Can privacy laws do more harm than good?

New York last year introduced a peculiar new law prohibiting first responders and ambulance service providers from selling the personal information of their individual patients. How specific is that?

California’s new privacy law gives individuals the right to say no to the sale of their personal information by opting out of such activities on the website of every company that may be in possession of such information.

Here in Canada, we have over a dozen privacy-related laws governing the use of personal information by municipalities, provinces, businesses and sectors.

Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.

– Plato

And although that’s effectively what is happening, do we need to create a climate where legislators are so desperate to be seen as doing something that they ban activities so specific that they effectively spell out how they can be circumvented? As if that weren’t enough, they carve out vast exclusions that make a dubious exercise even more unlikely to benefit from any attempt at enforcement.

To wit, the new New York law specifically targeting medical first responders goes on to further specify that “sales of personal and health data to health providers, the patient’s insurer, and other parties with appropriate legal authority” are not covered by the legislation.

Professional ethics notwithstanding, are we really at the point where we need to specifically make it illegal for healthcare workers to profit from victimizing patients by breaching their privacy rights?

If so, do we also pass laws forbidding dentists from selling selfies with unconscious patients to fetish websites, preventing school boards from conspiring with tech companies to monetize student information, or stopping banks from selling financial summaries of identifiable customers?

I understand sharing data within the circle of care, but sales?

The precepts of the law may be comprehended under these three points: to live honestly, to hurt no man willfully, and to render every man his due carefully.

– Aristotle

Is it rational to introduce a superfluous new law when existing legislation, including HIPAA, is already intended to protect patient and individual privacy rights?

In cases such as that of Canada’s mix of superficial privacy legislation coupled with antediluvian data protection precepts, where the mere mention of ‘privacy’ and ‘protection of personal information’ in the title consistently discourages attempts at critical review, should bills continue to be introduced and pushed into law? Or should we bolster the laws we currently have to eliminate loopholes and enable rapid resolution?

In other words, does it make sense to establish a set schedule for the revision and reform of existing legislation based on efficacy, effectiveness and enforceability, or should we consciously adopt a status quo where legislation only changes once catastrophic violations and data losses come to pass in the absence of effective enforcement?

Claudiu Popa
Claudiu Popa is a security and privacy advisor to Canadian enterprises, associations and agencies. He is an author, speaker and lecturer. Connect with him on Twitter @datarisk, Facebook, G+ or LinkedIn.
