A Relational Turn for Data Protection?
4 European Data Protection Law Review 1 (2020)
6 Pages Posted: 4 Feb 2021 Last revised: 12 Jul 2021
Date Written: December 9, 2020
While most approaches to privacy and data protection focus on the data, this paper explores an alternative approach that focuses on relationships. This means means looking more closely at how the people who are exposing their information and the people that are inviting that disclosure relate to each other. It is concerned with what powerful parties owe to vulnerable parties - not just with their personal information, but with the things they see, the things they can click, and the decisions that are made about them. It’s less about the nature of data and more about the nature of power. And it can make data protection work better. We call this the "relational turn" in privacy law.
The relational approach has deep roots in American and English law, and a growing group of scholars in North America are starting to appreciate the virtues of such an approach, whether framed in terms of "privacy and trust" or "information fiduciaries." The clear advantage of a relational approach is that it is acutely sensitive to the power disparities within information relationships, such as those between humans and platforms. Relational models of this sort protect against self-dealing and impose duties of loyalty and care to protect against dangerous behavior. Data protection regimes like the American "notice and choice" model or the more robust GDPR, by contrast, target imbalances of power within relationships more indirectly by looking to the nature of the data.
We think a relational turn for data protection would be superior to the current model. A relational turn would provide a path towards more substantive rules that would limit how people's data could be used against them. It would focus on the real problem that privacy and data protection law should tackle – the power consequences of information relationships, making legitimacy of processing a question of fundamental fairness rather than of data hygiene. Substantive data rules would demand more than that data serve a ‘legitimate interest’ of the data processor. They would focus on the power consequences of processing on the data subject, whether we apply some version of the classic fiduciary duties of care, confidentiality, and loyalty, or the trust-promoting duties of honesty, protection, discretion, and loyalty that we have called for in other work. Perhaps equally important, relational duties allow for a decoupling of choice and consent, whereby people would be protected no matter what they choose. It’s time for data protection’s relational turn.
Keywords: privacy, data protection, gdpr, loyalty, trust, cyberlaw
Suggested Citation: Suggested Citation