Supreme Court shows the way on privacy regulations

Getty Images

In a recent 6-2 decision, the Supreme Court struck a blow for a more rational and consumer-friendly privacy regime by coming down in favor of a “harms-based approach.” Although the opinion focused on standing rather than regulatory policy, agencies that enforce privacy regulations, such as the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) — the latter of which has proposed major new privacy regulations for internet service providers (ISPs) — should take a lesson from the Spokeo, Inc. v. Robins decision.

{mosads}The Spokeo case involved a complaint under the Fair Credit Reporting Act, where the plaintiff alleged that the information in his Spokeo profile was not accurate. Spokeo, according to its website, is a “people search engine that organizes white pages information, public records, and social network information into simple profiles to help you safely find and learn about people.”

The court ruled that inaccurate information in Spokeo’s database did not give the plaintiff standing to bring a case because “not all inaccuracies cause harm or present any material risk of harm.” In order to have standing, the court decided, a plaintiff needs to allege a “concrete” injury resulting from any inaccuracies. “Concreteness requires an injury to be ‘de facto’ that is, to actually exist,” though the court also noted that concrete injuries can be tangible or intangible.

Requiring actual harm makes the privacy legal framework more efficient and more pro-consumer. It does not help consumers if companies are forced to defend expensive lawsuits where consumers have not been harmed. Similarly, it does not help consumers if the legal system provides an incentive for companies to spend resources correcting mistakes that cause no consumer harm.

Whether privacy regulation should be based on evidence of harm has been, in many respects, the central point of contention in privacy policy debates for decades. Some advocates would protect consumers from hypothetical concerns about data being used in harmful ways. In general, they would prophylactically limit the collection, use, sharing and retention of data. This is the approach taken by the Fair Information Practices Principles (FIPPs) dating back to the 1970s, the OECD (Organization for Economic Cooperation and Development) Privacy Principles of 1980 and the FTC’s 2012 privacy report.

In a world of big data, however, where innovative new uses of data are unpredictable, the focus on data minimization has come to be seen as increasingly irrelevant and costly. Indeed, two White House reports in 2014 came to that conclusion, suggesting a focus on actual uses of data that could cause adverse consequences — i.e., a harms-based approach.

As the White House reports make clear, limiting the collection and use of data in a way that does not address specific harms is costly. According to the report by the President’s Council of Advisors on Science and Technology, for example:

The beneficial uses of near-ubiquitous data collection are large, and they fuel an increasingly important set of economic activities. Taken together, these considerations suggest that a policy focus on limiting data collection will not be a broadly applicable or scalable strategy — nor one likely to achieve the right balance between beneficial results and unintended negative consequences (such as inhibiting economic growth).

A showing of harm is necessary for any meaningful cost-benefit analysis, whether in the context of privacy liability litigation, FTC enforcement or regulatory policy. Privacy benefits, by definition, consist of reducing harms from privacy violations. If there are no harms, then restricting data use has only costs and no benefits. Thus, regulatory agencies should limit their enforcement actions and regulatory prescriptions to cases where there is evidence of harm to consumers.

The FCC, in its pending proposal to limit data collection by ISPs without evidence of consumer harm, is taking precisely the wrong approach and not heeding the suggestions of the Supreme Court and the White House. This is a recipe for regulation that will impose costs on consumers without corresponding benefits.

Lenard is president and senior fellow at the Technology Policy Institute.

Tags FCC Federal Communications Commission Federal Trade Commission FTC Inc. v. Robins Internet privacy Privacy Spokeo Spokeo Supreme Court
See all Hill.TV See all Video