Information Fiduciaries: Good Framework, Bad Solution.

By and large, human beings reason by analogy. We learn a basic rule, usually from a specific experience, and then generalize it to any new experience we encounter that seems similar. Even in the relatively abstract area of policy, human beings depend on reasoning by analogy. As a result, when looking at various social problems, the first thing many people do is ask “what is this like?” The answer we collectively come up with then tends to drive the way we approach the problem and what solutions we think address it. Consider the differences in policy, for example, between thinking of spectrum as a “public resource” v. “private property” v. “public commons” — although none of these actually describes what happens when we send a message via radio transmission.

 

As with all human things, this is neither good nor bad in itself. But it does mean that bad analogies drive really bad policy outcomes. By contrast, good analogies and good intellectual frameworks often lead to much better policy results. Nevertheless, most people in policy tend to ignore the impact of our policy frameworks. Indeed, those who mistake cynicism for wisdom have a tendency to dismiss these intellectual frameworks as mere post hoc rationalizations for foregone conclusions. And, in fact, sometimes they are. But even in these cases, the analogies still end up subtly influencing how the policies get developed and implemented, because law and policy get implemented by human beings, and human beings think in terms of frameworks and analogies.

 

I like to think of these frameworks and analogies as “deep structures” of the law. Like the way the features of geography impact the formation and course of rivers over time, the way we think about law and policy shapes how it flows in the real world. You can bulldoze through it, forcibly change it, or otherwise ignore these deep structures, but they continue to exert influence over time.

 

Case in point, the idea that personal information is “property.” I will confess to using this as a shorthand myself since 2016 when I started on the ISP privacy proceeding. In my 2017 white paper on privacy legislative principles, I traced the evolution of this analogy from Brandeis to the modern day, similar to other intangibles such as the ‘right of publicity.’ But as I also tried to explain, this was not meant as actual, real property but shorthand for the idea of a general, continuing interest. Unfortunately, as my Public Knowledge colleague Dylan Gilbert explains here, too many people have now taken this framework as meaning ‘treat property like physical property that can be bought and sold and have exclusive ownership.’ This leads to lots of problems and bad policies, since (as Dylan explains) data is not actually like physical property or even other forms of intangible property.

 

Which brings me to Professor Jack Balkin of Yale Law School and his “information fiduciaries” theory. (Professor Balkin has co-written pieces about this with several different co-authors, but it’s generally regarded as his theory.) Briefly (since I get into a bit more detail with links below), Balkin proposes that judges can (and should) recognize that the nature of the relationship between companies that collect personal information in exchange for services is similar to professional relationships such as doctor-patient or lawyer-client where the law imposes limitations on your ability to use the information you collect over the course of the relationship.

 

This theory has become popular in recent years as a possible way to move forward on privacy. As with all theories that become popular, Balkin’s information fiduciary theory has started to get some skeptical feedback. The Law and Political Economy blog held a symposium for information fiduciary skeptics and invited me to submit an article. As usual, my first draft ended up being twice as long as what they wanted. So I am now running the full length version below.

 

You can find the version they published here. You can find the rest of the articles from the symposium here. Briefly, I think relying on information fiduciaries for privacy doesn’t do nearly enough, and has no advantage over passing strong privacy legislation at the state and federal levels. OTOH, I do think the idea of a fiduciary relationship between the companies that collect and use personal information and the individuals whose information gets collected provides a good framework for how to think about the relationships between the parties, and therefore what sort of legal rights should govern the relationship.

 


In the realm of privacy, the United States has two distinctions among other industrialized nations. First, the United States has several sector-specific laws governing privacy (for example, provisions of the Health Insurance Portability and Accountability Act (HIPAA)), but it lacks a national, generally applicable privacy law limiting collection or use of information by private companies. Happily, for consumers, this appears to be on the cusp of changing. In 2018 California became the first state to pass a comprehensive generally applicable privacy law, the California Consumer Privacy Act (CCPA) (although the law will not go into effect until 2020). This, in turn, has inspired other states and members of Congress to seriously consider passage of new privacy laws.

 

This leads to the second way the United States differs from similarly situated countries: our uniquely expansive approach to freedom of expression under the First Amendment. Courts have interpreted the First Amendment in ways that may limit the ability of legislatures to protect consumers from the collection and exploitation of their personal information. Although the case law remains somewhat vague as to whether the First Amendment applies to the collection of information — as opposed to the use of information for marketing purposes after the information is collected — courts have found a First Amendment interest in using personal information collected in the course of business for marketing purposes (see US West v. FCC). In one case, the Supreme Court has found that privacy laws targeting personal advertising but exempting other uses of collected personal information must survive strict scrutiny as a content-based speech infringement (see Sorrell v. IMS Health, Inc.).

 

To fill the gap left by statutory law and the potential problems created by the First Amendment in regulating privacy, Professor Jack Balkin proposes the creation of a new class of common law fiduciaries subject to a heightened duty of care when entrusted with a party’s personal information. Balkin argues that digital companies such as Facebook and Uber occupy a position in modern commerce similar to that traditionally occupied by providers of personal professional services such as doctors and financial advisers. As explained by Balkin, the common law imposes both a duty of loyalty and a duty of care on fiduciaries that limit the way in which a fiduciary may use information that comes into its possession as a consequence of the fiduciary relationship. In addition to providing an answer to possible First Amendment problems, Balkin argues that in the face of continued legislative paralysis courts may expand traditional fiduciary duties to this new class of “information fiduciaries” in accordance with traditional common law principles.

 

While Balkin’s information fiduciary proposal is attractive in a number of ways, it does not accomplish nearly enough to protect consumer privacy – especially when compared with legislation directly crafted to provide comprehensive privacy protections. I also disagree with Balkin that this provides any particular advantage over legislation with regard to resisting a First Amendment challenge – although I believe that legislation that takes an approach similar to fiduciary obligations (as HIPAA does, for example) may find greater sympathy among more conservative judges. The only remaining advantage of the proposal is therefore that judges could conceivably find the existence of a fiduciary relationship under the common law, thus bypassing legislative inaction. But even this advantage to Balkin’s proposal appears to be fading, as the recent passage of comprehensive privacy law by California has galvanized interest in passing comprehensive privacy legislation both on a federal level and among the other states.

 

I propose that the greatest value of Balkin’s information fiduciary concept is as a necessary framework for conceptualizing how a privacy regime can genuinely protect consumers (and promote competition) rather than as a literal fiduciary relationship under the common law. The existing frameworks – the Privacy Principles adopted by the Organization for Economic Co-operation and Development (OECD) in 1980, which rely heavily on notice and consent, and the property framework introduced by Louis Brandeis in “The Right To Privacy” (both of which I discuss in this privacy white paper) – have significant limitations. Balkin’s proposed fiduciary framework provides a model for legislation that recognizes that the nature of the relationship between information collectors and aggregators requires imposing additional duties and restrictions to adequately protect consumers, while still enabling commerce and facilitating competition.

 

‘Information Fiduciaries’ Covers Too Small a Class of Entities.

 

Fiduciary relationships are the exception, rather than the rule. As Balkin explains, they arise out of the unique relationship between the provider of a service and the individual receiving the service. Balkin argues that companies such as Google Search and Facebook meet the requirements to find a common law duty as “information fiduciaries.” Even assuming Balkin is right, however, this scarcely scratches the surface of the modern “privacy” market, which consists of more than Google and Facebook and other entities that both collect information and use it for advertising or other purposes.

 

Unfortunately for consumers, information collection and storage has become trivially easy. Nearly everything from your car to your thermostat to your child’s toys to your more ‘adult’ toys now collects your personal information. Your cable operator monitors what shows you watch and what devices you use on your broadband network. An entire secondary market in personal information exists where “information brokers” (also called data brokers) buy this information and aggregate it into massive personal profiles. Analysis of “big data” is sufficiently sophisticated that even a bricks-and-mortar business such as Target can tell if you’re pregnant based on your purchases. None of these businesses fall into the kind of special relationship that would support classifying them as “information fiduciaries.” By contrast, the California legislature explicitly designed the CCPA to reach such businesses and to broadly govern the collection and exploitation of personal information by non-government entities.

 

No Clear First Amendment Advantage.

 

A chief selling point for creating information fiduciaries via the common law is that courts would analyze newly identified fiduciary duties differently than they have treated legislative privacy regulations. However, as Balkin himself notes, it remains unresolved whether regulating what information an entity may collect in the first instance (rather than trying to control its ability to ‘speak’ via advertising) even triggers a First Amendment interest in the first place. Let us assume for the sake of argument, however, that courts would find a speech interest in this sort of activity. Does identifying a common law fiduciary relationship, rather than creating comprehensive regulation along the lines of the CCPA, have a better chance of surviving First Amendment scrutiny?

 

Balkin argues that it would, based on a theory of the First Amendment (with which I happen to agree) that the First Amendment is designed to protect primarily public-oriented speech rather than regulate private commercial relationships. But Balkin does not explain why regulation of private commercial speech based on a statute is less likely to survive First Amendment scrutiny than regulation based on a common law relationship. We have numerous regulations of private, contractual speech, such as warranty requirements and disclosure requirements, that raise no First Amendment concerns. Many states incorporate into state law legal ethics codes, or other professional ethics codes that govern speech between the professional and the customer. Nothing indicates that courts have analyzed the First Amendment implications differently for common law obligations as opposed to statutory obligations. By contrast, the court has struck down traditional common law limitations on speech, such as restrictions on the ability of lawyers to advertise (Bates v. State Bar of Arizona, 433 U.S. 350 (1977)).

 

Additionally, while it is particularly risky to try to predict where the judiciary will go on corporate speech given its increasingly conservative tilt, the way in which courts have treated the Federal Communications Commission’s customer proprietary network information (CPNI) rules provides much more hope that direct regulation of privacy by statute and regulation will survive First Amendment scrutiny than Balkin apparently believes.

 

The CPNI rules have some similarity to Balkin’s information fiduciary proposal worth noting at the outset. Before the Communications Act, common carriers had unique privacy obligations under the common law as specialized fiduciaries. This responsibility was subsequently incorporated in the Federal Radio Act of 1927 and the Communications Act of 1934 and is currently codified at 47 U.S.C. §605. In addition, as part of the Telecommunications Act of 1996, Congress further elaborated on these traditional privacy concerns. When the FCC issued new regulations under this new provision (47 U.S.C. §222), the 10th Circuit (in U.S. West) examined these regulations under the commercial speech test, not strict scrutiny.

 

That the U.S. West court found that mandatory opt in failed the commercial speech test goes to the specific case at issue, not whether or not privacy regulation could survive scrutiny under the commercial speech test generally. The D.C. Circuit has twice upheld application of the CPNI rules against a First Amendment challenge finding that the FCC had created a sufficient record in light of the compelling government interest. See NCTA v. FCC, 555 F.3d 996 (D.C. Cir. 2009) (opt in for sharing information with third parties to protect customers from potential stalkers); Verizon California, Inc. v. FCC, 555 F.3d 270 (D.C. Cir. 2009) (prohibition on using information obtained from rival carrier for purposes of transferring customer for marketing). In the current environment, a legislature should have little problem compiling an adequate record to support comprehensive privacy regulation – without requiring a finding of a new type of fiduciary relationship.

 

A possibly useful framework, but no substitute for legislation.

 

Professor Balkin’s information fiduciary proposal may find its greatest contribution in how we conceptualize privacy and create a workable framework for strong privacy regulation. Existing frameworks have proven deficient in providing adequate consumer protection, and create potentially dangerous analogies. The European Union’s General Data Protection Regulation (GDPR) and many other global statutes rely on the OECD Privacy Principles adopted by OECD in 1980. This framework creates a “mutuality” of rights between the information collector/aggregator and the individual, which relies on a notice and comment regime. The experience of the last few years, however, has demonstrated repeatedly that even “opt out” rather than “opt in” notice requirements cannot adequately protect consumer privacy interests. The traditional American conceptualization since Brandeis of a “fundamental right to be left alone” as a sort of Locke-ian privacy right creates its own problems and has its own critics. In particular, the analogy to “property” has created the distraction of trying to find ways to monetize personal privacy and return some of the economic surplus to consumers. California’s Governor Newsom, for example, has proposed modifying the California Consumer Privacy Act to allow for this sort of monetization by creating a “data dividend.”

 

Balkin’s information fiduciary framework provides a conceptualization that is far better suited to regulating intangible information than property rights. Fiduciary duties extend beyond a one-time transaction, and in some (but not all) cases are considered unwaivable. Often they impose a duty of care and create obligations that extend long after the commercial relationship ceases, or even in perpetuity. The fiduciary framework likewise addresses the basis for the “mutuality” framework developed by the OECD. As the OECD recognized, the collection and organization of personal information is a necessary part of modern commerce and good governance. Additionally, the information collector or aggregator contributes important labor that can assist not merely in commercial exploitation, but in research or other positive public interest goals. The traditional fiduciary relationship takes the interest of the collecting party into account as well, including the interest of the information collector in exploiting the data for legitimate purposes.

 

Balkin’s information fiduciary framing therefore provides an important conceptualization for legislators and advocates seeking to design a privacy regime that genuinely protects consumers while still permitting robust uses of collected personal data in the digital age. The underlying and familiar common law legal concepts such as a duty of care and a duty of confidentiality provide a reasonable starting point for legislative drafting. But we should not confuse the value of the information fiduciary concept as a framework to guide legislation with a substitute for actual legislation. Further, even when used as a framework for drafting, the traditional limits on fiduciary regulation should not prevent legislation from extending much further where needed to adequately protect consumers or competition. The goal should be for the information fiduciary concept to inform the legislative process, not for the legislative process to enshrine the information fiduciary concept.

 
