Woodrow Hartzog, an assistant professor at Cumberland School of Law at Samford University, has published a research paper that proposes a “chain-link confidentiality” approach to protecting online privacy. Here’s an excerpt from the introduction:
One of the most difficult challenges to the preservation of online privacy is the protection of information once it is exposed to other people. Generally, individuals lose control of their personal information once they disclose it on the Internet. People do not “own” personal information in the traditional sense. Consequently, they are forced to rely upon the recipients of their information, such as websites, to keep it safe.
The law provides few meaningful opportunities for Internet users to protect their own personal information. The current privacy laws are too limited, subjective, or vague to effectively police the “downstream” use of information by third parties.1 Yet, there is a growing consensus that information privacy must be protected,2 including calls for a privacy “bill of rights.”3 The challenge is not just if—but how—to protect an individual’s privacy on the Internet.
This Essay proposes a “chain-link confidentiality” approach to protecting online privacy. A chain-link confidentiality regime would contractually link the disclosure of personal information to obligations to protect that information as it is disclosed downstream. Unlike other online privacy regimes that focus on the private nature of information, this proposal focuses on specific obligations within the relationships, not only between the discloser of information and the initial recipient, but also between the initial recipient and subsequent recipients. […]
This Essay argues that the basic principles of confidentiality and contract law can create an attractive and broadly applicable remedy for protecting the personal information of Internet users. This remedy would allow the obligations of confidentiality to follow personal information downstream. Confidentiality doctrine could become more lenient by allowing for the limited disclosure of confidential information while also becoming more protective by having confidentiality obligations follow the information to third-party recipients. Courts and lawmakers could construct systems for confidentiality protections that follow the disclosed information in a chain-link fashion by requiring third-party recipients of confidential information to observe the same confidentiality obligations to which the initial recipient agreed.
Under a regime of chain-link confidentiality, Internet users could then pursue a remedy against anyone in the chain who either failed to abide by her obligation of confidentiality or failed to require confidentiality of a third-party recipient. Even if legislators decided not to create a private cause of action for Internet users, a statutory privacy bill of rights could breathe life into confidentiality doctrine by requiring obligations of confidentiality to follow the disclosure of personal information online.
Paper found via this article on TechCrunch.