'The Fiduciary Model of Privacy' by Jack M. Balkin in (2020) 134(1) Harvard Law Review Forum comments
This essay summarizes and restates the theory of information fiduciaries and the fiduciary model of privacy.
In the digital age people are increasingly dependent on and vulnerable to digital businesses that collect data from them. Companies use this data to predict and control what people do, and to sell third parties access to them. Because of the vulnerability and dependence created by information capitalism, the law should regard digital companies that collect and use end user data as information fiduciaries. The fiduciary model is part of a larger trend in privacy law that views privacy in terms of relationships of loyalty and trust.
Information fiduciaries have three basic kinds of duties toward their end users: a duty of confidentiality, a duty of care, and a duty of loyalty. These fiduciary duties also must “run with the data”: digital companies must ensure that anyone who shares or uses the data is equally trustworthy and is legally bound by the same legal requirements of confidentiality, care, and loyalty as they are.
The fiduciary model has important consequences for Fourth Amendment law. It limits the application of the third-party doctrine to those persons and businesses who are not our information fiduciaries. If we give our data to an information fiduciary, by contrast, the government must obtain a warrant to access it, because we have a reasonable expectation that our fiduciary has a responsibility not to betray us. In this way, the fiduciary model helps preserve our security from the government as we hand over more and more information about ourselves to digital businesses. It prevents our constitutional rights from continually contracting in the digital age.
The fiduciary model is fully consistent with corporate managers' fiduciary duties to shareholders. Nevertheless, once implemented, the fiduciary model will transform existing business models and will have systemic effects. Its central purpose is to give digital businesses legal incentives to act in the interests of their end-users, interests which they often claim to respect but actually do not.
The fiduciary model is not a substitute for competition law reforms or antitrust regulation. Quite the contrary, reformers must proceed on multiple fronts. The power of digital businesses arose from changes in many different areas of law during the Second Gilded Age, and addressing that power will require reforms in many different areas as well. Thus, attending only to privacy reform will leave crucial problems of economic concentration unaddressed. But the converse is also true. Focusing solely on antitrust and competition policy may not solve — or may even exacerbate — important threats to digital privacy.
The essay concludes with a proposal for imposing fiduciary and other public interest obligations on digital businesses in a way that is consistent with the First Amendment. The full scope of current intermediary immunity rules is not required by the First Amendment. Rather, intermediary immunity is a valuable regulatory subsidy. In exchange for this subsidy, government should demand public interest obligations from digital platforms. First, digital companies must accept that they are information fiduciaries toward their end users and toward any persons whose data they collect in the course of their businesses. Second, digital businesses must allow interoperability for other applications, as long as those applications also agree to act as information fiduciaries. Third, digital businesses must allow government regulators to inspect their algorithms for purposes of enforcing competition law, privacy, and consumer protection obligations.