Check out my latest post on Concurring Opinions:
The past half-decade has seen an uptick in thoughtful and influential scholarship on the potential risks — particularly to privacy and civil liberties — of emerging technologies. Regular readers of this blog will not be surprised to find works by several Concurring Opinions bloggers on any list of must-read commentary on the legal, ethical, and political dimensions of new data-driven technologies. Technological progress (or regress, depending on your point of view) has become one of the dominant narratives of our time, and it’s good that critiques of its darker implications have slowly but inexorably entered our political discourse.
Still, there’s a smallish subset of tech commentary and criticism that is, in my view, overwrought. These are critiques that, on their face, seem to have no particular target other than technology tout court. They often include alarmist headlines which are not supported in substance. They cite the marketing claims of technology vendors as statistics. Their true targets are generally people, or political ideologies, rather than technology — a critical fact which often remains buried in the work.
Cross posted from Concurring Opinions, where I’m guest-blogging this month
Who bears the costs of privacy breaches? It’s challenging enough to articulate the nature of privacy harms, let alone determine how the resulting costs should be allocated. Yet the question of “who pays” is an important, unavoidable, and in my view undertheorized one. The current default seems to be something akin to caveat emptor: consumers of services — both individually as data subjects and collectively as taxpayers — bear most of the risks, costs, and burdens of privacy breaches. This default is reflected, for example, in legal rules that place high burdens on consumers seeking legal redress in the wake of enterprise data breaches and liability caps for violations of privacy rules.
Ironically, the “consumer pays” default may also (unwittingly) be reinforced in well-meaning attempts to empower consumers. This has been one of the unintended consequences of decades of advocacy aiming to strengthen notice and consent requirements. These efforts take it for granted that data subjects are best-positioned to make effective data privacy and security decisions, and thus reinforce the idea that data subjects should bear the ultimate costs of failures to do so. (After all, they consented to the use!). And while notice and consent are still the centerpiece of every regulator’s data privacy toolbox, there’s reason to doubt that empowering consumers to make more informed and granular privacy decisions will reduce the incidence or the costs of privacy breaches.
Continue reading Why empowering consumers won’t (by itself) stop privacy breaches [cross-posted]