  • Print publication year: 2014
  • Online publication date: July 2014

4 - Changing the Rules: General Principles for Data Use and Analysis



How do information privacy laws regulate the use of big data techniques, if at all? Do these laws strike an appropriate balance between allowing the benefits of big data and protecting individual privacy? If not, how might we amend or extend laws to better strike this balance?

This chapter attempts to answer questions like these. It builds on Chapter 1 of this volume, by Strandburg, which focused primarily on legal rules governing the collection of data. This chapter will focus primarily on the law of the United States, although it will make comparisons to the laws of other jurisdictions, especially the European Union, which is well covered in Chapter 8 of this volume.

Most information privacy law focuses on collection or disclosure and not use. Once data has been legitimately obtained, few laws dictate what may be done with the information. The exceptions to this general pattern receive attention below; laws that govern use tend to focus on particular types of users, especially users that lawmakers have deemed to owe obligations of confidentiality to data subjects. For example, laws regulating the health and financial industries, industries that historically have evolved obligations of confidentiality, constrain not only collection and disclosure but also use.

This chapter argues that our current information privacy laws are failing to protect individuals from harm. The discussion focuses primarily on shortcomings in the law that relate to specific features of big data, although it also describes a few shortcomings that relate only tangentially to these features. All of these shortcomings expose some individuals to the risk of harm in certain circumstances. We need to develop ways to amend the laws to recalibrate the balance between analytics and risk of harm. Ultimately, the chapter proposes five general approaches for change.
