My new article, “Space Invaders: Intrusion in the Digital Age,” lays out the case against the Fair Information Practice principles (“FIPs”) and for continued reliance on tort to shape American privacy law.
The FIPs were originally articulated and presented to Congress in the 1973 HEW Report. The European Union’s Data Protection Directive draws heavily on FIPs, and now they have been incorporated into President Obama’s proposed Consumer Privacy Bill of Rights. But, notwithstanding the fact that the word “Fair”appears in their title, the FIPs are a misguided overreaction to computers and data. (Indeed, one subsection of the HEW Report is titled “Too Much Data.”)
The FIPs have two irredeemable flaws. First, they create property rights in accurate facts. FIPs require data minimization, purpose-limitation, and consent before information is shared or re-used. In other words, they allow people to exert exclusive control over the information that describes them. This too quickly subjugates the free flow of legitimately collected information to the private interests of individuals. Second, FIPs create error in the other direction, too. A person may fail to exert control over their information and suffer a predictable, avoidable downstream harm.
Instead of creating vast new information property rights, the U.S. should continue to use tort law to balance legitimate privacy interests against the public’s interests in information flow. This article shows how the old intrusion tort, the best incarnation of Warren & Brandeis’s “right to be let alone,” can be updated to curb some of the most disconcerting data practices.
From the introduction:
This Article makes two contributions to the scholarly discourse—one organizational, and one normative. First, it develops a new taxonomy that tracks the flow of data. Personal information passes through four distinct states where regulation can apply: observation, capture (when a record is created), dissemination, and use. While existing taxonomies organize the theories of information privacy across the harms experienced, the framework introduced here flips the orientation. First it determines how information can be regulated, and then it analyzes the nature of the harm. By focusing on the practical effects of regulation, the competing interests in privacy and information flow can be evaluated in a consistent manner.
Second, the Article employs the taxonomy to make normative claims about the current and future state of American privacy law among private actors. Popular privacy proposals, though politically expedient, will undermine the public’s interests in innovation and knowledge-production. In contrast, regulation targeting information flow at its source—at the point of observation—can be significantly expanded without running into conceptual pitfalls.
The intrusion tort is the quintessential example of a restriction on observation. This Article proposes an expansion of the intrusion tort to fit the modern technological landscape. Intrusion should provide recourse not for the creation of personal data, which is a necessary byproduct of well-functioning technologies, but for the observation of that data. Since the intrusion tort is conceptually adaptable to changing technology, legal enforcement of the right to seclusion can expand sensibly, outlawing the most disconcerting data practices without imposing unrealistic demands on industry and regulatory enforcement agencies.
A valuable side effect of this project is its vindication of American privacy law’s origins in tort. Because the contours of tort law are designed in reference to broader societal interests rather than the interest of a single particular victim, tort is in the best position to address new information problems. It can target and deter practices that eventually reveal themselves to be truly harmful without taking a premature position on how much data is “too much.”
Comments Off
Filed under: Anonymity, First Amendment, Internet & Society, Privacy, Scholarship