Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data

58 Pages Posted: 11 Jan 2023 Last revised: 22 Jan 2024

See all articles by Daniel J. Solove

Daniel J. Solove

George Washington University Law School

Date Written: January 21, 2024

Abstract

Heightened protection for sensitive data is becoming quite trendy in privacy laws around the world. Originating in European Union (EU) data protection law and included in the EU’s General Data Protection Regulation, sensitive data singles out certain categories of personal data for extra protection. Commonly recognized special categories of sensitive data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation and sex life, and biometric and genetic data.

Although heightened protection for sensitive data appropriately recognizes that not all situations involving personal data should be protected uniformly, the sensitive data approach is a dead end. The sensitive data categories are arbitrary and lack any coherent theory for identifying them. The borderlines of many categories are so blurry that they are useless. Moreover, it is easy to use nonsensitive data as a proxy for certain types of sensitive data.

Personal data is akin to a grand tapestry, with different types of data interwoven to a degree that makes it impossible to separate out the strands. With Big Data and powerful machine learning algorithms, most nonsensitive data give rise to inferences about sensitive data. In many privacy laws, data giving rise to inferences about sensitive data is also protected as sensitive data. Arguably, then, nearly all personal data can be sensitive, and the sensitive data categories can swallow up everything. As a result, most organizations are currently processing a vast amount of data in violation of the laws.

This Article argues that the problems with the sensitive data approach make it unworkable and counterproductive as well as expose a deeper flaw at the root of many privacy laws. These laws make a fundamental conceptual mistake—they embrace the idea that the nature of personal data is a sufficiently useful focal point for the law. But nothing meaningful for regulation can be determined solely by looking at the data itself. Data is what data does.

To be effective, privacy law must focus on harm and risk rather than on the nature of personal data. The implications of this point extend far beyond sensitive data provisions. In many elements of privacy laws, protections should be proportionate to the harm and risk involved with the data collection, use, and transfer.

Keywords: Privacy, sensitive data, privacy harm, GDPR, CCPA, personal data

Suggested Citation

Solove, Daniel J., Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data (January 21, 2024). 118 Northwestern University Law Review 1081 (2024), GWU Legal Studies Research Paper No. 2023-22, GWU Law School Public Law Research Paper No. 2023-22, Available at SSRN: https://ssrn.com/abstract=4322198 or http://dx.doi.org/10.2139/ssrn.4322198

Daniel J. Solove (Contact Author)

George Washington University Law School ( email )

2000 H Street, N.W.
Washington, DC 20052
United States
202-994-9514 (Phone)

HOME PAGE: http://danielsolove.com

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
5,630
Abstract Views
14,869
Rank
3,003
PlumX Metrics