Valuing Privacy Harms while Structuring Data Governance

Guest Blogger

For the Balkinization Symposium on Ignacio Cofone, The Privacy Fallacy: Harm and Power in the Information Economy Cambridge University Press (2023).

Frank Pasquale 

Ignacio Cofone’s The Privacy Fallacy is an important contribution to a rapidly growing literature on data protection. He critiques over-reliance on contract law in the governance of data, and the need for tort principles to compensate for (and deter) privacy harms. He articulates a complex theory of privacy liability that is capacious enough to address a wide range of harms arising out of data breaches, misuses of sensitive information, and other wrongs. This post is largely an appreciation of the book, with a few closing thoughts on two areas of future work it invites: better valuation of privacy harms, and more robust structures of data governance.

          Cofone sets the stage by arguing that a core legal rationale for the obligations and opportunities embedded in digital data transactions today is a lie. As he observes: 

Privacy consent is an illusion. Consent-based privacy protections allow corporations to do as they please with people’s data as long as they’re able to extract superficial agreement. We routinely experience this (lack of) protection when we mechanically click “I agree” to websites’ and apps’ terms of service. Individual consent provisions fail to address the harms produced by aggregated, inferred, and relational data. They ignore information asymmetry, lack of choices, and unequal bargaining (66). 

Far too many contracts “unshackle[] informational exploitation” rather than offering robust protections.

Aware of this, many voices in privacy law have tried to improve consent—for example, by making it more informed. Cofone calls these “traditionalist solutions,” and many do seem obsolete. The overwhelming weight of dark patterns and manipulation online, as well as the many offline pressures contributing to social acceleration, make it exceptionally difficult for any consumer to sagely weigh the costs and benefits of granting data to one entity and denying it to another. As Cofone argues, “information overload prevents us from realizing how much risk our information involves.”

This is a critically important set of observations, because it helps turn upside down the longstanding effort by to trivialize privacy injuries as speculative. Both in damages determinations and in standing doctrine, US courts are all too willing to deny or marginalize a claim based on a data breach or invasion of privacy because of the plaintiff’s inability to demonstrate the concrete and particular harm arising out of a particular offense. But that very same rationale--the great difficulty of predicting when and where data will be used against someone--also undermines the legitimacy of any contract premised on a data subject’s rational projection of the costs and benefits of the transaction.

While many scholars have exposed the hollow normative core of privacy policies, Cofone marshals arguments here with expertise and force. He also offers a quite conditional endorsement of reformist measures, judging that “moving privacy consent from an opt-out to an opt-in model, establishing contract law mechanisms, and reinforcing privacy notices….work as palliative solutions that are helpful only as long as they don’t distract from meaningful ones.”

So what are these meaningful forms of regulation? Cofone gives an overview of at least three. First, there should be prohibitions of “high-risk data practices, likely to be against collective best interests” (104). Presumably such high-risk practices would include several of the specific misuses of data Cofone profiles in the book, which give a “human face” to what is an often-abstract enterprise. Cofone also proposes that the “noncompliant corporation faces a fine (public enforcement), monetary damages (private right of action), or both” (105). The “both” option would be a useful upgrade to, for example, federal U.S. health privacy law enforcement, where at present the Health Insurance Portability and Accountability Act (HIPAA) only permits fines.

Second, Cofone counsels for more use of standards in privacy regulation, instead of rigid rules. Facing a fast-moving market for data, regulators need the broad authority inherent in authorities like “data minimization” standards, which “corporations to consider alternatives and adopt the one that requires the least data to achieve the desired outcome” (106). “Privacy by design” is another such standard, focused on the planning of product and service offerings.  Though firms will complain about standards’ indeterminacy, it is blackletter U.S. administrative law that agencies have some degree of discretion in choosing between rulemaking and adjudication to enforce a statute, absent some direct legislative mandate for one or the other approach. Moreover, as Cofone notes, repeated application will “flesh out” a standard.

Third, Cofone examines one particular overarching standard—that of a fiduciary—as a way of re-orienting data processors toward recognizing the best interests of those whose data they collect.  There has been fierce debate over the information fiduciary standard (as first developed by Jack Balkin) since Lina Khan and David Pozen published their “A Skeptical View of Information Fiduciaries” in 2019. Cofone acknowledges the value of the fiduciary approach, as well as the validity of some issues the critics raise. In Chapters 6 and 7 of the book he proposes alternative forms of liability for many troubling data practices, based on an analysis of a wide range of potential harms caused by negligent or reckless collection, analysis, and use of data.

Cofone’s list of objective data harms is worth quoting in full: 

Data harms include reputational harm (for example, when employers find inaccurate information about a job candidate), financial harm (such as identity theft), physical harm (like doxing, where the disclosure of personal information often leads to bodily harm), discrimination (for example, when a member of a nonvisible minority is outed), and harms to democracy (such as when someone’s tricked into voting for a candidate they wouldn’t have voted for otherwise). 

Cofone argues that all these harms involve actual adverse consequences to data subjects. (Some are also known as “consequential harms” in U.S. caselaw.) Rife with comparative insights, The Privacy Fallacy also demonstrates that they constitute “material harms” pursuant to the GDPR. Cofone creatively analogizes such harms to battery, and argues that, just as psychological harms arising out of a battery can be compensated, so too should psychological or subjective harms (arising out of the material and objective harms of data practices) be compensable. (This is a nice adjunct to arguments for greater recognition of subjective distress in Citron & Solove’s classic “Privacy Harms” article.) However, his survey of U.S., Canadian, and European rulings in the area shows that there are numerous hurdles to assuring compensation for the full range of privacy harms, as well as some important opportunities.

          For Cofone, there are numerous routes for assuring better remedies for privacy harms. On his account, “Liability can be brought through three legal pathways. First, when a data practice breaches a privacy or data protection statute (for example, breaching someone’s right to know). Second, through a violation of data security law (for example, failing to notify [data subjects about] a data breach [affecting them]). Third, through privacy torts in common law jurisdictions or the law of obligations in civil law jurisdictions (for example, intrusion upon seclusion)” (139).  He notes that while, on paper, the GDPR gives far greater scope for private rights of action than the U.S., most privacy enforcement in Europe is still public.

          To broaden the scope for privacy protection, Cofone proposes a private right of action [PRA] in privacy laws, broader and more forceful than extant PRAs in U.S. federal and state statutes, and those in the GDPR. A key reform appears to be legislation that guarantees that “the right to sue doesn’t hinge on material, consequential harm” (143). He also wants to ensure that the right to sue survives exculpatory clauses sure to be included in online terms of service. Cofone points to hopeful signs in Commonwealth countries’ privacy jurisprudence that expand privacy rights to address modern threats and respect modern mores.  He also tours the varied successes and failures of efforts to expand privacy liability beyond tangible, consequential harm, to include immaterial harm. For Cofone, “courts can and should focus on privacy harm, rather than consequential harms, produced by data practices that breach statutory rules or privacy policies – that is, taking the opposite direction of the US Supreme Court in the TransUnion case.” The remainder of the chapter examines whether liability’s basis should be negligence or no-fault, and the procedural dimensions of the expanded privacy liability Cofone proposes. 

Valuation and Governance in a Dual Remedial Regime  

          The Privacy Fallacy offers an ambitious vision for better vindicating privacy rights. It also suggests an expansive research agenda for future work. Two questions particularly intrigue me going forward. First, what methods of valuation might best ensure just remedies for wronged data subjects? Second, how should courts and regulators coordinate in order to rationally divide the labor of privacy protection?  We might explore each of these through the lens of a concrete example explored by Cofone throughout the book: the dating app Grindr’s sale of “its users’ personal information to third parties, which included sexual orientation and HIV status.”

          As for the first question, Cofone mentions that Grindr faced a “historic fine” imposed by the Norwegian DPA for its misdeeds: €9,600,000, or ten percent of its global revenue in 2020 (according to the DPA’s website). Cofone recommends dual remedial regimes, where victims of illegal data practices can sue in courts, while regulators pursue parallel administrative proceedings. One issue that arises out of this dual regime is how to coordinate damages, and their respective purposes. I am not certain as to whether DPAs keep the fines they collect, or seek to compensate victims with them, or some combination of those goals. I assume that, by proposing a dual remedial regime, Cofone would prefer for the DPAs to keep the fines (to better fund future investigations), at least up to a point, while encouraging courts to find proper levels of compensation—but more clarity on this point would be welcome.

          At the judicial level, proper levels of compensation are a fascinating topic. Cofone cites an article by Jojo Y.C. Mo with extensive discussion of remedies, and I hope the field follows both Mo’s and Cofone’s lead in exploring the proper level of punishment and compensation due. After another HIV-related privacy breach, Aetna (a US insurer) settled a case involving the illegal revelation of about 12,000 persons’ status for $17 million—roughly $1,400 per person had it been distributed equally. This figure is the same order of magnitude as the £3500 and £5000 privacy damages awards in Britain mentioned in Mo’s article. The £3500 case involved a famous model, who was photographed leaving a drug rehabilitation clinic, and who recovered damages for misuse of private information. The small award does not seem like adequate recompense for the anguish the model suffered. Nor does it seem likely to deter major media firms from engaging in similarly invasive conduct in the future. But Britain is a loser-pays legal system, and presumably the model incurred high attorneys fees to press her case.

I hope to see future work exploring the bases of privacy harm valuations. Perhaps they reflect the theories of probabilistic harm explored by Cofone. The Aetna breach occurred because “the fact that [affected data subjects] had been taking HIV drugs was revealed through the clear window of the envelope” sent to them, which contained a letter regarding a prior Aetna privacy violation. The settlement established a two-tier remedy framework, according to reporting on the case: 

As part of the payout, the law firms are setting aside at least $12 million for payments of at least $500 to the estimated 11,875 people who may have received a letter exposing that information. . . . A fund will be set up for those who experienced additional financial or emotional distress. Individuals will be able to claim up to $20,000. The rest of the money will go toward legal fees and costs. 

On one level, this seems like a sensible outcome. Some claimants may not have had any impact from the careless printing of the HIV-related information on the envelope window. The $500 award to them simply serves to deter misconduct, rather than to recompense harm. However, on the opposite end of the scale, the $20,000 figure seems inadequate to truly recompense plausible “worst case scenarios,” given the potential for stigma documented in the complaint.

For example, it is possible that one in a thousand persons had truly catastrophic results from the breach—say, being disowned, ostracized, shunned, or fired once the information spread. The distress and economic damage arising out of those catastrophic cases might be valued at $1 million or more. It is relatively easy to imagine tragic sequelae of a privacy violation—and the unimaginative can find instruction in the facts of Doe v. Medlantic. But this raises other difficult questions. For example, when should class action settlements be shared equally by members of the class, and when should those who are particularly harmed receive more? Perhaps the latter lost their right to make their own individual case when they failed to opt out. But fuller consideration of these issues would enrich future discussions of the privacy class actions which Cofone endorses.

A second question that arose for me after reading The Privacy Fallacy was the proper coordination of non-monetary, judicial remedies with regulators’ demands. It seems that plaintiffs who demand equitable remedies are in a sense acting as private attorneys general (in U.S. parlance). To offer a concrete example: PRAs in California filed pursuant to the California Consumer Privacy Act (CCPA) may give rise to equitable remedies that duplicate, exceed, or fall short of relevant regulatory requirements crafted by the California Privacy Protection Agency (CPPA). It would seem advisable for courts to at least consult these regulatory requirements. And when courts prescribe equitable remedies whose demands exceed what regulators presently demand, that should be an opportunity for the CPPA to re-examine whether its own regulations are too lax.

It is to Cofone’s great credit that The Privacy Fallacy raises such intriguing questions. The book clearly advances our understanding of the difficult challenges ahead in balancing the rights of businesses and consumers, as well as the responsibilities of supranational, national, and subnational regulators. I look forward to Cofone’s further work in the area, as his remarkably cosmopolitan perspective and passion for social justice greatly enriches contemporary privacy law discourse.