Privacy Law Is Devouring Internet Law (and Other Doctrines)…To Everyone’s Detriment

What does “privacy” mean? It’s a simple question that lacks a single answer, even from privacy experts. Without a universally shared definition of privacy, scholars have instead attempted to “define” privacy by taxonomizing problems that they think should fit under the privacy umbrella. However, this taxonomical approach to defining “privacy” has no natural boundary. Virtually every policy question could have privacy implications, so the privacy umbrella keeps expanding to account for those implications.

To privacy advocates, an ever-expanding scope for privacy law might sound like a good thing. For the rest of us, it’s unquestionably not a good thing. We don’t want privacy experts making policy decisions about topics outside their swimlanes. They lack the requisite expertise, so they will make serious and avoidable policy errors. Furthermore, in the inevitable balancing act between competing policy interests, they will overweight privacy considerations to the exclusion of other critical considerations. (This is a hammer/nail problem–if you’re a privacy hammer, everything looks like a privacy nail).

Worse, if policymaker prioritize privacy considerations over others, bad-faith actors will use “privacy” as a trojan horse to advance illegitimate policy objectives–including censorship. As just one example, I’ll point to the California Age-Appropriate Design Code (AADC). The AADC pretextually claims to protect children’s privacy. What it actually does is censor massive quantities of online speech, counterproductively undermine consumer privacy and security by requiring intrusive and risky age assurance online, and delegate questions about how to protect children’s “well-being” to the California privacy administrative agency with zero expertise on the topic. In other words, the CA AADC is an omnibus social regulation, with censorial, anti-privacy, and anti-technology consequences that will shock and dismay tens of millions of Californians (and many outside the state). Characterizing such a sprawling and wide-reaching law as a “privacy” law is disingenuous.

To explain to students how privacy law has sprawled into pretty much every area of Internet Law, I use this meme:

A recent paper by María P. Angel & Ryan Calo, “Distinguishing Privacy Law: A Critique of Privacy as Social Taxonomy,” reinforces some of my concerns and provides important critiques of the privacy community’s doctrinal overreaches. Some lines that caught my attention:

  • “This vibrant, interdisciplinary field with decades of history possesses no real sense of what constitutes a privacy problem and what does not.”
  • “A taxonomical approach to privacy grounded in social recognition may relieve the burden of defining privacy, but only at the expense of raising a range of critical and unanswered questions about legitimacy and authority.”
  • “privacy is not the only value at play in a complex digital ecosystem. For privacy scholarship to remain relevant, the field needs to move beyond the comfortable habit of labeling whatever information-based harm the right people are talking about as a ‘privacy problem.'”

[UPDATE: Omer Tene has been thinking along similar lines. He wrote “My recommendation to privacy policymakers is to not jump ahead of the pack. There is more learning to do before hitting this nail with a hammer” and, with respect to the IAPP’s AI Governance Center, “if it’s an AI governance program, should it be overseen by an overwhelmingly privacy board?”]

* * *

Many existing and new technologies raise important privacy issues. We need privacy expertise at the table to understand and address those issues. However, the privacy issues should not automatically trump the other considerations, just as the other considerations shouldn’t automatically trump the privacy issues. We always need to make tradeoffs and engage in balancing acts. Privacy doesn’t get a free pass from that process.

One other consideration: the problems with privacy primacy exposes an unexpected risk of the “privacy-by-design” movement. While any new product or service should consider the privacy implications from the outset, it is not optimal to functionally designate privacy professionals as gatekeepers of entrepreneurship. That results in less innovation because there’s always some privacy reason to object to new developments.

* * *

Every post about the CA AADC gets this meme:

Prior AADC coverage