How do information privacy laws regulate the use of big data techniques, if at all? Do these laws strike an appropriate balance between allowing the benefits of big data and protecting individual privacy? If not, how might we amend or extend laws to better strike this balance?
This chapter attempts to answer questions like these. It builds on Chapter 1 of this volume, by Strandburg, which focused primarily on legal rules governing the collection of data. This chapter will focus primarily on the law of the United States, although it will make comparisons to the laws of other jurisdictions, especially the European Union, which is well covered in Chapter 8 of this volume.
Most information privacy law focuses on collection or disclosure and not use. Once data has been legitimately obtained, few laws dictate what may be done with the information. The exceptions to this general pattern receive attention below; laws that govern use tend to focus on particular types of users, especially users that lawmakers have deemed owe obligations of confidentiality to data subjects. For example, law regulating the health and financial industries, industries that historically have evolved obligations of confidentiality, constrain not only collection and disclosure but also use.
This chapter argues that our current information privacy laws are failing to protect individuals from harm. The discussion focuses primarily on shortcomings in the law that relate to specific features of big data, although it also describes a few shortcomings that relate only tangentially to these features. All of these shortcomings expose some individuals to the risk of harm in certain circumstances. We need to develop ways to amend the laws to recalibrate the balance between analytics and risk of harm. Ultimately, the chapter proposes five general approaches for change.