The Hidden Harms of Privacy Penalties
How to frame privacy penalties to protect our personal information is an important question as demands for legislation and proposals proliferate. The predominant assumption in calls for a comprehensive consumer privacy regime is that regulation and penalties arm the consumer David against Goliath businesses. Missing from the focus on powerful companies is attention to the potential harms of expanding privacy penalties for small-fry individuals and entities, especially from disfavored or marginalized groups. This Article is the first to illuminate the regressive risks of privacy penalties, showing how broad privacy penalties can become tools for harassment of small businesses and individuals with limited resources to defend themselves.
Drawing on original research collecting and coding 571 privacy penalty decisions from 20 nations under the world’s toughest privacy rights and penalties regime, the European Union’s General Data Privacy Regulation (“GDPR”), this Article offers cautionary lessons. Illuminating a shadow jurisprudence of small targets, the Article shows how overly broad, amorphously worded privacy penalty provisions can be used to target disfavored groups and create weapons for the disgruntled, such as in punishing people who record the police or in disputes between neighbors.
The Article offers three major principles to protect against targeting harms. First, to curb discretion to harass and target disfavored groups, the Article warns against vague, broad language in framing penalty-backed obligations. Second, the Article argues for a regulatory agency model with an explicit advisory role rather than a predominantly quasi-prosecutorial role. Third, the Article proposes safe harbors for individuals and small businesses and a complementary understanding that even seemingly minor penalties can carry major collateral consequences for the vulnerable.