requirement would increase the cost of providing any service that involves the processing of data about multiple data subjects. These costs would be passed on to the consumer and could effectively price many useful services out of the marketplace. (40)

The problem with this argument is that it implies that a right is only a right so long as it isn’t expensive. What the ICC should have said is that either individuals in fact do not have a right of express consent to certain uses of their personal data (and why they don’t), or that another more important right exists to override it. Interests and values cannot trump rights.

By way of illustration, imagine that a terrible crime has been committed in a small community. The local sheriff has arrested someone as a suspect, and a large and menacing mob has gathered, calling for the suspect to be hanged immediately from the nearest tree. In this case it would be wrong to say that the sheriff is morally compelled to balance the right of the suspect to due process of law with the community’s interest or desire to rid itself of this alleged criminal. If due process is indeed a right, it cannot be overridden by expediency or calculations of wider benefits and harms.

I’d like to propose a long-term agenda for this industry in the realm of data privacy and security, an agenda that has both a substantive element and a procedural element.

The substantive ethical question that needs to be addressed is this: What uses of personal data ought to require the express consent of the data subject? This is not a question that can be answered once for all time, since advances in technology continually create new opportunities and new risks.

This leads me to the procedural element of my proposed agenda, namely, to foster and inform an ongoing public debate about the substantive question of express consent. One possible model for this sort of conversation is the recent effort undertaken in Oregon to set priorities in allocating scarce medical resources. Now, the controversy generated by the list of medical treatments that the state would fund or not fund suggests that the procedure by which the list was generated may not have been flawless. Nevertheless, I trust that it enabled Oregon citizens to be considerably better informed about their healthcare choices, and thus better equipped to deliberate about rights and fairness in that arena.

Similarly, the American public would be greatly served by a dialogue engendered by the data communications industry. Consumers are still largely ignorant about the ways in which their personal information is gathered, transferred and traded. This ignorance leads to three sorts of problems. First, consumers are more likely to provide information to unscrupulous people, unaware of how it can be abused. Second, consumers are susceptible to fear-mongers who portray the growth of electronic data transfers as wholly ominous. And third, consumers are unable to deliberate adequately about their preferences and their rights.

I commend EFTA for encouraging industry reflection on important ethical issues, and hope that EFTA will be able to play a key role in enhancing public awareness and informed discussion.

This article is copyright by David L. Perry.