On-line Privacy : behaviour , paradox and the law ”

Privacy is historically not a well-protected or well-recognised concept in English law2. However, with the passing of The Human Rights Act 1998 (HRA), which effectively incorporated the 1950 European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) into UK law, our citizens are entitled to have their rights enforced and protected to the degree that the Act allows. As Warby et al rightly articulate, the significance of this development should not be underestimated3: following the HRA, domestic courts are required to mediate between one party’s right to respect for privacy4 under Article 8 and another party’s right to freedom of expression under Article 10. Accordingly, the balancing of Articles 8 and 10 has become an integral part of the “misuse of private information” construct, which requires consideration, firstly, of whether the claimant has a reasonable expectation of privacy in respect of the subject-matter in question, having regard to Article 8; and, secondly, whether the balancing of Articles 8 and 10 come down in favour of protection of this privacy or in favour of publication of the information?5 As the legal environment attests, the law in this area has developed in a largely sporadic fashion6 and, although there have been considerable developments, doctrinal uncertainties remain7. Technological advancement has complicated the issue because of the perception that it is now “either impossible or extremely costly for individuals to protect the same level of privacy that was once enjoyed”8. Wacks has noted that “Hardly a day passes without yet another onslaught on our privacy. Most conspicuous, of course, is the susceptibility of personal information online to myriad forms of abuse9. It is, indeed, well known that, since individuals increasingly use the internet to communicate


Introduction
Privacy is historically not a well-protected or well-recognised concept in English law2 .However, with the passing of The Human Rights Act 1998 (HRA), which effectively incorporated the 1950 European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) into UK law, our citizens are entitled to have their rights enforced and protected to the degree that the Act allows.As Warby et al rightly articulate, the significance of this development should not be underestimated3 : following the HRA, domestic courts are required to mediate between one party's right to respect for privacy 4 under Article 8 and another party's right to freedom of expression under Article 10.Accordingly, the balancing of Articles 8 and 10 has become an integral part of the "misuse of private information" construct, which requires consideration, firstly, of whether the claimant has a reasonable expectation of privacy in respect of the subject-matter in question, having regard to Article 8; and, secondly, whether the balancing of Articles 8 and 10 come down in favour of protection of this privacy or in favour of publication of the information? 5As the legal environment attests, the law in this area has developed in a largely sporadic fashion 6 and, although there have been considerable developments, doctrinal uncertainties remain 7 .Technological advancement has complicated the issue because of the perception that it is now "either impossible or extremely costly for individuals to protect the same level of privacy that was once enjoyed" 8 .Wacks has noted that "Hardly a day passes without yet another onslaught on our privacy.Most conspicuous, of course, is the susceptibility of personal information online to myriad forms of abuse 9 .It is, indeed, well known that, since individuals increasingly use the internet to communicate private information, the issue of privacy is bound to become more acute as this type of communicating continues to expand10 , not least because "privacy is not a simple matter, especially online privacy…" 11 Despite this, whilst recognising "that the enforcement of law and regulation online is problematic", in his report on the ethics of the press, Lord Justice Leveson shied away from deliberating on such issues, limiting only a handful of the report's 2000 pages to this topic 12 .The relationship, then, between privacy concerns, privacy behaviours and legal regulation is, therefore, a complex one.This paper attempts to unravel the relationship 13 .It is premised on the belief that online privacy has increased in importance because online communicating has become a social norm that requires not to be ignored.It therefore argues that privacy is intrinsically shaped by new communications media and the framework that seeks to protect it must appreciate the pervasiveness and very mechanics of online communications.In pursuit of its aims, this paper applies behavioural analysis in order to understand why people regularly overshare online and evaluates whether, since individuals continue to disclose and trade private information online, the concept of privacy has become superfluous.Accordingly, the "privacy paradox" is reasoned and a future privacy path, which allows for the award of a range of mandated discursive remedies, is explored.

Behavioural analysis
Nissenbaum suggests that online postings have come to be viewed by vast numbers of internet users as "mutual proxies for personal diaries" 14 and it is certainly the case that the internet is an attractive medium on which to communicate even the most private of information 15 .Users therefore regularly broadcast the minutiae of their lives and share it in blogs, status updates, tweets and the like 16 .Analysis of the behavioural aspects behind this trend are useful for two reasons -firstly because this informs debate about how we, as individuals, control the gathering and disclosure of our personal information 17 and secondly for demonstrating the ways in which the very dynamics and pervasiveness of new communications media have impacted the privacy landscape.This latter issue forms the context in which the subsequent section on "privacy paradox" is located.
In relation to the first point, one of the most advocated reasons as to why individuals may be agreeable to revealing information online is that users do not fully appreciate the consequences of their postings nor the size of the audience accessing their content 18 .This is tied in with the erroneous presumption that online behaviour, since it is among digital "friends", is private 19 .Hence, the sense of intimacy created by the very mechanics of online forums often leads to an over-sharing of information 20 .Ellison et al argue that the main purpose of participating in social networks is the exchange of highly personal information and the maintenance and expansion of one's social relationships and that it is in fulfilment of these continued connections that individuals are prepared to trade private information online in return for something else of equal or better value 21 .The popularity of online communicating can, therefore, in part be attributed to a variety of beneficial outcomes associated with one's social capital 22 .As Sellars argues, examples include a user allowing hundreds of potential online strangers to view a social networking profile in exchange for a glimpse of another users' holiday photographs, with the result that "there is an increasing trend for privacy to be viewed as a bargaining chip rather than as a brick wall around your private life" 23 .In online forums, users actively disclose information because it is often regarded as being akin to currency and hence is readily traded in exchange for the latest technological service 24 .
Whatever the impetus behind this gathering trend, it is clear that vast amounts of private information, about self and others, are, therefore, being accumulated in online forums and particularly on Social Networking Sites (SNSs).Since these are effectively public spaces, "much like the public road" 25 , this over-sharing makes it increasingly difficult for individuals to exert control over the gathering and disclosure of their personal information online once they have posted it.This has led to a number of high profile court cases.By way of example, in the Applause Stores 26 case, a user was ordered to pay damages for misuse of private information and libel following the creation of a false profile of the claimant on Facebook.Similarly, in Contostavlos v Mendahun 27 , which also involved misuse of private information, the claimant obtained an interim injunction to prevent the publication of a "sex tape" which had become available on the internet.The growing body of case law confirms that the increasing usage of social media to disclose personal information has implications for the privacy of the person(s) to whom the material relates28 .Wacks, moreover, asserts that recent advances in the power of computers have been decried as the nemesis of whatever vestiges of our privacy still survive 29 .This begs a subsequent analysis of whether, since it has become a social norm to post private information online, the concept of privacy has become superfluous and this issue is addressed below.

Privacy Paradox
Coined by Barnes, in 2006 30 , the "privacy paradox" describes the relationship between individuals' intentions to disclose personal information and their actual personal information disclosure behaviours 31 and illustrates that, despite expressing a concern about privacy, people often do very little to protect themselves.Such people, particularly in the context of online communications, appear to want and value privacy, yet simultaneously appear not to value or want it at all 32 .The paradox therefore affirms that privacy concerns do not sufficiently explain privacy behaviours in this forum 33 .The paradox has been welldocumented in literature, with "researchers consistently finding a contradiction between the privacy concerns that users express and their disclosure of personal information on SNSs" 34 .Based on their empirical evidence 35 , Dienlin and Trepte recently sought to evaluate whether the privacy paradox is now a relic of the past or whether it still exists 36 .Their conclusion is that the behaviours of SNS users are not as paradoxical as was once believed.However, the hypothesis remains relevant as long as both privacy concerns and privacy attitudes in relation to it are considered.In essence, then, the culture, custom and practice of users and their online behaviours should be included when evaluating the longevity of the paradox.
Scholars have long-argued that technological advancement has made it either impossible or extremely costly for individuals to protect the same level of privacy that was once enjoyed 37 and that, in an age of digital media, we do not really have any privacy.Sellars, for example, has doubted whether a value of online privacy exists at all given the propensity for privacy rights to be habitually traded 38 .Edwards, too, has posited that technology represents the most serious current threat to privacy 39 and that it is declining in significance 40 .Certainly, it may be argued that the trading of privacy rights by one individual will have consequences for all users since if one individual waives his or her rights, the level of privacy for all individuals ultimately decreases 41 .This is because, as Westin articulates, "self-invasion" from "those who tell all" prompts others to "ask all" 42 .However, that many users willingly post private information or are prepared to trade it by signing up to the latest online service is not the same as saying that they do not care about privacy or that privacy is any less important in this forum than it is offline.What it does suggest is that individuals need to work harder to retain their privacy and that privacy may not have a uniform value but, instead, reflects subjective societal sensitivities and perceptions, whichties in with Dienlin and Trepte's recent findings.Accordingly, it may be argued that, as a consequence of the fact that privacy is constantly being chipped away at online, and is therefore harder to protect, individuals appreciate it more.On this argument, individuals are becoming more aware of their privacy, and its value, than they used to be 43 .
The legal framework that seeks to protect privacy must, therefore, be fit for purpose in a technological age, being able, for example, to adequately process try to accommodate the types of communication that are often prevalent online.Of particular concern is posted trivia because there are arguably specific problems with demarcating this type of information for misuse of private information purposes, which emphasises reasonable expectations of privacy.In respect of trivial information, this might represent material over which a claimant could have a reasonable expectation of privacy.In Axel Springer AG v Germany 44 , the Grand Chamber determined that the concept of private life was a broad term not susceptible to exhaustive definition, covering the physical and psychological integrity of a person and could "therefore embrace multiple aspects of a person's identity, such as gender identification and sexual orientation, name or elements relating to a person's right to their image" 45 and there is evidence to suggest that domestic courts have taken a lax approach to the protection of what might be construed as "trivial information".For example, in Applause Stores, a person's date of birth represented a matter over which a claimant was found to have a reasonable expectation of privacy 46 .However, this approach to analysing information of a trivial nature is arguably overly broad and, hence, flawed 47 .
Accordingly, what follows is a suggestion as to how a claimant might achieve vindication following a privacy violation without access to the courts.

Discursive remedies
In awarding damages for misuse of private information, our domestic courts have placed emphasis on the objective severity of the privacy violation suffered by the claimant in this area 48 .Monetary awards have been typified by non-pecuniary losses by way of injury to feelings and mental distress 49 and there is an observed absence of claims for pecuniary losses 50 .In his determination, Eady J identified that, as with other awards of damages, those in respect of privacy violation require to be proportionate to the harm done and must not be arbitrary 51 .Thus, in Mosley, Eady J's reasoning suggests that quantification should be on the basis of selecting an amount "which marks the fact that an unlawful intrusion has taken place while affording some degree of solatium to the injured party.That is all that can be done in circumstances where the traditional object of restitutio is not available.At the same time, the figure selected should not be such that it could be interpreted as minimising the scale of the wrong done or the damage it has caused" 52 .Eady J himself emphasised the unsatisfactory level of the amount awarded, opining that "no amount of damages can fully compensate the Claimant for the damage done.He is hardly exaggerating when he says that his life was ruined.What can be achieved by a monetary award in the circumstances is limited" 53 .Gavison has commented that "For the genuine victim of a loss of privacy, damages and even injunctions are remedies of despair.A broken relationship, ... acute feelings of shame and degradation, cannot be undone through money damages.The only benefit may be a sense of vindication, and not all victims of invasions of privacy feel sufficiently strongly to seek such redress" 54 .This observation is particularly pertinent when what is being complained of is relatively trivial, though personal, information (and it should be borne in mind that what may be trivia to one person is another person's important information 55 ).Given the relative ease with which users are able to post this type of information about themselves, and others, online, it is arguable that, in the interests of the latter individuals, we require a quick process that would give a degree of vindication without having to go through the courts.My proposal is that a distinct range of mandated discursive remedies, such as corrections, retractions, and rights of reply published with due prominence, could be the answer here.This builds on a stance adopted by Mullis and Scott 56 , who posit that the law in relation to defamation (as opposed to privacy) would be enhanced by their utilisation.Such remedies are not unknown in defamation law, being available under Section 9 of the Defamation Act 1996 on the summary disposal of a claim under Section 8 57 .Pursuant to Section 9(1), a claimant may obtain such of the following as may be appropriate: (a) a declaration that the statement of which he complains was false and defamatory; (b) an order that the defendant publish or cause to be published a suitable correction and apology; (c) damages not exceeding £10,000; and (d) an order restraining the defendant from publishing or further publishing the matter complained of 58 .
However, the Defamation Act 2013 has not progressed discursive remedies further.Mullis and Scott lament this by observing that, despite the aptitude of discursive remedies in the context of online communications, the current defamation legislation shows a parliamentary failing "to … highlight that the veracity of even highly defamatory internet articles and postings had been contested" 59 .
Given that much of the content of online postings can be of a trivial nature and such postings may often include a defamatory element 60 , there is arguably a case for evaluating whether a part could to be played by such remedies in respect of online privacy violation.To an extent, this is already allowed for.Discursive remedies in the form of an apology are allowed for under Clause 1(ii) of The Independent Press Standards Organisation (IPSO) Editors' Code and IPSO has power to direct the prominence of a correction in respect of inaccurate information.IPSO, for example, recently forced The Times newspaper to publish a reference to a correction on its front page 61 .However, privacy scholars have not traditionally incorporated discursive remedies within future visions of domestic privacy protection -Raymond Wacks, for example, asserts that court-ordered apologies should be disregarded when evaluating privacy protection going forward, although there is little explanation as to why this should be the case 62 .
Whilst it is to be acknowledged that there are problems with finding a fit for discursive remedies in relation to privacy violation (see below), certain opportunities do present themselves.For example, given that the award of a discursive remedy would ensure that the public was aware of the errors contained in a publication 63 , it is straightforward to argue that such remedies might have particular application in instances where the private information revealed in a post is partly untrue.Not only would this not defeat the claim being heard in respect of privacy violation 64 , but, in those instances where the essence of a privacy violation claim is to set a false record straight, a discursive remedy, such as an apology or retraction posted with due prominence by the online service provider, might achieve the type of vindication that Gavison refers to above.
However, whilst such a resolution might satisfy those who have been the victims of inaccuracy, it cannot make private information private once again.This is because "[o]nce a private fact has been made public it is difficult for further action by the defendant to mitigate the damage caused to the claimant by the disclosure.Although contrition by a defendant may reduce the hurt to the claimant's feelings to some degree, an apology for the publication of the private information is not the same as an apology for a libel.Depending on the circumstances, an apology in the former case may be incapable of providing anything approaching the consolation that an apology and retraction would afford in the case of a libel.A reputation can be vindicated, but once a private fact is known it cannot be removed from the public domain by further publication… Gratuitous further reference to the disclosures might even make matters worse". 65In defamation, where the contested information is proven to be false, a claimant may receive vindication following a public declaration of the falsity of the information.Vindication may be achieved in such circumstances by challenging a falsehood without demanding damages 66 .In 2008, for example, author Salman Rushdie won a libel case in respect of various allegations but decided not to claim damages, content with a declaration of falsity 67 .Since the essence of a libel claim is that the allegations were untrue, the authoritative finding by a court of their falsity largely restores a damaged reputation 68 (although others might find damages more attractive).
Ultimately, it is in respect of truthful private information that it is to be acknowledged that there are fundamental problems with extending Mullis and Scott's hypothesis.Whilst a retraction or withdrawal might be available in respect of such information, the discerning reader would be likely to notice the absence of a declaration that the information was untrue and this would invariably lead to conclusions being drawn relating to the truth of the observation.However, this shortcoming may be addressed in the actual structuring of the remedy itself.For example, one might envisage a stripped down procedure in which the remedy available was a discursive one, such as a statement of retraction that was required to be put up by the online service provider.This could automatically appear following a search of the prohibited material and might be a statement such as "Material has been removed from this page because it violated the law", with an appropriate apology, but without the option of obtaining a declaration of falsity.Under such an approach, it is conceivable that a claim in privacy violation could be heard, not by a court, but, instead, by an authorised body or ombudsman.For a claim to be made, the claimant would need to prove that the private information complained of had been communicated, but the claimant would not be allowed to prove that the information was false.The remedy would lie solely in the securing of a statement of retraction with an appropriate apology.Since there would be no other remedy available, this would overcome any concern that the absence of an admission that the information was false would be interpreted as confirmation that it was true: the absence of such a statement would be simply a consequence of the fact that it was not available under the streamlined action 69 .
In conclusion, therefore, there is merit in further exploring the part that could be played by discursive remedies in the future protection of privacy.It is notable, for example, that, in the Applause Stores case, the court recognised that "[H]ad the defendant apologised at an early stage, [the claimant] would have accepted that apology and avoided going through the stress and expense of litigation" 70 .Accordingly, such remedies, particularly in their streamlined form and in relation to trivial material, could be a broadly effective measure in the armoury of privacy protection without requiring a determination by a court.Given the increased emphasis placed on privacy in a technological age, the inclusion of streamlined discursive remedies adds value to an already hotly contested debate. 69The landscape is also complicated by the recent EU Court of Justice ruling in Case C-131/12 Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD) (OJ C 212/4, 13 May 2014) that there exists a 'right to be forgotten' which enables individuals to compel search engine operators to ensure certain data are not shown in search results made using that individual's name.See , further, González Fuster, G, "Fighting For Your Right to What Exactly?The Convoluted Case Law of the EU Court of Justice on Privacy and/or Personal Data Protection" Birkbeck Law Review 2014 2(2) 70 Applause Store Productions Limited, Matthew Firsht v Grant Raphael [2008] EWHC 1781 (QB), [2008] Info.TLR 318 [69].