The Puzzling Nature of Privacy Harms and Goals

Garrett Groos
Mar 11, 2021

Broadly speaking, one’s privacy can be harmed by vertical means (the government, various levels of law enforcement, an employer, or a technology platform or service) or by lateral means, e.g., oneself or others who hold one’s previously shared information.[i] These can be equally harmful, and they may overlap such that a blameworthy privacy practice can be masked for some time, as in the case of Facebook and Cambridge Analytica. In that case, the latter obtained much of the data it needed to manipulate national elections by scraping Facebook’s lateral data (details on users’ identities, networks, and likes) from posts or shares of friends, or those of friends of friends.[ii] Thus, identifying which privacy harms to protect against, or determining the value of the risk of data misuse, can be more confusing than ascribing ex post blame to a breached company’s practices and demanding that it do better.

On top of that, in a judicial proceeding the value of exposed data, absent an instance of identity theft, is very low or nothing, even though data is now more valuable than gold in the private market.[iii] Possibly because of difficulties such as this, ripe cases by individuals against companies are a shockingly small pool compared to the number of individuals who have had their data exposed after a breach, while litigated cases are an even smaller pool.[iv] This makes it very difficult for courts to make companies feel the pain of regret whenever their customers suffer because the company’s privacy practices led to a breach.

A. Defining the Goal of Privacy Protection

The methods for resolving these problems, especially in the United States, have to this point been overly simplistic and ill-suited to mitigating either the causes or the effects of privacy harms. For plaintiffs, proving standing and liability in the court system is very difficult because most cases won’t satisfy Article III standing under the U.S. Constitution on the basis of a mere increased risk of identity theft due to exposed data. While the FTC can step in to enforce honest trade practices, this will generally not result in damages awards to those impacted by the breach; instead, it results in a fine against the company, to be stored in government coffers or used to force-finance a better privacy program within the company.[v] Worse, if a company was breached but nonetheless acted in accordance with its privacy policy, the FTC’s ability is limited further.[vi] If consumers proceed to access a service despite a Terms of Service clause disclosing data harvesting, they have effectively discharged the service’s liability and have chosen to bear the risk that the service won’t protect their data as best it can.[vii] The problem is that this notice-and-choice paradigm doesn’t solve any human problems. Firstly, some technologies and social networking abilities are essential for base needs in the modern world; secondly, some convincing literature maintains that humans are not equipped to use the current notice-and-choice paradigm effectively, as our cognitive skills cannot fully comprehend the ways that data assuredly given at one point can be sold and aggregated many different times to enable a non-approved use of that same data.[viii] While the United States has yet to fully embrace a structure other than notice and choice, creative solutions run the gamut, from requiring companies that engage in large carve-outs of their previous privacy practices to evidence it in new trademarks, to privacy by design (PbD), which, as discussed, emphasizes building more default privacy-forward features into products.[ix]

[i] Deirdre K. Mulligan & Jennifer King, Privacy Jurisprudence As An Instrument Of Social Change: Bridging the Gap Between Privacy and Design, 14 U. Pa. J. Const. L. 989, 997 (2012).

[ii] Kevin Granville, Facebook and Cambridge Analytica: What You Need to Know as Fallout Widens, The New York Times (Mar. 19, 2018), https://www.nytimes.com/2018/03/19/technology/facebook-cambridge-analytica-explained.html.

[iii] The World’s Most Valuable Resource is No Longer Oil, But Data, The Economist (May 6, 2017), https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data.

[iv] Daniel J. Solove & Paul M. Schwartz, Information Privacy Law 812 (Rachel E. Barkow et al. eds., 6th ed. 2018).

[v] Id. at 846.

[vi] Id.

[vii] Id.

[viii] Daniel J. Solove, Privacy Self-Management and the Consent Dilemma, 126 Harv. L. Rev. 1879, 1880–94 (2013).

[ix] Paul Ohm, Branding Privacy, 97 Minn. L. Rev. 907, 908–913 (2013); Birnhack et al., Privacy Mindset, Technological Mindset, 55 Jurimetrics 55, 114 (2014).
