EDPL 4|2020 1
A Relational Turn for Data Protection?
Neil Richards and Woodrow Hartzog*
If there’s one thing everyone in the data protection debate can agree on, it’s that it’s all about the data. All over the world, data protection regimes fixate on when data can be collected, how it is being processed, when it can be accessed or should be deleted, and whether it is personal, sensitive, or deidentified. This is true even for approaches that seem quite different at first glance, such as the U.S. and EU¹.
But what if our shared focus on the data is too narrow? Data protection as a concept is a relatively new response to a specific technology: the database. In the decades following the Second World War, societies began to realize that data could be aggregated, made searchable, and stored in a pristine state for a remarkably low cost. Lawmakers needed a plan to make sure data could be collected and stored in these databases in a safe and sustainable way. The Fair Information Practices Principle (FIPs), developed with contributions from Americans and Europeans, laid the blueprint for privacy on both sides of the Atlantic.² These principles focus on procedural rights like transparency, consent, safeguards, purpose limitations, and data minimization, in service of informational self-determination and a sustainable environment for data processing. Because they emphasize choice and individual autonomy, FIP-based regimes tend to lack substantive prohibitions on particular kinds of data practices. The concept of data protection has been wildly successful in terms of adoption by government and industry. But has it been effective? The jury is still out.
companies not just because it is personal to us, but because in their hands it becomes power that can be wielded to control people and institutions.³ It exposes us in ways that risk more than just identification or denial of control. Data protection regimes were not designed to confront this kind of adversary.⁴ Originating in the 1970s, when home computing and mobile phones were still science fiction in the mode of Star Trek, the FIPs were a managerial approach for an analog age. Their approach never questioned that data processing might not always be a worthy endeavor, or that what seemed like large amounts of data in the 1970s might seem quaint a half-century later. Most importantly, the FIPs approach never considered that future consumers and citizens might create so much data and have so many commercial and government accounts that informational self-determination could become impossible. Today, unfortunately, we are living in that never-considered future.
There is, however, a different way to approach data privacy. It has less to do with the data itself and more to do with people and their relationships. Specifically, it looks at how the people who expose themselves and the people that are inviting that disclosure relate to each other. It is concerned with what powerful parties owe to vulnerable parties not just with their personal information, but with the things they see, the things they can click, the decisions that are made about them. It’s less about the nature of data and more about the nature of power. And it can make data protection work better. We call this the relational turn in privacy law. The folly of our modern privacy predicaments is our failure to anticipate the sheer power that results from the scale and size of these large tech companies. We had our eyes trained so much on the data that we lost sight of the power that comes from inequality and inequity in relationships, even when data is fairly processed. But it wasn’t always this way.
Long before databases or even film cameras, privacy law was primarily about relationship...
the nature of the data and whether it was public or private, which became a focus on whether data uses were 'highly offensive to a reasonable person' in American tort law, and whether the data being processed was 'sensitive' or not in data protection regimes.
Although the database shifted the focus of privacy law away from relationships of trust for quite some time, America seems to be rekindling its appreciation for them, perhaps recognizing the limits of focusing too closely on the nature of the data and too little on the relationships in which that data is used. A scholarly movement taking relationships seriously in privacy law that began over a decade ago is increasingly active and visible. Some scholars (including the authors of this paper) have advocated for legal rules that draw upon the law of fiduciaries to impose duties of loyalty, confidentiality, and care on tech companies as a way of curbing harmful self-dealing and reckless behavior from tech companies in their data processing and the design of their products.¹⁰ Lawmakers in the U.S. have also proposed legislation that cements these duties within information relationships of trust.
The clear advantage of a relational approach is that it is acutely sensitive to the power disparities within information relationships. Tech companies control what we see, what we can click on, and what sorts of information they want to extract from their customers. They have incredible resources that help them predict and nudge our behavior and have the financial incentive to keep us ever more exposed. Duties of loyalty protect against self-dealing and duties of care protect against dangerous behavior. The greater the power imbalance and the more people are made vulnerable through exposure, the stricter the duty to which the trusted party is held.¹²
8 ibid, 151, 175.
9 Neil Richards and Woodrow Hartzog, 'Taking Trust Seriously in Privacy Law' (2016) 19 Stan Tech L Rev 431; Neil Richards and Woodrow Hartzog, 'A Duty of Loyalty in Privacy Law' (2020) (unpublished manuscript) <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3642217>; Neil Richards and Woodrow Hartzog, 'The Pathologies of Digital Consent' (forthcoming 2019) Wash U L Rev
Electronic copy available at: https://ssrn.com/abstract=3745973
Data protection regimes, by contrast, target imbalances of power within relationships more indirectly by looking to the nature of the data. Rules under the data protection model are largely procedural ones, with a few important exceptions. These provisions are combined with data subject rights against all who process their data, and structural proportions, under the idea that fair processing is, in and of itself, a way to mitigate power. But these frameworks are not primarily intended to restrict processing, rather to ensure that processing happens in a legitimate manner.¹³ Thus, while relational duties explicitly prioritize the best interests of vulnerable parties, data protection regimes ostensibly pre-code the best interests of data subjects into rules and rights built around the fair information practices. But data privacy should be about more than just the FIPs and informational self-determination.¹⁴ Properly understood, data privacy is about civil rights, free expression, freedom from harassment, collective autonomy interests, and how personal information is leveraged to erode our attention spans, our mental well-being, and our public institutions. The GDPR, CCPA, and other data protection regimes around the world fail to undertake a holistic inquiry that is sufficiently sensitive to such values except in the case of ‘legitimate interest’ processing.
Data protection frameworks are not agnostic to the status and power of actors, of course. Much hinges on whether people are processors, controllers, or data subjects. But these frameworks typically do not account for the power imbalances between these parties. They essentially treat all relationships between data subjects and controllers the same. Put another way, data protection law flattens the power dynamics of specific relationships, treating your relationship with Google the same as the one you have with your grocer. And while Google and your grocer might collect some similar kinds of information in the abstract – your shopping habits and credit card information, for example – you are significantly more vulnerable to Google or any tech platform than you are to your grocer. By controlling your mediated environments in ways that expose you, these companies are able to leverage information they have about you, your network, and people they think are similar to you to choose what ads you see, whose posts you see, how you are able to interact with them, and what other people see about you. The relational turn in data privacy ratchets up the obligations in a way that is proportional to this exposure.
We think a relational turn for data protection would be superior to the current model, even of the GDPR, which is still FIPs-based in its bones. A relational turn would provide a path towards more substantive rules that would limit how people's data could be used against them. It would focus on the real problem that privacy and data protection law should tackle – the power consequences of information relationships, making legitimacy of processing a question of fundamental fairness rather than data hygiene. Substantive data rules would demand more than that data serve a ‘legitimate interest’ of the data processor.¹⁵ They would focus on the power consequences of processing on the data subject, whether we apply some version of the classic fiduciary duties of care, confidentiality, and loyalty, or the trust-promoting duties of honesty, protection, discretion, and loyalty that we have called for in other work.¹⁶
Perhaps equally important, duties of loyalty and care would allow data protection regimes to finally jettison the concept of consent, which they have long been skeptical of. Instead of obsessing over whether the consent people gave was a truly meaningful, informed, and revocable choice, relational duties allow for a decoupling of choice and consent. People would be protected no matter what they choose.¹⁷
Notably, the European Commission might have just taken the first major step towards a relational turn in E.U. data protection law. On Nov. 25, 2020, the Commission issued a proposal for a regulation on European data governance (Data Governance Act).¹⁸ This proposal includes a remarkable number of bold data privacy interventions designed to increase trust in data intermediaries, including the idea that ‘Data sharing providers that intermediate the exchange of data between individuals as data holders and legal persons should, in addition, bear fiduciary duty towards the individuals, to ensure that they act in the best interest of the data holders.’¹⁹ We have long argued for a similarly articulated duty for those entrusted with our information and our online experiences. We think this duty should be the foundation of modern data privacy frameworks and should be applied in a much broader way to encompass all information relationships with significant power disparities.
Much work remains to be done in fleshing out some of the practical details of the relational turn. Neither Rome nor the FIPs were built in a day, and for all of its flaws, the FIPs model does have the advantage of a half-century’s head start. But we worry that if we continue to head down the path of focusing solely on data in service of informational self-determination, it will actually have the effect of continuing to disempower human beings rather than helping them. Ultimately we face a question of what we want the law to do here, and we believe strongly that the informational self-determination model has been a failure in practice and promises more failure as it confronts the new problems on the horizon: ever-increasing volumes of processing, algorithmic decisionmaking, artificial intelligence, and augmented reality. It’s time to try something different. Lawmakers and judges should focus on power and vulnerability and place substantive limitations on the ability of the powerful to manipulate us against our interests. After all, the goal of data protection law should be to promote trust in the digital environment, rather than stoke fear, anxiety, and a sense of being overwhelmed by its complexity. Building trust requires us to focus directly on power imbalances in relationships rather than indirectly through data rules. It’s time for data protection’s relational turn.