One of the arguments that some people make about privacy legislation is that individuals’ personal information should be treated as their property. At first blush, this may seem like an appealing idea. Why shouldn’t we be paid when companies use our data? But that’s the wrong approach to privacy.
Privacy is a human right.
This concept is the foundation for the privacy regulation around the world. In their landmark 1890 Harvard Law Review article, Samuel D. Warren and Louis D. Brandeis discuss how the concept of privacy must be thought of broadly, beyond the narrow confines of property rights, as a “right to be left alone.”
In 1948, the United Nations issued the Universal Declaration of Human Rights which states, in Article 12:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
The European General Data Protection Regulation (GDPR) also recognizes privacy as a right to which every person is entitled. It begins with this observation:
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
The GDPR goes on to describe specific rights of individuals to access, correct, port, and delete data about them, and to object to profiling using that data. None of this is predicated on the individuals’ owning the data. It is based on their rights to the protection of their personal data.
Many U.S. states enshrine the right to privacy in their constitutions. For instance, Article 1 Section 1 of the California state constitution says:
All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.
While it’s common to use phrases such as “your data” or “the consumer’s data” in talking about privacy, this is not meant in the sense of the data being property owned by the individual. It’s simply short-hand for data about the individual.
What’s wrong with the idea of treating data about individuals as their property?
Property is a commodity that you can sell or even give away. Privacy is a human right, however, not a commodity. We have other human rights – for instance, rights against discrimination in housing, credit, employment and education based on our race, sex, ethnicity and other personal characteristics. Should we be able to agree to trade away those rights in exchange for money or some kind of “freebie”? We don’t allow that because it wouldn’t be fair and runs contrary to our values. The people who would be most vulnerable to such offers are those who are the most disadvantaged to begin with: people who are struggling financially, people who are the least-educated, young people who don’t yet have a lot of life experience, and people with disabilities or other challenges that could make them easy to exploit.
When the Federal Communications Commission (FCC) was considering broadband privacy rules, many consumer, privacy, and civil rights groups, including CFA, urged it to bar internet service providers from offering consumers discounts or other incentives in exchange for giving up their privacy rights. As we explained:
Consumers also should not be asked to pay to protect their privacy. A recent survey showed that most Americans do not feel that trading their privacy for a discount is a fair deal. It is not. Tempted by the lure of a bargain, consumers may not take the time to understand and consider the consequences of opting in. Furthermore, for consumers who are struggling financially, it is not really a free choice. Pay-for-privacy would create a two-tier system in which consumers who can afford privacy will get it, and those who cannot will not. It is runs contrary to the public policy goals of inclusion and bridging the digital divide.
The FCC promised to examine this practice on a case-by-case basis; Congress’s repeal of the rules made the matter moot, but the danger remains. It is very concerning that the new California Consumer Privacy Act allows consumers to be enticed to waive some of their privacy rights in exchange for financial incentives, and this should be changed. When California Governor Newcomb floated the idea of “data dividend,” it was panned in the privacy community. CFA and 15 other consumer, privacy and civil rights groups have issued a framework for federal privacy legislation that explicitly prohibits “pay-for-privacy.”
Viewing our personal data as a commodity leads down the slippery slope to considering people as commodities that can be bought and sold. But we are not slaves to commercial interests. What’s more, we are seldom in an equal bargaining position with businesses, and that is especially true in privacy, which is highly subjective and where the harms are hard to predict or quantify. There is no way that we can realistically “price” giving up our privacy rights because the potential impact is unknown and unknowable. Furthermore, creating a marketplace for our personal information would require an Orwellian system for monitoring it, when what we want is to be able to go about our lives without our every move being tracked.
People may think of data about them as their data, and that’s fine. But what they are demanding is rights in regard to that data: the right to know what information is collected about them, how it’s used, with whom it’s shared, and for what purposes; the right to data accuracy and security; the right to be protected from data being collected and used in ways they don’t want and that could result in being treated unfairly; and the right to be able to hold companies accountable for violating their privacy. These rights should be the focus of legislative action in the states and Congress. The concept of personal information as property is a gimmick that has no place in our public policy.