A GENERAL DEFENSE OF INFORMATION FIDUCIARIES.

• Author: Tuch, Andrew F.
• Position: Response to Lina M. Khan and David E. Pozen, Harvard Law Review, vol. 133, p. 497, 2019

ABSTRACT

Countless high-profile abuses of user data by leading technology companies have raised a basic question: should firms that traffic in user data be held legally responsible to their users as "information fiduciaries"? Privacy legislation to impose fiduciary-like duties on data collectors enjoys bipartisan support but faces strong opposition from scholars. First, critics argue that the information-fiduciary concept flies in the face of fundamental corporate law principles that require firms to prioritize shareholder interests over those of consumers. Second, it is said that the overwhelming self-interest of large technology companies makes fiduciary loyalty impossible as a practical matter from the outset.

This Essay finds neither objection convincing. The first objection rests on a mischaracterization of corporate law, which in reality would require compliance with user-regarding fiduciary obligations--the opposite of what critics fear. The second objection fails to convince because fiduciary law has proven itself adaptable enough to survive such challenges in other settings, such as in the asset management industry. The second objection nevertheless reveals a need for greater specificity of the scope and intensity of fiduciary duties that would be imposed under the information fiduciary model. Even so, neither objection plausibly undermines the model.

TABLE OF CONTENTS INTRODUCTION I. CLAIMED TENSION WITH CORPORATE LAW A. The Problem of Conflicting Fiduciary Obligations B. Fiduciary Duties Owed by Whom? C. The Risk of Directorial Breach D. The Requirement to Act Within the Law E. Potential Reach of Critics' Claims II. CLAIMED INCOMPATIBILITY WITH DIGITAL COMPANIES' SELF INTEREST A. The Objection B. Self-Interest and the Identification of Fiduciary Relationships C. Business Models and Fiduciary Duties D. Alignment of Interests III. IMPLICATIONS AND EXTENSIONS CONCLUSION INTRODUCTION

Lawmakers have their sights on the leviathans of our time--Facebook, Google, and other digital companies. Across the political spectrum, legislators condemn these firms' conduct, accusing them of undermining user privacy and data security. (1) Scholars and other commentators decry the regulatory status quo, seeking reform. (2) One especially influential proposal has emerged: making digital companies "information fiduciaries" of their users. (3) This reform, if implemented, would impose fiduciary duties of care, confidentiality, and loyalty, intended to ensure that firms do not betray the confidence users place in them. (4) The information fiduciary model is reflected in consumer privacy laws now under review by legislatures at the federal and state levels. (5)

But while there is enthusiasm behind this model, it also faces significant opposition. The information-fiduciary model "could cure at most a small fraction of the problems associated with online platforms--and to the extent it does, only by undercutting directors' duties to shareholders, undermining foundational principles of fiduciary law, or both," (6) write Lina Khan and David Pozen, referring to a proposal by Jack Balkin. (7) Summarizing their critique, Pozen has written that this proposal is "flawed--likely beyond repair--on conceptual, legal, and normative grounds." (8) Their analysis raises two principal objections. First, the proposal is incompatible with corporate law in Delaware, where the relevant companies incorporate. (9) Balkin's user-regarding duties would clash with shareholder-regarding corporate law duties, creating the problem of "conflicting fiduciary obligations" (10) or "divided loyalties." (11) Managing this problem would require either reform of corporate law or the watering down of the proposed duties, (12) with companies forced to prioritize shareholders' interests over those of users. (13) Second, digital companies' powerful self-regarding incentives are at odds with users' interests, undermining the case that these proposed duties can be fiduciary at all. (14) Khan and Pozen's critique has been broadly accepted by scholars (15) and has led advocates to qualify their support for the fiduciary model. (16)

Although these principal criticisms are levelled at Balkin's proposal, they are directed at the information fiduciary at large, which "has, in one form or another, been circulating for some time." (17) Other scholars have contributed to the model. (18) These criticisms threaten the entire, many-tendrilled project. Indeed, they may cast doubt on any regulatory approach that would impose conduct-regulating obligations, fiduciary or not, on digital companies since the argument is quite general: that obligating corporations to serve users' interests creates divided loyalties among corporate directors enjoined to shareholder loyalty as well.

But Khan and Pozen are not simply critics. They see the information fiduciary model as in direct competition with "more ambitious approaches." (19) These approaches could require reform of technology firms' organizational structures. In other work, Khan examines the case for separating the operations of Facebook and its ilk, (20) suggesting that "full structural separation" may be needed (21)--a strategy requiring the break-up of firms, much as Congress famously did to Wall Street firms in the 1930s when it separated commercial and investment banks. (22) Khan and Pozen worry that "if pursued with any real vigor, [the fiduciary approach] would tend to cannibalize rather than complement" other regulatory options. (23)

If accepted, the critique of the information fiduciary model may have sweeping implications, extending beyond major technology firms. Many of the largest financial services firms are subject to fiduciary regimes that arguably impose dual loyalties, as the information fiduciary model might. For example, Delaware-incorporated Goldman Sachs, a financial services conglomerate, often acts as a fiduciary for customers, even as its directors owe duties of loyalty to shareholders. (24) The same is true of Delaware-incorporated BlackRock, one of the world's largest asset managers. (25) On their face, Khan and Pozen's arguments would seem to extend to these fiduciary regimes, with similarly troubling consequences.

Khan and Pozen argue eloquently and emphatically, but their central criticisms significantly overstate the threat that corporate and fiduciary law poses for the information fiduciary model. In this Essay, I show that imposing user-regarding obligations on corporations will not create untenable frictions between duties to users and duties to shareholders. In Part I, I argue that the primary criticism--that Delaware corporate law undermines the information fiduciary regime--should be dismissed. The criticism rests on a partial understanding of corporate law doctrine and theory. The criticism sees conflicting obligations where none exist and identifies strategies for resolving these apparent conflicts that are unknown to corporate law. In fact, the plausible outcome of an information fiduciary regime is exactly the opposite of what Khan and Pozen fear. Under the information fiduciary model, corporate law would require compliance with user-regarding obligations, creating incentives for directors to favor users' interests over those of shareholders. I also argue that Khan and Pozen's arguments are not merely mistaken but, if accepted, may do harm. Applying their case to financial conglomerates--more apt analogues for social media companies than the "[d]octors, lawyers, accountants, and the like" (26) to whom scholars often draw their comparison--shows that Khan and Pozen's arguments, if accepted, may have pernicious effects on broad spheres of corporate regulation.

In Part II, I address the other primary objection to the information fiduciary model--that the model is incompatible with social media companies' powerful self-interests. The objection reflects twin concerns. According to the first, Facebook and other digital companies have such powerful self-regarding incentives that these companies may not properly be characterized as fiduciaries of their users; such incentives should be seen "as an insuperable obstacle to a fiduciary relationship," Khan and Pozen suggest. (27) Under the related concern, digital companies could not satisfy fiduciary duties unless their business models were fundamentally transformed. To impose user-regarding duties on digital companies, Khan and Pozen write, "and wind up with anything recognizable as a fiduciary relationship, it seems to us that the legislators would have to force fundamental changes in the companies' business practices ... and preempt or dilute the stockholder-regarding norms under which the companies currently operate." (28)

Even if one accepts that Facebook's interests are completely misaligned with those of its users--a contestable claim--fiduciary law may be adaptable enough to survive such challenges. Fiduciary duties may be, and frequently are, imposed on actors with powerful incentives to serve their own interests rather than those of their customers. This is because self-interested incentives themselves are not a barrier to the imposition of fiduciary duties. In fact, it is often the very drive to serve self-interest at the expense of another that creates the need for fiduciary protection. Financial services regulation includes examples of fiduciary law operating in the presence of the conflicting interests and tensions much like those that Khan and Pozen claim beset the relationships between social media companies and their users.

It is also no barrier to the information fiduciary model to assert that digital companies currently fall short of fiduciary standards. To the extent Khan and Pozen argue that digital companies cannot now act with fiduciary loyalty, this suggests that firms' existing practices would need to change under the force of fiduciary duties, not that fiduciary duties could not be imposed. As fiduciaries, digital...