Taking Power Seriously: The Politics of Privacy

Guest Blogger

For the Balkinization Symposium on Ignacio Cofone, The Privacy Fallacy: Harm and Power in the Information Economy Cambridge University Press (2023).

Alicia Solow-Niederman

If you attend an information privacy law conference and say that privacy is power, you’re likely to be met with vigorous agreement.  Ignacio Cofone’s timely intervention, The Privacy Fallacy: Harm and Power in the Information Economy, adds to this scholarly consensus with a distinct spin.  Cofone’s core premise is that privacy law has erroneously looked to contract law, which provides a mistaken understanding of the power relationships and interactions between individuals and the entities who trade in their data.  Instead, we ought to look to tort law.  He argues that an approach grounded in tort law shifts away from privacy law’s fixation on providing individual choice and individual control rights, and towards a liability regime that better matches the actual relationships and power dynamics of our information economy.  As Cofone contends, “Privacy law’s challenge is no longer regulating individual choices, but rather regulating relationships of power” (p. 10).  This is especially true as artificial intelligence increasingly enables corporations and governments to process bits of unrelated data and draw inferences about individuals and about unrelated third parties – including in ways that no one person can reasonably be expected to control. 

I commend Cofone for his attention to power and agree that regulating power in the contemporary information economy requires “meaningful accountability for the powerful” (p. 165).  And I commend him for moving the conversation beyond acknowledgements that power matters, and for offering concrete legal hooks that might promote “harm-based privacy liability” (p. 139).  But I also worry that taking power seriously requires more. 

In the remainder of this blog post, I argue that confronting power dynamics in information privacy requires recognizing the politics of privacy.  My approach admittedly zooms out from the particulars of Cofone’s argument and instead focuses on a single concept: Power.  My intent, however, is not to disregard Cofone’s detailed prescriptions.  Rather, I take this tack because power is a leading player in Cofone’s account: It is not only part of the title, but also so central to the argument that there are 22 entries for it in the book’s index.  Consider this intervention a “yes, and” addition to Cofone’s argument.  Unless and until we accept that a robust, substantive understanding of privacy entails political tradeoffs, we cannot take concrete steps to curtail privacy harms.  And especially in an era of increasing partisan polarization, blinking this reality will water down any effort to redress privacy harms.

In making the claim that privacy involves politics, I intend two senses of the word “politics.”  The first derives from science, technology, and society (STS) studies; the second, from the colloquial use of the term.  The STS understanding of politics is nuanced and complex, but for present purposes, I adopt the working definition expressed by Langdon Winner in his essay, Do Artifacts Have Politics?: Politics refers to “arrangements of power and authority in human associations.”  The colloquial understanding is also multifaceted, but for present purposes, I adopt a working definition consistent with the dictionary’s denotation of the term: Politics refers to competition between political parties for control of the system of government.  Putting these two together, when I assert that privacy involves politics, I mean that it involves choices about how to organize society, and that these choices will often entail competing political parties’ claims about what privacy demands.  Privacy is thus inherently normative – in the sense that there are no neutral choices – and inherently partisan – in the sense that pursuing any choice requires selecting among competing visions of what society requires to provide robust protection against privacy harms. 

Now, I suspect that many of the same privacy scholars and advocates who would vigorously agree that privacy is power would shake their heads and contest this definition of privacy as political.  Indeed, the bipartisan nature of privacy reforms proposed in recent years has been a major selling point.  Not to mention seeming bipartisan consensus that we have just got to do something about children’s privacy.  We can all get behind privacy, even in an era of unprecedented polarization.  Or so the thinking goes. 

But I don’t think it’s so simple – at least not if we also believe that privacy is power.  The core difficulty is that the understandings of privacy that pass bipartisan muster are thin, procedural, and do not speak truth to power (to adopt a phrase at the heart of Julie Cohen’s incisive work).  Think of the “fair information principles” (FIPs), a backbone of data protection since the 1970s, particularly in Europe and OECD nations.  As Cofone discusses, the FIPs emphasize endowing individuals with rights, such as the right to access personal data, or the right to know when an entity has information about them.  One problem, however, is that “data rights” like these still put the onus on individuals.  They only seem empowering.  In reality, “they’re options that people lack time and knowledge to use frequently and the power to use effectively” (p. 94).  As privacy scholars have written at length, individual privacy rights are insufficient at best and a flawed approach at worst. 

A second, even more fundamental problem is that the FIPs “focus on procedure, not on substantive protections” (p. 98).  They aim to permit some baseline amount of data processing, with guardrails in place.  When a bipartisan bill embraces FIPs-inspired protections, its data processing protections may be important.  But procedural protections can’t resolve contested substantive issues, such as whether particular data should be processed at all.  Sometimes any processing risks “oppression and abuse,” as Woodrow Hartzog and Neil Richards have put the point.   What’s more, such procedures may be “performative” in ways that are “not necessarily good for privacy,” as Ari Ezra Waldman has argued.  They may be a façade, appearing to promise real protections that amount to little more than a form of legal “grey hole” in which individuals are still disempowered. 

Procedural interventions can only do so much.  Process can’t resolve contentious social questions.  It can’t strike the right balance between innovation and privacy protections.  It can’t ascertain whether the potential discriminatory and surveillance impact of facial recognition tools warrants a wholesale ban.  It can’t resolve whether kids need privacy from their parents, or whether parents need to protect kids’ privacy in a dangerous world.  And it can’t engage with a robust understanding of the full range of data-driven harms, such as the intimate privacy violations that Danielle Keats Citron and Mary Anne Franks have long fought to prevent and redress.  Making these tough calls, with an eye to all of the ways that privacy matters and whose privacy matters, isn’t about procedure.  It’s about political choices. 

And therein lies the bind.  To be most palatable, privacy reforms need to seem apolitical.  Procedural reforms tend to fit the bill.  But to engage with privacy as power and actually change power dynamics, privacy reforms must be political. 

Cofone’s account calls for attention to power, but he does not go far enough to recognize privacy’s inevitably political nature.  He rightly (in my book, at least) argues that policymakers should shift their attention to “more fundamental questions about whether certain types of data collection and processing should be permitted in the first place” (p. 103).  And he proceeds to call for regulators to focus on “harm-reduction,” with a blend of “substantive control-independent rules, risk-based legal standards, and accountability tied to harm” (p. 103). 

These changes, however, would demand underlying substantive judgment calls that are left unacknowledged in the text.  For instance, Cofone suggests that prohibiting high-risk practices requires a “collective process” (p. 104).  Yet this step necessitates a shared understanding of what is sufficiently high risk and whose interests matter.  By way of further example, Cofone suggests that data minimization is a “more standard-driven” data protection measure that “addresses risk systemically” (p. 106).  Yet data minimization is a politically contentious feature in many proposals because it limits what processors can do with data, and thus implicitly bakes in a normative judgment that society requires such restrictions, no matter how innovative or economically lucrative industry actors might believe their data processing could be.  Cofone recognizes that “standards work best when society agrees on the values to be protected” (p. 107).  Yet agreeing on those values entails political choices.  The more that regulatory interventions advocate thicker, more substantive interventions such as these, the more politically contested they become. 

Tradeoffs of this sort are, moreover, not limited to regulators.  When judicial actors resolve disputes, they draw on underlying understandings of “privacy’s social value” (p. 137).  These are, again, normative choices.  They entail tradeoffs that different partisan actors may strike differently.  They are, in a word, political. 

Cofone’s account opens the door to a richer understanding of privacy as power.  That is to his credit.  However, precisely because of the force of this argument, it’s important to develop it to its full extent.  To contend with privacy as power, we need to think hard about how particular privacy reforms are political.  Otherwise, we just aren’t taking power seriously. 

Alicia Solow-Niederman is an associate professor of law at the George Washington University Law School.  She wishes to thank Ari Ezra Waldman for reading a draft of this post.  She extends her gratitude to the scholars cited here and to a long, long list of privacy and law and tech scholars whose foundational work and support make her scholarship possible (and who are not listed only because of the space constraints of a brief blog post).  You can reach her by email at alicia.solowniederman@law.gwu.edu.