Computers, Privacy & the Constitution
-- BarakBacharach - 08 Mar 2020

A positive right of action.

In Europe, the study of Constitutional Rights can be broadly broken down into two eras -- the era of negative rights and the era of positive rights. The era of negative rights is strongly associated with the classical liberal era, and thus, negative rights reflect the largely libertarian leanings of those times. Negative rights are the rights to be largely free of state interference or coercion when doing certain activities, most famously in the United States, either speaking or exercising one's religion. Positive rights, on the other hand, reflect a more modern understanding of rights that began to evolve in the late 19th and early 20th centuries, and reached their Constitutional peak following WWII. Positive rights are affirmative guarantees from the government that it will provide something, usually medicine or education.

The Positive and Negative Rights Distinction in the Context of Privacy

The distinctions between American and European Constitutional approaches to information privacy are vast, not least because of the times they were drafted. The Charter of Fundamental Rights of the European Union is a 21st century document and can thus explicitly can make reference to protecting information privacy. Article 8 of the CFREU famously has a provision stating "1. Everyone has the right to the protection of personal data concerning him or her." However, looking at the strictly technological advantages of the CRFEU misses the larger context of the kinds of rights embodied in the CFREU as opposed to the American Constitution. Because the Constitution was drafted and has been amended solely using negative rights language, the protection of personal data can only be inferred from protection against general government interference. This leads to a host of problems both in the areas of third-party data collection and governmental spying. What's more, the classical liberal mindset, limiting an individual to only negative rights, is so ingrained in American society it permeates not only the Constitutional process, but the lawmaking process and the public's attitude towards data privacy as well. I aim to address this problem by having Congress affirmatively grant individuals property rights over data created through their actions.

Stuck in the 18th Century

On the Federal level, the American posture towards all rights, not merely privacy ones, remains firmly rooted in the 18th century. On the oft chance that positive rights do exist in America, they are not explicit, such as the right to abortion, they are not explicit and only inferred from the "penumbras" of the Constitution. This further extends to the legislative process - not only is Congress reticent to create positive rights, often legislative creations of positive rights are looked upon with skepticism, because Congress has no power to create legislative rights absent limited clauses, most notably the interstate commerce and taxation clause. Thus, the creation of a positive right to healthcare was limited by the Supreme Court to the imposition of a tax, and that itself is controversial. However, there is one area where Congress' power to create positive rights is uncontroversial -- the employee employer relationship.

The most infamous era in American legal history, the Lochner era, presupposed that Congress' power over positive rights was functionally nonexistent and subservient to the individual right to freedom of contract. Luckily, however, this attitude was overturned by the "switch in time that saved the nine" which upheld that Congress indeed had the power to create positive rights (at least in the interstate commerce context). There are interesting parallels with data privacy, because one of the main arguments against Congressional regulation of third-party data privacy is that individuals should have the right to sell their data to the companies. Of course, as with the same argument in the employment context, this ignores the massive power imbalance between the two parties and is not worth addressing seriously. However, the counterfactual offers an interesting perspective -- why not approach data privacy in the same way we approach minimum wage law, by creating a private right of action against individuals, corporations and the government, for privacy violations. The background of this right of action would be the belief that people own data concerning them.

A Private Right of Action

California has already created a private right of action by consumers that have suffered a data breach. I would argue, however, that the California private right of action has two main drawbacks. One, it is not nearly broad enough -- it only creates a private right of action for data breaches, whereas a private right of action should occur in all unauthorized gathering of personal information. Banning gathering of private information without express consent of the user is a good starting point, but without an enforcement mechanism it is useless. On the other hand, the creation of a private right of action treats user data as a property owned by the user and is parallel to the common law tort of simple theft. Put simply, if the data is user property, users should be allowed to sue when companies steal it.

The second, and far more ambitious private right of action, would be the creation of a private right of action against the government for unauthorized access to one's personal data. It would be tantamount to explicitly extending a Bivens action to accessing a person's data in a way that contravenes not only the 4th Amendment, but also the Takings Clause. While theoretically a Bivens action could cover this, the Supreme Court has steadily chipped away at its reach since the 1980s, and as previously mentioned, the central thrust of this idea is personal ownership of data concerning oneself. If data concerning oneself is one's property, then Congress has no more right over it than one's house. This would also neatly fit personal data into preexisting search and seizure doctrine.

The Implications of a Private Right of Action

Perhaps more than anything, the creation of a private right of action for taking data concerning a person would place the power firmly in the hands of individuals. By granting individuals a positive right to data based off their actions, Congress would give people the power to stand up for their own rights, either as individuals or as a class. Given the reticence of the United States to embrace antitrust and Congressional regulation in general, giving the power to the people to take on big tech themselves may be the most palatable way for us to protect our rights.


Webs Webs

r5 - 31 Mar 2020 - 18:49:08 - BarakBacharach
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM