'Privacy Theater in the Bankruptcy Courts' by
Christopher Bradley in (2023) 74 Hastings Law Journal comments
The sharply resource-constrained environment of bankruptcy breeds fierce competition for the value that remains in a bankrupt firm.'Managers are tasked with maximizing the overall value of the firm, while those with individual rights in the firm's assets or claims against the firm fight to protect their interests. Businesses may seek to restructure or escape contractual obligations and other burdensome relationships in order to maximize their assets' value-a process that can seem inequitable to those who dealt with the debtor prebankruptcy. The determinations made in bankruptcy proceedings often go beyond business and financial issues and implicate public policy. For example, in recent years, debtors have sought relief from liabilities to victims of asbestosis, sexual assault, or opioid addiction.
The general bankruptcy goal of value maximization is often in tension with the interests of consumers. As a matter of policy, consumer interests may be worth protecting, but usually consumers lack individual incentive to involve themselves in the bankruptcy process. As a result, consumers can see gift card values wiped out; warranties, leases, and loans abandoned or dramatically restructured; or private data sold to the highest bidder.
The efforts of bankrupt firms to monetize consumers' private data is a prime example of how unresolved policy conflicts can end up in the bankruptcy system. Although the intersection between privacy law and the big business of consumer data has become a major focus of policymakers, scholars, the business community, and consumer advocates, the legal regime governing the commercial use of data in bankruptcy proceedings remains contested and often unclear. To the stakeholders in a financially distressed firm, consumers' private data is a resource that can be monetized. While a healthy firm might hesitate to exploit private data out of concern over reputational risk or liability, these
scruples matter less to financially distressed firms.
The pressure to capitalize on data has been acute in quickly transforming industries such as retail and healthcare. Thousands of companies in these fields have experienced financial distress, closed offices and stores, and sought bankruptcy relief.' Meanwhile, the value of consumer data has continued to rise, tempting cash-strapped companies to sell this data regardless of any risk to their
reputation or harm to consumers.
Recognizing this issue, Congress passed legislation to protect consumer
privacy in bankruptcy proceedings in the sweeping Bankruptcy Abuse
Prevention and Consumer Protection Act of 2005. Congress did so in reaction
to a high-profile case in which a failing dot-com e-retailer, Toysmart, sought to
sell its consumer data-including data collected from and about children-to the
highest bidder, despite the company's promises never to do so. Regulators
opposed the sale, the national media covered the battle, and the sale was
scuttled. In response to public outcry, Congress created the regime that Senator
Patrick Leahy, the law's primary legislative sponsor, pronounced would prevent
future breaches of such privacy promises.
This law created a new institution and procedural rules to address the
tension between bankruptcy value maximization and the protection of consumer
data. When certain conditions are met, the law provides for the appointment of
a "consumer privacy ombudsman" (an "ombud") to investigate a sale of
consumers' private information, and to advise the court on whether the sale
should be allowed. The rationale underlying this law is that by forcing the
retention of an outside expert to report to the court, the process will ensure
consideration of the impact of the sale on the privacy interests of consumers.
In a companion article [noted below], I summarize the contributions that ombuds have
made to the law of privacy. There, I show that privacy law, as applied by
ombuds, imposes some guardrails on companies' sale of consumer data, but that
these restrictions leave businesses with considerable latitude to collect, use, and
transact in data. In addition, privacy law in this area relies heavily on the
assumption that companies will continue to uphold the privacy promises that
they made to their consumers after the sale of data is complete. While the
companion article deals with ombuds' impact on privacy law in general, this
Article addresses the operation of the regime in actual bankruptcy proceedings.
This Article provides an empirically grounded analysis of the regime that
Congress established. Drawing primarily from a hand-collected dataset of every
case from 2005 to 2020 where private data was offered for sale, an ombud was
appointed, and a written report was submitted to a bankruptcy court, this Article
presents the first comprehensive empirical study of who ombuds are, what they
charge, and what they do. This Article also presents evidence of the lengths to
which parties in dozens of cases have gone to avoid the appointment of
ombuds.
The Article shows that the consumer privacy ombudsman regime falls far short of its promise of protecting consumers from the misuse of their data by
distressed entities. Most ombuds are capable and accomplished privacy experts, and undoubtedly their work sometimes helps consumers. In the RadioShack bankruptcy, for instance, the personal information of more than 117
million individuals was put up for sale. Together with regulators, the ombud
crafted a regime that protected much of the most sensitive consumer information
that RadioShack was seeking to monetize. But regulators and the media are
rarely as active as they were in the RadioShack case, and absent such pressure,
ombuds operate within a legal and institutional system that does not equip them
to energetically protect consumers' private data.
The law applies in a narrow subset of cases where consumers' private
information is sold, and while the work of the ombuds has some impact in those
cases, it is less than most would assume. Ombuds routinely follow a set
framework derived from a prominent FTC settlement. Ombuds' analyses
typically rely on neither technical knowledge nor legal expertise beyond that
which most lawyers could attain with a few hours of research-particularly if,
as this Article recommends, prior reports are collected and published so that
future ombuds, future debtors in bankruptcy, and the public can better
understand what ombuds do.
Ultimately, the consumer privacy ombudsman regime is best understood
as a form of "privacy theater," intended to reassure the public that their data is
safe by giving an exaggerated sense of protection. As privacy law scholar Paul
Schwartz articulates, "privacy theater . .. seeks to heighten a feeling of privacy
protection without actually accomplishing anything substantive in this regard."
A legal regime that functions as privacy theater is "largely ritualistic," used to
"create a myth of oversight," and used to sustain that myth while obscuring the
darker realities. The consumer privacy ombudsman regime mobilizes public trust in experts and courts to "create a myth of oversight" while adding little
"substantive" protection.
While there are good reasons to enhance consumer privacy protections
when companies are financially stressed, the current system does not do the job.
Instead, appointments are rarely made, and when they are, these appointments
provide relatively minimal protection. This Article presents a series of proposals
to reform the law and the institutions governing commerce in consumers' private
data. It further suggests that ombuds' role could be played by U.S. Trustees'
lawyers, or could be shaped into a more traditional form where the proponents
of a sale present necessary proofs to the judge to decide on the sale's compliance
with the law.
In addition, the Bankruptcy Code could be changed to make its privacy
protections more meaningful. Most obviously, the many gaps in the current law
could be fixed so that all sales of private information comply with governing
law, and that the burden of demonstrating compliance with the law lies more
clearly with the proponents of the sale. In addition, lawmakers could shift
ombuds from the relatively neutral role they have generally played and instruct
them to serve as protectors of consumers' interests, investigate proposed sales
more actively, and advocate more directly for consumers.
Changes beyond the bankruptcy system should also be considered. Because
financially distressed businesses present special risks regardless of whether they
are in bankruptcy, and because there is no workable way to identify and target
distressed businesses for additional privacy scrutiny, commercial privacy law
reforms arguably should apply to all business transactions involving consumers'
private information. Distress should be merely one factor for regulators or courts
to consider as they weigh the propriety of a transfer of private data or the need
for data protection. Some potential reforms involve requiring regulatory
preclearance of transactions in data, or requiring advance notification of such
transactions so that consumers, regulators, and others can act if necessary to
protect consumer privacy.
Part I summarizes the existing consumer privacy ombudsman regime and
the broader context of the law of privacy the regime operates in. This Part
discusses the public concern over the protection of data from misuse by
distressed entities, which led to the creation of the ombudsman regime, and
surveys the significant limitations of that regime. Part II explores how this
regime is implemented in practice. It shows that many sales of private data take
place without the appointment of an ombud, and that even when ombuds are
appointed, they show keen awareness of the limits of their statutory
responsibilities. Part III surveys possible reforms to the consumer privacy
ombudsman regime. It begins with potential changes to the bankruptcy system,
and then suggests more sweeping changes to transactions in private data by
businesses outside of bankruptcy as well.
Bradley's 'Privacy for Sale: The Law of Transactions in Consumers’ Private Data' in (2023) 40(1) Yale Journal of Regulation states
Lawmakers, regulators, consumer advocates, and the business community have focused increasing attention on the policy issues that arise at the intersection of privacy, technology, and commerce. Yet the law governing what businesses can do with consumer data remains unsettled and unclear. The United States has no dedicated and comprehensive privacy law, relying instead on a patchwork of general consumer protection laws and industry-specific regulations like HIPAA. The FTC has created what scholars have called a “common law of privacy” through its enforcement actions and published guidance, but how privacy law applies to business practices often remains uncertain.
This Article uncovers a large new trove of privacy law, elaborating the jurisprudence of privacy with reports submitted to courts in which hundreds of millions of consumers’ private information has been put up for sale. A unique provision of bankruptcy law requires the appointment of a privacy expert when consumer information is put up for sale, to report on the sale’s legality. These expert reports constitute an unrecognized but substantial body of privacy law. The Article presents and analyzes reports submitted from 2005 to 2020—a hand-collected dataset gathered from 141 court dockets. The reports dramatically increase what is known about how the “common law of privacy” applies in practice to sales of consumer data in a legal forum, and what the future of privacy law may hold.
The reports generally advocate a pro-transactional view and permit sales to proceed in spite of existing privacy promises so long as the purchasers’ use of consumer data will be roughly consistent with the sellers’. They rely on aspects of the traditional “notice and choice” regime that has guided privacy law, but they also include substantive consideration of the reasonable expectations that consumers may have formed or of the sensitivity of the information to be transferred. Thus, the reports reflect privacy law’s shift beyond strictly consent-based contractarian models and toward more substantive and context-based approaches.
The reports also speak to the institutional context of regulation of commerce in consumer information. On the one hand, the reports impose significant limits on companies selling private data, which suggests that expert oversight and supervision mechanisms, such as the legal regime that generated these reports, can play an important role in privacy regulation on the ground. But the reports are, on the whole, timid and formulaic, hewing closely to existing precedent and showing little inclination to adapt or develop it even when novel circumstances might justify a change in course. This hesitancy indicates that privacy law’s continuing development requires leadership from federal and state policymakers.