Giving People Property Rights In Data Will Not Solve Privacy, But…
from the property-rights-and-privacy dept
Online privacy can’t be solved by giving people new property rights in personal data. That idea is based on a raft of conceptual errors. But consumers are already exercising property rights, using them to negotiate the trade-offs involved in using online commercial products.
People mean a lot of different things when they say “privacy.” Let’s stipulate that the subject here is control of personal information. There are equal or more salient interests and concerns sometimes lumped in with privacy. These include the fairness and accuracy of big institutions’ algorithmic decision-making, concerns with commodification or commercialization of online life, and personal and financial security.
Consumers’ use of online services will always have privacy costs and risks. That tension is a competitive dimension of consumer Internet services that should never be “solved.” Why should it be? Some consumers are entirely rational to recognize the commercial and social benefits they get from sharing information. Many others don’t want their information out there. The costs and risks are too great in their personal calculi. Services will change over time, of course, and consumers’ interests will, too. Long live the privacy tension.
Online privacy is not an all-or-nothing proposition. People adjust their use of social media and online services based on perceived risks. They select among options, use services pseudonymously, and curtail and shade what they share. So, to the extent online media and services appear unsafe or irresponsible, they lose business and thus revenue. There is no market failure, in the sense used in economics.
Of course, there are failures of the common sort all around. People say they care about privacy, but don’t do much to protect it. Network effects and other economies of scale make for fewer options in online services and social media, so there are fewer privacy options, much less bespoke privacy policies. And companies sometimes fail to understand or abide by their privacy policies.
Those privacy policies are contracts. They divide up property rights in personal information very subtly—so subtly, indeed, that it might be worth reviewing what property is: a bundle of rights to possess, use, subdivide, trade or sell, abandon, destroy, profit, and exclude others from the things in the world.
The typical privacy policy vests the right to possess data with the service provider—a bailment, in legal terminology. The service provider gets certain rights to use the data, the right to generate and use non-personal information from the data, and so on. But the consumer maintains most rights to exclude others from data about them, which is all-important privacy protection. That’s subject to certain exceptions, such as responding to emergencies, protecting the network or service, and complying with valid legal processes.
When companies violate their privacy promises, they’re at risk from public enforcement actions—from Attorneys General and the Federal Trade Commission in the United States, for example—and lawsuits, including class actions. Payouts to consumers aren’t typically great because individualized damages aren’t great. But there are economies of scale here, too. Paying a little bit to a lot of people is expensive.
A solution? Hardly. It’s more like an ongoing conversation, administered collectively and episodically through consumption trends, news reporting, public awareness, consumer advocacy, lawsuits, legislative pressure, and more. It’s not a satisfactory conversation, but it probably beats politics and elections for discovering what consumers really want in the multi-dimensional tug-of-war among privacy, convenience, low prices, social interaction, security, and more.
There is appeal in declaring privacy a human right and determining to give people more of it, but privacy itself fits poorly into a fundamental-rights framework. People protect privacy in the shelter of other rights—common law and constitutional rights in the United States. They routinely dispense with privacy in favor of other interests. Privacy is better thought of as an economic good. Some people want a lot of it. Some people want less. There are endless varieties and flavors.
In contrast to what’s already happening, most of the discussion about property rights in personal data assumes that such rights must come from legislative action—a property-rights system designed by legal and sociological experts. But experts, advocates, and energetic lawmakers lack the capacity to discern how things are supposed to come out, especially given ongoing changes in both technology and consumers’ information wants and needs.
An interesting objection to creating new property rights in personal data is that people might continue to trade personal data, as they do now, for other goods such as low- or no-cost services. That complaint—that consumers might get what they want—reveals that most proposals to bestow new property rights from above are really information regulations in disguise. Were any such proposal implemented, it would contend strongly in the metaphysical contest to be the most intrusive yet impotent regulatory regime yet devised. Just look at the planned property-rights system in intellectual property legislation. Highly arguable net benefits come with a congeries of dangers to many values the Internet holds dear.
The better property rights system is the one we’ve got. Through it, real consumers are roughly and unsatisfactorily pursuing privacy as they will. They often—but not always—cede privacy in favor of other things they want more, learning the ideal mix of privacy and other goods through trial and error. In the end, the “privacy problem” will no more be solved than the “price problem,” the “quality problem,” or the “features problem.” Consumers will always want more and better stuff at a lower cost, whether costs are denominated in dollars, effort, time, or privacy.
Jim Harper is a visiting fellow at the American Enterprise Institute and a senior research fellow at the University of Arizona James E. Rogers College of Law.
Filed Under: contracts, data, privacy, property rights
Comments on “Giving People Property Rights In Data Will Not Solve Privacy, But…”
Property rights in data...
an interesting idea. But it seems as ripe for abuse to get "copyright" over data collections as notify and takedown in copyright law is abused as a tool of censorship. The law would have to be exceedingly narrow in scope, possibly to the point where it would be difficult to obtain ownership over data that is claimed to be "anonymized" but really isn’t.
I don’t see how the "valid legal process" can be carried out in the presence of the transnational entity.
At least not with regards to data privacy…
The problem with "privacy"
The problem with privacy is that it is as a concept somewhat incompatible with free speech. You cannot both have a right to prevent someone from talking about you and them also have a right to speak about you. Privacy and free speech are opposing rights, you have to pick one. Our constitution picked free speech.
There is some limited room for privacy in a free speech world when it comes to our own devices. For example, we can make it illegal to distribute apps that secretly spy on you. But if consent is involved and information freely shared thereafter, any “privacy right” becomes a speech restriction. Should that stand? I think not. GDPR is used to remove court cases from the internet. I think we shouldn’t have such things able to be buried by “privacy” if we want to keep citizens well informed. The right to privacy is the antithesis to an informed society.
The problem with "privacy"
The problem with privacy is that it is as a concept somewhat incompatible with free speech. You cannot both have a right to prevent someone from talking about you and them also have a right to speak about you. Privacy and free speech are opposing rights, you have to pick one. Our constitution picked free speech.
There is some limited room for privacy in a free speech world when it comes to our own devices. For example, we can make it illegal to distribute apps that secretly spy on you. But if consent is involved and information freely shared thereafter, any “privacy right” becomes a speech restriction. Should that stand? I think not. GDPR is used to remove court cases from the internet. I think we shouldn’t have such things able to be buried by “privacy” if we want to keep citizens well informed. The right to privacy is the antithesis to an informed society.
Re: The problem with "privacy"
Not saying you can’t have privacy in your own devices/papers. Just that the essence of privacy is the protection of your own devices and documents. Handing information over to a third party and claiming the right to prevent them from talking about it is the antithesis of free speech.
Re: The problem with "privacy"
I think your comment is well suited to governmental regulation aimed at privacy: “You (corporation) may not use or share this true information.” But privacy is as much a product of people withholding information from others or sharing it subject to restrictions.
When people conceal information about themselves, the First Amendment and free speech are not implicated. And when they share information subject to promises that restrict further sharing and use, that is also perfectly consistent with free speech law. People and companies can contract away their free speech rights, and they regularly do.
I, too, find it bizarre that there are laws requiring true information to be “disappeared” from public view. I think that can’t happen here in the U.S., but I’ve been wrong in my predictions about legal developments before.
A simpler solution
REQUIRE an option where they don’t track, monitize, distribute, etc. your data or even use it to “provide a better experience” tier which is paid.
Right now there is only the “free except you agree to give your soul to the devil when you die” contract. You can’t pay Apple, Google, Amazon, F**kbook to not privacy rape you, that is not an option.
Reminds me of the old Bertrand Russel joke:
BR: Would you go to bed with me for $1Million?
woman: well,… yes I would.
BR: Would you do it for $5? (early 20th century)
woman: What do you think I am?
BR: Madame, we have established what you are, we only disagree about the price.
I can fly, if I let the TSA grope my “junk” and be porn scanned. Completely voluntary. Or charter a private Jet (why can’t they crash into Trump Tower?).
A simpler solution
REQUIRE an option where they don’t track, monitize, distribute, etc. your data or even use it to “provide a better experience” tier which is paid.
Right now there is only the “free except you agree to give your soul to the devil when you die” contract. You can’t pay Apple, Google, Amazon, F**kbook to not privacy rape you, that is not an option.
Reminds me of the old Bertrand Russel joke:
BR: Would you go to bed with me for $1Million?
woman: well,… yes I would.
BR: Would you do it for $5? (early 20th century)
woman: What do you think I am?
BR: Madame, we have established what you are, we only disagree about the price.
I can fly, if I let the TSA grope my “junk” and be porn scanned. Completely voluntary. Or charter a private Jet (why can’t they crash into Trump Tower?).
If a company can sell my data, why am I not entitled to the money they made on it? Also, if my data are not a property right, then I ought to at least be able to forbid the aggregation of it by companies who then use it to sell an assessment of me, e.g. equifax and so on.
Re: Re:
If a company can sell my data, why am I not entitled to the money they made on it?
I think the question itself tells you the answer. You’re making a big assumption — that the data is "yours". You’re assuming that there’s a property right there. But does that always make sense? Is the data truly "yours"? If I run an online shop and I track what you’ve bought, whose "data" is that? Under a property rights regime, you could argue that it’s yours because you made the purchase, but I might argue that it’s mine, since I set up the store, sourced the product, and handled the transaction.
It gets tricky quite quickly.
Also, if my data are not a property right, then I ought to at least be able to forbid the aggregation of it by companies who then use it to sell an assessment of me, e.g. equifax and so on.
But that formulation is only possible if property rights are involved. Again, in the view of Equifax, for better or for worse, it’s not "your" data. It’s data they have collected on you. See the difference? That doesn’t make equifax good, but it certainly means we need to think through things way beyond "they can’t do that." Because if you just say that you don’t want me to collect any data about you.. well, then I can’t let you comment here any more, because the nature of commenting means you’re providing some data.
There are middle grounds, but property rights and controlling data raises a lot more questions than it answers and you probably won’t be thrilled with the end result.
Re: Re: Re:
I would agree that data taken in public setting where I have no privacy interest would not be my property. But data axquired from private financial transactions, internet service and other things where I do have a privacy interest ought to be my personal property. What I purchase, what I read and what I view is personal, In addition, if there is a property interest that makes it possible to sell my data, then there IS a property interest and it’s only a matter of who is entitled to it.
The problem with "privacy"
I think your comment is well suited to governmental regulation aimed at privacy: “You (corporation) may not use or share this true information.” But privacy is as much a product of people withholding information from others or sharing it subject to restrictions.
When people conceal information about themselves, the First Amendment and free speech are not implicated. And when they share information subject to promises that restrict further sharing and use, that is also perfectly consistent with free speech law. People and companies can contract away their free speech rights, and they regularly do.
I, too, find it bizarre that there are laws requiring true information to be “disappeared” from public view. I think that can’t happen here in the U.S., but I’ve been wrong in my predictions about legal developments before.