Evolving Law and Economics of Internet Privacy in the Evolving Technological Environment
B. Economic and Legal Foundations of Internet Privacy
I. In search for a rationale of data protection on the internet According to Professor Ko, privacy is often explained as liberty in the U.S.
while in the EU dignity of the individual is considered a key underlying attribute.1 This comparison might be a bit simplified because this contrast is not absolute and both rationales are often closely linked. Furthermore, we find different approaches in Europe as well. They are very much dis-cussed in the German context but can be identified on the European level, too.
The first approach looks at privacy – and on personal data in particular – as a form of property rights. This seems to be the predominant point of view in economics.2 Therefore, the consumer can (and should) deal with his data as with other economic goods in the most efficient way to maxim-ize his individual welfare. The jurisprudence of the German Constitutional Court and relating legal literature on the fundamental right of information-al self-determination as a part of the personinformation-ality-right, Art. 2 (1), Art. 1 (1) of the German Constitution (Grundgesetz – GG), arguably point in a simi-lar direction. The Court identifies a constitutional right to a free decision about sharing his or her own data with others and about the way others may use his or her data.3 This also includes that everybody is entitled to sell his or her data (but not the personality-right itself) to commercial en-terprises.4 The right to a free decision on the use of personal data is not
1 Drawing on Whitman (2004), 1161.
2 Prominently Posner (1978); compare more recently Murphy (1996); Varian (1996).
3 Decisions of the German Federal Constitutional Court, Official Documentation (BVerfGE) vol. 65, 1, 42, 43; excerpts in English in Kommers (1997), 323–326. This is not a genuine German innovation, for a similar approach see already Westin (1967), 7.
4 For details see Weichert (2001), 1467, who, however, simultaneously warns against undue commercialisation of the right of informational self-determination, ibid., 1469;
meant as a property right in the more narrow sense of the fundamental right of property (Art. 14 GG), but it might be understood as a property right in a broader economic meaning. In the U.S., the right to privacy in general (not relating to personal data) is even seen as a Fourth Amendment matter which closely links this right to the sanctity of the home.5
The second approach might be labeled dignitarian because it points to the roots of informational self-determination in human dignity. This link-age is rarely mentioned in the U.S.6 but becomes clear already in the legal foundation the Constitutional Court gives for this fundamental right:
Art. 1 (1) GG explicitly names human dignity as the basis of the constitu-tional legal order.7 The legal discussion has refined this rationale by point-ing out that data protection is not a virtue in itself but a necessary precon-dition for individual freedom in many contexts in a social environment. If a person does not know what others know about him or her, this might have a chilling effect on free interaction with others. The protection of an area of privacy – which is, at least in part, self-defined – is a precondition for enhancing his or her own personality. This dignitarian approach focus-es much more on the social context of information than the property rights-approach does.8 It is important to note, however, that in social interaction not only protecting private data from others but also sharing privacy rele-vant information with others is an essential prerequisite of personal free-dom. This double-sidedness becomes especially clear within Art. 16 TFEU which both mentions the right to data protection and the free flow of data within the European Union.9
In an economic analysis this double rationale could be reflected in the analytical framework of optimizing central constitutional values.10 The
“capability approach” developed by Nobel laureate Amartya Sen might be even better suited for the analysis because this approach draws on substan-tial freedoms to realize alternative combinations of different so called
Britz (2010), 587, even argues for Art. 14 GG as the appropriate constitutional founda-tion of this right to self-commercialisafounda-tion of one’s personal data.
5 For an overview see Whitman (2004), 1211–1216; compare Slobogin (2011), 467, who shows the limitations of this approach if there is no physical intrusion but only a technological one.
6 The famous starting point was Warren/Brandeis (1890), see on the reception of this article Whitman (2004), 1204–1208; in the Supreme Court jurisprudence Schmerber v.
California, 384 U.S. 757, 767 (1966), describes the Fourth Amendment as protecting
“privacy and dignity against unwarranted intrusion by the State”; furthermore cf. Law-rence v. Texas, 123 S. Ct. 2472 (2003) on homosexuality.
7 BVerfGE 65, 1, 42–43; BVerfGE 120, 351, 359–360.
8 Compare Britz (2010), 568–569, 573, who looks at informational self-determination as a means to secure freedom in various contexts rather than an end in itself.
9 Short remarks by Schneider (2011), 519.
10 According to van Aaken (2003), 315–333.
“functionings”.11 In this framework the right to informational self-determination should be construed in such a way that the individual can interact most freely with others, taking into account both his or her interest in privacy as a requisite of freedom and his or her interest in sharing in-formation in social networks or business contacts on the internet. This per-spective does not exempt from the necessity to weigh the benefits (merits) of enhanced data protection against the related costs of lost private and business opportunities. But it shifts the point of view of his analysis from economic efficiency (as in the neoclassical approach) to the maximisation of capabilities. While most aspects of efficiency can be implemented in the capability approach as well, this approach helps to broaden the perspective in cost-benefit analysis.12
II. The right of privacy between private parties
Taking fundamental rights as the starting point of our analysis leads us to the question whether such rights are applicable in (business) contacts of private parties on the internet. In the U.S. the constitutional right to priva-cy, deriving from the Fourth Amendment, is protected only – at least in general – against state action.13 This might explain why data protection in the private sector seems to be so much weaker in the U.S., based primarily on tort law14, than in Germany and the European Union.
In German doctrine, constitutional rights do not only serve as individual rights against the state but – as a reaction to Nazism – also as an objective order of values which influence the whole legal order including the rela-tionship between private individuals themselves.15 Therefore, the state (in particular the legislator) has a constitutional duty to protect the individu-al’s fundamental rights against other private parties so far as the individual
11 Theoretical foundations by Sen (1985); contrasted with traditional cost-benefit-analysis by Sen (1999), 54–86; in the context on human rights Sen (2004), 332–338; for an critical discussion see e.g., Alkire (2005); Robeyns (2005); used in practice for exam-ple in the Report to the French President by Stiglitz/Sen/Fitoussi (2009), 15 – Recom-mendation 6.
12 For an more detailed discussion see Fehling (2011), 49–51; intimated in a different context (environmental protection) in passing by Kaplow (2007), 116; Kysar (2010), 106.
13 Whitman (2004), 1161, 1213–1216. The leading case on informational privacy is Whalen v. Roe, 429 U.S. 589 (1977).
14 Tene/Polonetsky (2012), 337, pointing to Restatement (second) of Torts, § 652D (1977).
15 BVerfGE 7, 195, 205–207; published in English in Mitglieder des Bundesverfas-sungsgericht (1998), 1, 5–6; excerpts in English in Kommers (1997), 361–368, for the concept of a “radiating effect” of basic rights on third parties see ibid., 48–49; in the context of informational self-determination (concerning a renting contract) BVerfGE 84, 192, 194–195; Kühling/Seidel/Sivridis (2011), 54.
is not able to protect himself or herself. Such inability might be caused by overwhelming market power of the opponent or by severe information asymmetry. In our context, this means that legal institutions must be estab-lished and guaranteed to empower the individual (quite often, but not nec-essarily in the role of the consumer) in such a way that he or she can freely choose his or her appropriate level of privacy and openness on the inter-net.16 I think that a similar conclusion should be possible in the analytical framework of institutional economics. Such a duty to protect – and corre-spondingly: such an individual right to get protection – is recognized for the right to privacy under Art. 8 ECHR, too.17 There is less doctrinal cer-tainty about the interpretation of the new Art. 8 of the European Charter of Fundamental Rights (and the similar Art. 16 TFEU), but it seems fair to say that there is such a right to privacy protection on the internet on the level of the European Union as well. At least, the European Directive on Privacy and Electronic Communications,18 which draws on Art. 7 and 8 of the Charter, addresses these issues in internet communications between private parties.
III. Necessary level of protection
In a rational choice model the consumer is seen as a completely rational actor maximizing his or her individual welfare in internet transactions.
From such a point of view, more information about each other helps pri-vate parties to create contracts on the internet which serve both parties best. If this were true, the protection of privacy might – according to Pos-ner and others – even be a source of inefficiency.19 There would be no need for time consuming and costly legal barriers against an easy flow of infor-mation.
16 From a constitutional law point of view compare Bäcker (2012), 99–111; Albers (2005), 562–582.
17 See Meyer-Ladewig (2011), Art. 8 para. 2, 4, 8; O’Boyle/Harris (2009), pp. 362, 369, 382; Ehlers (2007), § 2 para. 16, § 3 para. 26.
18 Directive 2009/136/EC of the European Parliament and of the Council of 25 No-vember 2009 Amending Directive 2002/22/EC on Universal Service and Users’ Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal data and the Protection of Privacy in the Electron-ic CommunElectron-ications Sector and Regulation (EC) No. 2006/2004 on Cooperation Between National Authorities Responsible for the Enforcement of Consumer Protection Laws, O.J.
L 337 of 18 December 2009, 11.
19 Posner (1978), 397–401; similarly Stigler (1980), especially at 628–633; Calzola-ri/Pavan (2006); more nuanced Murphy (1996), 2385–2388, who endorses Posner’s view regarding claims for the protection of a mere reputation but differs regarding privacy claims based on subjective privacy preferences other than manipulating reputation.
But even from a rational choice point of view, one might reach a different conclusion when taking into account transaction costs: Because it takes too much time to read and trying to understand the privacy policy of undertak-ings on the internet, it might be rational to ignore the more or less hypo-thetical risks to privacy in internet communication. Regulation should then enhance the information companies are obliged to give to consumers about the processing of their data, in particular making the statements more com-prehensive and better understandable.
Professor Ko showed us that the context (framing effect), the paradox of control and the privacy paradox influence consumers’ privacy decisions.20 Therefore, behavioural law and economics might give us a more realistic picture of such decisions in internet communication. Consumers might overvalue short term benefits of information disclosure to less visible long term risks. Because of peer group pressure this might be even more the case in social networks than in pure business contacts. In this model, regu-lation should not only reduce information asymmetries on the usage of personal data but must also help the consumers to properly weigh the pro and cons of giving away parts of their privacy.
Although European and German law on data protection do not com-pletely endorse the idea of bounded rationality,21 the law at least recogniz-es that there are severe information asymmetrirecogniz-es which might cause severe problems to reach a truly informed consent:22 On the one hand, the lack of knowledge about the further processing of one’s data might result in con-sumers’ annoyance or overconfidence in dealing with personal data.23 But the perception of less control over the usage of private data might also – the other way round – have a chilling effect on the enhancement of one’s personality. Unlike Posner, the fundamental right to informational self-determination recognizes the psychological costs – that is, the possibly chilling effect which unknown risks to privacy may have on personal and business relationships24 – as a completely rational motive for rules of data protection. As risks to privacy are part of a social context even the pre-sumption of such severe risks endangers the level of freedom in social rela-tionships not only on an individual level but also in society as a whole.25
20 For example, John/Acquisti/Loewenstein (2011), 868; also compare Tene/
Polonetsky (2012), 333, noting that consumers often express a strong interest in privacy and aversion towards online behavioural tracking but refrain from taking any step, no matter how trivial and costless, to prevent tracking.
21 Compare Britz (2010), 587–588, drawing on BVerfGE 9, 353, 358, noting that in the first place everybody has to protect himself by making informed decisions about privacy relevant information.
22 This has already been noted by Simitis (1987), 736–737, compare ibid., 733–734.
23 Compare Tene/Polonetsky (2012), 335, 338; more sceptical Britz (2010), 592.
24 BVerfGE 65, 1, 42–43; compare Britz (2010), 569–570.
25 Weichert (2001), 1469, emphatically endorses this view.
Therefore, legislation has to build trust in the protection of privacy in the electronic information infrastructure even if losses in freedom according to reduced privacy cannot be completely tracked down to quantified and monetized individual costs.26