Richards & Hartzog on Relationships and Data Protection

Neil M. Richards (Washington University School of Law, Yale Information Society Project, Stanford Center for Internet and Society) and Woodrow Hartzog (Northeastern University School of Law and Khoury College of Computer Sciences, Center for Law, Innovation and Creativity (CLIC), Stanford Law School Center for Internet and Society) have posted “A Relational Turn for Data Protection?” (4 European Data Protection Law Review 1 (2020)) to SSRN. Here is the abstract:

While most approaches to privacy and data protection focus on the data, we explore an alternative approach: focusing on relationships. It looks at how the people who expose themselves and the people that are inviting that disclosure relate to each other. It is concerned with what powerful parties owe to vulnerable parties not just with their personal information, but with the things they see, the things they can click, the decisions that are made about them. It’s less about the nature of data and more about the nature of power. And it can make data protection work better. We call this the relational turn in privacy law.

The relational approach has deep roots in American and English law, and a growing group of scholars in North America are starting to appreciate the virtues of such an approach, whether framed in terms of privacy as trust or information fiduciaries. The clear advantage of a relational approach is that it is acutely sensitive to the power disparities within information relationships, such as those between humans and platforms. Relational models of this sort protect against self-dealing and duties of care protect against dangerous behavior. Data protection regimes like the American “notice and choice” model or the more robust GDPR, by contrast, target, imbalances of power within relationships more indirectly by looking to the nature of the data.

We think a relational turn for data protection would be superior to the current model. A relational turn would provide a path towards more substantive rules that would limit how peoples’ data could be used against them. It would focus on the real problem that privacy and data protection law should tackle – the power consequences of information relationships, making legitimacy of processing a question of fundamental fairness rather than data hygiene. Substantive data rules would demand more than that data serve a ‘legitimate interest’ of the data processor. They would focus on the power consequences of processing on the data subject, whether we apply some version of the classic fiduciary duties of care, confidentiality, and loyalty, or the trust-promoting duties of honesty, protection, discretion, and loyalty that we have called for in other work. Perhaps equally important, relational duties allow for a decoupling of choice and consent. People would be protected no matter what they choose. It’s time for data protection’s relational turn.

Fia on Managing Access to Non-Personal Data through the Commons

Tommaso Fia (European University Institute) has posted “An Alternative to Data Ownership: Managing Access to Non-Personal Data through the Commons” (Global Jurist 2020) to SSRN. Here is the abstract:

In today’s algorithmic society, access to large-scale datasets is the sine qua non for any economic actor to reap the benefits of data-driven innovation (DDI). This article explores alternative mechanisms of data management in large-scale processing environments which can bolster access in view of the shortcomings of the existing data ownership-centric system. The scope of the analysis is limited to non-personal data. First, this contribution elaborates on the features and shortcomings of the data ownership-centric system and the existing legislation on data access. In fact, despite its ground-breaking potential, data access is not a widely available resource. It is subject, meanwhile, to the ability of several actors to control it, originating from data holders’ position of de facto control over data (“data ownership”), which is mostly anchored in technological, behavioural, and legal access barriers. This ownership-oriented setting thus stifles data sharing and opportunities for novel reuses of data. Despite these concerns, EU secondary legislation and case law (including the “essential facilities doctrine” of competition law) have not yet offered appropriate means to enable data access across society. Second, this article investigates whether alternative systems of data management based on the commons is a viable solution to open up access to raw non-personal data (RNPD). The commons as a conceptual notion and institutional mechanism values access and freedom to operate, instead of power to appropriate. The article homes in on two main reasons which substantiate why commons management of RNPD can be desirable. On the one hand, RNPD can be deemed a cooperative infrastructural resource that calls for being pulled out of its factual enclosure (“structuralist approach” of the commons). On the other hand, grasping RNPD as a commons means valuing its functional nature, making data available to a wide number of actors for the fulfilment of fundamental rights and enhancing human flourishing (“functionalist approach”). The article concludes with some thoughts on the lines of research which are still to be explored to put the commons-based vision of data management into practice.

Recommended.

Goforth on Regulating Cryptoassets

Carol Goforth (University of Arkansas School of Law) has posted “Cinderella’s Slipper: A Better Approach to Regulating Cryptoassets as Securities” (Hastings Business Law Journal, Vol. 17, 2021) on SSRN. Here is the abstract:

The Securities and Exchange Commission (SEC) seeks both to protect investors and to promote efficient capital formation, but in the context of cryptoassets these goals sometimes collide. The SEC vigorously reacts to fraudulent offerings of cryptoassets but has had to do so by forcing crypto into an antiquated framework designed with very different interests in mind. Even worse than the convoluted and complex arguments needed to force crypto into the existing category of “investment contracts,” once crypto is treated as a security, a host of onerous and inapt disclosure requirements and regulations follow. Developers, promoters, exchanges, and others who might assist in the sale of such assets are all forced into a regime that was never intended to cover this new class of assets.

This Article therefore suggests changes to the existing regulatory regime to more fairly apportion duties and responsibilities between regulators, issuers, promoters, and purchasers. This Article suggests that the SEC is the appropriate agency to oversee transactions in cryptoassets, but the underlying legislation should be amended to create a new category of securities, with different disclosure requirements and exemptions tailored to the informational needs of potential crypto purchasers. Maintaining the current anti-fraud rules will protect the public while allowing for innovation in this rapidly moving space. It will avoid wasting assets of both regulators and the regulated by eliminating the debate over whether crypto is or is not a security and will avoid duplication of efforts between the SEC and other federal regulators. It will also improve the relevance of available information for potential purchasers. This approach has the dual advantage of facilitating both parts of the SEC’s mission: protection of investors while supporting innovative capital formation for legitimate crypto enterprises.

Mazzucato, Entsminger & Kattel on Public Value and Platform Governance

Mariana Mazzucato (University College London), Josh Entsminger (University College London), and Rainer Kattel (University College London) have posted “Public Value and Platform Governance” to SSRN. Here is the abstract:

The market size and strength of the major digital platform companies have invited international concern about how such firms should best be regulated to serve the interests of wider society, with a particular emphasis on the need for new anti-trust legislation. Using a normative innovation systems approach, this paper investigates how current anti-trust models may insufficiently address the value-extracting features of existing data-intensive and platform-oriented industry behavior and business models. To do so, we employ the concept of economic rents to investigate how digital platforms create and extract value. Two forms of rent are elaborated: ‘network monopoly rents’ and ‘algorithmic rents’. By identifying such rents more precisely, policymakers and researchers can better direct regulatory investigations, as well as broader industrial and innovation policy approaches, to shape the features of platform-driven digital markets.

Christakis & Terpan on EU-US Law Enforcement Access to Data

Theodore Christakis (Institut Universitaire France; Université Grenoble Alpes; CESICE) and Fabien Terpan (Science Po Grenoble; Université Grenoble Alpes; CESICE) have posted “EU-US Negotiations on Law Enforcement Access to Data: Divergences, Challenges and EU Law Procedures and Options” (International Data Privacy Law, OUP (2020)) to SSRN. Here is the abstract:

The EU and the US kicked off negotiations in September 2019 for the conclusion of a very important agreement on LEA access to data. This is the first article to present the context of these negotiations and the numerous challenges surrounding them.

There are strong divergences between the EU and the US about what the scope and the architecture of this agreement should be. The US government supports the conclusion of a “framework agreement” with the EU to be followed by bilateral agreements with EU Member States – in order to satisfy CLOUD Act requirements. The EU wishes to arrive at a self-standing, EU-wide comprehensive agreement and is opposed to solutions that might lead to fragmentation and unequal treatment between EU Member States.

This article presents a detailed EU Law perspective on all these issues, and refers to relevant precedents concerning the conclusion of law enforcement, data-related or other international agreements. It discusses the division of competence on e-evidence between the EU and its Members States; possible architecture for the agreement and options under EU Law; and the role of the respective European Institutions (Commission, Council, Parliament) in the negotiation and conclusion of such an agreement.

The article also studies, using existing case law, what the role of the CJEU could be in relation to such an EU-US e-evidence Agreement.

The article will be useful to anyone interested in transatlantic data flows as well as judicial cooperation matters and, beyond its specific scope, could be used as a real “guide” to EU Law procedures, options and precedents in relation to the conclusion of international data-related agreements.