The Case Against Idealising Control

4 European Data Protection Law Review 423 (2018)

10 Pages Posted: 31 Dec 2018 Last revised: 10 Jan 2019

See all articles by Woodrow Hartzog

Woodrow Hartzog

Northeastern University School of Law and Khoury College of Computer and Information Sciences; Stanford Law School Center for Internet and Society

Date Written: December 12, 2018

Abstract

Seemingly everyone, from scholars, industry, and privacy advocates to lawmakers, regulators, and judges seems to have settled on the idea that the key to privacy is control over personal information. But in practice, there is only so much a person can do. Control is far too precious and finite of a concept to meaningfully scale. It will never work for personal data mediated by technology.

Now we have an entire empire of data protection built around the crumbling edifice of control. The idealisation of control in modern data protection regimes like the GDPR and the ePrivacy Directive creates a pursuit that is actually adversarial to safe and sustainable data practices. It deludes us about the efficacy of rules and dooms future regulatory proposals to walk down the same, misguided path. We should dislodge and minimise the concept of control as a goal of data protection.

In mediated environments, the control we users get is illusory, overwhelming, and myopic. Justifying control measures on privacy grounds requires so much justification and tying ourselves in knots that it feels like it’s merely serving as a proxy for some other protection goal that’s just out of reach. Lawmakers and companies should pursue more direct values like trust, obscurity, and autonomy. They should embrace more direct strategies like mandatory deletion, collection and purpose limitations, and non-waivable duties of care, loyalty, discretion. People's trust in companies should be protected regardless of the control they are given.

Keywords: control, privacy, data protection, GDPR, ePrivacy, privacy by design

Suggested Citation

Hartzog, Woodrow, The Case Against Idealising Control (December 12, 2018). 4 European Data Protection Law Review 423 (2018). Available at SSRN: https://ssrn.com/abstract=3299762

Woodrow Hartzog (Contact Author)

Northeastern University School of Law and Khoury College of Computer and Information Sciences ( email )

416 Huntington Avenue
Boston, MA 02115
United States

HOME PAGE: http://https://www.northeastern.edu/law/faculty/directory/hartzog.html

Stanford Law School Center for Internet and Society ( email )

Palo Alto, CA
United States

HOME PAGE: http://cyberlaw.stanford.edu/profile/woodrow-hartzog

Register to save articles to
your library

Register

Paper statistics

Downloads
59
Abstract Views
353
rank
359,429
PlumX Metrics