I am reproducing here my comment on Daniel Solove’s post in Concurring Opinions
Thanks Dan for your great post and this online symposium.
I am modestly adding my personal view, about which I have been thinking for some time.
In terms of data flow, the closest analogy to my mind is the automobile. Obviously, driving has advantages and inconveniences.
We have driving ‘codes’ and security measures. There are accidents, there are fines, and there are insurance companies to compensate damages.
From a European perspective, in some countries like France car insurance is compulsory.
Privacy is recognized as a Fundamental Right, also protected by Article 8 of the European Convention on Human Rights.
The ease of broadcasting, collecting and creating databases has brought a rise in issues with available data traffic.
The number of incidents where a breach of privacy has caused harm should, in my view, encourage us to think of a code of practice for digital data traffic.
I have in mind the case of the lady who sued the phone company she held responsible for her broken marriage, as they passed on to her husband the log of her ‘private’ conversations with her lover. http://www.telegraph.co.uk/news/worldnews/northamerica/canada/7738371/Woman-to-sue-phone-company-after-husband-discovered-affair-through-bill.html
Or the case of medical information leaked either to deny compensation or to reveal medical information about Michael Jackson (UCLA hospital fined over privacy breaches that sources say involve Michael Jackson’s records). http://www.pearltrees.com/#/N-s=1_839086&N-f=1_839086&N-play=1&N-u=1_72898&N-p=6513517
How many laptops or USB drives with confidential data have been lost? http://blog.dataleakprevention.eu/
According to a recent study by the Ponemon Institute, the ‘actual breach incidents worldwide last year’ cost an average of $3.43 million for the organization.
These incidents of breach of privacy have all caused harm of various degrees.
Coming back to the initial analogy, my suggestion is to evaluate the data subject’s rights of compensation according to the harm suffered and the attitude towards the risk.
– data can be collected with or without the consent, or even the knowledge, of the data subject;
– the data subject would have suffered an immediate or potential harm;
– negligence by the data collector/processor in securing data can aggravate their liability and therefore subject them to higher compensation.
These are some elements to measure the degree of liability.
The EU reform of the Data Protection Act is considering creating a harmonized data breach penalty and an obligation of notification.
I am wondering if, very similarly to the driving code, a data handling code could not create a set of rules and a grid of liability to compensate the harm and prejudice suffered by a data subject for intrusion into their privacy or more.
Based on this, a fine could be imposed in case of non-compliance with the principles of security for data handling, in combination with individual compensation guaranteed by an insurance fund policy.