For the tenth year, FPF’s annual Privacy Papers for Policymakers program is presenting to lawmakers and regulators award-winning research representing a diversity of perspectives. Among the papers to be honored at an event at the Hart Senate Office Building on February 6, 2020 is Privacy’s Constitutional Moment and the Limits of Data Protection by Woodrow Hartzog of Northeastern University School of Law and Neil Richards of the Washington University School of Law. Whatever your perspective on potential federal privacy legislation, you’ll find this paper to be thought-provoking.
The authors present a case for national privacy legislation that looks beyond data protection and fair information processing (FIPs) principles – the central elements of the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
They argue that privacy faces a “constitutional moment” that presents an opportunity to define the structure of our budding digital society. Their position is that while data-protection-focused legislation represents an important step, data protection alone is insufficient. Instead, they suggest an approach to privacy that addresses corporate matters, trustworthy relationships, data collection and processing, and personal data’s externalities.
Corporate Privacy Matters
Hartzog and Richards argue that a framework for privacy legislation should address market power and corporate structures. For example, they write: “Privacy law should be concerned with a number of corporate matters, including limiting how the corporate form is used to shield bad actors from personal liability.” By empowering privacy officers within the corporate structure with more decision-making abilities and protection from executive pushback, policymakers could promote improved corporate responsibility. Additionally, the paper proposes increased antitrust enforcement to broadly limit the power of corporations.
The authors recommend passing legislation designed to protect the trust that people place in companies when they share personal information. Legislation could foster discretion, honesty, and loyalty to create trusting relationships between data collectors and individuals. Hartzog and Richards explain that “If companies are to keep the trust they have been given, it is not enough to be merely passively ‘open’ or ‘transparent.’ Trust requires an affirmative obligation of honesty to correct misinterpretations and to actively dispel notions of mistaken trust.”
Information Collection and Processing
Though the authors argue that the GDPR alone would be inadequate in the United States, they recognize the importance of data protection. They recommend stricter limits on data collection, rigid mandatory deletion requirements, and the prioritization of obscurity to improve upon the data protection foundations present in the GDPR.
The External Impacts of Data Collection
The authors claim that the effects of data collection go far beyond the individual, impacting the environment, mental health, civil rights, and democratic values – concerns that could be addressed in privacy legislation.
If you’re interested in “outside-the-box” thinking about the foundations of potential privacy legislation, you’ll want to read the full paper.
The Privacy Papers for Policymakers project’s goal is to put diverse academic perspectives in front of policymakers to inform the development of privacy legislation. You can view all of this year’s award-winning papers on the FPF website. For more information or to RSVP, please visit this page.