By: María P. Angel
In the last four years, the U.S. public policy debate about privacy has revolved around different proposals for comprehensive privacy legislation, both at the federal and state level. Since the California Consumer Privacy Act (CCPA) passed in 2018, more than half of the states in the U.S. have proposed comprehensive privacy bills. Similarly, during this timeframe, dozens of privacy-related bills have worked their way through the halls of the U.S. Congress.
Accordingly, U.S. policymakers’ efforts regarding privacy have lately focused on: (i) granting individual data privacy rights; and (ii) requiring the implementation of internal compliance mechanisms within companies that collect, use, or transfer personal data. These measures look to empower consumers and make data collectors more accountable. This, as a response to the already-proven failure of privacy’s traditional notice-and-consent regime and as an attempt to come closer to GDPR-style protection.
From the outside, the American privacy community appears pleased to see these ongoing debates. Of course, controversies abound around the nuts and bolts of the proposals, especially when it comes to introducing a private right of action or selecting an opt-in or opt-out approach. In fact, these are some of the reasons why proposed bills have not been approved in past legislature sessions, as has repeatedly happened in the state of Washington. But, overall, it seems like all sectors agree that discussing these bills is the right way to go.
However, this is not necessarily the case for at least a big chunk of American privacy law scholars. A review of recent law review articles sheds light on what seems to be a common claim among the American privacy law scholarship: even if these comprehensive bills are passed, they will not have tackled the real problem. So, what is the real problem? Well, according to a considerable portion of scholars, there are at least two.
First: privacy has some social/relational dimensions that these legislation proposals fail to address. Besides individual data, people’s privacy decisions are made over shared data (data directly connected to other people) and interrelated data (data that can be used to infer data about others). For instance, my genetic data is shared, because it reveals my inherited or acquired genetic characteristics and those of my family members. Similarly, my behavioral characteristics are interrelated data, because they can be used to make inferences about other people classified in my same market segments (e.g., women, Latinas, lawyers, first-generation graduate students, etc.). Therefore, whenever I choose to share any of this information, I am not only deciding over my data but the data of others.
These relational dimensions, sometimes called by scholars as “networked privacy,” “privacy dependencies,” “privacy externalities,” or “data’s relationality,” cast doubt over the real usefulness of the individual privacy rights that lawmakers are currently working on. At least—privacy scholars claim—, they make evident the limitations of these rights, in an information economy where more and more data are shared and interrelated, and where, therefore, our privacy not only depends on our exercise of those rights but on the decisions and disclosures of other people.
Second: privacy violations are fueled by and result in power asymmetries that are not being challenged by these laws. Information is power—Neil Richards would say—and power is currently concentrated in the hands of a few tech companies who weaponize data-driven technologies to influence and manipulate us. Even more, different scandals have made evident that data can be a tool of oppression and subordination, “whether it is used to train totalitarian facial recognition models surveil protestors, send people to jail, or subjugate vulnerable populations.” Therefore, it has become evident that privacy “is [really] about how power is distributed and wielded.”
As Ari Waldman posits, compliance mechanisms like the ones currently discussed by legislators “do not upset traditional structures of power.” Rather, by reinforcing already entrenched powers, they seem to ignore more structural questions about power differentials and justice. In other words, they are simply not designed to rein in data extraction.
As a result, a big portion of American privacy law scholars have been calling for what Woodrow Hartzog and Neil Richards call “the third way,” and which Ari Waldman has referred to as “a ‘third wave’ for Privacy Law.” Basically, they suggest legislators to consider adopting a more holistic solution, “a more nimble, layered, and inclusive approach that protects personal data but also looks beyond it to account for things that data protection often fails to consider: power, relationships, abusive practices, and data externalities.” This would include, for example, implementing duties of data loyalty, adopting a radically democratic approach to data governance, and augmenting individual privacy rights with broader measures that are more societal and architectural in nature.
Are these proposals sufficiently developed to be considered possible and realistic alternatives? Shouldn’t these be complementary rather than alternative measures to the individual data privacy rights? Isn’t it already too late to recalculate the current legislative route? Is it even strategic to abandon this approach? Isn’t it too much to ask for privacy to rein in data exploitation? These are all valid questions that should be debated. But, at the very least, these scholarly arguments deserve to be heard and publicly discussed. Since the birth of the right to privacy in the U.S., privacy law scholarship has played a determinant role in the development of American privacy law. And this should be no exception.