I organized the World Bank Data Privacy Day, which was held Wednesday, January 25, 2023 (9 AM – 12:30 PM ET).
The event topics included:
I also have a cartoon for last year.
I posted a draft of my new article, Murky Consent: An Approach to the Fictions of Consent in Privacy Law. It is just a draft, and I welcome feedback.
You can download it for free here:
Here’s the abstract:
Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic” – it transforms things that would be illegal and immoral into lawful and legitimate activities. Regarding privacy, consent authorizes and legitimizes a wide range of data collection and processing.
There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates, where organizations post a notice of their privacy practices and then people are deemed to have consented if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent.
Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems – people are ill-equipped to make decisions about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale.
In this Article, I contend that in most circumstances, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary – an on/off switch – but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious.
Abandoning consent entirely in most situations involving privacy would involve the government making most decisions regarding personal data. But this approach would be problematic, as it would involve extensive government control and micromanaging, and it would curtail people’s autonomy. The law should allow space for people’s autonomy over their decisions, even when those decisions are deeply flawed. The law should thus strive to reach a middle ground, providing a sandbox for free play but with strong guardrails to protect against harms.
Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. Instead of providing extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. This would allow for a degree of individual autonomy but with powerful guardrails to limit exploitative and harmful behavior by the organizations collecting and using personal data. In the Article, I propose some key guardrails to use with murky consent.
It’s a new year in privacy, and as usual, there are many things to watch. Here are 5 burning questions:
Continue Reading
I posted a draft of my new article, Data Is What Data Does: Regulating Use, Harm, and Risk Instead of Sensitive Data. It is just a draft, and I welcome feedback.
You can download it for free here:
Here’s the abstract:
Heightened protection for sensitive data is becoming quite trendy in privacy laws around the world. Originating in European Union (EU) data protection law and included in the EU’s General Data Protection Regulation (GDPR), sensitive data singles out certain categories of personal data for extra protection. Commonly recognized special categories of sensitive data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation and sex life, biometric data, and genetic data.
Although heightened protection for sensitive data appropriately recognizes that not all situations involving personal data should be protected uniformly, the sensitive data approach is a dead end. The sensitive data categories are arbitrary and lack any coherent theory for identifying them. The borderlines of many categories are so blurry that they are useless. Moreover, it is easy to use non-sensitive data as a proxy for certain types of sensitive data.
Personal data is akin to a grand tapestry, with different types of data interwoven to a degree that makes it impossible to separate out the strands. With Big Data and powerful machine learning algorithms, most non-sensitive data can give rise to inferences about sensitive data. In many privacy laws, data that can give rise to inferences about sensitive data is also protected as sensitive data. Arguably, then, nearly all personal data can be sensitive, and the sensitive data categories can swallow up everything. As a result, most organizations are currently processing a vast amount of data in violation of the laws.
This Article argues that the problems with the sensitive data approach make it unworkable and counterproductive — as well as expose a deeper flaw at the root of many privacy laws. These laws make a fundamental conceptual mistake — they embrace the idea that the nature of personal data is a sufficiently useful focal point for the law. But nothing meaningful for regulation can be determined solely by looking at the data itself. Data is what data does. Personal data is harmful when its use causes harm or creates a risk of harm. It is not harmful if it is not used in a way to cause harm or risk of harm.
To be effective, privacy law must focus on use, harm, and risk rather than on the nature of personal data. The implications of this point extend far beyond sensitive data provisions. In many elements of privacy laws, protections should be based on the use of personal data and proportionate to the harm and risk involved with those uses.
Here are the highlights of my new privacy training courses from 2022.
Here’s a privacy cartoon for the holidays.
Here’s a roundup of my scholarship and writings for 2022.
BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT
(Oxford U. Press 2022) (with Woodrow Harzog)
Free chapter: Unifying Privacy and Data Security
PRIVACY LAW FUNDAMENTALS
(IAPP 6th ed. 2022) (with Paul Schwartz)
Free chapter: An Overview of Privacy Law
If you couldn’t make it to my recent webinar on privacy training, you can watch the replay here. I had a great discussion with Leila Golchehreh of Relyance AI on building a successful privacy program.
This webinar focused on themes from Danielle Citron’s new book, The Fight for Privacy: online harassment and hate, Section 230, and how privacy invasions disproportionately are targeted at women. We discussed the implications of Dobbs, where the U.S. Supreme Court struck down the right to abortion. As Elizabeth Joh points out in a recent article, the world post-Dobbs is very different from the world pre-Roe. We are living in a surveillance society, and the government has unprecedented powers to monitor people’s intimate lives. You can watch it here.
– Daniel Solove, GW Law
– Danielle Citron, Virginia Law
– Mary Anne Franks, Miami Law
– Jolynn Dellinger, Duke Law
– Elizabeth Joh, UC Davis Law
– Allyson Haynes Stuart, Charleston Law
Recommended Reading
DANIELLE CITRON, THE FIGHT FOR PRIVACY
Danielle Keats Citron & Mary Anne Franks, The Internet as Speech Machine and Other Myths Confounding Section 230 Reform
MARY ANNE FRANKS, THE CULT OF THE CONSTITUTION
Elizabeth E. Joh, Dobbs Online: Digital Rights as Abortion Rights
Jolynn Dellinger & Stephanie Pell, The Impotence of the Fourth Amendment in a Post-Roe World
Allyson Haynes Stuart, Privacy in Discovery After Dobbs
