THE LIMITATIONS OF PRIVACY RIGHTS.

• Author: Solove, Daniel J.

INTRODUCTION 977 I. THE RISE OF PRIVACY RICHTS 979 II. PROBLEMS AND SHORTCOMINCS 984 A. An Endless Burden of Chores 985 B. Problems with Privacy Self-Management 985 C. The Societal Dimensions of Privacy 987 1. The Social Value of Privacy 987 2. Shared Personal Data 990 3. Interrelated Personal Data 991 4. The Inadequacy of Individual Control 993 III. PRIVACY RIGHTS AND SOCIETAL MEASURES 993 A. Right to Information or Notice 994 1. Informed Decisions 995 2. Accountability 999 B. Right to Access 1000 1. Learning About Personal Data 1001 2. Reviewing Personal Data 1002 3. Using Personal Data 1003 C. Right to Data Portability 1005 1. Enhanced Access and Data Ownership 1006 2. Competition 1007 D. Right to Rectification or Correction 1009 1. Accurate Records 1009 2. Accurate Decisions and Predictive Judgments 1013 E. Right to Erasure or Deletion 1014 1. Preventing Ill-Gotten Gains 1016 2. Data Minimization 1017 F. Right to be Forgotten 1018 1. Obscurity 1020 2. Second Chances 1024 G. Rights to Objection and, Restriction (or Opt Out) 1026 1. Objectionable Processing 1026 2. Opt Out or Opt In 1027 3. Control Over Personal Data 1029 H. Right to Not Be Subject to Automated Decisions 1030 1. Algorithmic Transparency 1031 2. Control of Inferences 1032 CONCLUSION 1034 INTRODUCTION

Individual privacy rights are enshrined at the heart of most information privacy and data protection laws. (1) Countless privacy laws in the United States and worldwide provide individuals with rights in their personal data, such as a right to information about their data, rights to access and correct their data, a right to delete their data, and a right to opt out of certain uses of their data, among others.

Rights are the centerpiece of many privacy laws. Many elements of privacy laws involve mechanisms to ensure that organizations effectively administer these rights. Privacy laws have always relied heavily on rights, and the trend is increasing. Comprehensive privacy laws worldwide typically include many privacy rights. (2) Numerous privacy laws in the United States also rely heavily on privacy rights. For example, under the California Consumer Privacy Act (CCPA), the central set of protections involve a robust right to information--providing individuals with extensive information about the collection and use of their personal data--as well as a rights to opt out, correct, and delete. (3) A key goal of the law involves "putting consumers back in charge of their own data." (4)

A main impetus for rights involves a desire to address the problem that individuals lack much power in their relationships with the gigantic organizations that have massive digital dossiers of their personal data. (5) In the United States, an influential government report from 1973 sparked the development of many privacy laws; the report focused on how the burgeoning digitization of personal data was rendering individuals increasingly powerless and vulnerable. (6) Privacy laws were developed with the aim of putting individuals back in control of their personal data--and providing for individual rights was an essential way to do so.

Over in the European Union (EU), the EU's General Data Protection Regulation (GDPR) and the laws and guidelines that preceded it, were "underpinned by an important vision, namely that individuals' control over their personal data is a constitutive part of the right to data protection."' The GDPR provides for eight individual rights, many of which are also enshrined in privacy laws around the world. (8)

In this Article, I argue that although rights are an important component of privacv regulation, rights are often asked to do far more work than they are capable of doing. Privacy rights can't solve the problem of data disempowerment. The ability of individuals to exercise control over their personal data is quite limited; there is a ceiling to individual control. Rights can give people a small amount of power in a few isolated instances, but this power is too fragmented and haphazard to have a meaningful impact on protecting privacy. Ultimately, rights are at most capable of being a supporting actor, a small component in a much larger architecture.

I advance three reasons why rights are quite limited as an effective way to protect privacy. First, many rights are not practical for individuals to exercise. Rights put too much of the onus on individuals to fight a war they can't win. Attempting to use privacy rights as a primary way to protect privacy is akin to arming an individual with a dagger to fight an entire army. People can't exercise their rights in the kind of systematic way necessary to have a meaningful impact.

Second, privacy rights involve "privacy self-management," a term I have used to describe an approach to privacy that seeks to empower individuals to take control of their personal data. (9) Unfortunately, people lack the expertise to make meaningful choices about their data. These choices involve weighing the costs and benefits of allowing the collection, use, or transfer of their data. Although the benefits are immediate and concrete, the costs involve risks that are more abstract and speculative. Individuals lack the expertise to understand and assess the risks. Even experts lack the knowledge about how the data will be used in the future and how algorithms will reach decisions regarding the data.

Third, privacy can't be protected at the level of the atomistic individual. Individuals make privacy choices that have effects not just for themselves but for many others. For example, sharing one's genetic-data also shares the genetic data of one's family members. In today's world of machine learning, the personal data of everyone in a data set has an impact on the decisions that the system makes.

To address these limitations with privacy rights, I contend that rights should not be used as a primary means to regulate privacy. Privacy is about power. (10) Rights can't empower individuals enough to equalize the power imbalance between individuals and the organizations that collect and use their data. Effective privacy protection involves not just facilitating individual control but also bringing the collection, processing, and transfer of personal data under control. These two forms of control--individuals having control and the data ecosystem being under control--are very different, but they are often conflated in privacy policymaking. Individual control is important, but it is only achievable in a limited way. The more practical and effective aim is to bring the data ecosystem under better control.

Thus, to be effective, privacy laws must augment rights with broader measures that are more societal and architectural in nature. For example, privacy rights grant individuals the right to correct errors in their records. A more structural measure involves ensuring that organizations carefully carry out their duty to maintain accurate records. In contrast to rights, structural measures do not rely upon individuals as the engine of privacy protection.

This Article proceeds in three parts. Part I traces the development of privacy rights. Part II discusses the reasons why privacy rights are limited in the role they can play in privacy protection. Part III analyzes each of the main types of privacy rights, discusses their benefits and shortcomings, and sets forth the structural measures that privacy laws should require.

1. THE RISE OF PRIVACY RIGHTS

   Privacy rights have long been a central component of privacy regulation. In contrast to constitutional rights, privacy rights in statutes can apply to private or public sector organizations depending upon the statutory scope. In many instances, privacy rights are inalienable--people can't agree to relinquish them, but the rights must often be exercised or invoked.

   Privacy rights in statutes began to emerge in the 1970s in legislation in the United States and Europe. For example, in 1970, the Fair Credit Reporting Act (FCRA), was passed in the United States. (11) The FCRA provided for several individual rights including rights of access and correction, among others. (12)

   In 1973, a report by the U.S. Department of Health, Education, and Welfare (HEW) noted concerns about the rise of digital record systems and stressed the importance of ensuring that individuals have "a right to participate in deciding what the content of the record will be, and what disclosure and use will be made of the identifiable information in it." (13) The HEW report articulated one of the earliest sets of Fair Information Practice Principles (FIPPs) which proposed individual rights to know about the data being collected and its intended use, to correct errors in records, and to prevent new secondary uses of personal data. (14)

   During the 1970s and 1980s, countless privacy laws were passed in the United States and EU, and nearly all of them contained rights, especially the rights to access and correction. (15)

   In the 1980s, many Latin American countries embraced a core set of privacy rights in their constitutions--known as the writ of "Habeas Data." (16) The writ's name means "you have the data." (17) Habeas data rights first appeared in 1988 in Brazil's constitution and soon spread to other countries, such as Colombia (1997), Paraguay (1992), Peru (1993), Argentina (1994), and Ecuador (1996). (18) Many Latin American countries later enacted comprehensive privacy laws starting in the late 1990s and continuing on robustly through the early twenty-first century. (19) Habeas data evolved into a core group of privacy rights referred to as the "ARCO" rights, named for the first letter of each. (20) These rights include:

   * Right to Access. This right involves direct access to one's records. It is often combined with the right to information.

   * Right to Rectification. This right, also called the right to "correction," involves one's ability to correct errors in one's records.

   * Right to Cancellation. This right, also...