Some commentators new to the privacy debate are quick to offer what they think is a clever idea: assign property rights over personal information to the user and let the marketplace decide what happens next. Whether this idea is meritorious has big implications for how we think about things like data portability and consent. Turns out it’s wrong.
During one of the recent Federal Trade Commission (FTC) workshops on competition policy, economist Dennis Carlton and others suggested that defining who has property rights in data is a key to properly analyzing data issues in antitrust and that a natural place to start would be that the individual owns the data including health care information and maybe search data as well. European competition policy head Commissioner Margrethe Vestager raised the same idea in public remarks during her visit to Washington last month, suggesting that it was the basis for the General Data Protection Regulation’s data-portability provision, which allows the data subject to transmit “their” data to another service provider. In a later interview, she repeated this idea that “we all own our data” as if it were an obvious truism.
Once it’s clear that individuals own their information, so the argument goes, others can pay them to use the information for various purposes. Privacy policy would need to do little more than assure that consumers have full information about what might be done with their information. Under this rubric, the key to privacy becomes notice-and-consent mechanisms to provide people with full information and the opportunity to choose.
Let’s take a look at the many ways privacy scholars have discredited this idea.
Who owns the information?
Privacy advocate and scholar Bob Gellman illustrates the intractability of this problem with an example of how medical information can simultaneously belong to a patient, the patient’s family, the school, pharmacy, supermarket, pediatrician, drug manufacturer, social media platform, various web sites, Internet tracking and advertising companies and Internet service providers. Each of these actors has an interest in the same information about a child’s illness.
This example generalizes because almost all information about people concerns their interaction with others. If I bought something from you, then you sold it to me. People are social creatures and most of what they do is in relationship with other people.
Author Larry Downes emphasizes the point that when information is about more than one person, it is impossible to determine how a property right should be allocated: “Would it be shared property, owned equally by everyone referenced? If not, would any one person hold a veto?”
As a result, importing a property regime to solve privacy issues doesn’t get you very far. You might as well just set out the rights and responsibilities of the different parties regarding notices, choices, access, correction and deletion and other privacy measures.
Privacy law scholar Julie Cohen thinks that treating privacy as property won’t vindicate the values of autonomy and participation in social life that undergird privacy because differences in bargaining power and information make it hard to view individual choices about personal information in the marketplace as reflective of genuine preferences. Individuals cannot possibly know all the potential uses of information. Data collectors, not individuals, set the terms of the bargain.
She proposes instead conditions for consent designed to ensure that it is full, free, voluntary and reflective of genuine preferences. Consent cannot be for unknown or unspecified uses; consent should automatically be withdrawn after a set period of time; and transfers to third-parties should require separate and additional acts of consent. These conditions for consent would not be present in the simple notion that people own their own information and can do whatever they want with it.
Privacy as Ownership Is Economically Foolish
Privacy scholar Helen Nissenbaum suggests that the cost of getting consent might make it impossible to engage in even the most socially beneficial uses such as medical research that can put an end to dangerous diseases.
For Nissenbaum, privacy is about defending the integrity of our social institutions and practices through upholding social norms defining the appropriate flow of information. Teachers, doctors, lawyers, therapists and priests all know that personal information has been entrusted to them so that they can play important social roles and that their use of the information is linked essentially to the context of fulfilling the expectations of those social roles. It is not a matter of contract or agreement, or individual choice but of traditional norms entrenched in social practices.
Former Seventh Circuit Court Judge Richard Posner thinks privacy as ownership would impose unmanageable transaction costs. How, for example, could a magazine exploit the economic value of its subscriber list if it needed permission from each subscriber to sell it? The cost of obtaining consent would exceed the economic value of the list.
Posner also insists that the law should not ratify a general right to conceal information about oneself. Others need access to personal information to form an accurate picture of the people with whom they interact. The case for assigning ownership of all personal information to the data subject is “no better than that for permitting fraud in the sale of goods.”
Larry Downes generalizes the point that data-subject ownership of information would almost always create “transaction costs higher than the value of the transaction.” Downes also points out that assigning ownership of information to the data subject would reduce incentives to create valuable business records. Why would any company put resources into creating records if they automatically fall under the control of millions of diverse individuals whose pattern of decisions over what to do with the information – including, of course, simply destroying the record – would make the system unmanageable?
Downes further points out the dangers to freedom of expression in allocating to individuals “a property right to any fact that relates to or describes them.” How would journalists ever write about people if they had to get individual consent? Court cases like Haynes v. Knopf hold that general privacy rights do not prevent authors from using factual information about people in their writings. And the Supreme Court case Sorrell v. IMS stands for the proposition that the collection, dissemination and use of information, even personal information, is protected by the First Amendment.
Policy Implications
These are not abstract or idle questions. The European Data Protection Regulation and the California Consumer Privacy Act contain data-portability provisions that would allow people to transfer “their” information to third parties
An immediate implication is that a customer could ask to transfer his entire transaction history from Walmart to Target. It is not hard to imagine companies offering incentives for customers to bring with them their records from other businesses. Indeed, they might start to make it a condition of doing business with them at all. Furthermore, information intermediaries are likely to develop who could compile vast amounts of commercial records by persuading people to transfer “their” records from the companies with whom they do business.
The commercial implications of this right have hardly been appreciated yet, and privacy regulators might still be persuaded that this is not what they had in mind after all. But one thing is certain: this version of data portability will not increase the level of privacy protection.
It seems instead to lead to a data sharing world akin to the “transparent society” science-fiction writer David Brin imagined several years ago. The ultimate tendency of thinking of privacy as individual control and ownership is therefore not what its advocates might have hoped or intended.
It is a privacy nightmare rather than a privacy paradise.
