Harvard Law Review Harvard Law Review Harvard Law Review

Cyberlaw / Internet

Toward a Positive Theory of Privacy Law

Privacy protections create winners and losers. So does the absence of privacy protections. The distributive implications of governmental decisions regarding privacy are often very significant, but they can be subtle too. Policy and academic debates over privacy rules tend not to emphasize the distributive dimensions of those rules, and many privacy advocates mistakenly believe that all consumers and voters win when privacy is enhanced. At the same time, privacy skeptics who do discuss privacy in distributive terms sometimes score cheap rhetorical points by suggesting that only those with shameful secrets to hide benefit from privacy protections. Neither approach is appealing, and privacy scholars ought to do better.

This Article reveals some of the subtleties of privacy regulation, with a particular focus on the distributive consequences of privacy rules. The Article suggests that understanding the identities of privacy law’s real winners and losers is indispensable both to clarifying existing debates in the scholarship and to helping predict which interests will prevail in the institutions that formulate privacy rules. Drawing on public choice theory and median voter models, I begin to construct a positive account of why U.S. privacy law looks the way it does. I also suggest that a key structural aspect of U.S. privacy law – its absence of a catch-all privacy provision nimble enough to confront new threats – affects the attitudes of American voters and the balance of power among interest groups. Along the way, I make several other subsidiary contributions: I show why criminal history registries are quite likely to become increasingly granular over time, I examine the relationship between data mining and personality-based discrimination, and I explain how the U.S. political system might be just as biased in favor of citizens who do not value privacy as it is biased in favor of highly educated and high-income citizens.

Part I assesses the distributive implications of two privacy controversies: the extent to which public figures should be protected from the nonconsensual disclosure of information concerning their everyday activities, and the extent to which the law should suppress criminal history information. In both instances the United States is far less protective of privacy interests than Europe is, and, as a result, the U.S. government has received criticism both at home and abroad. The Part shows that defensible distributive judgments undergird the American positions. The European approach to celebrity privacy is highly regressive and causes elites and nonelites to have differential access to information that is valuable to both groups. The U.S. attitude toward criminal history information may be defended on pragmatic grounds: in the absence of transparent criminal history information, individuals may try to use pernicious proxies for criminal history, like race and gender. Part I then shows how these distributive implications affect the politics of privacy. To use one example, California’s interest groups are pushing that state toward European-style regulation, and there is an apparent emerging trend toward ever-increasing granularity in criminal history disclosures.

Part II analyzes the emerging issue of Big Data and consumer privacy. It posits that firms rely on Big Data (data mining and analytics) to tease out the individual personality characteristics that will affect the firms’ strategies about how to price products and deliver services to particular consumers. We cannot anticipate how the law will respond to the challenges posed by Big Data without assessing who gains and who loses by the shift toward new forms of personality discrimination, so the Article analyzes the likely winners and losers among voters and industry groups. The analysis focuses on population segments characterized by high levels of extraversion and sophistication, whose preferences and propensities to influence political decisions may deviate from those of introverts and unsophisticated individuals in important ways.

Part III reaches across the Atlantic, using Europe’s quite different legal regime for governing Big Data as a way to test some of the hypotheses articulated in Part II. Although U.S. and European laws differ significantly, the attitudes of Americans and Europeans toward privacy seem rather similar. The Article therefore posits that different public choice dynamics, especially the strength of business interests committed to data mining in the United States, are a more likely cause of the observed legal differences. But this conclusion raises the question of why European business interests committed to data mining do not have similar sway. The Article hypothesizes that structural aspects of U.S. and European privacy laws substantially affect the contents of those laws. In Europe, open-ended, omnibus privacy laws permit regulators to intervene immediately to address new privacy challenges. The sectoral U.S. approach, which lacks an effective catch-all provision, renders American law both reactive and slow to react. As a result, by the time U.S. regulators seek to challenge an envelope-pushing practice, interest groups supporting the practice have developed, social norms have adjusted to the practice, and a great deal of the sensitive information at issue has already been disclosed by consumers.

Part IV examines the National Do Not Call Registry, a rare case in which U.S. regulators were able to combat a substantial privacy harm despite these structural and interest-group dynamics. The fact that the Registry took more than a decade to be implemented, despite its enormous popularity with voters, shows just how difficult regulating privacy can be, especially since many other privacy regulations will create a substantial number of losing consumers who are likely to buttress the interests of prospective loser firms in opposing the new regulation.