Richards & Hartzog on Relationships and Data Protection

Neil M. Richards (Washington University School of Law, Yale Information Society Project, Stanford Center for Internet and Society) and Woodrow Hartzog (Northeastern University School of Law and Khoury College of Computer Sciences, Center for Law, Innovation and Creativity (CLIC), Stanford Law School Center for Internet and Society) have posted “A Relational Turn for Data Protection?” (4 European Data Protection Law Review 1 (2020)) to SSRN. Here is the abstract:

While most approaches to privacy and data protection focus on the data, we explore an alternative approach: focusing on relationships. It looks at how the people who expose themselves and the people that are inviting that disclosure relate to each other. It is concerned with what powerful parties owe to vulnerable parties not just with their personal information, but with the things they see, the things they can click, the decisions that are made about them. It’s less about the nature of data and more about the nature of power. And it can make data protection work better. We call this the relational turn in privacy law.

The relational approach has deep roots in American and English law, and a growing group of scholars in North America are starting to appreciate the virtues of such an approach, whether framed in terms of privacy as trust or information fiduciaries. The clear advantage of a relational approach is that it is acutely sensitive to the power disparities within information relationships, such as those between humans and platforms. Relational models of this sort protect against self-dealing and duties of care protect against dangerous behavior. Data protection regimes like the American “notice and choice” model or the more robust GDPR, by contrast, target, imbalances of power within relationships more indirectly by looking to the nature of the data.

We think a relational turn for data protection would be superior to the current model. A relational turn would provide a path towards more substantive rules that would limit how peoples’ data could be used against them. It would focus on the real problem that privacy and data protection law should tackle – the power consequences of information relationships, making legitimacy of processing a question of fundamental fairness rather than data hygiene. Substantive data rules would demand more than that data serve a ‘legitimate interest’ of the data processor. They would focus on the power consequences of processing on the data subject, whether we apply some version of the classic fiduciary duties of care, confidentiality, and loyalty, or the trust-promoting duties of honesty, protection, discretion, and loyalty that we have called for in other work. Perhaps equally important, relational duties allow for a decoupling of choice and consent. People would be protected no matter what they choose. It’s time for data protection’s relational turn.