Legislators across the country are writing new laws to protect your data privacy. One tool in the toolbox could be “information fiduciary” rules. The basic idea is this: When you give your personal information to an online company in order to get a service, that company should have a duty to exercise loyalty and care in how it uses that information. Sounds good, right? We agree, subject to one major caveat: any such requirement should not replace other privacy protections.
The law of “fiduciaries” is hundreds of years old. It arises from economic relationships based on asymmetrical power, such as when ordinary people entrust their personal information to skilled professionals (doctors, lawyers, and accountants particularly). In exchange for this trust, such professionals owe their customers a duty of loyalty, meaning they cannot use their customers’ information against their customers’ interests. They also owe a duty of care, meaning they must act competently and diligently to avoid harm to their customers. These duties are enforced by government licensing boards, and by customer lawsuits against fiduciaries who do wrong.
These long-established skilled professions have much in common with new kinds of online businesses that harvest and monetize their customers’ personal data. First, both have a direct contractual relationship with their customers. Second, both collect a great deal of personal information from their customers, which can be used against these customers. Third, both have one-sided power over their customers: online businesses can monitor their customers’ activities, but those customers don’t have reciprocal power.
Accordingly, several law professors have proposed adapting these venerable fiduciary rules to apply to online companies that collect personal data from their customers. New laws would define such companies as “information fiduciaries.”
EFF supports legislation to create “information fiduciary” rules. While the devil is in the details, those rules might look something like this:
New information fiduciary rules would help address situations that have arisen in the past:
The rules can also help in potential future situations:
While information fiduciary rules would be an important step forward, they are just one strand of the larger tapestry of data privacy legislation.
First, while information fiduciary rules are a good fit for “first-party” data miners that have a direct contractual relationship to their customers (such as social media companies and online vendors), these rules may be less applicable to “third-party” data miners that have no direct relationship to the people whose data they gather (such as credit agencies). The essence of the fiduciary relationship is the choice of a customer to entrust someone else with their personal information.
Second, while information fiduciary rules would limit how a first-party data miner may use, store, and disclose a customer’s personal information, these rules may have less to say about when and how a business may initially collect a customer’s personal information.
Third, there is uncertainty as to how information fiduciary rules will be applied in practice. Fiduciary rules are hundreds of years old, and have typically been applied to skilled professionals. But since the law of information fiduciaries does not yet exist, it remains unclear exactly what enforceable limits it will place on online businesses.
We should not put all of our eggs in this one basket. EFF supports information fiduciary rules. But these rules must not displace other data privacy rules that EFF also supports, such as opt-in consent to collect or share personal information, the “right to know” what personal information has been collected from you, and data portability. Companies subject to information fiduciary rules must follow these other data privacy rules, too.
Likewise, a federal information fiduciary statute must not preempt state laws that provide these other privacy safeguards. EFF has been sounding the alarm against federal legislation that preempts strong state data privacy laws—and that includes any federal law on information fiduciaries.