TABLE OF CONTENTS
I. INTRODUCTION
II. THE REGIME'S THEORETICAL AND PRACTICAL UNDERPINNINGS
   A. A Dichotomy of Privacy Harms
   B. Privacy Harm Insights from the United States' Sectoral Approach
III. PROPOSING A NEW REGIME
   A. The Regime Itself
   B. Why Industry and Consumers Might Accept the Regime
      1. State Law Preemption
      2. Reduced Private Litigation and Transaction Costs
      3. Better Vindication of Consumer Rights
IV. CONCLUSION

I. INTRODUCTION
The near anarchy of digital privacy governance has come to a halt. Data breaches and widespread privacy violations have shown that the current regulatory landscape does not adequately protect consumers. More recent scandals have increased public urgency to address this problem. Equifax's 2017 data breach exposed 147 million Americans' personal data. (1) These millions may suffer identity theft, economic harm, and the autonomy injury of having sensitive information made public without their consent. And from 2014 through the 2016 U.S. presidential election, Cambridge Analytica illicitly harvested over 87 million Facebook user profiles and used this data to influence voting behavior. (2)
Responding to these and many other privacy scandals, governments unveiled sweeping privacy regulations. Most notably in 2016, the European Union ("E.U.") approved the General Data Protection Regulation ("GDPR"), which fundamentally altered how companies can process an E.U. individual's data. (3) Two years later, California enacted the California Consumer Privacy Act ("CCPA"). (4) Once in force, the CCPA will regulate most aspects of data privacy and processing. (5) This contrasts sharply with the sectoral (and arguably deficient) federal privacy regime in the U.S. (6) At the federal level, several legislators have introduced omnibus privacy bills of varying scope. (7) Countless class action lawsuits have sought damages for privacy harms against this backdrop, but most have failed. (8)
The U.S., E.U., and California's disparate responses to privacy violations stem from difficulty in defining both privacy and its attendant harms. Privacy harms bridge the ethereal and the concrete, including both inherent privacy harms and concrete attendant harms arising from specific violations of individuals' privacy. This duality hamstrings legislatures and courts ill-prepared to combat information-age injuries. This Note proposes an enforcement regime that reflects this ethereal-concrete divide. In whichever substantive regulatory scheme legislators enact, they should bifurcate privacy enforcement to reflect this divide. Specifically, an enforcement regime should (1) empower the federal government to litigate statutory damages for inherent privacy harms and (2) restrict private litigation to resolving only the attendant injuries that result from privacy violations. The government would distribute to affected consumers the statutory damages, which would differ according to each distinct type of data unlawfully disclosed and the context in which the data was disclosed. Together, these elements resemble the Medicare Physician Fee Schedule's ("MPFS") structure. (9) This granular, contextual approach aligns the penalties--and therefore compensation--with the privacy harm's severity. To avoid double recovery, only concrete attendant injuries flowing from a privacy violation would merit private litigation. Part II addresses this regime's theoretical and practical underpinnings. Part III details the regime's structure and why stakeholders might ultimately support it. Part IV concludes.
II. THE REGIME'S THEORETICAL AND PRACTICAL UNDERPINNINGS
Privacy has consistently eluded simple definition. (10) Privacy's attendant harms likewise strain against simple definition. (11) Consequently, this Note does not fully define privacy harm and instead employs an instrumental framework. (12) In particular, the regime bifurcates privacy enforcement. First, the government would enforce inherent privacy harms. Two complementary conceptualizations of privacy drive this prong's structure, which adopts a modified fee schedule for disclosing different types of data. This approach parallels both privacy theory and the U.S.'s sectoral approach to regulating privacy. Second, this regime allows a private party to litigate only the attendant harms that stemmed from violating her privacy. This Part first illustrates how conceptualizing privacy harm as inherent or attendant supports bifurcating enforcement. It then explores the U.S.'s sectoral approach through the lens of "contextual integrity." (13) This exploration illustrates that sectoral privacy regulation implies that society values different data types differently. The penalties associated with these harms should vary accordingly.
A. A Dichotomy of Privacy Harms
This Note delineates privacy injuries into two distinct types: inherent privacy harms and attendant privacy harms arising from violations of one's privacy. The latter embraces definition more readily than the former. An attendant harm maps onto traditional privacy-related torts. One example is when phishing scammers steal one's identity or leak sensitive information damaging one's reputation. These (often economic) harms surmount Article III standing's hurdle relatively easily. (14) They mirror the sort of harm that the Supreme Court requires under Spokeo, Inc. v. Robins. (15) There, Spokeo, a people search engine, aggregated and disseminated partially inaccurate information about plaintiff Thomas Robins. Despite Spokeo arguably violating Robins' inherent privacy, the Court dismissed the claim. (16) Merely violating the Fair Credit Reporting Act did not confer standing. (17) Instead, standing required a concrete harm. (18) Similarly, courts have required manifest economic injury in many data breach class actions. (19) For example, in Resnick v. AvMed, (20) the court recognized the standing of data breach victims who suffered actual instances of identity theft. (21) Some courts, however, have conferred standing for the mere potential for identity theft. (22) While these decisions often still couch privacy harm in the language of pocketbook injuries, they recognize that violating one's privacy and exposing one's data harms the individual even if a data breach does not manifest monetarily.
As these courts have begun to recognize, privacy harm exists beyond the purely economic. Inherent privacy harms have been characterized in a variety of ways. First, they may intrude upon one's "inviolate personality." (23) Second, they may create a less favorable "context for respect, love, friendship, and trust" to blossom. (24) Third, they may shrink one's "realm of intimacy"--a space necessary for forming and strengthening intimate relationships. (25) Fourth, the harms may violate the victim's informational autonomy. (26) Fifth, they might just instill in the victim the disconcerting feeling of a complete stranger rifling through one's once private information. Focusing on a data breach's economic harm, consequences, or even resulting emotional distress fails to encapsulate privacy harm's nature. Another category, defined in this Note as an "inherent privacy harm," must exist--even if no one can agree on its definition. (27)
This Note's proposed incorporation of inherent privacy harm partially mirrors Ryan Calo's subjective-objective dichotomy. (28) Calo categorizes privacy harm in relation to its victim. Subjective harms manifest within the victim and stem "from the perception of unwanted observation." (29) This half of the privacy harm spectrum often inflicts emotional discomfort or distress. (30) Conversely, objective privacy harm exists solely external to the victim. (31) Calo predicates this harm on "the forced or unanticipated use of information about a person against that person." (32) This harm sweeps far more broadly than its counterpart. Objective harms include any instance in which private information facilitates an adverse action or crime against its subject. (33) Calo's delineation of privacy harms into distinct categories provides an effective tool to examine privacy harms. (34)
The regime proposed in this Note builds on Calo's categoric approach but narrows his subjective harm category to harm inherent to violating one's privacy. Where Calo's dichotomy hinges on the harm's relationship to the victim, this Note's dichotomy looks to the nature of privacy itself. Where Calo might vary privacy harm and enforcement by person, this Note's regime would not. Consequently, it diverges in two significant ways. First, the Note's "inherent privacy harm" does not incorporate fraught emotional states or exacerbated data misuse fears. By defining inherent harms more narrowly than subjective ones, the Note does not use or view privacy as a means to an end. If privacy stands as a fundamental right in itself, then using privacy only to protect one's emotional state degrades privacy's inherent importance. Further, this Note's definition avoids making harm relative to a victim's emotional constitution.
Second, the Note's inherent harm category is narrowed to a more universal, standardized harm. This would better allow courts to adjudicate large-scale privacy harms efficiently. If one viewed privacy harms subjectively, litigating a data breach would require analyzing every affected party's emotional vulnerability and injury. Although courts could average amounts of harm or employ heuristics, this would untether their analyses from Calo's "subjective harms." This narrow category of harm inheres to the injury to privacy itself. Under this theory, one would remediate true emotional distress as a harm flowing from violations of one's privacy. Consequently, an enforcement regime should explicitly redress violations of this inherent privacy right and compensate for objective harms flowing from the violation. (35) A European trend towards increasing damages for dignitary privacy harms supports this...