The Failure of Fair Information Practice Principles

Modern data protection law is built on "fair information practice principles." At their inception in the 1970s and early 1980s, FIPPS were broad, aspirational, and included a blend of substantive (e.g., data quality, use limitation) and procedural (e.g., consent, access) principles. They reflected a wide consensus about the need for broad standards to facilitate both individual privacy and the promise of information flows in an increasingly technology-dependent, global society. As translated into national law in the United States, Europe, and elsewhere during the 1990s and 2000s, however, FIPPS have increasingly been reduced to narrow, legalistic principles (e.g., notice, choice, access, security, and enforcement). These principles reflect a procedural approach to maximizing individual control over data rather than individual or societal welfare. As theoretically appealing as this approach may be, it has proven unsuccessful in practice. Businesses and other data users are burdened with legal obligations while individuals endure an onslaught of notices and opportunities for often limited choice. Notices are frequently meaningless because individuals do not see them or choose to ignore them, they are written in either vague or overly technical language, or they present no meaningful opportunity for individual choice. Trying to enforce notices no one reads has led in the United States to the Federal Trade Commission's tortured legal logic that such notices create enforceable legal obligations, even if they were not read or relied upon as part of the deal. Moreover, choice is often an annoyance or even a disservice to individuals. In addition, many services cannot be offered subject to individual choice. Requiring choice may be contrary to other activities important to society, such as national security or law enforcement, or to other values, such as freedom of communication. Enforcement of notice, choice, and the other FIPPS is uneven at best. Situations likely to threaten greatest harm are often subject to the least oversight, while innocuous or technical violations of FIPPS may be prosecuted vigorously if they are the subject of a specific law or obligation and they can be used to generate popular or political pressure. In short, the control-based system of data protection, with its reliance on narrow, procedural FIPPS, is not working. The available evidence suggests that privacy is not better protected. The flurry of notices may give individuals some illusion of enhanced privacy, but the reality is far different. The result is the worst of all worlds: privacy protection is not enhanced, individuals and businesses pay the cost of bureaucratic laws, and we have become so enamored with notice and choice that we have failed to develop better alternatives. The situation only grows worse as more states and nations develop inconsistent data protection laws with which they attempt to regulate increasingly global information flows. This paper reflects a modest first step at articulating an approach to privacy laws that does not reject notice and choice, but does not seek to rely on it for all purposes. Drawing on other forms of consumer protection, in which standards of protection are not negotiable between providers and consumers, I propose that national governments stop subjecting vast flows of personal data to restraints based on individual preferences or otherwise imposing the considerable transaction costs of the current approach. Instead, the paper proposes that lawmakers reclaim the original broader concept of FIPPS by adhering to Consumer Privacy Protection Principles (CPPPS) that include substantive restrictions on data processing designed to prevent specific harms. The CPPPS framework is only a first step. It is neither complete nor perfect, but it is an effort to return to a more meaningful dialogue about the legal regulation of privacy and the value of information flows in the face of explosive growth in technological capabilities in an increasingly interconnected, global society.