The first category consists of PETs that require active implementation by a data controller. Given that the legal framework is focused on the roles and obligations of data controllers, this Article categorizes PETs depending on the degree of data controller involvement.
This Article asserts that policymakers should recognize and expand by appropriate regulatory measures the role of technologies that enable individuals to enforce their right to privacy as freedom from surveillance. Proponents of this view point-out that after disclosure, it is almost impossible to control how personal information is used, concluding that PETs should limit information disclosure. Under this approach, information disclosed to a data controller is compromised and can no longer be viewed as private. In fact, the technological community researching PETs departs from a diametrically opposed perception of a data controller, that of an adversary. The notion of the data controller as a trusted party is ill at ease with the anti-surveillance gist of constitutional privacy and PETs. Over the past two decades, the information privacy framework has shifted to imposing information stewardship (“accountability”) obligations on data controllers, who act as custodians of personal data. This Article shows that while PETs are aligned with the objectives of the constitutional framework, they are not in tune with all of the assumptions, principles and goals of the information privacy framework.
They are based on three common objectives: eliminating the single point of failure inherent in any trusted data controller, minimizing data collection, and subjecting system protocols to community based public scrutiny. PETs allow individuals to determine what information they disclose and to whom, so that only information they explicitly share is available to intended recipients.
In this Article, it is restricted to technologies specifically aimed at enabling individuals to engage in activities free from surveillance and interference. The term “PETs” has been used loosely to describe a broad range of privacy technologies. Conversely, if the law continues on its current trajectory, emphasizing organizational accountability and marginalizing data minimization and transparency, PETs would become unviable and individuals subject to increasingly stifling digital oversight. It argues that by embracing PETs, information privacy law can recalibrate to better protect individuals from surveillance and unwanted intrusions into their private lives. This Article demonstrates that an analysis of the assumptions and principles underlining privacy enhancing technologies (PETs) highlights the gap between the constitutional and information privacy frameworks. Indeed, such organizations are assumed by law to be trusted entities acting as stewards of individuals’ rights, essentially “information fiduciaries.” Yet unlike the constitutional framework, information privacy law provides little protection against the risk of surveillance by either governments or private sector entities. Over the past forty years, an additional legal framework has emerged to protect information privacy. It is based on suspicion of power and distrust in the state, which can unleash ominous intrusions into the private sphere to crush dissent and stifle democratic discourse and free speech. Constitutional privacy law in Europe and the United States establishes the right to privacy as freedom from government surveillance.