Giving People Property Rights In Data Will Not Solve Privacy, But...
Online privacy can't be solved by giving people new property rights in personal data. That idea is based on a raft of conceptual errors. But consumers are already exercising property rights, using them to negotiate the trade-offs involved in using online commercial products.
People mean a lot of different things when they say "privacy." Let's stipulate that the subject here is control of personal information. There are equal or more salient interests and concerns sometimes lumped in with privacy. These include the fairness and accuracy of big institutions' algorithmic decision-making, concerns with commodification or commercialization of online life, and personal and financial security.
Consumers' use of online services will always have privacy costs and risks. That tension is a competitive dimension of consumer Internet services that should never be "solved." Why should it be? Some consumers are entirely rational to recognize the commercial and social benefits they get from sharing information. Many others don't want their information out there. The costs and risks are too great in their personal calculi. Services will change over time, of course, and consumers' interests will, too. Long live the privacy tension.
Online privacy is not an all-or-nothing proposition. People adjust their use of social media and online services based on perceived risks. They select among options, use services pseudonymously, and curtail and shade what they share. So, to the extent online media and services appear unsafe or irresponsible, they lose business and thus revenue. There is no market failure, in the sense used in economics.
Of course, there are failures of the common sort all around. People say they care about privacy, but don't do much to protect it. Network effects and other economies of scale make for fewer options in online services and social media, so there are fewer privacy options, much less bespoke privacy policies. And companies sometimes fail to understand or abide by their privacy policies.
Those privacy policies are contracts. They divide up property rights in personal information very subtly - so subtly, indeed, that it might be worth reviewing what property is: a bundle of rights to possess, use, subdivide, trade or sell, abandon, destroy, profit, and exclude others from the things in the world.
The typical privacy policy vests the right to possess data with the service provider - a bailment, in legal terminology. The service provider gets certain rights to use the data, the right to generate and use non-personal information from the data, and so on. But the consumer maintains most rights to exclude others from data about them, which is all-important privacy protection. That's subject to certain exceptions, such as responding to emergencies, protecting the network or service, and complying with valid legal processes.
When companies violate their privacy promises, they're at risk from public enforcement actions - from Attorneys General and the Federal Trade Commission in the United States, for example - and lawsuits, including class actions. Payouts to consumers aren't typically great because individualized damages aren't great. But there are economies of scale here, too. Paying a little bit to a lot of people is expensive.
A solution? Hardly. It's more like an ongoing conversation, administered collectively and episodically through consumption trends, news reporting, public awareness, consumer advocacy, lawsuits, legislative pressure, and more. It's not a satisfactory conversation, but it probably beats politics and elections for discovering what consumers really want in the multi-dimensional tug-of-war among privacy, convenience, low prices, social interaction, security, and more.
There is appeal in declaring privacy a human right and determining to give people more of it, but privacy itself fits poorly into a fundamental-rights framework. People protect privacy in the shelter of other rights - common law and constitutional rights in the United States. They routinely dispense with privacy in favor of other interests. Privacy is better thought of as an economic good. Some people want a lot of it. Some people want less. There are endless varieties and flavors.
In contrast to what's already happening, most of the discussion about property rights in personal data assumes that such rights must come from legislative action - a property-rights system designed by legal and sociological experts. But experts, advocates, and energetic lawmakers lack the capacity to discern how things are supposed to come out, especially given ongoing changes in both technology and consumers' information wants and needs.
An interesting objection to creating new property rights in personal data is that people might continue to trade personal data, as they do now, for other goods such as low- or no-cost services. That complaint - that consumers might get what they want - reveals that most proposals to bestow new property rights from above are really information regulations in disguise. Were any such proposal implemented, it would contend strongly in the metaphysical contest to be the most intrusive yet impotent regulatory regime yet devised. Just look at the planned property-rights system in intellectual property legislation. Highly arguable net benefits come with a congeries of dangers to many values the Internet holds dear.
The better property rights system is the one we've got. Through it, real consumers are roughly and unsatisfactorily pursuing privacy as they will. They often - but not always - cede privacy in favor of other things they want more, learning the ideal mix of privacy and other goods through trial and error. In the end, the "privacy problem" will no more be solved than the "price problem," the "quality problem," or the "features problem." Consumers will always want more and better stuff at a lower cost, whether costs are denominated in dollars, effort, time, or privacy.
Jim Harper is a visiting fellow at the American Enterprise Institute and a senior research fellow at the University of Arizona James E. Rogers College of Law.