'In Defense of Privacy-as-Control (Properly Understood)' by Michael Birnhack in (2025) 65 Jurimetrics comments
Privacy-as-control (‘PaC’) is one of the dominant conceptions of privacy. PaC means that each person should be able to decide for themselves whether to disclose personal data to another person, company, or the state, when, how, and under which conditions. PaC is translated into operational mechanisms, namely Fair Information practices (FIPs). In practice, we have little control, especially vis-à-vis data-driven corporations. Privacy scholars blame PaC for much of the muddle in the field, claiming that PaC achieves the opposite––loss of control and privacy. This Article defends PaC, properly understood.
I address PaC’s critique and offer a positive account. The critique wrongly reduces PaC to the principle of notice-and-choice/consent, underestimates the role of notice, and wrongly deduces the ‘ought’ (denounce PaC) from the failing ‘is’ (consent’s many failures). Critics also point to the individualistic nature of PaC. While PaC surely has such a core, it has always placed the individual in relation to others. Properly understood, PaC can serve both individuals’ privacy and societal values and is not at odds with the communitarian thesis or with the notion of networked privacy.
On the positive side, the Article argues that PaC is broader than consent and is not exhausted after the initial collection of personal data. Rather, we should conceptualize privacy as continuous control. To facilitate continuous control, the law creates data meeting points between people and their data, which enable data subjects to exercise their control, beyond the first encounter between the parties. Instead of denouncing PaC, we should search for ways to amend consent and strengthen control.
The Article organizes privacy justifications as a series of concentric circles, moving from the individual to social interactions, the community, and the state. Each circle subsumes the previous ones. The high-level justifications are translated into a midlevel instruction: PaC. Thus, PaC is a common denominator of various privacy justifications. Following Daniel Solove, I suggest that PaC is privacy’s Wittgensteinian family name. Finally, the Article explains the relationship between PaC and Privacy-as-Access, argues that PaC can provide the missing normative element in Nissenbaum’s framework of contextual integrity, and that PaC does not mean property.
