Fiduciary, United States, California discussed on Tech Policy Podcast

Automatic TRANSCRIPT

At Georgetown University. Lindsey, thank you for coming. Thanks for having me to discuss your article about information, fiduciaries and the privacy framework, and how those concepts can beat together United States right now is at close roads. We have a California consumer Protection Act that is going to go into effect on January first of twenty twenty pushing everyone to have a privacy debate over again, which is I think a good thing because a lot of things have changed since last time we kind of fought Fru privacy reform, and how -nology has changed that were understand privacy, both from government and consumer privacy. And now we have this question of do we pass a federal privacy legislation? Do we let California go into effect and states pass phone laws house is gonna affect the economy? How's the effect consumer rights? There are so many questions that we have to ask ourselves. And there's no clear, one solution that both parties can come to not yet. At least we have a little bit more time left, but I would ask you what is the failure of notice in choice model that we have right now? Oh man. How much time? So in this paper, I kind of go through why what, what are the failures of not just notice in choice. But the other failures of American privacy law and regulation that require a new approach to, to the ecosystem in terms of noticing choice. We, we have this fiction that if you provide people with a boilerplate notice of data collection, you've your data youth and collection policies that. Than they are given sufficient information to weigh the risks and make decisions accordingly when in reality, you know, the volume of privacy policies that we encounter each day and privacy choices. You know, there's privacy settings other things privacy policies, the third confusingly written usually at a reading level, that far exceeds that of the average American, they're written in can confusingly lease their Opik. They often don't disclose all the risks that a person needs to know because the company doesn't can't predict the future or because the privacy policy is hiding what the company doesn't want to tell people and then the on that people just have basic cognitive limitations. That make that make notice and choice, a an insufficient way for people to protect themselves in the online, ecosystem. So. People are generally pretty bad. At ascertaining risks, people, there's something, there's a phenomenon known as hyperbolic discounting, which is we, we tend to opt for a short term rewards over longer term rewards. And, you know, things like using using public wifi to mmediately, log on, even though we know it's about idea. There are so many ways in which noticing choice, does not enable people to and not to mention the fact that the, there's a notice, and then the choice that would imply either that the, the company actually gives you choice or if you say, all right, you know blank blanket privacy policy company, I don't wanna use. I will then go use the alternative to this product or service, that also doesn't usually so in twenty six ways to Sunday noticing choice is non effective way for. People to make privacy decisions and generally protect themselves, online and Europeans were little faster than United States. And they have passed the general data protection regulation. What is special about that regulation? And why don't we just adopt what they did? Yes. So that's basically the part of what I tried to grapple with in the paper. So the symposium that I wrote it for was about the GDP are. And I've been reading about professor Balkans idea of the information fiduciary and. Kind of trying trying to square, the sort of philosophical reasons of why you would want that as opposed to the GDP, our conception of privacy as a fundamental, right? And frankly, now GDP are a lot of great things and an information to share framework isn't. Mutually with the rights and approaches at the GDP are take. So, for instance, a lot of the individual rights, I think you could sweep in under a under the duty of loyalty to the of care, you the GDP are provides for various avenues for individuals to actually vindicate their claims and can get into court, an information fiduciary Bill could have a private right of action could could require the or, you know, provide for both on the FTC in the state. A vindicate claims that kind of thing the GDP are take say very deliberate and strong approach to enforcement, which an information fiduciary Bill would absolutely have to do any privacy Bill has to do if we can't make you know, these sweeping grand pronouncements about how important privacy is without actually providing the incentives for company. These to abide by it. So the GDP are builds on a constitutional right to privacy that US law doesn't have. And, you know, we that in many ways, kind of elevates the conversation in Europe a over privacy. And in addition to giving it a legal underpinning or a stronger legal basis, whereas in the US for consumer privacy, there's there tends to be this narrative of privacy is a good, which means that people should be able to trade it away under any circumstances. There should be known. There is no moral imperative of protecting people when it comes to consumer privacy and what I liked about information. Fiduciaries is it seemed to me to even even without a constitutional right to privacy, private private entities information fiduciaries with the finish? A framework is developed in a commercial context. So it takes. The idea that you have professional performing. They're performing their trade. But at the same time their rights and prerogatives need to be limited in light of the. Incentives that they have to abuse, the vulnerabilities of their clients, and some really we, you know, you, you take that approach to data collectors, who are trusted with people's sensitive information. There's an symmetry of power, and there's incentives to abuse that power, because no one's making them abide by the law, and the law sets the bar, very low, and that adds a moral Valence to the idea of consumer privacy that US law, and the idea of privacy is something you should be able to trade away under all circumstances. Currently lacks, as I understand it permission fiduciary concept would be at step towards more of a European phil- philosophical approach to privacy. So it would take us from a good in kind of Louis forward in direction of this is more of a right? But not be fully there is, is that sort of the claim I making the paper. And I think you know, you can look at it number two ways. I think some sometimes, you know, the paper is also it's, it's grappling with basic realities, but it mostly sets out an ideal set of circumstances, what I think should happen. Not what kind of parameters you need to fulfil within the con- within the house. We have the Senate we have cetera. I think that any any system of regulating privacy. That elevates, the idea of privacy against companies moves us towards privacy, the right. It doesn't create the same kind of textual. Right to both. Privacy and data protection that, that you're a pass, but you also don't need it. So, you know, he you could say kind of in this philosophical sense. Yeah, it moves us more towards a European understanding privacy in that the Europeans tend to think it's important to end. There is a there's a narrative in American policy discussions, that privacy is not. But I think also just by virtue how loaded, you know, oh, GDP are, is taking over American privacy law. It's it's one way of looking at it, it's not necessarily determinative. I see. So you care about more of protections should be put in place versus of a cultural and philosophical thinking that we as a society would have over privacy action I thinking after. I wouldn't say that more and more that I agree with your framing, but we also don't need to say, you know, this makes us more European by virtue of the fact that a lot of people tend to read that and, you know, run in twenty seven different directions of I, I read that. And I think oh, you mean the people who think that protecting people online is important. Great Eva, but, you know, I'm I'm talking semantics, but my guess is it's because the discussion has been so intense and very people are separating into camps, and there's crossfire. So I think yeah. Using trigger words like right is definitely not helping anyone move the needle now. Unless permission fiduciary in Hollywood. Apply in the privacy, framework. What, what, what, what did you propose? So either couple different ideas. So I'm a basing, you know, the whole paper is based off of Jack Balkans, working also Johnston's at train. So they're kind of they're thinking, was, obviously, very influential, and I was building off of that one thing that I think is important is that it has to be a compulsory classification if. Balkans at trained setup or rather they propose, an opt in framework, which I think given the current incentives of the Cosette namely, collect, I ask questions later and regulators are working with both inadequate tools, but also not doing as much as it could that won't be enough to fundamentally reset the balance, given how far skewed it is towards corporate progress and away from individual rights and protections. So I think I. You know, you, you apply it on a compulsory basis, second. Who does it apply to? So if we're if we're talking about in FTC enforceable framework than you, you either have to change what their jurisdiction to typically encompasses or accept the limitations of. No, this doesn't apply to come and carriers. I think that in order for this to be affective for a comprehensive privacy law to be effective you have to apply to the entities collect data period. So. Collects data. Yes. I think there are there ways to, to think carefully about, you know, certain what's one wing for like a forgiveness like you try, once you get a warning you get off for small businesses, but not necessarily completely exempted because, of course, small businesses can still violate your privacy. But yes, I think it should apply across the board. And then after that, I, there's a number of different components. So I think that in general, you know, a fiduciary framework includes a Judy of care duty of loyalty confidentiality, these can be interpreted or implemented in a range of different ways. One of the reasons I like a fiduciary framework is that Judy of care loyalty, a little bit less. Confidentiality is a broader sense of kind of the digital vulnerabilities end. Ways in, which we are at risk in using network technologies. So, you know, I think that a fiduciary framework, cutting, compass manipulation and a like an anti discrimination. Principle, or setup and in considering how how to regulate the way that tech affects us is, is crucial. We're talking about privacy law, but just kind of a sense of privacy as disclosure of information, I think, is too limited considering the ways in which, you know, online services and products impact our lives. So that's one of the reasons why I like fiduciary framework is because it is capable of encompassing, this broader approach to both digital harms and privacy harms, because one of the one of the things outlined in the paper as a problem of our ecosystem is in overly narrow poach to what a privacy harm is so to undo focused on physical, harm or monetary..

Coming up next