Andrea Matwyshyn, Information Paradoxes
Comment by: Fred Cate
Workshop draft abstract:
One of the long-standing conundrums in privacy law is the “privacy paradox” – consumers allege to value privacy and data security but yet are happy to share their personally identifiable information in exchange for convenience or low value consideration. Meanwhile, the law regarding who “owns” this shared information also presents a paradox of sorts: while companies who generate databases of consumer information assert a protectable intellectual property interest in these databases, they simultaneously assert that the data subjects have no protectable interest in the shared data. This presents an information ownership paradox. This article explores the tensions among copyright, tradesecret, contract law, and data privacy/security law inherent in these two paradoxes.
Borrowing ideas from the work of Pierre Bourdieu, copyright and contract, this article alleges that no paradox necessarily exists in either scenario: each side’s position is rooted in the same desire to control use. The rights of both companies and individuals with respect to information can be recharacterized as rights to selectively embed data into economic contexts. As such, this article crafts an approach to resolving the privacy paradox and information ownership paradox, and it proposes a legal regime for redress of information harms. It argues that the two dominant legal approaches to categorizing aggregated information bundles about humans — as fully alienable property, on the one hand, and as an absolute dignitary right of control, on the other hand – need a theoretical middle ground focused on control of context. This new approach recognizes that the value of information is inherently socially embedded, not individual. Without causing any upheaval to existing intellectual property rights in databases, a strong data protection regime can exist through blending legal approaches found in copyright and contract. Concretely, the proposed approach involves three elements. First, state legislatures should provide consumers and licensors with a right of deletion in instances of a data steward’s information loss. Second, breaches of privacy policies should be allowed to proceed as breach of contract actions. The burden of proof in cases of harms arising from information loss should be shifted to the information steward, while affording that steward an affirmative defense of reasonable data care. Finally, this new approach calls for states to assign a minimum statutory value for information harms, modeled on copyright law. Such an approach would not only assist consumers in defending their right to embed data but also offer companies a right of recourse when they are forced to internalize costs imposed on them through third parties’ failed data stewardship.