Digital Data Collection and Information Privacy Law

By Mark Burdon, Cambridge University Press. 2020. Hardback. $110. 323pp. (ISBN 978-1-108-41792-1)

I live in a relatively “smart” home. I have four Amazon smart speakers in my house, including one in each of our three bathrooms—places where one might expect to enjoy a little privacy. But those are also places where we like to enjoy some public radio, or music from our local station, KEXP in Seattle, or to know what the weather is going to do, or turn off the lights we accidentally left on downstairs. And with Amazon’s Alexa nearby, we can do it all by shouting commands from the sanctity of our showers. We also have Alexa-connected smart plugs, light switches, and even a couple of lightbulbs. Our Nest thermostat is connected to Alexa, too, though Nest itself is owned by Google.

These very useful gadgets are also sensors, and they create what Mark Burdon calls the “collected world”—a world where data about us can be collected almost anywhere, combined in ways we can’t anticipate, and (arguably) used by firms or governments to power decisions we cannot control but that change the trajectories of our lives.

I went to Mark Burdon's book for answers to some pretty personal questions: should I feel guilty for participating in, or bringing about, the collected world? Am I recklessly compromising my own or my family’s privacy or autonomy by bringing these products into our home? Burdon, a law professor at Queensland University of Technology in Australia, offers a comprehensive look at the way privacy law and theory apply in a smart home context, complete with a critique and proposals for reform. Delightfully, I think I found answers to my own questions. But first, back to why we worry.

Concerns about ubiquitous surveillance, especially “surveillance capitalism,” have begun to permeate not only scholarly treatment of privacy like Burdon’s book but also more popular writing on the topic, like Shoshanna Zuboff's The Age of Surveillance Capitalism (2018), and, most graphically, popular entertainment like the television series Westworld (HBO, 2016–). The latter features a future where a super-charged artificial intelligence relies on a massive data trove to shape not only the big picture of government planning and policy (the shapes of cities, the flows of public investment) but even (spoiler alert) the smallest details of which life chances are available to which people. Crucially, this last detail is not widely known by the humans in Westworld, and when it is revealed, it causes literal mass panic and rioting in the streets.

Digital Data Collection and Information Privacy Law doesn’t mention Westworld, but the show was often on my mind as I read it. The dystopia that privacy scholars like Burdon seek to ward off is precisely the one we find in Westworld—a place where a public-private partnership built on big data exercises hegemony over millions of unsuspecting souls. We learn from Burdon that individual autonomy has long been seen as a key value facilitated by privacy, perhaps even its ultimate purpose or justification. The emergence of a sophisticated, data-powered administrative state, and its private sector counterparts, were major drivers of twentieth century privacy laws, which were devised as bulwarks against unwelcome intrusion into spaces of autonomy. But Burdon shows that the collected world confounds the traditional conceptual and legal constructs of privacy that emerged in the last century.

The book is divided into three key parts. The first describes the collected world and is the weakest part of the book. Burdon’s dry, technical exposition (section headings like “Protocol Hub” and “WiFi Router” give you a sense of the slog) and his attempt to categorize various kinds of business arrangements between technology companies and insurers left me unsatisfied. These details won’t matter in five years, much less fifty, as we continue slouching toward dystopia. Burdon tries mightily to make this work pay off in subsequent sections, but his broad conclusions transcend the quotidian details of particular insurance business models. To his credit, though, Burdon does identify the smart home model most likely to become dominant—and harmful: one built around platforms operated by the likes of Amazon and Google. Consumers (like me!) gravitate to the convenience of a set of devices that “just work” with a voice assistant like Alexa, operated by platform owners like Amazon, who get their hands on a comprehensive trove of data.

In the book’s second part, Burdon gives a fairly detailed account of the state of information privacy law and theory. As a privacy dabbler looking to expand my own knowledge of the field, I learned a lot here, including a decent sense of the broad strokes of privacy law in the US, the EU, and the OECD countries, as well as their conceptual underpinnings, strengths, and (especially in the US) weaknesses.

Burdon’s third part argues that smart homes and their data expose existential failings in information privacy law and theory. Information privacy principles such as purpose limitation—where protected data should only be used for defined purposes disclosed to the subject—simply do not apply to smart home data, which is collected partly in the hopes that it will yield unexpected commercially valuable insights and opportunities. Also, the idea of a single transaction where a data subject knowingly consents to data collection and use is inconsistent with the pervasive and passive nature of smart home data collection and use. Following a lengthy catalog of similar tensions and failings, Burdon argues (channeling Julie E. Cohen) for a new approach based on requiring “gaps” in data collection that permit “playful” self-determination (260-266).

The upshot for me and my smart home, it seems, is that we are off the hook. Burdon demolishes the notion that I could be expected to knowingly consent to whatever data collection is going on in my Alexa-powered house. US privacy law, which generally expects individuals to manage their personal information, facilitates (encourages, even) the exchange of privacy for consumer goods and services, and is totally, woefully unequal to the task of regulating smart home businesses. EU and OECD frameworks are better, but still fall far short. In the collected world, individual consumers can’t be expected to safeguard our own privacy. It’s beyond our control.

Brandon Butler, University of Virginia