A recent case out of the Eleventh Circuit Court of Appeals foreshadows what will be one of the most important policies of the twenty-first century – how will America decide to govern its data? In Tan Tsao v. Captiva MVP Restaurant, the plaintiff sued on the grounds that he was harmed after a group of fast-casual restaurants experienced a data breach that exposed their customers’ data. The Eleventh Circuit dismissed the case for lack of standing, believing the alleged harm to those who experienced the data breach too attenuated and hypothetical, but the most interesting part of the opinion was the concurrence of Judge Jordan, who ended his opinion by saying “Hopefully the Supreme Court will soon grant certiorari in a case presenting the question of Article III standing in a data breach case.” Judge Jordan is not alone – we are all confused by what harms are and are not actionable when it comes to our personal data.
The court’s inability to effectively grapple with harm dealt with consumers because of data breaches likely stems from the fact that the United States lacks any semblance of a data governance policy. As I elaborated in an earlier article, American data governance policy is sectoral; there are protections like the Health Insurance Portability and Accountability Act (HIPAA) and Family Educational Rights and Privacy Act (FERPA), but nothing coming close to sweeping, uniform regulation like the General Data Protection Regulation known in Europe. The United States is also currently seeing a surge in state-based data laws: the New York Privacy Law, the California Consumer Protection Act, and the Washington Privacy Act to name a few. This multiplicity of laws is going to be a mess.
It will be a mess because companies, both large and small, will have to deal with a fragmented approach to data governance that really harms their business. And this does not apply just to the Facebook and Amazons of the American data economy. The New York Privacy Act declares that the privacy law would apply to all entities “that conduct business in New York state or produce products or services that are intentionally targeted to residents of New York state.” In a world where over sixty percent of small businesses host a website to boost their sales, the New York law is tantamount to forcing mom and pop shops that might collect data for targeted advertising to suddenly comply with onerous regulatory requirements. At least the CCPA has a $25M revenue requirement for businesses that have to abide by the law. To understand what these costs might look like, a similar data privacy bill in California – the CCPA – is predicted to cost businesses with less than twenty employees $50,000 in compliance costs. Imagine that a small company has to deal not just with the New York privacy law, but with dozens of [insert state name], Privacy Acts as well. It is easy to see why a multiplicity of state-based governance regimes is simply untenable, particularly for small and medium-sized American businesses.
To resolve this, America needs a united data governance policy. The concept of “data fiduciaries” could be just the panacea America needs. A data fiduciary model would create a legal obligation between companies that collect, monetize, and use end-user data. This concept has been popularized by Professor Jack Balkin, a professor of law at Yale Law School. Professor Balkin notes that “information fiduciaries have three basic kinds of duties toward their end-users: a duty of confidentiality, a duty of care, and a duty of loyalty.” In a situation like Tan Tsao v Captiva MVP Restaurant, where an end-user had their data compromised, this fiduciary relationship would provide the harmed individual a cause of action commensurate with the alleged harm. A data fiduciary regime would place a burden on the entity capturing and utilizing the data to ensure no substantive harm comes to the user from the aggregator’s use of their data.
Skeptics of the information fiduciary model note, rightly so, that the concepts of “confidentiality,” “care,” and “loyalty” as described by Professor Balkin are so vague as to be useless. But, the United States has processes to home in on what we really mean by “confidentiality,” “care,” and “loyalty.” Professor Balkin notes that the system of common-law decision making has, for a few hundred years now, developed the definitions of otherwise ambiguous words into actionable concepts. Alternatively, administrative agencies could adjudicate more concrete rules and standards through the notice-and-comment process that effectively governs us today. Professor Balkin is correct – if we let ambiguity deter us from enacting policy we would have very little governance being done. The beauty of the common law process is its ability to refine words and meanings over time in a way that, generally, makes sense.
The beauty of a broader information fiduciary model rather than relegating ourselves to divining what “harm” means is that it could also be leveraged to protect end-users from predatory targeting practices. For instance, low-income Americans are subject to predatory advertising for products such as payday loans, high-interest mortgages, and educational scams. If a low-income American uses Facebook, and Facebook sells their data to a predatory lending company that will charge them usurious interest rates on a payday loan, that feels a lot like a breach of care. An information fiduciary model could make such practices actionable.
Tan Tsao, the man whose credit card information was compromised, would have benefited from an information fiduciary regime being written into law. The Eleventh Circuit would have determined if a duty of care were breached and made a decision accordingly. Without such a framework, the Eleventh Circuit was left trying to ascertain if there really was a harm that resulted from the data breach, an inquiry that has confounded courts for some time. The Eleventh Circuit held that there was no harm leaves companies like the MVP Restaurant chain off the hook, free to reap the rewards of the data economy but insulated from accidentally exposing their data to potential criminals. And this lack of accountability is why the need for a data governance regime of the type Professor Balkin espouses is so important. Until we have one, consumers will continue to be abused and exploited while their data enriches the well-to-do.
This is the third article in a four-part series exploring comparative data governance regimes. Check out the first, second and third articles to learn more about how China, Europe and the US govern their data.
Connor Haaland is a 2020 JURIST Digital Scholar. He is a JD student in Law at Harvard University and a Frédéric Bastiat Fellow. Previously, he worked as a research assistant at the Mercatus Center at George Mason University, where he worked with the Fourth Branch group on issues related to emerging technology, data privacy, telecommunications, and the intersection of law and technology. He has also interned with the Cato Institute and at the United States Hispanic Chamber of Commerce. He is a graduate of South Dakota State University, where he received B.A.s in Spanish and Global Studies with minors in French and Economics.
Suggested citation: Connor Haaland, An American Data Governance System: In Support of Information Fiduciaries, JURIST – Student Commentary, March 2, 2020, https://www.jurist.org/commentary/2021/03/connor-haaland-usa-data-fiduciaries/.
This article was prepared for publication by Vishwajeet Deshmukh, a JURIST staff editor. Please direct any questions or comments to him at commentary@jurist.org.
