Cutting the Gordian Knot of Privacy
BY MAJ. GEN. EARL D. MATTHEWS, USAF (RET.)

Whenever I am notified of yet another data breach, I typically receive a complimentary one-year enrollment in a credit monitoring service. Great, I think. Free is always best! However, the monitoring is truly of little consequence given that my personally identifiable information (PII) has slipped into cyber darkness once again. I feel a sense of disappointment as I think about how much the cyberspace landscape has changed over the last 40-plus years and how little our nation’s privacy laws have done to keep up with this.

The last sweeping privacy-related change in the United States was the passage of the Privacy Act of 1974. A lot has changed since the paper-based processes of the 1970s, and we need a serious debate about what constitutes privacy in the digital age.

As new privacy concerns have surfaced, U.S. legislators have responded with a piecemeal approach that has produced limited success. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 provides the first nationwide regulations for the use and disclosure of an individual’s health information, while the Gramm-Leach-Bliley Act (1999) protects an individual’s financial information, and the Children’s Online Privacy Protection Rule (1998) prohibits the online collection of personal information of children under age 13. Other sectors, such as retail, primarily are self-policing, with enforcement constrained to a comprehensive, overarching legal framework and the hodgepodge of privacy measures based on common-law tradition sets the United States apart from the rest of the

Consider the data privacy challenges we face today. This includes information derived from smart city technologies, or collected by personal assistants such as Amazon’s Alexa or Google’s Home, or from overprivileged applications on smartphones and data stored in the cloud. It seems that no one foresaw information privacy concerns stemming from this technology revolution whereby data is collected across the Internet of Things and amassed at an exponential rate.

Initially, the Privacy Act of 1974 set the standard for fair information practices, serving as a catalyst for legislation in Canada and Europe. But it only restricted what information the U.S. government could collect and did not apply to commercial entities. The way you know something is terribly wrong is when the government declares that opening someone else’s mail is a felony, but collecting data on your network activity is fair game.

Europe has leapfrogged the United States in this arena and leads the way in defining privacy laws. Last year, the European Parliament approved the General Data Protection Regulation (GDPR), which strengthens and unifies data protection laws for individuals within the European Union. Enforcement of the GDPR will begin in 2018, and organizations not in compliance will face heavy penalties, such as fines of up to 4 percent of annual gross revenue or 20 million euros, whichever is greater.
Some experts have declared that privacy in the digital realm is dead. I beg to differ. It might be in an evolutionary state, but privacy is unquestionably not dead. It is not mutually exclusive to either the private or public sector, to economic development or national security. Privacy remains a fundamental expectation for individuals. America’s expectation of privacy is a permanent challenge requiring national resolve and continued response.
It is helpful to view privacy concerns through the lens of a common taxonomy to advance the dialogue. Daniel Solove, a leading U.S. expert in cybersecurity and privacy law, posits four main categories of concern for consideration: information collection (surveillance, interrogation); information processing (aggregation, identification, use); information dissemination (disclosure, exposure, distortion); and invasion (intrusion, decisional interference).

Additionally, asking the right questions is perhaps the most important consideration to move the discussion forward. Why do people fail to read privacy policies? If they do read and understand them, then why do they often lack enough experience to make an informed choice? Why do privacy policies often serve more as a liability disclaimer for the government and industry than as a guarantee of privacy for citizens and consumers? Adopting transparent data privacy and protection policies that are brief, well-stated and clear-cut might be a good start to addressing these questions.
Clearly, the time has come to cut the Gordian knot of privacy as it relates to cybersecurity. To successfully protect America, its intellectual capital and its citizens, we must continue the thoughtful debate about privacy in the digital age.

Maj. Gen. Earl D. Matthews, USAF (Ret.), the former director of cyberspace operations in the Air Force’s Office of Information Dominance and Chief Information Officer, is vice president of Hewlett Packard Enterprise’s Enterprise Security Solutions Group for HPE Enterprise Services, U.S. Public Sector. The views expressed are his alone.