The Data Care Act: Viewing Businesses as Information Fiduciaries

By Siddharth Sonkar*

 

CONTEXT

Last month, in an unprecedented cyber attack on J.W Marriott Hotel’s guest database, data relating to more than five-hundred million guests spanning over four years was stolen. Not only were the hackers able to obtain the personal information of these guests but were also able to obtain sensitive personal information relating to credit cards and passports. The attack on Marriott’s database is one of the largest data security breach in the history of United States. On September 7, 2017, another cybersecurity breach revealed by Equifax led to the compromise of data belonging to more than 148 million customers–almost half the population of the United States. Appallingly, the House Oversight and Government Reform Committee admitted that the Equifax breach was a result of its failure to implement a robust security program to ensure protection to its sensitive data.

 

A GRADUAL REALIZATION OF THE NEED FOR FEDERAL MANDATES

These attacks highlight an endemic problem plaguing the United States–the absence of institutional mandates aimed at ensuring the internalization of cyber-security. At the same time, there is a gradual realization of the need for federal mandates on businesses that handle consumer data. This realization is reflected in the September 26, 2018 hearing convened by U.S. Senate Committee on Commerce on “Examining Safeguards for Consumer Data Privacy.” In this hearing, the need of federal rules on the use, sharing and protection of data was acknowledged in order to facilitate the empowerment of consumers without depriving them of benefits from data flow.

This realization is further reflected in the recently proposed data privacy bill entitled ‘The Data Care Act of 2018’ introduced by fifteen democratic senators including Sen. Brian Schatz, Cory Booker, and Amy Klobuchar to regulate how corporations handle consumer information. In Preemption and Privacy, Professor Paul Schwartz argues that it would be unwise for Congress to adopt a unitary federal information privacy statute that both eliminates the sector-specific distinctions in federal information privacy law and blocks the development of stronger state regulation. Interestingly, the Data Care Act does not seek to replace sector-specific laws on privacy but instead, supplement existing state legislation by devising an overarching federal privacy policy harmonizing existing laws and closing gaps within the existing framework.

In this article, I highlight a few anomalies inherent in the proposed Data Care Act in its present form which, in my opinion, may require closer scrutiny.

 

ONLINE SERVICE PROVIDERS AS INFORMATION FIDUCIARIES 

One can trace the conceptual basis of the Data Care Act to Professor Jack Balkin’s paper entitled “Information Fiduciaries”. Balkin describes “information fiduciaries” as online service providers that analyze, collect, use, distribute and sell personal information. Generally, a fiduciary is a person or business having special obligations of loyalty and trustworthiness toward another person. Professor Balkin illustrates this with the example of lawyers, accountants and doctors–all of whom share a special relationship with their clients–one which entails confidence and trust. In the context of data privacy, an information fiduciary would mean a business or person who deals in information instead of money.

Fiduciaries typically have two basic obligations: the duty of loyalty and the duty of care. The duty of loyalty requires the fiduciary to prioritize the interests of the principal in case there is any potential conflict. The duty of care involves ensuring that the fiduciary discharges her obligations diligently ensuring that the interests of the principal are not harmed. Professor Balkin highlights the importance of fiduciary duties in the context of online services by taking the example of Google maps and how it should not suggest a drive past an IHOP as the best route simply because IHOP paid Google to do so.

 

DUTY OF CARE: AGAINST WHAT?

First, the Bill imposes a duty of care on online service providers to protect “individual identifying data” of end-users against unauthorized access. While the term “unauthorized access” is not defined anywhere in the text of the draft legislation, “individual identifying data” has been defined to mean any data which is reasonably linked to an end-user.  An “end user” in turn is defined as an individual availing a service from an online service provider over the internet. Interestingly, there is no explicit requirement of consent to precede processing of data, in stark contrast to the General Data Protection Regulation (GDPR) adopted by the European Union this year. This makes the distinction between authorized and unauthorized access unclear, especially insofar as non-consensual processing of data is concerned. It would be far-fetched to suggest that the term ‘unauthorized’ implies the absence of consent even vis-a-vis the online service provider. Instead of relying on consent, the Bill presupposes that a fiduciary relationship comes into existence when an individual avails a service online. This involves an implied rejection of the consent-oriented framework in determining a breach of privacy.

 

FROM CONSENT TO “DETRIMENT”: A PRUDENT TRANSITION?

Instead of a consent-oriented framework, online service providers owe a duty of loyalty to not use end-users’ data in a way which benefits them while causing detriment to end-users.  However, the conceptualization of detriment could be ambiguous without achieving precision. Besides, who determines whether a particular act of processing of data would be detrimental to the interests of an end-user; whether it would be the fiduciary itself or the Federal Trade Commission as a regulator–is also not clear. If the service provider determines whether any detriment is caused by a particular act, the business could escape liability by arguing that its ex-ante subjective assessment of its act suggested no detriment. On the other hand, if it is the end-user making an ex-post subjective assessment, it could lead to a slippery slope resulting in a floodgate of claims based on detriment. In either of the two cases, a service provider would find it difficult to assess the consequences of processing an end user’s data. This would in turn make the determination of a breach far more uncertain for both the fiduciary and the principal, would be mutually undesirable.

 

A NARROW UNDERSTANDING OF WHAT’S SENSITIVE

Second, the Bill seems to define sensitive personal data narrowly so as to exclude information relating to one’s race, gender, sexual orientation or sex life, transgender status or intersex status. Given the likelihood of individual profiles using such data, it becomes important to include these classifications within the definition of sensitive personal data. Yesterday, the MIT Technology Review published an article which proposed a ‘Bill of Data Rights’ for individuals to claim rights against unreasonable surveillance, behavioral manipulation and unfair discrimination. The absence of the aforementioned classes of data from the categorization of “sensitive data” undermines the seriousness associated with undermining the security of such data, a step away from the achievement of such a desirable set of goals.

 

BREACH NOTIFICATIONS ONLY FOR SENSITIVE DATA?

Third, the Bill necessitates a breach notification by service providers to end-users only when the security of sensitive data is compromised. This means that in case of breach of individually identifiable data, there would be no mandatory breach requirement. The rationale behind a classification between the two in the context of breach notifications is not clear. An end-user should be equally entitled to be notified of a breach if her individual identifiable data is breached, even if the nature of the breach consists of assess to data that is considered less important in relative terms.

 

DEFINITION OF ONLINE SERVICE PROVIDERS: WHAT IF IT’S NONE OF THEIR BUSINESS?

Lastly, an “online service provider” is defined as an entity which engages in interstate commerce over the internet or any other digital network which in the course of its business collects an individual’s identifying data about end users including in a manner that is incidental to the business being conducted. However, it is not clear what is meant by “in the course of business”. Would free services rendered online qualify to mean “business”? It is also not clear why an online service provider restricting its services to a particular state should be excluded from this definition.

In conclusion, while the Data Care Act succeeds in identifying existing problems plaguing the American federal privacy framework, its present form necessitates reconsideration before it is put to vote. The failure to make additional changes could result in losing an opportunity to make businesses sufficiently accountable for protection of customer data.

 

*Siddharth Sonkar is a student of National University of Juridical Sciences (NUJS), India with interests in law, technology, and policy.


Old Paper by ThunderThemes.net