Looi Teck Kheong considers privacy concerns in the present information age, where the existing technology enables personal information to be easily obtained, with or without one's consent and/or knowledge. The writer examines some vital areas lacking in legislative guidelines and takes a look at how the United States has attempted to regulate this area of personal information and privacy.
Unlike information relating to governmental matters which are expressly
protected from unauthorised disclosure under the Official Secrets Act,
information or private matters pertaining to individuals receives no such
blanket legislative protection in Singapore. There is also no common law
protection for torts of privacy in Singapore. Clerk & Lindsell on Torts
(17th ed) at page 19, para 1-23 states quite frankly:
It is trite law to restate that privacy remains an interest unprotected by the English law of Torts. However gross the invasion of the plaintiff's privacy, that violation of privacy is not itself a tort.
The position is, however, different from an English legislative viewpoint which protects privacy through the provisions of its Data Protection Act 1998. Likewise, many other Western countries have their own privacy legislation. These include Australia (Privacy Act 1988), Canada (Federal Privacy Act and Regulations), New Zealand (Privacy Act 1993), the United States (Privacy Act 1974) and several other European nations.
These laws allow an individual whose privacy rights are infringed to make a legal claim against anyone who publicly discloses private matters about the individual without his consent. The usual remedies available against such infringement would include lodging the necessary complaints to a relevant authority or to consider issuing injunctions to restrain such acts and to claim for a measure of damages for mental distress and other foreseeable damage.
What is Privacy?
According to Ronald Standler in his article 'Privacy Law in the USA' (http://www.rbs2.com/privacy.htm), privacy is defined as 'the expectation that confidential information disclosed in a private place will not be disclosed to third parties, when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities.'
In the US, the rising prominence of the right of privacy along with the advent of technology was recognised as early as 1928 in a landmark dissenting decision of Justice Louis Brandeis in Olmstead v United States (1928) 277 US 438, where he observed at pages 473-474 that:
Subtler and more far-reaching means of invading privacy have become available … Ways may some day be developed by which the Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home.
Although Justice Brandeis might then have spoken in the context of the Government with an Orwellian aura in mind, the present situation in the 21st Century has gone even further with technology being made accessible to private individuals. With the advent of the internet, sophisticated information retrieval and hacking software, miniature spying, eavesdropping and tapping devices and powerful broadcast ability, 'snooping activities' are no longer confined to public interest or politically motivated cases but also extended to purely day to day personal invasion of privacy, whether by employers, neighbours, colleagues, friends, etc.
In this regard, four invasion of privacy torts were formulated by Dean William L Prosser in the US in his article entitled 'Privacy' (1960) 48 Cal L Rev 383 and 'The Restatement (Second) of Torts' (1977) (SS652A-652I):
A person's privacy may be affected by the publication of personal information which was disclosed through online services to which he subscribed. Though many websites observe a strict privacy policy and will undertake not to disseminate personal information such as identity card numbers, credit card numbers, addresses, age, occupation, etc, to other third parties in commercial settings, there is no such prohibition or obligation for vendors here to observe such protocol.
In fact, have we not wondered how magazine publishers, bankers or investments companies (whether in cyberspace or in the traditional brick and mortar set-up) are able to obtain our addresses, telephone numbers, our spouses and children's names and their ages and occupations and even a tacit understanding of our (and our family's) reading habits and financial needs in their daily barrages of commercial and advertising blitzes to market their products and services?
Respect for Privacy in Singapore
To some extent, one may argue that anonymity in a variety of settings as imposed by the law in Singapore suggests that there is a fundamental respect for the individuals' right of privacy. For example, not all details of parties in certain court proceedings may be publicised in the media. This is true in the case of juvenile offences, where the identities of the offenders, by reason of their age, are not allowed to be disclosed in the local dailies. Likewise, identities of victims in molest and rape cases are also not revealed, including those of the perpetrators for fear that the disclosure will lead to the revelation of the victims' identities. Similarly, certain professional communications or records, such as that of the solicitor-client relationship and medical records of individuals, are mostly protected from disclosure unless public interest dictates that these be released.
However, in light of the growing dominance of technology in our lives, where eavesdropping and other snooping equipment are getting more sophisticated by the day, are the laws as they stand today sufficient to protect the privacy needs and rights of individuals here?
Protection of Privacy and Freedom of Speech
Whilst there may be many justifications for imposing privacy and freedom of speech protection, including the belief that a breach of privacy 'violates basic human rights, strips them of their dignity, causes serious emotional distress, interferes with their relations with family, friends, acquaintances, and business associates, and puts them at risk of crime', not everyone is of the view that informational privacy protection is necessarily good. For instance, Mr Eugene Volokh in his article entitled 'Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop People from Speaking about You' (2000) 52 Stanford L Rev 1094 (reproduced in full at http://www.law.ucla.edu/faculty/volokh/privacy.htm) argues against informational privacy protection, citing mainly that:
most of the justifications given for information privacy speech restraints are directly applicable to other speech control proposals that have already been suggested, and accepting these justifications in the attractive case of information privacy speech restrictions would create a powerful precedent for those other restraints.
Be it as it may, in practical circumstances, there are many instances in which the rules of conduct of the affected parties are still not adequately delineated by reason of an absence of legislative guidelines in this growing area.
Lack of Legislative Guidelines
Employers' monitoring of employees' email
For example, to what extent can an employer monitor the e-mail activities of his employees? There have been cases where employees have been dismissed or disciplined for having misused or abuse their e-mail accounts by indulging in non-business related activities. The recently publicised Claire Swire episode is a good example, where six Norton Rose lawyers almost lost their jobs when they mass-circulated a privately written e-mail sent by Ms Swire to her boyfriend (who could not resist forwarding it to his colleagues) on her fellatic experience with him. There was no doubt that much mental anguish was caused to Ms Swire and much embarrassment was suffered by the firm as the contents of the e-mail spread like wild fire globally, spurred by the instantaneous and mass electronic communication technology of today.
The real issue is whether any of Ms Swire's rights, particularly her privacy rights, were infringed; if so, does she have a cause of action against her boyfriend, the six colleagues and the firm for having infringed her rights? Another issue is whether there is ground for the firm to terminate the contract of employment or to discipline the lawyers involved? It also raises the issue as to the extent to which an employer should be monitoring the use of e-mail in the workplace, in order to protect its own interest, ie to avoid any legal suits that may be initiated against it should any offending e-mail emanate from its servers. The law, as it stands now, is such that employees have no claim against their employers if their e-mail is monitored or downloaded by their employers. This is a highly unsatisfactory state of affairs as unscrupulous employers can easily go on a witch hunt in acrimonious cases.
What would the victim in a 'Claire Swire' case in Singapore do if faced with such a situation? Apart from being a subject of public ridicule, there are no legal remedies available for such grievances. The rule seems to be (at least, at this point in time) is not to put into the e-mail system such private and salacious matters if one's privacy is to be protected. However, this misses the point - that e-mail technology is here to stay. It has tremendous potential as a form of fast and reliable communication. Surely, there must be some rules or laws to guide users on what is an acceptable and an unacceptable usage of the medium. Offending usage of e-mail should be clearly identified so that remedies or penalties, where applicable, should be made available to aggrieved parties or perpetrators of an offence. Otherwise, the scope for the usage of e-mail may be limited.
Obtaining personal information from children
The next example would be the communication of personal information, especially those of young children to commercial or kiddies' websites. Information that may identify the young child and locate where he or she stays, or his or her daily whereabouts, should be mandated to be released only on consent or notice being given to the parents that such information is being sought. As things stand, the law is silent on such requirements and there are no prohibitions against such internet vendors from sharing this information with other operators of websites, whether in the same business or not, be it in Singapore or elsewhere.
The fear, of course, is the exposure of young children to criminal elements lurking both in cyberspace and in the real physical world. Quite apart from commercial websites, even innocent chat relay sites such as the IRC, ICQ and the like, should attract some form of regulation in terms of control over what information young people can release to those they are chatting with. Informational law restraints on these areas will no doubt be helpful in stemming the current rising spate of internet related crimes being committed against young people.
In the US, the Data Privacy Act 1997 'requires the interactive computer service industry to develop guidelines as to how they will notify consumers before collecting any "personally identifiable information"'. These would include allowing consumers to 'track the transfer of their personal information to third parties' and 'to obtain the consent of consumers before disclosing that information'. Parental consent is also required under the Act before information of children may be obtained by such providers. However, due to technical constraints, it is conceivably difficult for websites to identify the age of their users. Accordingly, to effectively implement privacy laws in Singapore, both legislative and technical expertise will have to work together hand in hand before such laws can be meaningfully enforced.
Surreptitious collection of personal information
Thirdly, the Internet is able to collect information about its users even if no information is released by them voluntarily. According to Solveig Singleton in 'Privacy as Censorship - A Skeptical View of Proposal to Regulate Privacy in the Private Sector' (http://www.org/pubs/pas/pa-295.html), recent computer technology has enabled many sites to 'surreptitiously collect and keep information such as a visitor's e-mail address' and his surfing habits.
Such surfing habits may be culled from the usage of 'cookies', which is a piece of information which the website sends to one's browser when one accesses information at the website. Each time one accesses the same website, the cookie will relate information back to the website for collation and study by the website vendors. This information may be used to customise the webpage settings to tailor to the website surfer's preferences. The objection to such a marketing technique is that the consumer should have a right to know whether a cookie is being released into his browser. Although there are some software products such as Cookie Cutter, Cookie Crusher, Cookie Pal and Cookie Master available to reject or manage cookies for one's computer, the point remains that the consumers' computers' hard drives should not be invaded by these cookies without their prior consent. Privacy laws on these areas may be helpful to control the usage of such invasive marketing techniques.
Other areas of privacy concerns
There is a whole host of other areas in which privacy issues may arise as a result of the usage of the internet. Accessing web pages may leave trails of one's historical website visits to be tracked by others. This is because the Hyper Text Transfer Protocol (HTTP) technology which web pages and surfers use to communicate leaves trails such as the website addresses or Uniform Resource Locators (URLs) that will eventually lead one to the sites visited by surfers.
Privacy concerns also arise when one uses certain browsers which are not secure. For example, hackers can penetrate even standard browsers such as Netscape or Microsoft when surfers are using them. These bugs in the software are usually fixed as soon as they are aware of them. Likewise, the security of credit card information sent during internet commerce transactions are as good as the security system installed. Whilst the Secure Socket Layer (SSL) may provide some comfort that such information cannot be intercepted during transmission, there is no guarantee that the storage of such information by the vendors or e-commerce banks is equally secure and safe from hackers.
Finally, sophisticated and miniature eavesdropping, tapping and spycam equipment are now available in the private market. The issue here is what action can be taken by people whose privacy has been invaded, against those who invaded their privacy through the use of such equipment? Whilst there may be criminal sanctions for the use of such equipment in the event of outrage of modesty of the individual concerned, the fact remains that the loss of privacy goes uncompensated or redressed in the civil courts. This is truly a lacuna in the law.
The Need for Legislative Regulation
There is cogent justification for the legislation of privacy laws in Singapore, but what exactly needs to be legislated? What are the guidelines that will bring about good legislative provisions in the control of such matters in Singapore and what should be the dominant motivation? Some guidance may be found in the final version (6 June 1995) of the United States Privacy Working Group Paper entitled 'Privacy and the National Information Infrastructure*: Principles for Providing and Using Personal Information' (*A task force appointed by President Clinton to carve out the principles of fair practice of informational use), which is found at http://www.gseis.ucla.edu/iclp/niiprivp.htm. These principles relating to the fair practice of use of information are set out in their entirety below.
Arising from the adoption and incorporation of, inter alia, such governing principles, the US has seen a proliferation of legislation relating to privacy bills introduced in 1997 in the US Congress, such as the Consumer Internet Privacy Protection Act, the Fair Health Information Practices Act, the Children's Privacy Protection and the Parental Empowerment Act, the Personal Information Privacy Act, the Social Security On-Line Privacy Protection Act, the American Family Privacy Act, the Communications Privacy and Consumer Empowerment Act, the Federal Internet Privacy Protection Act and the Data Privacy Act.
Notwithstanding the numerous pieces of legislation, according to Susan E Gindin in her article entitled 'Lost and Found in Cyberspace: Informational Privacy in the Age of the Internet' in the San Diego Law Review (http://www.info-law.com/lost.html), '[t]he right to informational privacy is unsettled'. In her view, the US still requires a comprehensive Federal policy guaranteeing individual rights in this domain and such policy must provide:
an enforcement mechanism which would establish sanctions against violators and offer redress for aggrieved individuals. Most effective would be legislation providing a private right of action for aggrieved individuals along with the administrative enforcement powers of a government regulatory authority.
Conclusion
In the final analysis, in addition to legislative controls and the implementation of enforcement mechanisms, the end consumer must also shoulder responsibility in the usage of online services and the disclosure of their personal particulars. They should exercise caution and consider whether the sites or parties to whom they are revealing their information are reputed to abide by the privacy policy statement displayed on their web pages. This essentially means that public education would be another component in making the public aware of their rights and responsibilities in the effective use of online and internet services for the betterment of society.
Given the experience and the development of countries such as the US, it may well be time that Singapore should consider the imposition of privacy legislation to address the lacuna that presently exist in her laws in order to deal effectively with the various privacy issues, especially in relation to informational privacy, which will become more and more pressing as the entire island becomes wired up in every aspect of its public and private sectors.
Looi Teck Kheong
Edmond Pereira & Partners
| Principles for Providing and Using Personal Information by the US Information Infrastructure Task Force, Information Policy Committee, Privacy Working Group. | ||
| I IA |
Three Fundamental Principles Information Privacy Principle Personal information should be acquired, disclosed, and used only in ways that respect an individual's privacy. |
|
| IB | Information Integrity Principle Personal information should not be improperly altered or destroyed. |
|
| IC | Information Quality Principle Personal information should be accurate, timely, complete, and relevant for the purpose for which it is provided and used. |
|
| II IIA |
Principles for Users of Personal Information Acquisition Principles Information users should: |
|
| 1 | assess the impact on privacy in deciding whether to acquire, disclose, or use personal information; and | |
| 2 | acquire and keep only information reasonably expected to support current or planned activities. | |
| IIB | Notice Principle | |
| Information users who collect personal information directly from the individual should provide adequate, relevant information about: | ||
| 1 | why they are collecting the information; | |
| 2 | what the information is expected to be used for; | |
| 3 | what steps will be taken to protect its confidentiality, integrity, and quality; | |
| 4 | the consequences of providing or withholding information; and | |
| 5 | any rights of redress. | |
| IIC | Protection Principle | |
| Information users should use appropriate technical and managerial controls to protect the confidentiality and integrity of personal information. | ||
| IID | Fairness Principle | |
| Information users should not use personal information in ways that are incompatible with the individual's understanding of how it will be used unless there is a compelling public interest for such use. | ||
| IIE | Education Principle | |
| Information users should educate themselves and the public about how information privacy can be maintained. | ||
| III | Principles for Individuals who Provide Personal Information | |
| IIIA | Awareness Principle | |
| Individuals should obtain adequate, relevant information about: | ||
| 1 | why the information is being collected; | |
| 2 | what the information is expected to be used for; | |
| 3 | what steps will be taken to protect its confidentiality, integrity, and quality; | |
| 4 | the consequences of providing or withholding information; and | |
| 5 | any rights of redress. | |
| IIIB | Empowerment Principles | |
| Individuals should be able to safeguard their own privacy by having: | ||
| 1 | a means to obtain their personal information; | |
| 2 | a means to correct their personal information that lacks sufficient quality to ensure fairness in its use; | |
| 3 | the opportunity to use appropriate technical controls, such as encryption, to protect the confidentiality and integrity of communications and transactions; and | |
| 4 | the opportunity to remain anonymous when appropriate. | |
| IIIC | Redress Principle | |
| Individuals should, as appropriate, have a means of redress if harmed by an improper disclosure or use of personal information. | ||