Question

1. Explain, in your own words, what Solove means when he refers to privacy self-management. Explain, in your own words, what Solove means when he refers to paternalism. How do the two approaches differ?

Answer 1

->>1. The current regulatory approach for protecting privacy involves what I refer to as “privacy self-management” – the law provides people with a set of rights to enable them to decide how to weigh the costs and benefits of the collection, use, or disclosure of their information. People’s consent legitimizes nearly any form of collection, use, and disclosure of personal data. Unfortunately, privacy self-management is being asked to do work beyond its capabilities. Privacy self-management does not provide meaningful control over personal data.

2. Empirical and social science research has undermined key assumptions about how people make decisions regarding their data, assumptions that underpin and legitimize the privacy self-management model.

3. People cannot appropriately self-manage their privacy due to a series of structural problems. There are too many entities collecting and using personal data to make it feasible for people to manage their privacy separately with each entity. Moreover, many privacy harms are the result of an aggregation of pieces of data over a period of time by different entities. It is virtually impossible for people to weigh the costs and benefits of revealing information or permitting its use or transfer without an understanding of the potential downstream uses.

4. Privacy self-management addresses privacy in a series of isolated transactions guided by particular individuals. Privacy costs and benefits, however, are more appropriately assessed cumulatively and holistically — not merely at the individual level.

5. In order to advance, privacy law and policy must confront a complex and confounding dilemma with consent. Consent to collection, use, and disclosure of personal data is often not meaningful, and the most apparent solution – paternalistic measures – even more directly denies people the freedom to make consensual choices about their data.

6. The way forward involves (1) developing a coherent approach to consent, one that accounts for the social science discoveries about how people make decisions about personal data; (2) recognizing that people can engage in privacy self-management only selectively; (3) adjusting privacy law’s timing to focus on downstream uses; and (4) developing more substantive privacy rules.

->>

There is substantial debate concerning precisely how paternalism should be defined.[2] Broadly, though, the term paternalism has both a general and a specific meaning.

In general terms, paternalism refers to ‘government as by a benign parent’.[3] That is, the notion that those in positions of power have, just as in the relationship between parents and children, the right and the obligation to overrule the preferences of those deemed incapable of knowing their true interests. Thus, in the area of politics and public policy, paternalism is commonly used in a broad sense to refer to any intervention in private decision-making and/or elitism on the part of governments or other authorities. For example, according to one critic of the former British Labor Government, one of that Government’s least attractive features was ‘its paternalistic contempt for ordinary people’.[4]

In its more specific sense, though, paternalism can be said to have three essential elements, each of which must be in evidence if an act is to be categorised as paternalist.[5] For an act to be said to be paternalist it must: involve interference in a person’s choice or opportunity to choose; be with the objective of furthering the person’s perceived good or welfare; and be made without the consent of the person concerned.[6] This stricter concept of paternalism will be the main focus of this paper.

->>The current regulatory approach for protecting privacy involves what I refer to as the “privacy self-management model” – the law provides people with a set of rights to enable them to decide for themselves about how to weigh the costs and benefits of the collection, use, or disclosure of their information. People’s consent legitimizes nearly any form of collection, use, and disclosure of personal data.

Although the privacy self-management model is certainly a laudable and necessary component of any regulatory regime, I contend in this essay that it is being asked to do work beyond its capabilities. Privacy self-management does not provide meaningful control. Empirical and social science research has undermined key assumptions about how people make decisions regarding their data, assumptions that underpin and legitimize the privacy self-management model.

Moreover, even if individuals were well-informed and rational, they still cannot appropriately self-manage their privacy due to a series of problems. For example, the problem of scale involves the fact that there are too many companies collecting and using data for a person to be able to manage privacy with every one. The problem of aggregation involves the fact that privacy harms often consist of an aggregation of disparate pieces of data, and there is no way for people to assess whether revealing any piece of information will sometime later on, when combined with other data, reveal something sensitive or cause harm. The essay also discusses a number of other problems.

In order to advance, privacy law and policy must confront a complex and confounding paradox with consent. Consent to collection, use, and disclosure of personal data is often not meaningful, and the most apparent solution – paternalistic measures – even more directly denies people the freedom to make consensual choices about their data. No matter which direction the law takes, consent will be limited, and a way out of this dilemma remains elusive.