Law and Economics Seminar – Reaction Paper 6 (March 17)

1) Would in some instances mandatory and nonwaivable rules be a justified policy approach in privacy law?

The discussion proposed here builds on the idea of questioning the role of consent on

normative grounds, as several commentators mentioned in footnote 12 have done, taking into

account that privacy can be viewed as having a social value as well.

Siding with those commentators cited in the referred footnote, one could argue that

despite the general normative standard for allowing the dispositive role of consent in determining

privacy rights, in some instances having statutory limitations governing the role of consent in

privacy questions would be a justifiable policy approach.

This proposition does not deny the social desirability of granting a dispositive role for

consent as a sufficient element to allow the disclosure of private information in most cases, but

rather questions to what extent individual consent should be evaluated through judicial oversight

in some specific instances. In other words, there would be certain circumstances under which

resting solely on consent could provide insufficient privacy protection.

Some of these instances would involve consents to conduct of another party intended to

invade interests related to specific sensitive privacy rights that are liable to result in greater harm

for individuals, such as health data.

Besides, judicial oversight could also de advocated for those instances that involve a

relationship between a company and an individual who under a power imbalance is placed at a

clearly weaker position, where due to information asymmetry or economic pressure (e.g. an

employee that agrees to submit to workplace drug testing because he desperately needs the job)

the latter cannot rationally weight the consequences of agreeing to have his privacy invaded.

The rationale behind advocating in favor of judicial oversight for specific privacy rights

scenarios would mainly be the preservation of the social value that privacy has in addition to the

more explicit individual value.

The approach under analysis would consist in statutory provisions foreseeing that specific

privacy rights cannot be waived through an agreement between parties. In these cases, individual

would have to submit written consents during litigation, which could be closely monitored by

judges with the objective of assessing the meaningfulness of such consent.

Courts can evaluate the concrete circumstances of each case in order to determine, for

instance, (i) if the individual was properly informed of the consequences of allowing his personal

data to be used by the other party; (ii) if he consented against his will merely because of a lack of

bargaining power from his part; (iii) if crucial perspective needed for appreciating the situation

was available; (iv) if proper contractual options were offered (i.e. to contract with or without

privacy disclosure, as opposed to “all-or-nothing” contracts) etc.

Of course the proposition at hand has an important caveat, since it would add

considerable complexity and costs to companies interested in obtaining some types of private

data (by requiring the courts to intervene), as well uncertainty (since the judicial outcome could

be at best estimated within a reasonable range, but never known in advance with precision). The

question that policymakers thus have to face is whether the social benefits of requiring judicial

oversight of private data disclosure in some instances justify the inefficiencies that such

approach would inevitably cause.

2) Should the debate focus on the use of private data besides its collection?

Another issue that is marginally discussed in the paper but also raises interesting

concerns is whether the debate should involve the question of how effectively privacy law

protects the use and dissemination of data collected with the acquiescence of the individual.

Said concerns are justified by the flourishing of a dynamic and strong “database industry”

in the last couple decades and the related emergence of the internet as an environment where

individuals routinely share a plethora of personal information with companies (social networks,

e-sellers etc.), sometimes without proper awareness of how and by whom such information will

be used or even transferred to third parties.

As several commentators argue1, the patchwork of current US privacy rules could be

regarded as outdated and with limited effectiveness regarding the issue at hand, thereby failing to

fully protect individuals from the misuse of data that employers and companies collect from

them.

A possible approach to the problem would consist in passing a broad and comprehensive

federal law to effectively govern the use and dissemination of personal data collected by

companies and employers, complementing (or in part overriding) current regulations on the

issue, and possibly establishing a national agency to oversee the protection of such data and

place limits on its use and transfer to third parties, including but not limited to commercial

databases.

In an interesting comparative law perspective, the European legislation on privacy rights

seems to focus on the protection of data collected from individuals rather than on its collection,

as evidenced by the all-encompassing 1995 European Union Directive on Data Protection and

the strong role played by the European Data Protection Supervisor (EDPS)2.1 See, for instance, Daniel J. Solove and Chris Jay Hoofnagle, A Model Regime of Privacy Protection, 2005, p. 7-10, Available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=699701&rec=1&srcabs=6819022 According to its website, the EDPS “is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies”. See http://www.edps.europa.eu/EDPSWEB/edps/pid/1?lang=en

Furthermore, one has to consider the fundamental lack of scholarly consensus regarding

the appropriate general definition of “privacy” on legal grounds, as the paper at hand points out.

Focusing on the use of private data collected by companies and employers could allow

policymakers to circumvent this complex issue and devise better strategies to protect privacy,

since even when individuals manifest informed and reasonable consent to the collection of their

personal information, the use of this information might be improperly handled.

Finally, analogously to the previous question, the one at hand would also have an obvious

downside, as enhancing the protection of personal data collected by companies and employers

could create considerable transactional costs and reduce US companies’ competitiveness in the

international market. Striking a balance between both values – privacy protection and economic

efficiency – is a complex task. Hence policymakers have to evaluate whether the social benefits

of increasing privacy protection (by limiting and controlling the use of personal data collected by

companies and employers) would justify such inefficiencies.