Since we read Privacy
in Atlantis, I’ve been thinking about the initial allocation of rights to
information. In that article, the authors conclude pretty quickly that the
rights to information about an individual ought to be initially allocated to
that individual. But I think this conclusion deserves a more robust discussion.
At its core, this debate is really about the risks and rewards
offered by the use of information related to individuals. There’s a pretty good argument that the rewards of access to
information are so substantial that the default position ought to be to allocate
information rights to the public unless there is a reason not to. Jane
Yakowitz has written persuasively that data, at least de-identified data,
is a common good and public access ought to be maintained in most situations.
For example, Yakowitz notes that empirical research using public data was
responsible for debunking racist theories that Caucasians are cognitively
superior.
Economic
theory tells us that the most efficient rule is the one that has the fewest
exceptions because carving exceptions out of the default rule is costly. So if we think that it is better to use data
related to individuals as a public good most of the time, then we should default
to allocating information rights to the public. On the other hand, if we think
that most of the time data related to individuals presents the risk of harm, we
ought to allocate rights to individual information to the individuals
themselves. So it seems that, rather intuitively, we should make the initial
allocation of rights based on whether harms outweigh public goods.
My feeling is that we need not make this decision for all kinds of information at once.
We don’t need to have a single unifying theory of privacy for all pots of
information. Even though it might be economically efficient to have a single rule with minimal exceptions, such a rule might not balance risks and rewards very well. A unified approach privileges theoretical consistency over reality,
which seems a bit silly to me. So if I were running the world, I’d identify pots
of information where the balance clearly goes in one direction. For example,
health information and financial information are particularly sensitive and so
the risks are high. For this reason, we ought to initially allocate rights to
that information to the individual and robustly protect those rights. By contrast, information about individuals’
shopping or television viewing patterns has high economic value and presents relatively
minimal risks, so this information should be freely usable.
So the problem comes up at the margins, where the weighing of
harms and benefits isn’t obviously tilted in one direction.
One problem with this
analysis is that both the value of information in the public domain and the privacy
risks posed by unauthorized uses of information are unpredictable. Given this
fact, maybe it’s not really a matter of deciding whether the risks or values are
larger, but a question of how we want to handle uncertainty. In environmental
regulation, there’s been a movement toward the application of the precautionary
principle which dictates that when harms are uncertain, the best course of
action is to assume the harms will materialize and protect against them. Some have suggested that the precautionary principle is a good
model for privacy
regulation. I’m inclined against the
precautionary principle, at least when reflexively applied. It seems to me that
a more careful and context-specific analysis of probable risks and rewards,
even while costly to conduct because of the inherent uncertainty involved,
will produce a better balance of individual rights and common goods.
Do you think this differs substantially from what we actually do? Because it seems like our current privacy regulations in the U.S. have largely done this, even if by accident. That is, we have much more robust protection for the sorts of sensitive data you mention, whereas most data about your purchasing habits (for example) can be used and often sold without your consent.
I also wonder if your view would change if you started from the assumption that there's no such thing as de-identified data (since it sounds like, if this isn't true already, it soon will be). I completely agree that privacy interests in data about TV viewing and purchasing habits are minimal when you assume that the data is de-identified and probably being used in the aggregate anyway. But my gut reaction is that the calculus changes a bit if all that information can be traced back to you. That might be wrong -- who's going to re-identify all that data anyway? -- but it may not be so far-fetched to think that dossiers detailing all the data collected about individuals could be produced. Should that be in the public domain? And if not, at what point do we start shifting the allocation of rights over seemingly innocuous data back to the individual?