Privacy Is Not Dead: Expressively Using Law to Push Back Against Corporate Deregulators and Meaningfully Protect Data Privacy Rights

• Publication year: 2023

Privacy Is Not Dead: Expressively Using Law to Push Back Against Corporate Deregulators and Meaningfully Protect Data Privacy Rights

Alexander F. Krupp
University of Georgia School of Law, alexander.krupp@uga.edu

Privacy Is Not Dead: Expressively Using Law to Push Back Against Corporate Deregulators and Meaningfully Protect Data Privacy Rights

Cover Page Footnote

* J.D. Candidate, 2023, University of Georgia School of Law; B.A., 2017, University of Kentucky. I would like to thank Professor Thomas E. Kadri for his guidance and insights throughout the process of writing this Note. I would also like to thank the editorial staff at the Georgia Law Review for their efforts. And above all, I thank Penn Hansa for her unwavering support and patience.

[Page 875]

PRIVACY IS NOT DEAD: EXPRESSIVELY USING LAW TO PUSH BACK AGAINST CORPORATE DEREGULATORS AND MEANINGFULLY PROTECT DATA PRIVACY RIGHTS

Alexander F. Krupp^*

When the European Union's (EU) General Data Protection Regulation (GDPR) passed in 2016, it represented the world's first major comprehensive data privacy law and kicked off a conversation about how we think about the right to privacy in the modern age. The law granted a broad range of rights to EU citizens, including a right to have companies delete data they collect about you, a right not to have your personal information sold, and a range of other rights all geared towards individual autonomy over personal data.
All the while, platform companies like Facebook (Meta), Apple, and Amazon have taken advantage of a phenomenon called spontaneous deregulation to outrun legislation designed to regulate data privacy. Spontaneous deregulators take advantage of the inherent gap between the speed at which technology advances and the comparatively languid pace at which legislatures try to keep up. The deregulators do this through co-opting discourses about privacy and pitching a self-regulatory system in which they are entrusted with personal data that they have an inherent profit motive to capitalize on. In today's economy, data is eminently valuable—trusting a system of deregulation creates unacceptable conflicts of interest at best and a predatory system of data mining at worst.
This Note advocates for robust privacy legislation that takes full advantage of the expressive function of the law—the aspect of lawmaking that shapes and protects valuable social norms—to meaningfully protect individual data privacy rights from

[Page 876]

corporate deregulators. By placing social values and human rights at the forefront, expressive law makes it more difficult for deregulators to obfuscate the purposes and messaging of privacy.

[Page 877]

Table of Contents

I. Introduction....................................................................878

II. Background....................................................................885

A. WHAT IS PRIVACY? ...................................................885
B. PRIVACY IN THE UNITED STATES ..............................887
C. INTERNATIONAL PRIVACY ........................................890
D. SPONTANEOUS DEREGULATION................................892
E. THE EXPRESSIVE FUNCTION OF LAW ........................895

III. Analysis.........................................................................896

A. THE PROBLEM TODAY...............................................896
B. WHAT CURRENT LAW GETS RIGHT AND WRONG.........901
C. RECOMMENDATIONS.................................................908

1. Data Privacy as a Right in Itself......................912
2. Personal Liability.............................................912
3. A Private Right of Action..................................913
4. Fines..................................................................913
5. Opt-In Consent..................................................913
6. Lessons from GDPR..........................................913
7. Progressive Regulation.....................................914

D. ADDRESSING SOME COUNTERARGUMENTS................915

IV. Conclusion....................................................................917

[Page 878]

I. Introduction

2018 was a big year for data privacy. In March, it came to light that data consulting firm Cambridge Analytica acquired and used the personal information of eighty-seven million Facebook users over the better part of the previous decade to build behavioral profiles on potential voters without their consent.¹ This sparked global outrage and condemnation, forcing Facebook Chief Executive Officer Mark Zuckerberg to apologize and testify before Congress.² In May, the European Union's (EU's) widely anticipated General Data Protection Regulation (GDPR) went into effect.³ This comprehensive data privacy law went further than any law before it, granting sweeping rights to EU citizens regarding their personal information based on the concept that protection of personal information and data "is a fundamental right."⁴ In June, California passed the California Consumer Privacy Act (CCPA).⁵ Though its focus was narrower than the GDPR's and centered primarily on

[Page 879]

economic concerns, the CCPA represented the first major comprehensive U.S. data privacy law.⁶

These events transformed the international conversation about privacy—today, people care about their online data in ways that were simply not on the public's radar as recently as five years ago.⁷ But even so, technology can be difficult to regulate.⁸ The field's rapid change makes it easy for lawmakers to fall behind companies like Facebook, Apple, Google, and other "Big Data" purveyors.⁹ In sum: technology moves fast and regulations do not.

[Page 880]

The gap between advancing technology and subsequent regulation can be especially damaging because it results in a phenomenon called spontaneous deregulation: when an industry actor takes advantage of a new technology to effectively self-regulate and circumvent existing regulations that are slow to be enacted and slower still to be enforced.¹⁰ Another problem is that these actors can get so far ahead of the regulatory scheme that they begin to influence future regulation, thus shaping it in their own image.¹¹

The spontaneous deregulation phenomenon that began at the start of the twentieth century with the proliferation of the automobile and faster lines of communication has exploded in recent years.¹² If left unchecked, spontaneous deregulation creates a "fox in the henhouse" scenario: large industry players who take advantage of existing privacy norms and influence regulation to overlook the loopholes they exploit pose a serious threat to data privacy.¹³ Considered in light of the large social and personal harm that breaches of privacy can cause,¹⁴ deregulatory foxes create a serious problem.

[Page 881]

So where does that leave us? Today, data privacy is a preeminent issue, sparked by flashpoint events like Cambridge Analytica and crystallized by benchmark-setting laws like GDPR. But to date, there is still no comprehensive federal data privacy law or regulatory scheme to protect peoples' data.¹⁵ The patchwork of federal and state laws that do exist are too narrowed and too focused on certain sectors to be broadly effective.¹⁶ Ultimately, they fail to provide adequate protection to individuals' interests and allow industry actors to circumvent regulations through spontaneous deregulation in ways that would be much harder if data privacy was treated more as a fundamental right.

For example, in 2005, a group of plaintiffs sued JetBlue Airlines for selling their personal information, alleging a violation of the Electronic Communications Privacy Act (ECPA).¹⁷ The court dismissed the case because the ECPA was tailored so narrowly that it did not cover the sort of information contemplated by the complaint.¹⁸ This was even though JetBlue admitted to violating its own privacy policy by transferring passenger data to third-party research companies without the passengers' consent.¹⁹ Because the law was never intended to apply to the specific conduct in question in the specific way that it occurred, the plaintiffs were left without

[Page 882]

a remedy.²⁰ This demonstrates what can happen when privacy law is not adequately tailored modern harms.

The issue is even more prominent in 2023 as state-level privacy laws begin to adapt.²¹ This change is even more pronounced internationally with over eighty countries having passed freestanding data privacy laws.²² Given that new international, comprehensive data privacy laws are constantly changing the privacy landscape, it is important to understand the real and possible impacts of privacy regulation in a modern online world in which the vast majority of people live on the internet. As such, U.S. privacy regulations must be written and enforced effectively and in a way that sends the right messages. Privacy is too important to leave to a retrospective patchwork approach—it demands and deserves more comprehensive and thoughtful protection.

[Page 883]

Here, we have a problem where modern technology reforms the way people and governments ought to think about privacy while simultaneously rendering privacy vulnerable to spontaneous deregulation. What is the law to do? This Note proposes an approach to data privacy legislation that utilizes the expressive function of the law—the way the law sends bigger messages and signals to society beyond just regulating actions²³ —to protect data privacy and curb spontaneous deregulation more effectively. Meaningful change will occur by treating data privacy as a core value and a fundamental right as it has been treated both globally and in certain narrow sectors in the United States.

If you are a U.S. citizen, your credit data is protected by the Fair Credit Reporting Act (FCRA)²⁴ and your health data is protected by the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy Rule.²⁵ Those under eighteen have comprehensive privacy protections as well.²⁶ This patchwork is a...