Scholar argues that relying primarily on rights to protect privacy will fail to empower individuals or counter societal harms.
The right to know. The right to access. The right to correct. The right to delete.
Upon reading a list of these privacy rights, people may feel encouraged to take back control of their data. In an era when companies can use personal information to track visits to abortion clinics, discriminate in housing ads, and generate art that copies the style of existing artists, the right for people to control their own data can seem critical to many privacy advocates.
The centrality of individual rights is also clear in many privacy laws, including Europe’s General Data Protection Regulation, U.S. state privacy laws, and proposed federal legislation. But relying on individual rights as the primary way to protect privacy will fall short of achieving societal values, argues Daniel J. Solove, a professor at the George Washington University Law School, in an article.
“Privacy is about power,” Solove proclaims. And privacy rights cannot empower individuals nearly enough to close the power gap between people and the companies that possess individuals’ data.
Solove argues that any individual control is illusory because there is no way for individuals to exercise their privacy rights in a meaningful way. He characterizes privacy rights as creating an “endless burden” of unpaid, difficult, and time-consuming chores for individuals, so they do not scale. Solove explains that individuals would need to make separate requests for each privacy right to each of the hundreds of companies that collect their data, and then repeat this exercise regularly because companies are constantly collecting new data.
To rely on individual privacy rights is to send people on a “doomed quest,” according to Solove, because privacy rights are like using a “dagger” to fight an army. Solove argues that individuals cannot win this privacy war with primarily a rights-based approach.
Privacy rights also require people to manage their own privacy and Solove contends that individuals lack expertise and time to make complicated cost-benefit decisions about their data.
Solove states that the benefits are clear: access to new entertainment, information, products, and technologies. Meanwhile, Solove explains that risks are abstract and speculative. Solove emphasizes that “people are not data scientists,” so they have trouble understanding how their individual data choices can lead to adverse inferences about them or about a group to which they belong. Furthermore, Solove highlights that risks can change as a company collects more data, because the company can make more inferences about the individual that they can potentially use against the individual’s best interests.
Solove also argues that individual privacy rights are limited because they fail to address the societal dimensions of privacy.
Solove champions the role of individual privacy in contributing to shared societal goals, including democracy, civil society, freedom of speech, and nondiscrimination. But Solove explains that exercising an individual privacy right tends only to result in a company changing one individual’s record one time. And even if individuals remove their data, personal data are interrelated, Solove emphasizes, and companies can still use artificial intelligence to draw inferences about them and make decisions that impact them.
Solove acknowledges that individual privacy rights can sometimes force companies to improve privacy practices and compliance with privacy laws. But Solove maintains that these rights do little to make a dent in surveillance capitalism—the system by which companies profit from widespread collection and use of people’s personal data.
Instead, “control must come from society,” Solove argues.
To dig deeper, he analyzes each privacy right in the EU’s General Data Protection Regulation and discusses how they fail to meet privacy goals and empower people. For each privacy right, Solove proposes structural alternatives that can better meet the underlying societal goals of the individual right.
For example, Solove examines the right to correct data. He identifies one goal of this right as promoting accurate records, but he points out that this privacy right places the burden on individuals to request and proofread their own records, which may be updated frequently. Solove suggests that individuals may detect errors too late, if they discover them at all.
Courts have also proven unsupportive in enforcing privacy rights and have interpreted them narrowly, according to Solove. For example, some plaintiffs sued a credit reporting company in TransUnion v. Ramirez under the Fair Credit Reporting Act. That law requires “maximum possible accuracy” and grants a private right of action. The court held that a credit reporting agency that falsely indicated that more than 8,000 people were terrorists had potentially caused a “concrete injury” to people whose credit reports had been disclosed to others.
In contrast, plaintiffs whose inaccurate, terrorism-labelled records were not disclosed did not have standing to sue.
Given what Solove sees as the court’s evisceration of a duty for accuracy and the burden of the individual right to correction, he argues that a better structural solution to ensuring data quality would be to require a greater responsibility for companies and then for regulators to take proactive measures to enforce such responsibility. Solove emphasizes that the individual right of correction should be used as an occasional backstop, not as the primary way to ensure accurate records.
Solove argues that the right to correction also seeks to support accurate and appropriate decisions about people. He recognizes that privacy laws focus on data practices rather than substantive decisions, but clarifies that the most important goal for privacy law is to protect people from faulty decisions and promote societal values including fairness. Solove urges the use of privacy laws to ensure accurate data as a means to the larger end of ensuring quality decisions.
For every other privacy right, Solove maintains that effective privacy protections must be large-scale and structural. Due to the limitations of individual privacy rights, Solove argues that they can never be the primary mechanism for protecting privacy.
The risk, Solove warns, is that privacy rights will leave individuals with only a “mirage” of data protection and control.
