Aquinas taught that the law must use “force and fear” to restrain the “depraved” and cause those unmoved by words to “desist from evil-doing” and embrace virtue. Yet, the law often depends on virtue to succeed, especially where the law can be easily manipulated or circumvented. Privacy is one such area, particularly when it comes to AI.
In the UK, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) regulate the collection and use of personal data through a regime overseen by the UK’s information commissioner (ICO). There are many other laws relevant to AI and privacy.
On 30 July 2020, the ICO published guidance on best practices for data protection-compliant AI, and on 12 May 2022 launched a toolkit to provide practical support to organisations auditing the compliance of their AI systems. It calls on companies who use AI to process data transparently and in accordance with the expectations of data subjects. The ICO urges organisations to “ensure that consent is freely given, specific, informed and unambiguous, and involves a clear affirmative act on the part of the individuals.” In November 2022, the ICO released further guidance on how organisations can use AI and personal data in accordance with the UK’s data privacy regime.
The difficulty with consent is that users do not tend to read privacy notices, and often do not understand the technology or how their information can be used when aggregated with other data. Many also consent because they feel they need the technology or because they see no point in withholding consent because the battle for data protection has already been lost. These factors now shape our expectations. Yet allowing our data to be mined with impunity has profound impacts on how we make decisions and are treated as human beings.
The most recent ICO guidance acknowledges the difficulties of explaining AI to people, and offers guidance to overcome them, with the assistance of the Alan Turing Institute. Other recommendations include limiting data collection to what is necessary, addressing bias and discrimination at an early stage, and using humans to review AI outcomes. It remains to be seen how widely these guidelines will be adopted.
In addition to issues of transparency and consent, laws relating to data and privacy have few hard edges and often involve a difficult balancing exercise. Take the tort of the misuse of private information under English law. This covers the actual misuse of private information and intrusion into an individual’s privacy. The law has relevance to AI surveillance and online dissemination.
The basis for the tort in England is the Human Rights Act 1998 (HRA), which incorporates the European Convention on Human Rights into English law. The HRA enshrines the right to privacy (Article 8), but this is subject to exceptions aimed at preserving democracy. The right to privacy also needs to be balanced against the right to free expression, which itself is subject to exceptions (Article 10). Moreover, for a court to determine whether information is private in any given context, it will need to consider the reasonable expectations of the data subject having regard to factors such as the nature and content of the information obtained, how it was obtained, and the purpose of the intrusion.
The balancing of interests in this way is hard to legislate for and raises issues of values and morality. Peoples’ expectations, for example, vary, and sometimes what we expect is not what we ought to expect. To create a society where privacy is adequately protected requires its members not only to be law abiding, but to have an ethical perspective. Such perspective will be shaped by the values and traditions that find voice in any given society.
Judaism is greatly exercised by privacy and related ideas. The Hebrew Bible, for example, takes a firm line against gossip: “Do not go about as a talebearer among your people” (Leviticus 19:16). The principle has been applied to spying on others, including online, regardless of the target audience.
The Talmud further recognises a tort called Hezek Reiyah (damage by sight). The law developed from discussions about partners who share a courtyard or garden. If they agree to divide the property, they are required to build a wall to prevent one neighbour looking in on the other. The Talmud also forbids the building of houses that have windows that open towards a neighbour’s house.
The medieval commentator, Rabbi Shlomo Yitzchaki (Rashi) (1040-1105) explains that protecting privacy is a matter of protecting the rightful use of one’s property. People should be entitled to act in their homes out of the sight of others. Moses ben Nachman (Nachmanides) (1194-1270) associates Hezek Reiyah with the traditional concepts of modesty (zniut), avoiding jealousy (or the evil eye) (ayin hara), and gossip (rechilut).
The Talmud itself gives the biblical source for these laws as the statement of Balaam, the diviner, called upon by the King of Moab to curse the Israelites. His curse, however, emerged as a blessing. One such blessing was the declaration “How goodly are your tents O Jacob”, which the Rabbis saw as a reference to the fact that the Israelite tents did not face one another so that each family could preserve its privacy (Numbers 24:5; See also Numbers 24:2).
The above principles led to an expansion of privacy laws into other areas. In the thirteenth century, for example, Rabbi Meir of Rothenburg (Maharam) ruled that it was forbidden for people to read the post of another.
Laws like these cannot be easily transposed for modern society, but they are important because they reflect values which are often lost in the application of secular law. As Kenneth Bamberger and Ariel Evan Mayse have shown in a recent paper, Jewish law among other things operates on the supposition of mutual duties as opposed to individual rights, and is underpinned by the idea of individual dignity. The effect of these ideas is to impose a duty on each person in society to act to guard the dignity of another. The sense is that not everything that is accessible should be accessed, and not everything said in public should be disseminated.
Theology also provides depth to the practice of law. Much of the Jewish philosophical and mystical tradition describes God as hidden. The Zohar, the most important work of Kabbalah (Jewish mysticism), describes the world as being unable to contain the Torah (associated with divinity). By necessity, therefore the Torah is garbed, but not with just one garment but many.
The Zohar writes: “People without understanding see only the narratives, the garment. Those with somewhat more insight see also the body . But the truly wise … pierce all the way through to the soul, to the true Torah which is the root principle of all. These same will in the future merit to see into the very soul of the soul of the Torah.”
Rabbi Nachman of Bratslav (1772-1810), a Hasidic master, takes up a similar theme when he describes God’s concealment as taking two forms; the form of a single concealment and “a concealment within a concealment.” In the case of a single concealment, a person is aware of God but is unable to find him easily, but when God is hidden behind multiple concealments, a person is completely oblivious to God’s presence.
Individuals are reflections of the divine. They are sometimes concealed shallowly and sometimes on multiple levels. The act of data mining through online scraping or other ways implies that people can be known as an object can be known, but individuals cannot be fully known this way. They exist as worlds within worlds, constantly shifting. Uncovering one aspect leaves many others hidden. This hiddenness should be respected. To pry on what is hidden is also to disrespect the persona, the face a person shows to the world.
The Book of Proverbs teaches that a prudent person “conceals knowledge” whereas the heart of a fool proclaims his foolishness (Proverbs 12:13). Like God, the wise person sometimes holds back. When we resist the urge to pry into someone’s secrets, we exercise restraint so they can flourish and exist on their own terms. Hiddeness protects against manipulation and guarantees freedom. It also makes way for love because what we most often love in others is that which cannot be seen but exists beneath the surface and resists articulation. The law describes what is acceptable. Ethics point to what is ideal.
By way of example, Article 21 of the GDPR gives individuals rights to object to processing of their personal data, including profiling for direct marketing and other purposes. Article 22 of the GDPR gives individuals the right not to be subject to a solely automated decision-making process resulting in significant effects, albeit with some exceptions. Ways must also exist for subjects to express their view about automated decision-making and contest decisions where these apply.
See Joshua A. T. Fairfield & Christoph Engel, Privacy as a Public Good, in 65, Duke Law Journal. 385, 390 (2015); Linsey Barrett, Model(ing) Privacy: Empirical Approaches to Privacy Law and Governance, 35 in Santa Clara High Technology Law Journal 1, 17–20 (2018); Ehimare Okoyomon, et al., On the Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies, in The Workshop on Technology and Consumer Protection (2019).
PJS v News Group Newspapers Ltd UKSC 26. On 22 September 2021, the UK Government published the National AI Strategy. It suggests that the current approach to AI is inadequate and seeks to clarify the conditions around the use and reuse of personal data for research, while wanting to ensure transparency concerning the algorithms employed, the use to which data is put, and how ethical issues are addressed.
In 2021, for example, a claim was issued in the English High Court for misuse of private information following an alleged arrangement between Google and DeepMind and the Royal Free London NHS Foundation Trust. The allegation was that the tech companies obtained and used a substantial number of confidential medical records without patients’ knowledge or consent. See https://www.bbc.co.uk/news/technology-58761324
Although the law recognises various public-interest type exceptions. See for this and related topics R. Jonathan Ziring, Privacy to Oneself, For Curiosity’s Sake, https://www.etzion.org.il/en/philosophy/issues-jewish-thought/topical-issues-thought/violating-privacy-others-curiosity%E2%80%99s-sake and https://www.etzion.org.il/en/philosophy/issues-jewish-thought/topical-issues-thought/privacy-oneself-curiosity%E2%80%99s-sake
Kenneth A Bamberger and Ariel Evan Mayse. Pre-Modern Insights for Post-Modern Privacy: Jewish Law Lessons for the Big Data Age in Journal of Law and Religion 36, no. 3 (2021): 495–532.