Two reasons. Employment (for everyone not already rich) and rental homes (for everyone who doesn’t own one) are necessities. There are also horrendous, ongoing shortages of both employment (due to overregulation) and housing (due to the scam known as urban planning).

As a result, an employer or landlord can put whatever terms he likes in a contract, and 99 percent of us have no recourse but to sign it. After all, the next employer or landlord might not even decide to make you an offer — and good luck finding out why.

So if employers and landlords are not restricted this way, they can and will impose all sorts of rules on areas of your private life that are absolutely none of their business. For proof of this read just about any employment contract or lease.

Remember when Adolph Coors Co. was known for subjecting all its job applicants to lie-detector exams about their entire past including their sex lives? It took a federal law to make them stop the practice. Every time I see one of their “Love Train” TV ads I still want to throw a few of their own bottles at their CEO’s head. But without privacy protection laws, companies will soon be able to buy that same data from commercial database operators. The record may even be full of lies about you, but it’ll render you homeless just the same, and you’ll never know why or who’s to blame.

Anyone who says the solution is just to negotiate better is out of touch with reality — and is probably one of those Washington insiders who has never had to work for a living in his life.

As it happens, I’m just a guy commenting on a blog, and I’m not my company. So if you would just send the request in writing to my company’s mail adress, and I’m sure my company will be happy to supply the information to you within the 30-day time limit.

Sincerely, Martin

But sense you have a commercial enterprise, I’ll bite:

Given my right to request it under Chapter III, Section 18, of the Act of 14 April 2000 No. 31 relating to the processing of personal data, please inform me of the kind of processing of personal data your company is performing, and specifically: a) the name and address of the controller and of his representative, if any, b) who has the day-to-day responsibility for fulfilling the obligations of the controller, c) the purpose of the processing, d) descriptions of the categories of personal data that are processed, e) the sources of the data, and f) whether the personal data will be disclosed, and if so, the identity of the recipient.

You may post it here or send it to me at jharper at cato dot org and I’ll start a new thread about it.

This oughtta be fun!

But yes, I have used this law on several (at least three that I can think of) occasions in order to make companies delete information about me that they shouldn’t have, and were using for commercial purposes. On one occasion I reported the company (a small, dubious cell-phone-oriented internet portal, which is thankfully no longer around) to both the Data Inspectorate and the consumer protection doodad, the official name of which escapes me at the moment. Both institutions came through for me, and they forced the company to change its practices or face substantial daily fines (the doodad got there first, but the inspectorate could have done the same).

After I started my single-person company, it has gotten a bit harder to do, though. Being both a private individual and a public institution makes parts of my personal data publicly available. Which is as it should be, but does annoy me occasionally (e.g. with the damn phone salesmen, which I had reserved myself against previously – when they call me now, I make them delete their records of my number, but every now and then new ones trawl the public listings and find it.)

But I do think you’re reading Schneier wrong. Emails discussing this blog post, for instance, are obviously private communications and protected by current privacy laws anyway. I think he is quite simply arguing for a law curtailing the right of institutions to store data about you. It’s a great idea, and while I haven’t read all of this thread yet, I have yet to see a good argument against it.

If you’re asking why there isn’t a flood of lawsuits right now, I think it’s the first possibility you mention: because there isn’t very much in the way of damages. Only a tiny percentage of data breaches result in any identity fraud happening.

I, too, would be amenable to well-circumscribed class actions, pursuing actual damages only, but that’s hard to reach. It seems like half the world hates litigation, and the other half wants to use it as a quasi-regulatory tool and a source of jackpots.

That said, I prefer litigation to regulation because at least common law is self-correcting over time. Regulation represents the best guess of a legislature or bureaucracy about what the rules should be, which draws interest groups around it to freeze it in place, and it almost never changes. (I agree it’s a close call between the two options.)

Normally, if one person’s negligent act or omission injures another, the negligent person can be liable in tort. So, for instance, if you get distracted and drive into the back of someone else’s car, you can be legally liable for the damage you cause to their car. This same principle should apply to a corporation that injures someone by leaking that person’s sensitive data, unless there is some law that shields the corporation from liability. I don’t know whether such a law exists, but for the sake of argument let’s assume it doesn’t.

So, assuming these people are already liable in tort, the next question is why aren’t they changing their behavior under a flood of lawsuits?

Two possibilities come immediately to mind. The first is that no one person is hurt enough to justify the year or two of effort and $50K-$150K in legal fees it’d take to win a judgment. The classic solution to that sort of problem is to allow class actions: let a whole class of plaintiffs pool their similar claims, with one legal team leading the charge, and divvy up any damages they recover. I, personally, don’t have a big problem with class action lawsuits in the right circumstances, but the current political and legal climate seem to frown on them.

The second possibility is that those data collecting entities may be able to contract around liability. Maybe when you sign up for your credit card, for instance, the contract includes a clause that says, in effect, “you agree not to sue us if we lose your data.” But if all the credit card companies had a clause like that, then no one would end up suing them for data loss because the only way to get a credit card would be to agree to a contract waiving your right to sue. The classic solution to that kind of problem is to pass a consumer protection law which says, in effect, you can’t waive your right to sue someone who loses your data even if you want to waive that right. Again, I don’t have a big problem with consumer protection laws in the right circumstances, but they’re not the sort of thing I’d normally expect this forum to support.

Finally, if you’re interested in overall economic efficiency, litigation is usually a poor choice. It’s generally slow, expensive, and inefficient. There are times when it’s necessary or appropriate, but are you sure you really want it as your primary enforcement mechanism?

Maybe you think that there should be elaborate rules dictating what employers and landlords (and participants in all kinds of other markets) can consider, denying them the ability to control the nature of their society, but that sounds like the administrative nightmare I talked about. And it would be quite unfree.

As new technology removes these inabilities, it becomes imperative that the law either put them back in place, or introduce new laws to prevent employers and landlords from discriminating based on information of the types in my examples. Otherwise you are no longer free to have a private life that your boss or landlord doesn’t approve.

And discrimination about those things is going to be impossible to prove. That is why gathering the info needs to be banned.