Imagine that you’ve been struggling with a serious and fairly embarrassing personal problem. Putting aside a longstanding reluctance to address it, you finally consult a therapist. The therapist is friendly and welcoming and promises to protect your privacy. Gaining a sense of trust, you bare your soul, describing the issue you are struggling with in all of its painful detail.
Only later do you realize, to your horror, that your confessions were being recorded and retained by the therapist. It turns out that your therapist, to supplement his income, has gotten into the advertising business: He takes data gleaned from his patients and offers it to advertisers (or any other interested party) for a fee.
Everyone would be outraged by this; it is professionally unethical and a serious breach of trust. Yet what I’ve described is not so different from our relationship with businesses like Google, Facebook, Quora and Amazon. They hold themselves out as trustworthy, enticing us to share our information with them — from the banal details of our lives to our most intimate secrets — without making it very clear that everything is being recorded, kept and used for advertising.
The Europeans find this kind of thing distasteful, which is why last Friday they instituted a strict online privacy law — the General Data Protection Regulation. The law’s approach is, for want of a better word, European: broad, rule-driven and administered by regulators. Under the G.D.P.R., any company that gathers or processes personal data is defined as a “data controller” and is subject to a raft of new rights and duties that are enforced by Europe’s member states.
Many people have argued that the United States should adopt or borrow from the G.D.P.R. in strengthening its own online privacy protections. But Congress is the stumbling block. It has repeatedly failed to pass a number of proposed privacy bills, and despite increased public outrage, it seems unlikely to create a European-style privacy bureaucracy anytime soon.
For all these reasons, the United States may need to try something different and more American: namely, to rely on judges and state law to establish that the legal concept of “fiduciary duty” can apply to technology companies.
To understand what fiduciary duties are, return to the example of the unfaithful therapist. Given that he used a position of trust and expertise to gain sensitive information from you, medical ethics and the law hold that he has a special obligation to be loyal and careful with your data. He is a fiduciary. (The word derives from the Latin for “trust.”) The idea of a fiduciary duty is intuitive and familiar to American law: Your lawyer, your doctor, your therapist and your accountant are all fiduciaries.
So why not your search engine, your digital assistant and your social media platform? These entities present themselves as trustworthy, have a special expertise and usually require you to reveal information about yourself to be useful. As Mark Zuckerberg, the chief executive of Facebook, himself put it: “We have a responsibility to protect your data.” These companies should be considered, to borrow a term coined by the law professor Jack Balkin, “information fiduciaries” — or perhaps “data fiduciaries.”
How would this work in practice? Once these fiduciary duties were established by state legislation or a court ruling, questions about the breach of such duties would be addressed case by case, by courts and judges, in the American common-law manner. Instead of asking what responsibilities all “data controllers” have, as the Europeans must now do, courts in the United States could ask more specific questions.
For example: Did Equifax, the credit reporting agency, fail to adequately protect user data? (Obviously.) Should a firm like Quora, the question-and-answer website, require that users “opt in” before allowing other people to find out what you are asking about? (Almost certainly.) Should Alexa, Amazon’s digital assistant, require users to “opt in” before it listens to their conversations? (It depends on how it would be carried out.)
To be sure, a European-style regulatory system operates faster and has clearer rules than an American-style common-law approach. But the European approach runs the risk of being insensitive to context and may not match our ethical intuitions in individual cases. If the past decade of technology has taught us anything, it is that we face a complex and varied array of privacy problems. Case-by-case consideration might be the best way to find good solutions to many of them and, when the time comes (if the time comes), to guide the writing of general federal privacy legislation.
A defining fact of our existence today is that we share more of ourselves with Silicon Valley than with our accountants, lawyers and doctors. It is about time the law caught up with that.
Tim Wu is a law professor at Columbia, the author of The Attention Merchants: The Epic Struggle to Get Inside Our Heads and a contributing opinion writer.