We went to hear an interesting talk by Dutch investigative journalist Brenno de Winter on privacy and related issues this weekend. It is part of a series of privacy related talks and workshops held in our town in this and coming weeks.

To me, as I blogged in 2006 after that year’s Reboot Conference privacy is a gift by the commons to the individual, and not so much an intrinsic individual thing. It allows the individual to be part of the commons, to act in the public sphere. It also means to me that privacy is part of what makes the commons work: withouth a certain expectation of privacy no-one can participate in the commons, resulting in the absence of commons.

privacy in public
Privacy in Public, photo by Susan Sermoneta, CC-BY

That doesn’t mean privacy can do without protection. The commons collapses easily, especially when your information is disconnected from your physical presence, as is usually the case in our digital age. Where the commons collapses, because i.e. the social distance increases, or contexts change or fully drop away, there rules and instruments are needed.

In that light Brenno shared a few notions I wanted to capture and put in this context of the commons:

  • The “If you have nothing to hide, why bother?” argument introduces a false dilemma. It puts the onus on the individual who seeks privacy, and not on whether the other entity complies with existing privacy rules and laws (=a responsible member of the commons). It may also well be what is ok now, will carry dire consequences in the future (e.g. homophobia in Uganda) when the character of the commons changes especially radically.
  • In the Netherlands there are no consequences for disregarding privacy rules around data inside a data-using entity (e.g. staff nosing around in data they have nothing to do with, like doctors looking up medical files from famous patients they are not treating themselves). Others can act as if outside the commons without social scrutiny.
  • Whenever there is a data security breach the data holder is generally portrayed as the victim, and not the people who’s personal data it is, or who are described by the data and who’s expectation of privacy in the commons got damaged. (as well as disregarding the fact that in the EU my personal data at company x is my data.)
  • The Dutch privacy watchdog CBP has 86 staff, compared to 1 million companies and government branches they need to watch. The watch dog has no teeth. The commons is mostly undefended.
  • Privacy has weak anchors in Dutch law. The commons is mostly undefended.
  • Why are there no (routine) impact assesments of measures that erode privacy in the name of security? If erosion of privacy is to be tolerated, the damage it constitutes to the commons needs to be not just balanced but surpassed by the benefits to the commons on other aspects.
  • All of these points are relevant to the question of how to maintain or extend the commons with rules and instruments, so that the gift of privacy can be given. By making sure the ‘infringing’ party is under similar social pressures to behave. By making sure we maintain a realistic balance when privacy needs to be temporarily eroded for the sake of the commons (that is the source of privacy).

    When privacy breaks down also the commons itself breaks down, as privacy is the pathway and the trust base for taking part in the public sphere.

    3 reactions on “On Privacy and the Commons

    1. Nice blog however one aspect that is not mentioned is that in my personal opinion (not that of my employer 🙂 current privacy law is flawed. The principles are good however the laws and rules implemented are ineffective and not always working (as we can all see). The concepts in law of regulation about data do not fit with the reality and diversity of data, an author of an OESO paper formulated it nicely,
      “In summary, the growing proportion of observed and inferred data challenges the concept that
      the nexus for governance is collection and the assumption that awareness goes naturally with

      • Thanks for that link Erik! Indeed, as mentioned in the post Dutch privacy is weakly anchored in law. The inferred data challenges are not addressed at all as you quote. Also the assumption that awareness comes with collection is indeed flawed. Currently we treat both openess and privacy as something to fix / address at the end of an information gathering process (e.g. when someone asks for the data under FOIA, or uses the data inappropiately) It’s a stopgap at the end, instead of designing for both openess and privacy right from the start (in our processes, our IT architecture, our data structures and data fields).

    Comments are closed.