Monday, October 03, 2016

A Grand Bargain to Protect Digital Privacy

Over at the Atlantic, Jonathan Zittrain and I have an essay explaining how to use the concept of information fiduciaries to regulate digital privacy. The idea is that, instead of simply declaring certain companies to be information fiduciaries, the federal government should offer them incentives to accept the designation and the obligations of trustworthiness and fair dealing that come with it:
There is an opportunity for a new, grand bargain organized around the idea of fiduciary responsibility. Companies could take on the responsibilities of information fiduciaries: They would agree to a set of fair information practices, including security and privacy guarantees, and disclosure of breaches. They would promise not to leverage personal data to unfairly discriminate against or abuse the trust of end users. And they would not sell or distribute consumer information except to those who agreed to similar rules. In return, the federal government would preempt a wide range of state and local laws.

Compliance with state legislation and common law—and the threat of class-action suits and actions by state attorneys general—have become sufficiently burdensome that some companies, such as Microsoft, already have indicated that they are open to comprehensive federal privacy legislation that would preempt conflicting state regulation. Congress could respond with a “Digital Millennium Privacy Act” that offers a parallel trade-off to that of the DMCA [Digital Millennium Copyright Act]: accept the federal government’s rules of fair dealing and gain a safe harbor from uncertain legal liability, or stand pat with the status quo.

The DMPA would provide a predictable level of federal immunity for those companies willing to subscribe to the duties of an information fiduciary and accept a corresponding process to disclose and redress privacy and security violations. As with the DMCA, those companies unwilling to take the leap would be left no worse off than they are today—subject to the tender mercies of state and local governments. But those who accept the deal would gain the consistency and calculability of a single set of nationwide rules. Even without the public giving up on any hard-fought privacy rights recognized by a single state, a company could find that becoming an information fiduciary could be far less burdensome than having to respond to multiple and conflicting state and local obligations.

The idea also applies to algorithmic discrimination and manipulation. Companies that employ algorithms in areas like finance, marketing, and employment decision making would be offered a safe harbor from state regulation if they accepted the obligations of information fiduciaries.