PogoWasRight.org

Menu
  • About
  • Privacy
Menu

Article: Data Is What Data Does: Regulating Use, Harm, and Risk Instead of Sensitive Data

Posted on April 7, 2023 by pogowasright.org

Daniel J. Solove has posted a draft of a new article and welcomes feedback,

Abstract:

Heightened protection for sensitive data is becoming quite trendy in privacy laws around the world. Originating in European Union (EU) data protection law and included in the EU’s General Data Protection Regulation (GDPR), sensitive data singles out certain categories of personal data for extra protection. Commonly recognized special categories of sensitive data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual orientation and sex life, biometric data, and genetic data.

Although heightened protection for sensitive data appropriately recognizes that not all situations involving personal data should be protected uniformly, the sensitive data approach is a dead end.  The sensitive data categories are arbitrary and lack any coherent theory for identifying them. The borderlines of many categories are so blurry that they are useless. Moreover, it is easy to use non-sensitive data as a proxy for certain types of sensitive data.

Personal data is akin to a grand tapestry, with different types of data interwoven to a degree that makes it impossible to separate out the strands. With Big Data and powerful machine learning algorithms, most non-sensitive data can give rise to inferences about sensitive data. In many privacy laws, data that can give rise to inferences about sensitive data is also protected as sensitive data. Arguably, then, nearly all personal data can be sensitive, and the sensitive data categories can swallow up everything. As a result, most organizations are currently processing a vast amount of data in violation of the laws.

This Article argues that the problems with the sensitive data approach make it unworkable and counterproductive — as well as expose a deeper flaw at the root of many privacy laws. These laws make a fundamental conceptual mistake — they embrace the idea that the nature of personal data is a sufficiently useful focal point for the law. But nothing meaningful for regulation can be determined solely by looking at the data itself. Data is what data does. Personal data is harmful when its use causes harm or creates a risk of harm. It is not harmful if it is not used in a way to cause harm or risk of harm.

To be effective, privacy law must focus on use, harm, and risk rather than on the nature of personal data. The implications of this point extend far beyond sensitive data provisions. In many elements of privacy laws, protections should be based on the use of personal data and proportionate to the harm and risk involved with those uses.

Solove, Daniel J., Data Is What Data Does: Regulating Use, Harm, and Risk Instead of Sensitive Data (January 11, 2023). 118 Northwestern University Law Review (Forthcoming), Available at SSRN: https://ssrn.com/abstract=4322198 or http://dx.doi.org/10.2139/ssrn.4322198

You can download the article for free at the SSRN link above.

Category: LawsMisc

Post navigation

← Article: Privately Policing Dark Patterns
Article: Murky Consent: An Approach to the Fictions of Consent in Privacy Law →

Now more than ever

Search

Contact Me

Email: info@pogowasright.org

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

Categories

Recent Posts

  • License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows
  • FTC dismisses privacy concerns in Google breakup
  • ARC sells airline ticket records to ICE and others
  • Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations
  • US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car
  • Google agrees to pay Texas $1.4 billion data privacy settlement
  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech

RSS Recent Posts on DataBreaches.net

  • Turkish Group Hacks Zero-Day Flaw to Spy on Kurdish Forces
  • Cyberattacks on Long Island Schools Highlight Growing Threat
  • Dior faces scrutiny, fine in Korea for insufficient data breach reporting; data of wealthy clients in China, South Korea stolen
  • Administrator Of Online Criminal Marketplace Extradited From Kosovo To The United States
  • Twilio denies breach following leak of alleged Steam 2FA codes
©2025 PogoWasRight.org. All rights reserved.
Menu
  • About
  • Privacy