Giving People Property Rights In Data Will Not Solve Privacy, But...
from the property-rights-and-privacy dept
Online privacy can’t be solved by giving people new property rights in personal data. That idea is based on a raft of conceptual errors. But consumers are already exercising property rights, using them to negotiate the trade-offs involved in using online commercial products.
People mean a lot of different things when they say “privacy.” Let’s stipulate that the subject here is control of personal information. There are equal or more salient interests and concerns sometimes lumped in with privacy. These include the fairness and accuracy of big institutions’ algorithmic decision-making, concerns with commodification or commercialization of online life, and personal and financial security.
Consumers’ use of online services will always have privacy costs and risks. That tension is a competitive dimension of consumer Internet services that should never be “solved.” Why should it be? Some consumers are entirely rational to recognize the commercial and social benefits they get from sharing information. Many others don’t want their information out there. The costs and risks are too great in their personal calculi. Services will change over time, of course, and consumers’ interests will, too. Long live the privacy tension.
Online privacy is not an all-or-nothing proposition. People adjust their use of social media and online services based on perceived risks. They select among options, use services pseudonymously, and curtail and shade what they share. So, to the extent online media and services appear unsafe or irresponsible, they lose business and thus revenue. There is no market failure, in the sense used in economics.
Of course, there are failures of the common sort all around. People say they care about privacy, but don’t do much to protect it. Network effects and other economies of scale make for fewer options in online services and social media, so there are fewer privacy options, much less bespoke privacy policies. And companies sometimes fail to understand or abide by their privacy policies.
Those privacy policies are contracts. They divide up property rights in personal information very subtly—so subtly, indeed, that it might be worth reviewing what property is: a bundle of rights to possess, use, subdivide, trade or sell, abandon, destroy, profit, and exclude others from the things in the world.
The typical privacy policy vests the right to possess data with the service provider—a bailment, in legal terminology. The service provider gets certain rights to use the data, the right to generate and use non-personal information from the data, and so on. But the consumer maintains most rights to exclude others from data about them, which is all-important privacy protection. That’s subject to certain exceptions, such as responding to emergencies, protecting the network or service, and complying with valid legal processes.
When companies violate their privacy promises, they’re at risk from public enforcement actions—from Attorneys General and the Federal Trade Commission in the United States, for example—and lawsuits, including class actions. Payouts to consumers aren’t typically great because individualized damages aren’t great. But there are economies of scale here, too. Paying a little bit to a lot of people is expensive.
A solution? Hardly. It’s more like an ongoing conversation, administered collectively and episodically through consumption trends, news reporting, public awareness, consumer advocacy, lawsuits, legislative pressure, and more. It’s not a satisfactory conversation, but it probably beats politics and elections for discovering what consumers really want in the multi-dimensional tug-of-war among privacy, convenience, low prices, social interaction, security, and more.
There is appeal in declaring privacy a human right and determining to give people more of it, but privacy itself fits poorly into a fundamental-rights framework. People protect privacy in the shelter of other rights—common law and constitutional rights in the United States. They routinely dispense with privacy in favor of other interests. Privacy is better thought of as an economic good. Some people want a lot of it. Some people want less. There are endless varieties and flavors.
In contrast to what’s already happening, most of the discussion about property rights in personal data assumes that such rights must come from legislative action—a property-rights system designed by legal and sociological experts. But experts, advocates, and energetic lawmakers lack the capacity to discern how things are supposed to come out, especially given ongoing changes in both technology and consumers’ information wants and needs.
An interesting objection to creating new property rights in personal data is that people might continue to trade personal data, as they do now, for other goods such as low- or no-cost services. That complaint—that consumers might get what they want—reveals that most proposals to bestow new property rights from above are really information regulations in disguise. Were any such proposal implemented, it would contend strongly in the metaphysical contest to be the most intrusive yet impotent regulatory regime yet devised. Just look at the planned property-rights system in intellectual property legislation. Highly arguable net benefits come with a congeries of dangers to many values the Internet holds dear.
The better property rights system is the one we’ve got. Through it, real consumers are roughly and unsatisfactorily pursuing privacy as they will. They often—but not always—cede privacy in favor of other things they want more, learning the ideal mix of privacy and other goods through trial and error. In the end, the “privacy problem” will no more be solved than the “price problem,” the “quality problem,” or the “features problem.” Consumers will always want more and better stuff at a lower cost, whether costs are denominated in dollars, effort, time, or privacy.
Jim Harper is a visiting fellow at the American Enterprise Institute and a senior research fellow at the University of Arizona James E. Rogers College of Law.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: contracts, data, privacy, property rights
Reader Comments
Subscribe: RSS
View by: Thread
Property rights in data...
an interesting idea. But it seems as ripe for abuse to get "copyright" over data collections as notify and takedown in copyright law is abused as a tool of censorship. The law would have to be exceedingly narrow in scope, possibly to the point where it would be difficult to obtain ownership over data that is claimed to be "anonymized" but really isn't.
[ link to this | view in thread ]
I don't see how the "valid legal process" can be carried out in the presence of the transnational entity.
At least not with regards to data privacy...
[ link to this | view in thread ]
The problem with "privacy"
[ link to this | view in thread ]
Re: The problem with "privacy"
[ link to this | view in thread ]
A simpler solution
[ link to this | view in thread ]
If a company can sell my data, why am I not entitled to the money they made on it? Also, if my data are not a property right, then I ought to at least be able to forbid the aggregation of it by companies who then use it to sell an assessment of me, e.g. equifax and so on.
[ link to this | view in thread ]
Re:
If a company can sell my data, why am I not entitled to the money they made on it?
I think the question itself tells you the answer. You're making a big assumption -- that the data is "yours". You're assuming that there's a property right there. But does that always make sense? Is the data truly "yours"? If I run an online shop and I track what you've bought, whose "data" is that? Under a property rights regime, you could argue that it's yours because you made the purchase, but I might argue that it's mine, since I set up the store, sourced the product, and handled the transaction.
It gets tricky quite quickly.
Also, if my data are not a property right, then I ought to at least be able to forbid the aggregation of it by companies who then use it to sell an assessment of me, e.g. equifax and so on.
But that formulation is only possible if property rights are involved. Again, in the view of Equifax, for better or for worse, it's not "your" data. It's data they have collected on you. See the difference? That doesn't make equifax good, but it certainly means we need to think through things way beyond "they can't do that." Because if you just say that you don't want me to collect any data about you.. well, then I can't let you comment here any more, because the nature of commenting means you're providing some data.
There are middle grounds, but property rights and controlling data raises a lot more questions than it answers and you probably won't be thrilled with the end result.
[ link to this | view in thread ]
Re: The problem with "privacy"
[ link to this | view in thread ]
Re: Re:
I would agree that data taken in public setting where I have no privacy interest would not be my property. But data axquired from private financial transactions, internet service and other things where I do have a privacy interest ought to be my personal property. What I purchase, what I read and what I view is personal, In addition, if there is a property interest that makes it possible to sell my data, then there IS a property interest and it's only a matter of who is entitled to it.
[ link to this | view in thread ]