Why Individual Rights Can't Protect Privacy
Daniel Solove
Professor, GW Law School + CEO, TeachPrivacy + Organizer, Privacy+Security Forum
Today, the California Privacy Protection Agency (CPPA) published a large advertisement in the San Francisco Chronicle encouraging people to exercise their privacy rights. "The ball is in your court," the ad declared. (H/T Paul Schwartz)
While I admire the CPPA's effort to educate, the notion that the ball is in the individuals' court is not a good one. This puts the on individuals to protect their privacy when they are ill-equipped to do so and then leads to blaming them when they fail to do so.
I wrote an article last year about how privacy laws rely too much on rights, which are not an effective way to bring data collection and use under control: The Limitations of Privacy Rights, 98 Notre Dame Law Review 975 (2023).
Individual privacy rights are often at the heart of information privacy and data protection laws. Unfortunately, rights are often asked to do far more work than they are capable of doing. Rights can only give individuals a small amount of power. Ultimately, rights are at most capable of being a supporting actor, a small component of a much larger architecture.
I advance three reasons why rights cannot serve as the bulwark of privacy protection.
The main goal of providing privacy rights aims to provide individuals with control over their personal data.? But this turns into a series of endless chores that are too onerous and difficult to do - and often rather pointless. When individuals fail to exercise their rights, then they are blamed for not caring about privacy.
领英推荐
As I wrote: "Rights can’t empower individuals enough to equalize the power imbalance between individuals and the organizations that collect and use their data. Effective privacy protection involves not just facilitating individual control but also bringing the collection, processing, and transfer of personal data under control."
Ultimately, for protecting privacy, the ball is not "in your court." It's the responsibility of the companies that gather, use, and transfer your personal information. It's the responsibility of the law to hold these companies accountable.
For more elaboration on these points, see my article: The Limitations of Privacy Rights, 98 Notre Dame L. Rev. 975 (2023). It is available free as a download here.
SUBSCRIBE TO MY NEWSLETTER
If you want to see all my cartoons, whiteboards, and writings, please subscribe to my free newsletter here.
Artificial Intelligence AI, Tech, Privacy and HIPAA Compliance and Cyber Security Attorney | Certified Information Privacy Professional/CIPP/United States/US Government/Canada
2 个月The quid pro quo for your personal data in the job market is Dickensian at best. You can’t apply for a job without giving over sensitive information now. I have abandoned many applications for over collecting sensitive information that is revealed deep into the process. There should be a list of data points that are not allowed to be collected. Race and ethnicity should not be collected just to apply.
Privacy compliance lead, technology practitioner, community builder, ethics steward, FIP, CIPP/US, CIPT, CIPP/E, CIPM, and HumanGPT
2 个月My first reaction to the article was CPPA privacy.ca.gov is informing the public by using a large advertisement in the San Francisco Chronicle is why? Who is subscribed and who is reading the SFC? Seems like the wrong place to find CA citizens to exercise (mostly digital) their privacy rights. I do agree with the ad's symbolism that it is a long shot being taken, potentially being blocked, that has a high probability of not going in.
Privacy lawyer turned product manager. Building the future of automotive privacy. Privacy @ Rivian // Previously @ Future of Privacy Forum, Sidewalk Labs, Fasken // CIPP-US & CIPP-EU
2 个月Agreed. This is why transparency and user control should be thoughtfully done. It's really easy to say companies should give as much information as possible and provide dozens of privacy controls, but that's actually pretty lazy and puts an unfair burden on end users.
Business Legal Executive (Privacy, Data Protection, AI and Data Law)
2 个月Great post Dan. I'd like to add that the cost to businesses to implement DSR systems is significant to SMEs. Undoubtedly privacy advocates would respond that compliance systems are merely a cost of processing personal data (and maintaining trust of your customers), but it is a legitimate endeavor to evaluate the cost side of the equation.
I find curious that rights -- a tool in the hands of individuals -- should be supplanted by some broad duty on the part of corporations, who seem entirely unmotivated to protect privacy. The real backstop would be direct privacy-protecting statutes, as you say, but that means a tool in the hands of politicians and administrators, who, if we abandon romance, are heavily influenced and guided by those corporations. And little do we learn about consumers' true privacy interests in legislative and regulatory fora. I've been pursuing a different course, as you may know, Daniel. Jane Bambauer and I will be arguing about it (very nicely) next week at an event in D.C. https://www.aei.org/events/propertizing-privacy-evaluating-the-merits-of-a-property-based-approach-to-personal-data-protection/