Use regulations offer no real protection, because businesses themselves get to choose what uses are appropriate. Worse yet, companies misusing data will have a huge legal loophole—the First Amendment. Companies have long argued that privacy rules are a form of censorship, and thus limits on use will be an abridgement of their free expression rights. The only workable situation for this problem is to require companies to contractually waive their First Amendment rights with respect to personal data.
The first U.S. privacy law, the Fair Credit Reporting Act of 1970, nicely demonstrates the pitfalls of use regulation. It places almost no limit on how data are collected and instead regulates how data are used in employment, credit, and tenancy. We have had 40 years of experience with the regime, and it governs our daily lives in important ways. Yet, in the various articles and whitepapers on the subject, the FCRA goes unmentioned.
At enactment, the FCRA was seen as a huge giveaway to industry. It created large, unaccountable bureaucracies that are notoriously unresponsive to consumers. Consumer reporting agencies regulated by the FCRA’s use-based approach used messy data and fuzzy logic in ways that produced error that was costly, but diffuse. CRAs were given broad immunity from defamation and invasion of privacy lawsuits in exchange for promises to treat individuals responsibly, but they have failed in this bargain. The use-regulation proposals just ignore this history.
In another wrinkle to the use-regulation landscape, under the PCAST framework, “analysis” of data is not considered a use. On its face, it seems reasonable to allow broad analysis of data so long as it is not incorporated into a company policy with consequences to individuals. But consider the recent Snowden revelations that analysts were looking at nude pictures of Americans, or the claims that Mark Zuckerberg of Facebook used the service to predict who was about to end a relationship. This knowledge was not used to implement any policy, yet we might not want governments and companies to be able to discover these things. By exempting analysis from privacy regulation, we valorize many data activities, even those motivated by puerile curiosity.
Use regulations, understood in context, are part of what appears to be a general strategy to eliminate legal responsibility for data companies. The proposals paint a rosy picture of responsibility, but a peek into litigation in data cases shows a systemic disrespect for law.
A recent petition to the Supreme Court fully unmasks the public policy efforts of technology companies. In Robins v. Spokeo, an unemployed man sued Spokeo for maintaining inaccurate records about him. Robins sued, arguing that Spokeo willfully violated the FCRA. However, Robins could not show that Spokeo contributed to his unemployment, nor could he show any economic injury. That lack of injury, according to the entire data industry (including Facebook, Google, and Yahoo, which filed an amicus brief on Spokeo’s behalf), should prevent Robins from suing.
In other words, even though Congress gave CRAs immunity from certain laws in exchange for fair treatment of individuals, and Spokeo is alleged to have deliberately violated those rights, Robins has no remedy.
The use-regulation policy proposal and the litigation in Spokeo adds up to a bullet-proof strategy:
1) Data companies can collect anything they want and analyze it however they please.
2) They are liable only for misuses of data, which businesses define themselves, narrowly.
3) If pressed, they can argue that use restrictions are unconstitutional censorship.
4) Companies can purposely engage in those misuses, and only be liable when it causes concrete injury.
Consider how the Target shopper who was identified as pregnant would fare under use regulations. The discovery that she was pregnant was an analysis, free from privacy rules, even if it was a fact she considered personal or wanted to keep secret. Sending pregnancy ads to her would be a use, but what firm would bar itself from such a use, even if the company knew that some would be embarrassed? In fact, if the firm wanted to use the data to charge her more for organic or natural products, it would be free to do so. If challenged by authorities, it could claim a violation of its First Amendment rights, and that the shopper was not harmed because she could have bought the products from a competitor.
The newfound support of privacy regulation among big businesses masks a radically deregulatory agenda. A regime that only pays attention to use erects a Potemkin Village of privacy. From a distance, it looks sound. But living within it we will find no shelter from the sun or rain.
This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.