In their recent paper, “Databuse and a Trusteeship Model of Consumer Protection in the Big Data Era”, Benjamin Wittes and Wells Bennett argue we need to reconceptualize privacy. Privacy has morphed into a notion that could describe a range of beliefs but captures none of the potential harms. Consumers care about privacy, “in proportion to whether it is used for our benefit or to our detriment and critically, how seriously to our detriment.” The authors invoke the concept of databuse. Databuse is a negative right that invokes companies to safeguard consumers from undesired harms that might result from the sharing of data.
The Trusteeship Approach
Wittes and Bennett argue for a trusteeship model where companies have the responsibly to serve as good stewards of the data that consumers entrust to them. Companies also have a lot to gain in this new paradigm. Establishing themselves as protectors of data fosters consumer confidence, which is a valuable asset for any company.
- The authors identify several attributes of a good data trustee:
- Safely store private data
- Never use data in a way that injures consumers
- Disclose uses of data in an open and clear manner
- Give users control over how their data is shared and used, to the greatest degree possible
- Keep promises to consumers about data
Three Categories of Corporate Data Usage
Wittes and Bennett imagine three broad ways to categorize how companies use data. The categories are based on the premise that consumers face different benefits and harms depending on the actions of companies. They provide a strong model to understand how to best protect “privacy”.
Category One: Aligned Interests
Category one encompasses uses of data where the interests of the consumer and the company are aligned. The company provides a service where the consumer actually wants the company to make use of its data or desires a product that couldn’t exist without their data; for example, credit card companies searching through purchasing records to help detect fraudulent activity.
Category Two: Data for Service
This includes activities that benefit a company but neither hurts nor benefits the consumer. The most popular example is personalized advertisements. Ads generate revenue for the business and are relatively inconsequential for consumers.
Category Three: Databuse
Databuse occurs when a company actively harms the interests of the consumer through its use of data. In this case, a company breaks an explicit agreement with a consumer or when it doesn’t take reasonable steps to protect data.
Protecting privacy is difficult to achieve because it can have different definitions for different people. One person may comfortably tweet out personal details of their life while another would gasp at having their search results archived. Many people have data anxiety or a fear about the potential unwanted sharing of data. These complexities create challenges for policymakers who want to address the range of expectations that consumers have about privacy. The trustee approach overcomes these barriers by establishing specific protections that are easier to enforce.
Read the full paper from Benjamin Wittes and Wells Bennett.
Commentary
A Practical Model for Real Privacy Protection
June 12, 2014