Privacy, Public Goods, and the Tragedy of the Trust Commons: A Response to Professors Fairfield and Engel

User trust is an essential resource for the information economy. Without it, users would not provide their personal information and digital businesses could not operate. Digital companies do not protect this trust sufficiently. Instead, many take advantage of it for short-term gain. They act in ways that, over time, will undermine user trust. In so doing, they act against their own best interest. This Article shows that companies behave this way because they face a tragedy of the commons. When a company takes advantage of user trust for profit, it appropriates the full benefit of this action. However, it shares the cost with all other companies that rely on the wellspring of user trust. Each company, acting rationally, has an incentive to appropriate as much of the trust resource as it can. That is why such companies collect, analyze, and “monetize” our personal information in such an unrestrained way. This behavior poses a longer term risk. User trust is like a fishery. It can withstand a certain level of exploitation and renew itself. But over-exploitation can cause it to collapse. Were digital companies collectively to undermine user trust this would not only hurt the users, it would damage the companies themselves. This Article explores commons-management theory for potential solutions to this impending tragedy of the trust commons

Going Dutch? Collaborative Dutch Privacy Regulation and the Lessons it Holds for U.S. Privacy Law

Article published in the Michigan State Law Review

The Glass House Effect: Big Data, The New Oil, and the Power of Analogy

One hears with some frequency today that “data is the new oil.” Recently, Virginia Rometty, IBM’s Chief Executive Officer, updated the phrase, explaining that Big Data is the new oil. Most people who have used the analogy do so in order to convey Big Data’s tremendous value. Data is an essential resource that powers the information economy much like oil has fueled the industrial economy. Big Data promises a plethora of new uses—the identification and prevention of the pandemics, the emergence of new businesses and business sectors, the improvement of health care quality and efficiency, and enhanced protection of the environment, to name a but a few—just as oil has generated useful plastics, petro-chemicals, lubricants, and gasoline. Big Data “is becoming a significant corporate asset, a vital economic input, and the foundation of the new business models. It is the oil of the information economy. This Article looks at the analogy in a different way, one not yet developed in the scholarly literature. It examines the underside of the ‘Big Data is the new oil’ comparison. Oil certainly has many productive uses, but it also leads to oil pollution. Big Data is similar. It produces tremendous benefits, but simultaneously generates significant privacy injuries. As the data sets get larger, the threat grows as well. Big Data is like a massive oil tanker navigating the shoals of hackers, criminals, and human error. It can make us smarter and wealthier and our lives better. However, like oil, it can also harm us. Environmental law has developed ways to reduce oil pollution. This Article draws on this environmental law success story to identify ways that law and policy can protect privacy in the era of Big Data

The Law and Policy of Online Privacy: Regulation, Self-Regulation, or Co-Regulation?

The Internet poses grave new threats to information privacy. Search engines collect and store our search queries; websites track our online activity and then sell this information to others; and Internet Search Providers read the very packets of information through which we interact with the Internet. Yet the debate over how best to address this problem has ground to a halt, stuck between those who call for a vigorous legislative response and those who advocate for market solutions and self-regulation. In 1995, the European Union member states began to build a third approach into their data protection laws, one in which government and industry work together to develop and enforce privacy rules. This “co-regulatory” model could provide a way to transcend the frozen U.S. debate. But it has received little attention in the United States and almost no analysis in the law review literature. This Article identifies the threats to online privacy; evaluates whether the two main alternatives—government regulation, and the market/self-regulation—can adequately address these threats; surveys the theoretical literature on co-regulation; and, finally, describes and analyzes the statutes through which E.U. member states have implemented the new approach. It provides the first comprehensive analysis of these laws in a U.S. law review and develops an original way of categorizing and understanding them