Information privacy/information property.

• Author: Litman, Jessica

What we offer our advertisers, is an audience delivered with unprecedented precision. An Audience that welcomes your message because we show you how to make it relevant to their interests. An audience that we know intimately because they allow us to follow them wherever they roam on the Internet.

--Advertisement for NetZero[TM]

Almost everything each of us does seems to generate transactional information. Walks round the block are still unrecorded, except in those communities with cameras. Interactions that begin and end and stay within the home are still largely unreported, although everything entering and leaving by way of the phone lines, cable lines, satellite dishes or wireless, non-broadcast spectrum is documented.(2) Non-cash purchases are memorialized and toted up. Large cash purchases are memorialized and turned in. Cash withdrawals and deposits are recorded and saved. Visits to the doctor, diagnoses, prescriptions, and referrals are coded and passed along. Everything we look at on the Internee is noted and retained.(3) All of this information is collected, aggregated, and stored on computers. Anyone with reason to do so can correlate the information stored on one computer with the information stored on another, and another, and another.(4) The resulting dossier may be used, sold, published, or correlated with other sources of data.(5) In the United States, that's completely legal.

At some level we know that this is happening, although few of us really appreciate it.(6) Sometime in the past dozen or so years, most of us became gradually aware of the fact that businesses were collecting information about us to use in marketing products to us. At some moment it became impossible not to add up all the little hints. That check cashing card we'd applied for at the supermarket in order to write checks for groceries gave the supermarket the ability to track our purchases; when supermarkets began accepting credit cards, that gave them the same ability. The sweater we ordered from a catalog arrived in the mail along with umpteen new glossy catalogs for people who wear sweaters. That cooking magazine we subscribed to seemed to show up along with a score of apparently independent special offers for folks interested in cooking.

People react to this in different ways. Some (although fewer than the Direct Marketing Association would have us believe)(7) seem to appreciate the individual attention.(8) Others find it chilling. If one is a member of the latter class, though, there isn't too much one can do. The gradual dawning of the realization that folks have been collecting personal information about one means that, almost invariably, by the time one realizes that there is a problem, the cat is out of the bag. A variety of different businesses have already collected a sea of details about one's income, interests, employment history, health, purchases, and preferences. Even if one never supplied a single further datum, anyone with access to all the details could assemble a frighteningly precise dossier.

So, many people understandably try to rejoin the category of folks who, on balance, like, or at least really don't mind, the individualized attention. They, we, seek reassurance in the notion that, as unimportant peons with no public profile, our personal information is not of sufficient interest to anyone to collect, compile or correlate. "Someone who tailed me all day long could find out all sorts of personal things, but nobody is going to bother, so I don't worry about it. This is like that."

It's a lie, of course, and increasingly people realize it. The information that you (insert name, address, age, income, and social security number here) read both Newsweek and your daily horoscope; buy Haagen-Dazs[R] ice cream; travel annually to New Mexico; have a standing prescription for Prozac[R] and buy a variety of different OTC antacids as well as a number of different brands of lubricated condoms; have joined three different health clubs for short sojourns over the past two years; always order a salad in restaurants; never joined Weight Watchers[R] (and, in fact, have a 31" waist and a body mass index of 25); and give money to public television, is exceedingly valuable for the crassest of reasons: Anyone who has that information can sell it.

Some people adopt silly but vaguely reassuring tactics: confuse the collectors by using different variations of your name;(9) make up several different assumed middle initials; choose your favorite merchants and fill out their information cards so that they will reap the extra cents from selling you to the data banks; trade your shopper's advantage cards with your neighbors; open bank accounts at different banks; fill in forms with your work address and phone number rather than your home address and phone number, and pay your bills using different credit cards. None of these maneuvers, of course, is likely to be of any help to any particular individual who wants to protect her privacy: If there are six different dossiers out there for someone with her name, she'll just get six times the junk mail, and data miners have invented effective strategies for dispatching their computers to sort through the data mines to figure out just who is really whom. Nonetheless, these tactics seem to undermine the reliability of the data, just a little, making this game a little more expensive, and offering a thin but ultimately unpersuasive illusion of control.

Actual control seems unattainable. It's just barely possible that one could regain some measure of data privacy by moving to Europe.(10) In Europe, it is illegal to release personal data to a third party, or even to use it for a purpose unrelated to the reason for which it was collected, without the subject's consent.(11) The European Union has been pressing the United States to enact similar restrictions to protect data privacy, and has even threatened to stop the international data flow if necessary to protect its citizens' privacy rights, but a data privacy protection law seems unlikely.(12) The direct marketing industry has apparently persuaded the foreign affairs folks in the administration to view the negotiations with Europe over data privacy protection as a test of national manhood. The object seems to be to get the other government to blink first. Instead of some law, the industry insists, self-regulation will result in more than adequate protections.(13) Industry self-regulation, of course, has got us where we are today.(14) Studies of how well it is working confirm what one would expect: It works far better at enhancing commerce in personal data than it does in protecting personal data privacy.(15) Despite those studies, government actors insist that self-regulation is the American way, and it is enough.(16) And, in the long run, the market for personal data will be a global one. If, as the U.S. negotiators assure us is likely, Europe blinks first,(17) then data transfers will continue without meaningful restriction on the uses made of personal information.(18) If personal data moves freely around the world and is unregulated in the United States, nobody will have significant data privacy.

Is there any realistic solution? Self-regulation is an abject failure; meaningful privacy regulation appears to be unenactable as a political matter; and accepting that privacy is an outmoded notion from a bygone age seems unacceptable. The proposal that has been generating the most buzz, recently, is the idea that privacy can be cast as a property right. People should own information about themselves and, as owners of property, should be entitled to control what is done with it.(19)

This essay explores that proposal. In Part I, I review the recent enthusiasm for protecting data privacy as if it were property, and identify some of the reasons for its appeal. In Part II, I examine the model and conclude that a property rights approach would be unlikely to improve matters; indeed, it would tend to encourage the market in personal data rather than constraining it. In Part III, I search for a different paradigm, and suggest that tort law might support a workable approach to data privacy. Part IV, therefore, explores the possibility of a solution based in tort. Current law does not provide a tort remedy for invasion of data privacy, but there are a number of different strands in tort jurisprudence that might be extended to encompass one. In particular, a rubric based loosely on breach of confidence might persuade courts to recognize at least limited data privacy rights. Part V concludes that while the tort solution is preferable to a property rights approach, it is likely to offer only modest protection. Common law remedies are by their nature incremental, and achieving widespread adoption of novel common law causes of action is inevitably a slow process. Even established common law remedies, moreover, are vulnerable to statutory preemption. Although a rash of state tort law decisions protecting data privacy might supply the most compelling impetus to federal regulation we are likely to achieve, the resulting protection scheme is unlikely to satisfy those of us who believe that data privacy is worth protecting.

I

One of the most facile and legalistic approaches to safeguarding privacy that has been offered to date is the notion that personal information is a species of property. If this premise is accepted, the natural corollary is that a data subject has the right to control information about himself and is eligible for the full range of legal protection that attaches to property ownership. --ARTHUR MILLER(20)

Treating privacy as a property right has been a perennial entry in the debate about personal information, but has not received much serious attention until recently. Alan Westin suggested treating personal information as a property right more than thirty years ago,(21) to mixed reviews.(22) The recent upsurge in interest in a...