Things to Consider when Thinking about Data Privacy Rights
Privacy Plus+
Privacy, Technology and Perspective
This week, we continue our shift from current events to focus on data privacy rights, and in particular, the rights of access and deletion of personal information.
As background, the laws of certain jurisdictions, such as the European Economic Area (“EEA”) under the EU General Data Protection Regulation (“GDPR”), vest individuals with certain “privacy rights” regarding their personal information. For full details describing the rights recognized by the GDPR, you can review the following guide hosted by the UK’s Information Commissioner’s Office: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
Rather than summarizing the “privacy rights” accorded under the GDPR, we just say that it seems to us that the GDPR (and other data-protection laws) go a long way toward collapsing the concept of privacy into “mere” property. Europe, California, and some other states speak of privacy as a fundamental right, but laws on both sides of the Atlantic seem nowadays to focus on an individual’s relationship to various data elements (name, address, IP address, etc.), rather than considering privacy holistically.
Of course, the privacy-as-property paradigm is popular, not least because it’s easy to understand and describe. Many people conceive of online privacy especially in terms of “personal information”—that is to say, particular data elements (e.g. information that you input into a webform). This is why we often hear the misplaced statement, “I own my data.”
But it seems to us that “ownership” of data elements is distinct from true privacy rights. Were privacy and property truly aligned, courts would recognize not just data as having monetary value, but also the rights of possession, control, exclusion, enjoyment, and disposition of data (these rights all being valuable parts of the “bundle of sticks” that every first-year law student learns about in their Property class). Yet, U.S. case law, like In re Jet Blue Airways Litigation, 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005), generally holds that there is “no support of the proposition that personal information of an individual…ha[s] any value” (a dubious point today, but we can look at that later).
On the other hand, there is little argument anymore that privacy is valuable, just not as readily measurable in money. We think that the value of privacy rights should be measured not by what the individual’s digital history would fetch on the open market, but by the gravity of what the rights at issue protect. Perhaps this is why the United States has HIPAA to protect health information, GLBA to protect financial information, FERPA to protect student information, and cases like Obergefell v. Hodges or Griswold v. Connecticut, which recognize privacy interests in intimate associations and decisions. In its most consequential incarnation, privacy is respect for others, and for relationships between people. At its core, it’s civility, trust and confidentiality. And not to put too dramatic a point on it, but privacy – aided in this country by the first, fourth, seventh, fifth, and fourteenth amendments – is what stands between the individual and the government.
As our federal legislators contemplate an omnibus U.S. privacy law, they should remember that the easy paradigm of privacy as property isn’t good enough. Data access and deletion might help individuals maintain some degree of control over their personal data elements, but those “rights” do not adequately honor privacy. In fact, data privacy rights are devalued when privacy is considered solely in the context of personal data elements that can be accessed or disposed of, transferred or conveyed.
Perhaps certain intellectual “property” disciplines have something to teach us in this regard. Consider trademark law, for example. People often say, “I own this mark,” or “this name.” (“That’s mine! How dare they use it, even for something totally unrelated!”) Yet trademarks are actually symbols of goodwill, signifying not necessarily what something is, but always pointing toward whose the thing is. Trademarks do this not to protect their “owner,” or to vindicate some property-esque right of the owner in the mark, but rather to protect the consumer from being mistaken, confused or deceived as to the source or affiliation of the goods and services she is about to buy. The law of trademarks does not have its origin in “property.” It’s one of the oldest consumer-protection concepts. Its origin lies in the law of deceit.
Or, consider trade secrets. Historically, the principal objective of trade secret law has been to enable groups of people to share developments among one another in trust, and thereby facilitate efficient development of new products and services. Until recently, the central focus of trade secret law was therefore the relationship among people who shared the trade secret, or to whom it was entrusted. There is no liability for developing independently what turns out to be somebody else’s trade secret; it is doing so in breach of a duty you owe to that person, or through improper means, that is an offense. (The Uniform Trade Secrets Act has moved toward a property-like tendency to look first at the nature of the putative secret, rather than first looking to the relationship between the parties, but it is not a pronounced move and anyway New York still relies on the venerable Restatement of Torts (1939).)
Access and rights of deletion – like trademark protections – point to and vindicate something larger than themselves, and larger than commercial “property.” And like trade secrets, they focus primarily on the relationship between people.
Let’s consider that, this summer.
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.