In any industrialized society, including the United States, one of the things that we take for granted is our common agreement about property rights.
It’s something we learn about when we’re little kids, when we take another child’s toy and Mommy says to us, “Give that back. It belongs to the other child.” We learn not to take other people’s stuff, just as we don’t want other people taking ours.
Then you go to college, where you have roommates, and the boundaries get fuzzy. One day you return from class to find your roommate is wearing your jacket. “Did you go into my closet and take my jacket?” you ask.
Your roommate shrugs. “Sure. I thought it was okay. After all, we’re roommates, right?”
You lament your lack of privacy.
Having survived the uncomfortably fluid definition of “personal property” in the college dorm, we grow up and are introduced to more complex versions of property ownership, such as the title to our car and the deed to our house. These legal documents prove that we own the thing described, and give us legal protection.
With proof of ownership of your home and its contents, you have the right to control entry of people who want to get in. If someone knocks on your door and wants to come inside, you can say “no.” If they persist, or try to break in, you can call the police. Your rights of ownership give you two important benefits: You can control your property as you see fit, and you can do what you want in your home without other people knowing.
This is your “right to privacy.” It’s granted to you even when you rent an apartment on a temporary basis, or stay in a hotel room. By taking your money and giving you control of the property, the owner grants you the right to exclusive possession in your unit, and your landlord must ensure you can peacefully enjoy your home, without interference and without surreptitious observation.
Your Data Isn’t Your Property—But That’s Changing
There are many ways that people can find out how you live your life.
While what you do within your home is protected by privacy laws and social conventions, the minute you step outside into a public area you lose your right to privacy. You don’t own the space around you. If you fall down on the sidewalk and break your leg, you cannot expect that event to remain private—especially if you’re a celebrity. If you talk to your lawyer in a public restaurant, within earshot of other patrons, you forfeit the right to attorney-client privilege.
Unfortunately, the same conventions have applied to your personal health data. While your doctor is bound by patient confidentiality laws, those laws apply only to interactions between you and your doctor in a private setting. Any information that is delivered to a third party—the hospital, an insurance company, a drug company—enters a twilight zone of ownership. Your personal data—the diseases you’ve had, the drugs you’ve been prescribed, even your genetic information—in a very real sense leaves the four walls of your house and enters the public space outside.
It’s as if you’ve put your private papers in a box on the sidewalk. If they’re on the sidewalk, a public space, then you no longer control them. Any garbage picker can take that box and claim possession of its contents.
You can choose to put your box of personal information out on the sidewalk. You can also choose to keep it inside your house, or destroy it. This is because it’s your property.
Unfortunately, our current laws too often fail to specifically define your health data as your property. Once you interact with a health care provider, the resulting data actually becomes their property. Your insurance company, your hospital, your genetics testing agency can all claim that the data belongs to them. They can even sell it to other third parties. Most sellers claim that information that could identify you as the source of the data is scrubbed out, but you don’t know that for a fact.
Most U.S. health care providers must follow the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, a federal law that sets a baseline of protection for certain individually identifiable health information. But the Privacy Rule does not necessarily require covered health care providers to give patients the choice as to whether their health information may be disclosed to others. There are many ways to work around it.
The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018, requiring companies to gain affirmative consent for any data collected from people who reside in Europe. GDPR is much more stringent than HIPAA, as it broadens the definition of personal data and covers any information associated with an “identified or identifiable natural person,” including computer IP addresses, photos, and credit card data.
The strengthening of personal data laws, and the emergence of mechanisms for individuals to assert their rights of property ownership, will go a long way towards closing a big loophole in your personal privacy, and help you keep your private information out of the public space.