In the fourth and final article in a four-part series, Harvard Law School student Connor Haaland argues that, from the perspective of information fiduciaries, United States data governance systems …
A new case in the Eleventh Circuit Court of Appeals hints at what will be one of the most important policy questions of the 21st century: how will America decide to manage its data? In Tan Tsao v. Captiva MVP Restaurant, the plaintiff sued on the grounds that he was injured after a group of fast-casual restaurants experienced a data breach in which their customers’ data was disclosed. The Eleventh Circuit dismissed the case for lack of standing, finding that the alleged harm to those affected by the data breach was too attenuated and hypothetical, but the most interesting part of the opinion was Judge Jordan’s concurrence, which ended with the words: “Hopefully the Supreme Court is about to grant certiorari in a case involving the Article III question in a data breach case.” Judge Jordan is not alone; we are all confused about which harms are, and are not, actionable in relation to our personal data.
The courts’ inability to deal effectively with the harm done to consumers by data breaches is likely due to the lack of any semblance of a data governance policy in the United States. As I laid out in a previous article, American data governance policy is sectoral: there are protective mechanisms such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), but nothing comes close to a comprehensive, uniform regulation like Europe’s General Data Protection Regulation. The United States is also currently seeing a surge in state data laws: the New York Privacy Act, the California Consumer Privacy Act (CCPA), and the Washington Data Protection Act, to name a few. This multitude of laws will be a mess.
It’s going to be a mess because businesses large and small alike will have to deal with a fragmented approach to data management that genuinely hurts their business. And that doesn’t just apply to the Facebooks and Amazons of the American data economy. The New York Privacy Act states that it would apply to any company “that does business in New York state or manufactures products or services that are intentionally aimed at New York state residents.” In a world where over sixty percent of small businesses run a website to grow their sales, New York’s law is tantamount to forcing mom-and-pop stores, which may be collecting data for targeted advertising, to suddenly meet onerous regulatory requirements. The CCPA, at the very least, has a $25 million revenue threshold for businesses that must comply with the law. To understand what that cost might be, it is predicted that California’s similar privacy legislation, the CCPA, will cost businesses with fewer than twenty employees $50,000 in compliance costs. Imagine if a small business had to deal with not just New York’s privacy law but dozens of [insert state name] data protection laws as well. It is easy to see why a multitude of state governance regimes is simply untenable, especially for small and medium-sized American companies.
To solve this, America needs a unified data governance policy. The concept of “data fiduciaries” could be just the remedy America needs. A data fiduciary model would create a legal obligation running from companies that collect, monetize, and use end-user data to those end users. The concept was popularized by Professor Jack Balkin of Yale Law School. Professor Balkin notes that “information fiduciaries have three basic types of duties to their end users: a duty of confidentiality, a duty of care, and a duty of loyalty.” In a situation like Tan Tsao v. Captiva MVP Restaurant, if an end user’s data were compromised, this fiduciary relationship would provide the injured person with a cause of action commensurate with the alleged harm. A data fiduciary system would place the burden on the company that collects and uses the data to ensure that the user does not suffer material harm from the aggregator’s use of their data.
Skeptics of the information fiduciary model note, rightly, that the terms “confidentiality,” “care,” and “loyalty” described by Professor Balkin are so vague as to be useless. But the United States has processes for working out what we really mean by “confidentiality,” “care,” and “loyalty.” Professor Balkin notes that the common law system of decision-making has, for several hundred years, refined the definitions of otherwise ambiguous words into actionable concepts. Alternatively, administrative agencies could set more specific rules and standards through the notice-and-comment process that effectively governs us today. Professor Balkin is right: if we let ambiguity keep us from making policy, we would do very little governing. The beauty of the common law is its ability to refine words and meanings over time in generally sensible ways.
The beauty of a broader information fiduciary model is that it could also be used to protect end users from predatory practices. For example, low-income Americans are subject to predatory advertisements for products like payday loans, high-yield mortgages, and educational scams. When a low-income American uses Facebook and Facebook sells their information to a predatory lender that charges them usurious interest on a payday loan, that feels like a breach of the duty of care. An information fiduciary model could make such practices actionable.
Tan Tsao, the man whose credit card information was compromised, would have benefited from a statutory information fiduciary system. The Eleventh Circuit could have found a breach of the duty of care and ruled accordingly. Without such a framework, the Eleventh Circuit had to try to determine whether the data breach actually caused harm, an inquiry that has confounded the courts for some time. The Eleventh Circuit decided there was no harm, leaving companies like the MVP restaurant chain free to reap the rewards of the data economy while being insulated from the consequences of inadvertently disclosing their customers’ data to potential criminals. This lack of accountability is why a data governance regime of the kind Professor Balkin advocates is so important. Until we have one, consumers will continue to be abused and exploited while their data enriches the wealthy.
This is the third article in a four-part series exploring comparative data governance regimes. Visit the first, second, and third articles to learn more about how China, Europe, and the US manage their data.
Connor Haaland is a 2020 JURIST Digital Scholar. He is a law student at Harvard University and a Frédéric Bastiat Fellow. He previously worked as a research fellow at the Mercatus Center at George Mason University, where he worked with the Fourth Branch Group on issues relating to emerging technology, data protection, telecommunications, and the intersection of law and technology. He also completed internships at the Cato Institute and the United States Hispanic Chamber of Commerce. He is a graduate of South Dakota State University, where he received BAs in Spanish and Global Studies with minors in French and Economics.
Suggested citation: Connor Haaland, An American Data Governance System: To Support Information Fiduciaries, JURIST – Student Commentary, March 2, 2020, https://www.jurist.org/commentary/2021/03/connor-haaland-usa-data-fiduciaries/.
This article was prepared for publication by Vishwajeet Deshmukh, a JURIST staff editor. Please direct any questions or comments to him at [email protected]
The opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST’s editors, staff, donors, or the University of Pittsburgh.