Let's begin with a sense of the problem. Imagine that one day your bank or telephone company puts all of your transaction or phone records up on a Web site for the world to see. Imagine, more realistically, that the company without your permission simply sells your records to another company, for use in the latter's marketing efforts. A broad consensus would agree that posting to the Web site is undesirable. Many people would also object to the sale of personal information without the customer's permission.
Assuming that there can be significant problems in the protection of personal information, the next question is to ask what institutions in society should be relied upon to address such problems. This paper examines the chief institutions for protecting personal information. One institutional solution is to rely on the market. The basic idea is that the reputation and sales of companies will suffer if they offend customers' desires about protecting privacy. An opposite institutional approach would rely on government enforcement. The basic idea is that enforcement of mandatory legal rules would deter companies from abusing people's privacy.
A significant element of current thinking about privacy, however, stresses "self-regulation" rather than market or government mechanisms for protecting personal information. Numerous companies and industry groups have promulgated self-regulatory codes or guidelines for the use of personal information. This article is part of a broader study by the National Telecommunications and Information Administration (NTIA) about the uses and limitations of self-regulation. The NTIA has also already given (somewhat qualified) support for a self-regulatory approach for the control of personal information in telecommunications.1
Today we face a special urgency in deciding how to use markets, self-regulation, and government enforcement to protect personal information. There is a widespread and accurate sense that a greater amount of personal information is being assembled in databases, and that more and more people have the computer and telecommunications resources to access and manipulate that personal information. The economics and technologies underlying use of personal information are fundamentally changing. These changes, in turn, make it quite likely that we will need to change the institutional arrangements governing use of personal information.
The protection of personal information arises in a wide and growing range of industries. A partial listing might include: health records; credit history; banking transactions; local and long-distance telephone calls; pay-per-view, VCR rental, cable, and other video records; records of an Internet service provider; and purchases made through direct mail or telephone ordering. This paper cannot hope to determine the best mix of markets, self-regulation, and government for protecting privacy in all of these diverse industries. This paper instead provides an analytic framework for understanding privacy issues in a wide range of industries. Armed with the analytic framework, we will not only understand more clearly what is meant by "self-regulation," but we will identify the empirical issues that are likely to be crucial in deciding when self-regulation should be preferred over market or government approaches.
The structure of the paper is as follows. Throughout the paper, in order to make the analysis easier to follow, examples will be drawn from a hypothetical "Internet Commerce Association" (ICA), whose members sell products over the Internet. Part I lays out the pure market and pure government enforcement models for protecting privacy, showing how either markets or government could in theory assure the desirable level of protection for personal information. Part II highlights the important market failures and government failures that make it unlikely that either markets or government, acting alone, will do as good a job as we would like of achieving both privacy and other social goals such as efficiency.
If markets and government are unsatisfactory, then we become more tempted to explore self-regulatory approaches to privacy. Part III defines "self-regulation," stressing how industry regulation has the same separation-of-powers structure as government regulation: industry can have a special role in legislation (drafting the rules), enforcement, or adjudication. It is not enough to be for or against self-regulation; instead, one must be clear about whether self-regulation is desirable at each stage of the process. Once self-regulation is defined, Part IV makes the case for why it may be better than either markets or government. Notably, self-regulation might take advantage of industry expertise and the possibility of community norms. Self-regulation can produce certain sorts of collective goods, such as technical standards or an enhanced industry reputation for protecting privacy. Self-regulation can also prove useful when the alternative is mandatory and perhaps less desirable government regulation. Part V then provides the key criticisms of self-regulation. It critiques the rationales offered in Part IV, and examines the longstanding worry that self-regulation will promote cartel behavior and other possible bad effects on third parties. Finally, the Conclusion summarizes the discussion and highlights the key empirical issues for comparing markets, self-regulation, and government in the protection of personal information.
THE PURE MARKET AND PURE ENFORCEMENT MODELS FOR PROTECTING PRIVACY
The overall task of this paper is to understand the roles of markets, self-regulation, and government in protecting personal information. An initial step is to see how well privacy might be protected by a system based entirely on the market--the pure market model--or entirely on the government--the pure enforcement model.2
Under the pure market model, the incentives for industry to protect privacy are entirely financial. The assumption, for now, is that there is no legal enforcement against a company that discloses personal information about its customers. Customers can be directly attracted by a strong privacy protection policy or repelled by breaches of privacy. In at least some instances, privacy may be a salient enough marketing point to induce consumers to switch from one company to another. For example, AT&T has advertised nationally that it will not use customer calling records to contact potential new customers, the way that MCI apparently has done under its "Friends and Family" program. As such, a company's privacy policy may become part of its overall marketing effort to develop brand equity and an image of quality service. Bad customer experience or bad publicity about the company's privacy practices can detract from the company's total reputation for quality. Even more broadly, an entire industry might be able to gain sales by developing a reputation for protecting privacy. To take a famous example, Swiss banks as an industry undoubtedly benefitted historically from a strong reputation for guarding customers' privacy.
In the pure market model so far described, there are two important constraints on companies' privacy policies. The first restraint comes from consumer preferences. The more that some or all consumers are willing to change their purchasing decisions based on privacy policies, the greater the market discipline on companies. The second restraint comes from publicity about companies' privacy practices. Publicity affects customers' choices by making them better informed about which companies are meeting their preferences. The prospect of such publicity encourages companies to conform to customers' preferences. Publicity over time may also shape consumers' preferences, such as by making them more concerned as a group about possible privacy problems. The pure market model thus has a dynamic component, in which both customer preferences and company practices can evolve over time as awareness and concern about privacy themselves evolve. The effectiveness of publicity as a constraint on companies will depend on factors such as how well the media can detect privacy problems, how widespread reporting on the issue becomes, and how strongly customers will react to the stories.
At the opposite extreme from the pure market model is the pure enforcement model. The assumption here is that market discipline is largely or entirely ineffective at protecting individuals' privacy. Instead, vindication of individuals' privacy rights occurs through legal enforcement. Privacy rules are defined by the government, whether by statute, agency regulation, or decision of the courts. Designated parties, such as a government agency or the citizen who has been wronged, are allowed to sue to enforce those rules. The suits seek to achieve the twin goals of compensation and deterrence. Compensation takes place when the individual whose privacy is violated is paid to the extent of the violation. Deterrence is focused on the incentives of the corporation--the corporation that violates privacy should face an expected cost for violating privacy (in the form of compensatory payments plus fines) that exceeds its expected benefit from its bad privacy practices.
LIMITATIONS OF THE PURE MARKET AND PURE ENFORCEMENT MODELS
In theory, either the pure market or the pure enforcement approach could lead to optimal protection of privacy. If market discipline is strong enough, then companies will find it unprofitable to use personal information in ways that customers find objectionable. If the legal rules are correctly defined, and enforcement is effective enough, then companies will similarly be deterred from violating customers' privacy. In practice, there are important limitations upon the extent to which either markets or legal enforcement will protect privacy. This section of the paper discusses some key market failures and government failures that arise in the protection of privacy. Once the nature of these failures is appreciated, we will be in a better position to explore the uses of self-regulation.
Market Failures
The extent of market imperfection is measured against the goals of privacy protection--how much do the actual workings of the market differ from the ideal? The privacy literature to date has emphasized individuals' personal or human rights to control information about themselves. This human rights approach is especially prominent in the regime of data protection in Europe. The approach was developed primarily with respect to data collection by governments, where individuals are subject to the coercive power of the state and forced to reveal sensitive data.
The topic of self-regulation, by contrast, arises with respect to data collection and use by non-governmental enterprises.3 A thesis of my own ongoing research is that data collection by private enterprises should be examined in terms of the contractual relationship between the company and the customer.4 Examples include the deposit contract a customer has with a bank, or terms affecting privacy in a contract for sale with a member of the Internet Commerce Association. For reasons that will be explained more fully in my forthcoming work, there are important advantages to analyzing the privacy issues of private companies as a matter of contract. Not least of these is the simple fact that the legal relationship between consumer and company has historically been treated under the law of contracts. Any rules protecting customers' privacy will need to be integrated with that body of law.
Market failure can be defined with respect to either the human rights or contractual approaches to the protection of personal information. Under the human rights approach, the goal is to protect individuals' right to privacy according to the moral theory that defines the right. A pure market model will fail to the extent that it protects privacy less well than is desirable under the moral theory. Under the contractual approach, the primary goal is to understand what well-informed parties would agree to, if there were no costly hurdles to their reaching an agreement. A pure market model will fail to the extent that it protects privacy less well than these parties would have agreed to, if they were fully informed and had some equality of bargaining power. The focus of the discussion here will be on market failure under the contractual approach.5
The key market failures with respect to privacy concern information and bargaining costs. The information costs arise because of the information asymmetry between the company and the customer--the company typically knows far more than the customer about how the information will be used by the company. A member of the ICA, for instance, would have ready access to details about how customer information will be generated, combined with other databases, or sold to third parties. The customer may face significant costs simply in trying to learn and understand the nature of a company's privacy policies.
The costs of learning about companies' policies are magnified by the difficulty customers face in detecting whether companies in fact are complying with those policies. Customers can try to adopt strategies for monitoring whether companies have complied. For instance, if a person contracted with several companies that promised not to sell her name to third parties, she could report a different middle initial to each company. She could then identify the company that broke the agreement by noticing the middle initial that later appeared on an unsolicited letter or e-mail. These sorts of strategies, however, are both costly (in time and effort) and likely to be ineffective. A member of the ICA, for instance, could use existing technology to cross-check her address with her real name, and thereby insert her correct middle initial.
The cost and ineffectiveness of monitoring logically leads to over-disclosure of private information. Consider the incentives facing a company that acquires private information. That company gains the full benefit of using the information, notably in its own marketing efforts or in the fee it receives when it sells the information to third parties. The company, however, does not suffer the full losses from disclosure of private information. Because of imperfect monitoring, customers often will not learn of that use. They will not be able to discipline the company efficiently in the marketplace for its less-than-optimal privacy practices. Because the company internalizes the gains from using the information, but can externalize a significant share of the losses, it will have a systematic incentive to over-use private information. In terms of the contract approach, companies will have an incentive to use private information even where the customers would not have freely bargained for such use.
Not only are there imperfections in the ability of consumers to learn about and monitor a company's privacy policies. The problems are exacerbated by the costs of bargaining for the desired level of privacy. It is a daunting prospect for an individual consumer to imagine bargaining with a distant Internet marketing company or a huge telephone company about a desired privacy regime. To be successful, bargaining would likely require a considerable degree of expertise in privacy issues, as well as a substantial commitment of time and effort. The cost of this elaborate bargaining process is likely to exceed the incremental benefit in privacy to that citizen.6 The temptation for the ordinary consumer will be to free ride, and hope that someone else will negotiate a more favorable privacy regime. In addition, the benefits of the bargain would be undermined by the cost and difficulty, already discussed, of monitoring the company's compliance with its announced privacy policies.
Government Failures
These substantial market failures must be considered together with substantial governmental failures. The pure enforcement model above posits a rosy picture of government regulation in which optimal rules are enforced with perfect accuracy, all at minimal cost. Even for government's greatest supporters, the real world of government regulation is likely to appear considerably different. Once we better understand both market and government failures, we will see more clearly the attraction of a self-regulatory approach to privacy protection.
Government failures where officials seek the public interest. In order to understand the most important types of governmental failure, assume for the moment that the government actors are public spirited. That is, assume that the people drafting and enforcing the rules are competent, well-informed, and wish to achieve the public good in the area of privacy protection.7 Even under these optimistic assumptions, government privacy regulation will lead to administrative costs on government and taxpayers, and compliance costs on industry.
Administrative costs include the expense to the government of drafting privacy rules, administering the rules, and enforcing the rules in particular cases. In the modern state, all of these functions might take place within a particular government agency. For instance, a rule might be promulgated by the agency under the Administrative Procedure Act, administered by agency personnel, and adjudicated by an Administrative Law Judge. It is also possible for mandatory government rules to take place outside of an agency, such as when rules are drafted in the legislature and enforced in a court. No matter how these functions are allocated between the branches of government, taxpayer funds are usually needed to pay for the government regulatory activities. The amount of funding can clearly be substantial.
Industry will incur a variety of costs in complying with the government regulation. It would not be accurate, however, to say that all costs incurred by industry are a measure of governmental failure. Where privacy rules are well drafted, the government regulatory system will have net benefits compared to a system without regulation. That is, the gains resulting from compliance with the regulations will outweigh the costs incurred by the company in molding its behavior to the regulation. For regulation of ICA members, a particular disclosure rule might have relatively small costs to industry, such as the cost of placing the privacy disclosure forms on their Web site. The rule might also have relatively large benefits to consumers, such as if the disclosure enables a significant number of customers to choose a level of privacy protection that they prefer. In considering this sort of net-beneficial rule, governmental failure arises to the extent that a different rule would have even lower compliance costs for industry or even greater benefits for consumers.8
Although the range of possible compliance costs is wide, it is helpful to mention a few that may be especially relevant to the privacy discussion. One important factor in determining the size and type of compliance costs is the degree of precision in the regulation.9 Enforcement by the government can be based on fairly precise rules, stated in advance. These sorts of rules give clear notice to industry of what is expected, and it is relatively inexpensive to determine whether industry has violated a precisely-stated rule. The chief problem with precise rules is that they tend to be both over- and under-broad. They are over-broad whenever there are net benefits from using the information, but the rule prohibits such use. A rule, for instance, might prohibit uses of personal information that consumers, if asked, would approve. Rules are under-broad whenever there are net costs from using the information, but the use is nonetheless allowed. The rule, for example, might instead let a company use information in ways that a customer would find highly objectionable. One way to avoid the over- and under-breadth problem is by using vague standards instead, such as the injunction to "act reasonably under the circumstances." These vague standards create their own compliance costs, however. Industry lacks clear notice of what is expected, and expensive trials may be needed after the fact to determine what was reasonable in a particular case. In short, where rules are either precise or vague, there are likely to be significant costs to industry in complying.
Another compliance cost to industry arises from the inflexibility of government rules. Simply put, it is often difficult to change government rules, even when there is a consensus in the agency and policy community that such change is appropriate. Anyone experienced in Washington is likely to have favorite examples of this inflexibility.10 The problem of inflexibility is likely to be particularly acute during a period of rapid technological and market change--rules promulgated under one set of assumptions will make less sense when the technical and economic realities change. Today, the uses of personal data seem to be undergoing just this sort of rapid change. Vast amounts of public records are coming on-line, new industries are arising to mine for public and private data, and advances in computers and telecommunications are distributing the ability to create customer profiles to an unprecedented array of users.
Today's rapid changes present a dilemma for those interested in creating legal rules to protect privacy. On the one hand, the inflexibility of government rules suggests that rules passed today may create substantial compliance costs, because the rules will not adapt smoothly enough to changing market and technical realities. On the other hand, the heightened risks to privacy lead many to conclude that the need for mandatory rules is greater than before. In assessing the degree of government failure, an important question will thus be the degree to which legal rules can keep up with changes in markets, technology, and the protection of privacy.
Government failures and public choice problems. The discussion of government failures to this point has assumed that the government officials are competent and seek to achieve the public good in the area of privacy protection. If government officials are incompetent, then it follows that the costs of regulation will likely be greater and the benefits smaller. Perhaps of even greater importance, government officials may not faithfully follow the public good. Instead, as emphasized by public choice theory, officials may be influenced by powerful interest groups, or may themselves seek other goals, such as an increase in their agency's turf.11
In considering the effects of interest groups on privacy law, it is not necessarily clear whether the political process will tilt toward either the industry or consumer position. First consider what will occur when the industry position dominates politically. We will expect less thorough regulation to protect privacy than would be promulgated in the public interest. The industry might succeed, for instance, in having government enact the precise rules that the industry itself would write under self-regulation. Indeed, government rules could be even more protective of industry than self-regulatory ones. Industry has an incentive to use government rules as a shield to preempt any contrary laws. An example is the ability of the tobacco industry to preempt many lawsuits by complying with the warning requirements of a 1969 federal statute.12 If the federal statute did not exist, the tobacco industry would have been under greater pressure to regulate itself, and would have faced greater liability under evolving state statute and tort law. For privacy advocates, the tobacco story can serve as a warning against a too-ready conclusion that some mandatory regulation is better than none. At a minimum, such advocates should consider the effect that passage of mandatory regulation will have on how the field of law would otherwise develop.
In the alternative, consider if the forces favoring regulation dominate politically. Although some observers might find this possibility remote, the debates about regulatory reform show a wide range of parties who claim that the costs of regulations often exceed their benefits. One way such regulations might be passed is by a coalition of regulatory advocates and government officials (legislators and regulators) who do not themselves incur the costs of complying with the regulation.13 Another possibility is that some companies or industries might succeed in pressing for regulations that impose costs on their competitors. A third possibility is that the government agency may systematically over-estimate the benefits of regulation, whether out of sincere mistake or a less honorable desire to increase the agency's turf.
Without seeking to take a general position on whether there is under-regulation or over-regulation, this discussion of possible public choice problems identifies a series of possible governmental failures. To the extent these government failures affect the nature of privacy regulation, there will be greater reason to seek non-governmental approaches for guarding privacy.
DEFINING "SELF-REGULATION:" LEGISLATION, ENFORCEMENT, ADJUDICATION
The pure market and pure enforcement models make no mention of self-regulation, and need not rely on self-regulation in order to reach the desired privacy protection. Examination of market failures and government failures, however, shows that pure models bear little resemblance to reality. Because both market and government efforts to protect privacy are subject to significant limitations, the question arises whether a different approach, such as self-regulation, might create reasonable protection of privacy without excessive cost.
Before further examining the rationales for self-regulation, we must first be more specific about the meaning of the term "self-regulation." Self-regulation, like government regulation, can occur in the three traditional components of the separation of powers: legislation, enforcement, and adjudication. Legislation refers to the question of who should define appropriate rules for protecting privacy. Enforcement refers to the question of who should initiate enforcement actions. Adjudication refers to the question of who should decide whether a company has violated the privacy rules.
An industry-organized process can "regulate" at one or more of the three stages. Probably the greatest amount of self-regulation occurs at the legislative stage. Industry groups often create and issue codes on privacy and many other topics. The Direct Marketing Association and Consumer Bankers Association, among many others, have issued guidelines for good privacy practices. These guidelines often provide for no legal enforcement, but instead are simply made available to industry members, government agencies, and the general public. In other instances, industry-drafted rules are enforceable. For example, building codes adopted by local and state governments routinely incorporate technical industry standards by reference--a violation of the "self-regulatory" code is itself a violation of law.
Enforcement and adjudication can also be undertaken by industry organizations. Prominent examples include state bar associations, medical boards, and the National Association of Securities Dealers. These organizations can typically both bring enforcement actions against their members and judge that professionals should be fined or stripped of their license to practice. In situations such as these, government regulation and self-regulation can be mixed together in almost endlessly complex ways. For instance, the rules that govern a lawyer's conduct may be a mixture of government-defined law (statutes) and self-regulatory law (bar association rules). Enforcement might be by an individual complainant, the bar association itself, or a government prosecutor. Adjudication might be by the organization itself, members of the profession officially appointed to a state board, or state agency personnel. Even when adjudication initially includes the self-regulatory organization, there may be an appeal to a government agency or to the courts.
These examples of "self-regulation" should make the basic point clear: Industry can be involved at one or any number of points in the process of legislating, enforcing, or adjudicating the rules. In the privacy context, one can imagine the Internet Commerce Association in the multiple roles of defining privacy rules, taking enforcement action against those who violate the rules, or deciding that a member has violated industry standards. In the latter instance, for example, the member might no longer be permitted to use the "ICA Seal of Good Privacy Practices." One should not speak too freely about the advantages or disadvantages of "self-regulation" generally. Instead, one should see whether and under what conditions industry has a particular, positive role to play at each stage of creating and enforcing the applicable regime.
THE CASE FOR WHY SELF-REGULATION MAY IMPROVE ON MARKET OR GOVERNMENT APPROACHES
Now that we have defined self-regulation, we are in a position to explore why it might be better than pure market or government approaches to the protection of personal information. First, self-regulation may provide benefits to society compared with an otherwise-unregulated market. Self-regulation can build on the collective expertise of industry. An industry might help instill ethics in members of the industry about the importance of protecting personal information, and community norms might reduce the amount that privacy is invaded. Members of an industry acting together might also be able to supply collective goods that they would not be able to supply acting alone. For instance, self-regulation might promote the reputation of the industry as a whole, and it might facilitate the creation of technical standards that will benefit the industry itself and society more generally. In addition, self-regulation may be better than a pure government solution. The same factors that can make self-regulation better than the market may also make it better than government. Self-regulation may also be adopted in order to stave off mandatory government regulation, and may thereby gain some of the good attributes of both government regulation and industry participation.
Reasons Why Self-Regulation May Benefit Society Compared with the Market
To explore these possible benefits, we will first build the case for self-regulation, and then explore reasons that might make the case less persuasive. The argument for industry expertise is intuitive and straightforward. Members of the industry have a great deal of knowledge about how customer information is used and sold. In assessing the cost-effectiveness of privacy practices, industry will have special insights about the costs of complying with rules. Industry will also understand the rules' effectiveness in preventing the dissemination of customer information. If any sort of regulation is indicated, then accurate information from the industry will be vital to making the rules as cost-effective as possible.
A different argument for self-regulation focuses on the role of an industry or profession in creating and enforcing norms of behavior.14 These norms are not legally enforceable, but may be taught or absorbed as part of professional training. The ICA, for instance, might require companies to have their personnel trained in the ICA privacy guidelines.15 Once a person enters an industry or profession, the norms can be enforced both internally and externally. The internal enforcement takes shape in what we call a person's ethics, scruples, or just plain unwillingness to do certain things. There will be situations where a person or firm can profit from disclosing client information, but scruples about privacy prevent the disclosure from occurring. The nature and empirical effect of these scruples are difficult to determine; the stronger the societal norms against disclosure, however, the more likely that companies will at least sometimes protect privacy rather than maximizing profits.16 The external enforcement occurs when members of a community monitor and discipline those who violate the community norms. An every-day example is when a group of people refuse to speak with someone because he or she is a gossip; i.e., the gossip is disciplined for disclosing private information. For the ICA, a company that violates privacy norms may find itself punished in a variety of informal ways, such as by having company personnel shunned at conferences. Once again, the empirical effect of community norms may be difficult to determine, but in theory strong norms can be an effective complement to market discipline and government enforcement.
Members of the industry might engage in self-regulation on a disinterested basis--they may wish to get the rules right, or may have ethical beliefs that certain sorts of private information should not be disclosed. Members of the industry may also find it in their collective self-interest to promulgate and enforce regulations. An important example is where self-regulation can enhance the overall reputation of the industry. Consider how this reputational issue might arise for the new Internet Commerce Association. Consumers will have concerns that Internet commerce will not be secure (i.e., hackers will steal their credit card numbers) and private (i.e., merchants will disseminate personal information widely). In order to allay these concerns, members of the ICA may find it useful to promulgate a Code for Internet Commerce. The ICA might educate consumers about the Code, and individual members could let purchasers know that they adhere to the Code. The ICA might even expel members that violated the Code, or sue companies in court for falsely claiming to adhere to it.
Notice how this hypothetical Code builds on the previous discussion. Drafting and enforcement of the Code relies on industry expertise. The Code might be enforced in part by individual ethics and community norms. And individual firms may find it highly profitable to pay dues to the ICA in order to subsidize a collective good--the Code enhances the overall industry reputation and reduces the risk that consumers otherwise perceive in doing business on the Internet.
Technical standards are another prominent example of a collective good that may be beneficial to both industry and society at large. A great number of standard-setting organizations foster self-regulation--the American National Standards Institute, the Institute of Electrical and Electronics Engineers, and many more.17 A key role of technical standards is to provide what economists call "network externalities."18 The most familiar example of a network externality is the telephone system--if everyone is hooked up to the same system, the value of telephones rises for everyone. When new people hook into the telephone network, the new members benefit from being part of the network. Additional benefits--external to the new members--are realized by existing members of the network, who can now communicate with a larger number of people.
The creation of technical standards can lower costs and increase competition in numerous ways.19 The case for such self-regulation is especially strong, however, where there are important network externalities. In such instances individual companies working alone cannot create the same amount of benefits to all users. For instance, in order to lower the cost of processing transactions, the Internet Commerce Association might develop a technical protocol for transmitting information among participating companies. No one company could similarly save costs by adopting the protocol--the benefits arise from the fact that many different companies adopt it. To take another example, the ICA might develop a standard form for consumers who wish to opt out of uses of their personal information. It might also act as a clearinghouse for forwarding the forms to all ICA members. Consumers could thereby express their privacy preferences once, and benefit from having those preferences recognized by the full network of ICA members.
Reasons Why Self-Regulation May Benefit Society Compared with Government Enforcement
Many of the points that make self-regulation potentially better than the market also make it potentially better than government enforcement. Industry expertise might not be given its full effect in a government-controlled system. Individual ethics and community norms might be more effective when arising from the community itself than when mandated by government agencies. Poorly-considered government rules might also interfere with the ability of industry to create collective goods such as technical standards or a strong industry reputation. For instance, the ICA might not be able to implement certain technical standards, which would improve the industry reputation, if mandatory government rules prevent sensible and cost-effective standards from being adopted.
There is an additional, powerful reason that it might be in industry's interest to self-regulate--in order to stave off mandatory government regulation. Consider how members of the ICA might rationally prefer an unregulated market to a market with self-regulation. As discussed above, companies can profit from using and selling personal information in an unregulated market, in large part because customers have difficulty in monitoring which companies have bad information practices. Members of the ICA might thus prefer no regulation to self-regulation, at least until a credible threat of government regulation arises. At that point, the calculus for industry changes. Adopting self-regulation will tend to reduce the likelihood of government regulation. The expected cost to the industry of self-regulation may thus be lower than the expected cost of complying with government regulation.
Industry is often quite explicit that the threat of government regulation is what spurs the adoption of self-regulation.20 If one is an optimist, it is possible to believe that this sort of self-regulation is the best possible solution. The self-regulation can draw on industry expertise and on the legitimacy of community-based norms. We might expect the self-regulation to be strict about protecting privacy, on the theory that only a reasonably strict rule will persuade government not to step in. We can thus hope for the advantages of self-regulation and of strict government regulation, but without some of the disadvantages of government regulation, such as inflexible rules and costly, formal enforcement processes.
THE LIMITS OF SELF-REGULATION: CARTELS AND CRITIQUING THE BENEFITS OF SELF-REGULATION
We have now seen the case for how self-regulation may be better than the market because of industry expertise, community norms, and the provision of collective goods such as industry reputation and technical standards. Self-regulation may be better than government regulation for the same reasons, and also because of the possibility that the threat of government regulation will produce effective self-regulation at lower cost than a mandatory government regime.
In making the case for self-regulation, the emphasis was on situations where self-regulation would benefit the industry as a whole, such as by enhancing the industry's reputation or establishing technical standards that would profit the industry. An implicit assumption was that persons outside of the industry would not be significantly harmed by the industry's efforts. Now we shall relax that assumption, and examine the principal ways in which industry regulation may benefit the industry but harm outsiders.
The traditional concern about self-regulation has been that the industry would harm outsiders by creating a cartel or otherwise exercising market power. In the privacy setting, an additional important concern is that self-regulation might be designed by industry for its own benefit, but that the privacy concerns of customers will not be effectively considered within the industry process. The discussion here will briefly examine the antitrust issues, and then critique each of the reasons given so far for why self-regulation should be the preferred institutional approach.
Cartels and the Possibility that Self-Regulation Will Be Used to Wield Market Power
Other papers in this NTIA report address the connection between antitrust law and self-regulation, and the comments here on the topic will be relatively brief. A first observation is that it is easy to see how self-regulation can lead to the risk of cartels--a cartel agreement, after all, is precisely an agreement by members of an industry to regulate their own sales. According to standard economic theory, cartels tend to increase industry profits by raising prices. Cartels are difficult to administer, however. Members are tempted to cheat to gain market share, such as by secretly lowering the price or raising the quality of the goods sold. In order to help cartel members police each other, cartels work best with standardized products at clearly-stated prices. Cartels thus do more than raise price. They also tend to stifle innovation and reduce the range of quality and choice available to customers.
The asserted benefits of self-regulation in any setting, therefore, must be weighed against the risk that industry members are acting together to exercise market power. The extent of the risk will depend heavily on the structure of the underlying market. At one extreme are cases where the antitrust risks are low, such as where there are low barriers to entry and the self-regulation does not increase barriers to entry. If starting a business on the Internet, for instance, primarily involves the low cost of writing a Web page, then rules of the Internet Commerce Association are unlikely to have major antitrust implications. At the other extreme are cases where self-regulation moves a market from competition toward monopoly--the regulation might reduce competition among members of the industry association, and also block entry by new competitors. An example might be a rule that somehow prevented sellers from using the Internet unless they agreed to join the cartel. In such an instance, the benefits of self-regulation would seem more doubtful when weighed against the likelihood of higher prices and lower quality for consumers.
The earlier discussion of market failures focused on the inability of customers to detect abuses of private information. Where customers cannot easily monitor privacy practices, a company's reputation does not suffer fully for bad data protection practices, and the company has an incentive to over-use private information. The existence of monopoly power provides an additional way that the market will not discipline a company's use of private information. Even if customers know that the monopoly has bad information practices, they may have no ready way to avoid doing business with the monopoly. The traditional policy response to the existence of such monopolies has been either to seek to end the monopoly or else to regulate it as a public utility. How to regulate the use of private information by utilities is, itself, a complicated inquiry within antitrust law. For purposes of this paper, the important point is that the existence of monopoly power can be the sort of market failure that can justify government regulation of the use of private information.
Critiquing the Asserted Benefits of Self-Regulation
The next task is to scrutinize the arguments that have been put forward to justify self-regulation: industry expertise; community norms and ethical values; enhancing industry reputation; technical standards; and self-regulation as an alternative to threatened government regulation. The discussion here will seek to highlight the analytical and empirical issues that will be important to determining the role of markets, self-regulation, and government regulation.
Industry Expertise. There is wide consensus that industry expertise should be brought to bear in designing rules for protecting personal information. As with other regulatory issues, industry will have unique access to information about the underlying technology and market conditions, and about the costs of complying with alternative regimes.
It is less clear, however, that our belief in industry expertise also means that we should favor self-regulation over market or government approaches. In a market approach, each company has the usual incentive to apply its expertise in order to maximize profits. All of the company's efforts to use its expertise will ordinarily inure to the profit of that company itself. By contrast, it will only sometimes be in the self-interest of a company to employ its expertise as part of an industry-wide effort to develop self-regulation. The industry-wide regulation will be a collective good to the industry. The individual companies will have the usual incentives to free-ride and let other companies suffer the expense of organizing the effort. Companies engaged in the process may also suffer by letting competitors learn about their business operations, or by undergoing special scrutiny of their privacy practices. In short, a member of the ICA might rationally "lie low" and fail to share its expertise, especially if it wished to continue profiting from the use of personal information.
In comparison to the market, then, the case for self-regulation will depend on there being an explanation of why the expertise is provided, and how that expertise will take shape in the form of well-drafted and effective self-regulation. In comparison to government regulation, the case for self-regulation must take account of the ways industry expertise is mobilized in the government setting. Industry representatives are deeply involved in the process of drafting statutes and regulations. As a formal matter, industry representatives are almost always included as witnesses at legislative hearings and as sources of information for agency efforts such as this Report by the NTIA. Under the Administrative Procedure Act, interested parties have the right to comment on proposed rulemakings, and the agency is required to respond to those comments. On a less formal level, industry expertise is made available to government in a wide range of lobbying and educational contexts.
It is no simple task to compare how well industry expertise is included in self-regulation and government regulation. The case for self-regulation will stress how industry might be more forthcoming to an industry group than to a formal government process. Discussing industry issues with the government often means disclosing that information to the world, in light of the requirements of the Freedom of Information Act, the Federal Advisory Committee Act, and other government-in-the-sunshine laws. The formality and publicity of sharing information with government thus might favor a self-regulatory approach. On the other hand, an advantage of government regulation is that it systematically takes account of the views of those outside of the industry. An obvious worry about self-regulation is that the rules will be drafted to favor industry, such as by allowing greater industry use of personal information than a more inclusive process would have permitted. The effect on other parties highlights the possibility that those outside of the industry will have relevant expertise.
Community norms and ethical values. The next argument for self-regulation focuses on the role of an industry or profession in creating and enforcing norms of behavior. The idea is that individuals may feel ethical constraints against misusing customers' personal information. In addition, those who do disclose such information may be subject to non-legal sanctions from the community. This sort of self-regulation naturally complements a market approach. Individuals and companies in the industry will protect their reputation, not only in the eyes of consumers (the market approach), but also in the eyes of their own professional community (the self-regulatory approach). Compared to government regulation, it is plausible that self-regulation will do a better job of inducing voluntary compliance with norms--a sense of honor or ethical pride in adhering to high standards might be diluted if enforcement is done through bureaucratic rules and procedures.
That said, there is serious doubt about how well community norms will protect personal information in the modern settings relevant to protecting personal information. First, our usual intuition is that informal norms work most effectively in small groups. In these settings, the members interact with each other repeatedly, information about disreputable acts spreads widely, and each person has reason to care about his or her reputation with each of the others. By contrast, the modern issues about protecting personal information tend to occur in nationwide or even global settings. If an individual or company acts in a disreputable way and profits from the sale of personal information, it is quite possible that no one outside of the companies using the information will know of the act. Even if some other persons learn of the distasteful act, those persons might be geographically distant or otherwise outside of the social circles that would express outrage upon learning of the act.
A related reason to doubt the effectiveness of norms is that many decisions about uses of personal information are done as a matter of corporate policy rather than individual decision. An individual professional might decide to accept lower profits for the sake of upholding ethical principles. That ethical decision might be bolstered by the individual's awareness that his or her personal reputation would be on the line if any unethical behavior became known. By contrast, a similarly ethical person acting within a corporation might be required to justify a policy in terms of how it will increase the company's profits. That person would also know that blame for the bad act would fall on the company as a whole, rather than on him or her personally. When decisions about the protection of personal information are diffused widely across a large corporation, it seems unlikely that community norms will be a powerful constraint on the company's incentive to maximize profits.
Enhancing Industry Reputation. We next turn to the argument that the industry might promulgate and enforce regulations in order to enhance the overall reputation of the industry. In the discussion above, we considered how the ICA might create a Code for Internet Commerce in order to allay customer concerns about security and privacy. The idea is that it will be in the interest of individual ICA members to comply with this Code. This self-interest will exist precisely when the profits from the improved industry reputation outweigh the losses from the company not being able to use personal information. A familiar example might be the history of banks in Switzerland (or other countries), where all members of the industry benefited from a strong reputation for keeping bank records private.21
The chief task with respect to the industry reputation argument is to specify the conditions under which the industry would actually provide the collective good. A first thing to notice is how much maintaining the industry reputation for protecting privacy resembles the task of maintaining a company's reputation for protecting privacy. A concern in both instances is that the market does an imperfect job of policing the reputations--it is difficult for consumers to detect when a company or an industry has misused personal information, and so the companies and industry have incentives to over-use that information.
The incentive for industry to create the collective good is especially great when customers can tell that someone in the industry has misused personal information, but cannot tell which company in the industry has done so. For instance, one might imagine a circumstance in which a customer could tell that some problem has arisen in connection with an Internet purchase, perhaps because the personal information was linked to that person's e-mail information. The customer does not know, however, which Internet company misused the information. In such a case, the customer might become less willing to use the Internet generally for purchases. Members of the Internet Commerce Association would then have a collective interest in enhancing the reputation of Internet purchasing, and might act together as an industry to promulgate an effective Code for Internet Commerce.
A different way to create the collective good is where the reputation of a dominant company or a small set of companies overlaps substantially with the reputation of the entire industry. In such a case, the leading company or companies may find it in their self-interest to lead the way to an industry-wide Code of privacy practices.22 This "leading company" scenario may help in protecting privacy, if the result of promulgation of the Code is to spread better data protection practices more widely in industry.23 The Code might help reduce the likelihood of companies seeking competitive advantage by cutting corners on data protection policies.
In general, it would seem that such efforts to enhance the industry's reputation for privacy would be a helpful, although perhaps modest, supplement to market competition. The main objections to the argument are not that enhancing industry reputation is a bad thing. The main concern instead is that the collective good simply will not be created that often--as explained here, industry members will only promulgate a Code and enforce it under fairly restrictive conditions. In addition, an industry member might still find it in its self-interest to break a privacy rule, when the loss of reputation is spread across the entire industry.
Technical standards. As discussed above, a prominent sort of self-regulation is a different sort of collective good, the creation of industry technical standards. Such standards might provide a variety of benefits compared to a market lacking such standards. One can imagine the ICA developing a standard electronic form, for instance, that would lower the costs to members of sharing personal information. The same form might also provide an inexpensive way to let customers opt out of having their information shared.
Intricate antitrust issues can arise about when the benefits of standard-setting procedures are outweighed by possible antitrust problems. In the Internet context, Professor Mark Lemley has recently argued that joint standard-setting activity raises the most acute antitrust risks in two settings: (1) where the standards are "closed" rather than "open," i.e., where access to the standards is limited to members of the organization; and (2) where a particular participant "captures" the standard-setting process and uses the process to its competitive advantage.24 An example of the latter is if the standard requires use of intellectual property owned by one participant. In the privacy context, it is not immediately apparent that either of these situations is likely to occur. If not, then the antitrust concerns about standard-setting are not likely to be a prominent argument against self-regulation.
A more pressing privacy problem is likely to result from the relatively small role that customers and others outside of industry often play in the creation of industry standards. For many technical standards, where negative effects on outsiders are small, the standards should indeed be drafted by the industry experts who are most affected by the rule. For instance, if the ICA creates standard forms that simply reduce the cost of doing business, then it seems unlikely that the government could do a better job. In other instances, however, effects on outsiders may be substantial. Imagine, for instance, if the ICA standards made it much easier for merchants to discover highly sensitive personal information, such as by opening up previously-inaccessible databases. This ICA regime might create profits for industry, but at a substantial privacy cost to customers.
Where the burden on outsiders is substantial, then the argument for government regulation becomes stronger. The case for government regulation will be stronger to the extent that the government rules are more rigorously enforced and better incorporate the interests of those outside of industry. Any such benefits of government regulation will be weighed against the usual costs of government intervention, including the possible inflexibility of government rules and the likely higher administrative and compliance costs.
Self-Regulation as an Alternative to Threatened Government Regulation. The last argument for self-regulation is that it might be desirable in order to stave off the threat of mandatory government regulation. In order to forestall government regulation, the self-regulation may need to be fairly strict. If the self-regulatory rules are indeed strict, then it is possible that the protection of privacy would be comparable under either self-regulation or government regulation. At the same time, a self-regulatory approach might be able to avoid some of the substantial costs of having a formal government regime.
On the other hand, there are grounds for believing that this sort of self-regulation will be less protective of personal information than government regulation would be. First, there is the question of how non-binding enforcement of industry codes compares with legally-binding enforcement of government rules.25 Second, we again face the general question of how the concerns of persons outside of industry, such as consumers, will be included within the industry regulation. If self-regulation is indeed more flexible, it may be more flexible for industry than for others. Third, this sort of self-regulation is premised on the existence of a credible threat of government regulation. Self-regulation is more likely to be adopted when the legislative or executive branches are very concerned about privacy issues. Over time, however, the legislative threat might ease.26 Agency attention may be directed elsewhere. As the threat of government action subsides, we might expect that self-regulatory efforts would also become more lax. After all, by hypothesis, the industry is spurred to regulate itself because of the threat of government regulation. Unless someone outside of the industry has the ongoing ability to enforce for privacy lapses, whether by market action or legal enforcement action, then we should expect the effectiveness of self-regulation to be uneven over time.
In conclusion, there are significant reasons to believe that government regulation will be stricter in enforcing the protection of personal information than this sort of self-regulation. The difficult question will be to balance these gains in privacy protection against the likely higher administrative and compliance costs of government regulation.
CONCLUSION
Economists sometimes warn against the "Nirvana fallacy"--against the idea that there is some perfect institutional arrangement that will solve all problems. Markets, self-regulation, and government each have potential strengths for protecting privacy and achieving other social goals. One task here has been to identify the ways that each might do so. The pure market model shows how a company might effectively protect privacy in order to enhance its reputation and sales. The pure enforcement model shows how government rules might deter improper disclosure of personal information. The discussion of self-regulation shows how that approach may protect privacy by drawing on industry expertise, community norms, and the ability of industry to provide collective goods such as technical standards and an enhanced industry reputation.
Markets, self-regulation, and government inevitably also have their own limitations in the protection of privacy. A chief failure of the market approach is that customers find it costly or impossible to monitor how companies use personal information. When consumers cannot monitor effectively, companies have an incentive to over-use personal information: the companies get the full benefit of the use (in terms of their own marketing or the fee they receive from third parties), but do not suffer for the costs of disclosure (the privacy loss to consumers). Government regulation is subject to the well-known possible failures of rigid, costly, and/or ineffective rules. Self-regulation is subject to the possibility that the industry is using the self-regulation for cartel purposes. The claimed advantages of industry expertise, community norms, and collective goods may also, on inspection, be less substantial than advocates of self-regulation would hope.
Even when Nirvana cannot be achieved, we must do the best we can with the available, imperfect institutions. As mentioned in the introduction, the issue of how to protect personal information arises in a large and rapidly-growing number of settings. A chief goal of this paper has been to supply an analytic framework for examining the role of markets, self-regulation, and government in the protection of personal information. An important benefit of this framework is that it supplies a list of empirical questions that will be helpful in choosing among the alternative institutional approaches.
Based on the analytic framework developed in this paper, the following empirical questions provide a useful checklist for choosing institutions to help protect personal information in a given setting:
Key Questions about a Market Approach
How difficult is it for consumers to discover companies' policies for use of private information and monitor the companies' compliance with those policies? How much do such difficulties lead to over-use of private information by companies?
How difficult is it for customers who wish to do so to bargain with companies for different privacy practices?
Key Questions about a Government Approach
How great are government's administrative costs and industry's compliance costs under a mandatory government regime?
How do the costs of drafting, enforcing, and adjudicating a government privacy regime compare to those costs in the private sector?
What sort of public choice or other political problems would we expect in the government process?
What are the key benefits of a government approach, which notably may include stricter enforcement of privacy rules and greater concern for the interests of those not in the industry?
Key Questions about a Self-Regulatory Approach
Monopoly Power
Do the self-regulatory processes offer significant opportunities to create cartels or otherwise enhance market power?
To what extent do sellers already have monopoly power, so that a bad reputation concerning use of personal information will not reduce their profits?
Industry Expertise
To what extent will self-regulation result in the use of industry expertise more than would occur in an unregulated market?
How do the incentives of industry to provide expertise compare for self-regulatory and government efforts? How significant are the disincentives to disclose information to the government, such as from government-in-the-sunshine laws?
How likely is there to be important expertise from outside of industry? How well will that expertise be incorporated into either self-regulatory or government efforts?
Community Norms and Ethical Values
Can we identify ways in which companies or the industry will instill ethics or enforce community norms against excessive disclosure of personal information? Will compliance with norms be greater in some way than would be compliance with legally enforceable rules?
Can we identify a small enough community or a direct enough effect on individuals' reputations that we can expect the ethical rules or community norms to substantially constrain the incentive of companies to maximize profits?
Enhancing Industry Reputation for Protecting Privacy
What incentives will the industry have to enhance its reputation beyond the incentives that companies have in an unregulated market?
We will expect such incentives to be strongest where: (a) customers can tell that someone in the industry has misused personal information, but cannot tell which company in the industry has done so; or (b) the reputation of a dominant company or a small set of companies overlaps substantially with the reputation of an entire industry.
Technical Standards
How much are network externalities or other benefits realized through industry standard-setting processes in the privacy realm?
Do antitrust problems argue that a governmental process would be preferable to an industry process?
How well are the concerns of those outside of industry, including consumers, included within the industry standard-setting process? How much better, if at all, are such concerns incorporated into a government process?
What other costs would the governmental process have that would be less in the industry standard-setting process?
Self-regulation and the Threat of Government Regulation
If self-regulation does not stave off government regulation, what sort of additional costs would arise from government-mandated rules, such as greater inflexibility and other administrative and compliance costs?
How do these costs of government regulation compare to any benefits in improved protection of personal information? How likely is there to continue to be a credible threat of government regulation, in order to keep self-regulation effective? How well are the interests of those outside of the industry protected in self-regulation compared with government regulation?
In conclusion, the empirical magnitude of these various costs and benefits will vary considerably across industries. The best mix of markets, self-regulation, and government regulation will often vary for the distinct stages of defining, enforcing, and adjudicating the rules for protecting personal information. At each stage, we can examine how self-regulation may be better or worse than a more fully market or government approach.
At heart, the attraction of self-regulation is that the industry generally has the greatest expertise and the most at stake in the regulatory process. We might readily imagine that a measure of industry cooperation and self-regulation will protect private information more fully than would a pure market approach. The corresponding worry about self-regulation is that it may harm those outside of the industry--those who are not part of the "self." Where the likely harm to those outside of industry is greatest, the argument for government regulation becomes stronger.
________________________________
ENDNOTES
1 A recent NTIA study concluded: "Uniform privacy requirements will further benefit the private sector by eliminating a potential source of competitive advantage or disadvantage among rival providers of telecommunications and information services. At the same time, NTIA's recommended approach gives private firms considerable flexibility to discharge their privacy obligations in a way that minimizes costs to the firms and to society. For all of these reasons, NTIA believes that both consumers and the private sector will benefit substantially from voluntary implementation of that approach. If, however, industry self-regulation does not produce adequate notice and customer consent procedures, government action will be needed to safeguard the legitimate privacy interests of American consumers." NTIA, Privacy and the NII: Safeguarding Telecommunications-Related Personal Information, www.ntia.doc.gov/ntiahome/privwhitepaper.html.
2 For a somewhat similar discussion of market and government enforcement systems, see David Charny, Nonlegal Sanctions in Commercial Relationships, 104 Harv. L. Rev. 375, 397-403 (1991).
3 "Self-regulation" of government's use of data is handled by separate law. In the United States, the Privacy Act and the Freedom of Information Act are the primary "self-regulation" for how the federal government treats personal data.
4 I am currently at work on a longer article tentatively entitled "Cyberbanking and Privacy: The Contracts Model."
5 A full description of the human rights and contracts approaches must be left to a different paper. For present purposes, it is not necessary to choose between the two approaches, which differ somewhat as to the overall goals of privacy protection. The focus here is on which institutional arrangements, including self-regulation, will tend to achieve those goals, however defined.
6 An exception would be if the person involved in the bargaining gained some other sort of benefit from his or her effort. For instance, the person might be an employee of a citizen's group devoted to privacy issues. The individual and the group might gain in various ways, including professional satisfaction and favorable publicity, by reaching agreement with a major company. While acknowledging the substantial effects that citizen groups often have, there remains a strong suspicion in the academic literature that public goods, such as bargaining for effective privacy protection, will be provided less than people's actual preferences would warrant. For the classic treatment, see Mancur Olson, The Logic Of Collective Action (1965); see also Peter P. Swire, The Race to Laxity and the Race to Undesirability: Explaining Failures in Competition Among Jurisdictions in Environmental Law, Yale Journal on Regulation/Yale Law and Policy Review, Symposium: Constructing a New Federalism, at 67, 98-105 (1996) (discussing likely underprovision of public goods).
7 There can obviously be endless debate about what constitutes the "public good" and whether the term even has any coherent meaning. The point for now is that the government personnel are sincerely seeking what they believe to be the best policy, rather than being governed by motives such as personal corruption, interest-group politics, or desires for increased agency turf.
8 The discussion here focuses on the efficiency of the rule, rather than its distributional effects. The question of who actually pays for the cost of regulation is often extremely difficult to answer, and depends on empirical issues such as the existence of close substitutes or complements for the product, and on the ability of the industry to pass on added costs to its customers. ICA members, for instance, might or might not be able to charge more for their products if a burdensome privacy rule were imposed. If their purchasers readily switched to mail-order, the ICA members and their stockholders might suffer a loss. If purchasers instead were mostly choosing among ICA members, then the purchasers would be more likely to absorb the higher prices.
9 For one discussion of the issue, see Louis Kaplow, Rules versus Standards: An Economic Analysis, 42 Duke L.J. 557 (1992).
10 In the area of information privacy, a good example of slowness-to-amend may be the longstanding controversy about how to update the 1974 Freedom of Information Act to take account of computerized records. Important such amendments were included in the Electronic Freedom of Information Amendments Act of 1996.
11 For two general introductions to public choice theory, see Daniel A. Farber & Philip P. Frickey, Law and Public Choice: A Critical Introduction (1991), and Dennis Mueller, Public Choice II (1989).
12 Cipollone v. Liggett Group, Inc., 505 U.S. 504 (1992) (federal statute preempts state laws requiring additional warnings, as well as state failure-to-warn and fraudulent misrepresentation claims).
13 For one academic treatment of this sort of possible over-regulation, see Henry Butler & Jonathan Macey, Externalities and the Matching Principle: The Case for Reallocating Environmental Regulatory Authority, in Yale Journal on Regulation/Yale Law and Policy Review, Symposium: Constructing a New Federalism, at 23 (1996).
14 For extensive discussion of the role of norms in supplementing markets and legal rules, see Symposium, Law, Economics, and Norms, 144 U. Pa. L. Rev. 1643-2339 (1996).
15 Current examples of such ethical training include law students, who are required to study the rules of professional responsibility, including the ban on disclosing a client's secrets. Similarly, bankers are trained in a distinct culture that has generally frowned on disclosing client financial information.
16 For an analogous argument about the importance of norms and ethics in environmental law, see Carol M. Rose, Rethinking Environmental Controls: Management Strategies for Common Resources, 1991 Duke L.J. 1.
17 Web links to many of these organizations are provided by the National Standards Systems Network, at www.nssn.org.
18 For a clear discussion of the role of network externalities and other factors favoring promotion of standardization on the Internet, see Mark A. Lemley, Antitrust and the Internet Standardization Problem, 28 Conn. L. Rev. 1041, 1043-54 (1996).
19 According to ANSI: "Implementing standards can: Increase market access and acceptance; Reduce time and costs in product development; Attain a competitive advantage and faster time to market; Cut costs in component and materials acquisition; Reduce administrative and material expenses. Participating in standards development can: Help develop new markets and strengthen existing ones; Ensure foreign market access to your company technology or processes; Help you gain a competitive edge by influencing the content of domestic and international standards; Minimize your time to market, strengthen your market presence, and allow you to realize new revenue through the licensing of technology on reasonable terms." See www.ansi.org/broch1.html.
20 A clear example comes from the recent announcement by the Consumer Bankers Association of their new privacy guidelines. The trade press report on the guidelines stated: "The Consumer Bankers issued the privacy guidelines to show the federal government that the banking industry is policing itself and no new regulations are needed." Barbara A. Rehm, "Bank Group Issues Guidelines for Protecting Consumer Privacy," Am. Banker, Nov. 22, 1996.
21 In at least some countries whose banks have a reputation for secrecy, the industry efforts to keep records secret are bolstered by laws that prohibit disclosure of information.
22 In particular, the self-interest of leading companies can explain how the self-regulatory efforts of industry might be funded. The expected value of the Code to the company might be great enough to reduce any incentive to free ride on the efforts of other companies. The leading companies may also benefit by tinkering with the Code so that, at the margins, it provides a good fit for their own privacy practices.
23 The "leading company" creation of the Code might also be an anti-competitive effort to raise rivals' costs or increase barriers to entry to the industry. In the privacy setting, however, the risk of net harm to consumers does not seem especially great. The harm to consumers would result only if a specific sort of supplier stopped competing--those suppliers who can survive in the market only by using more personal information than self-regulation would allow.
24 Mark A. Lemley, Antitrust and the Internet Standardization Problem, 28 Conn. L. Rev. 1041, 1083-88 (1996).
25 It is possible that self-regulation will be more protective of privacy than government regulation, such as when expertise is better applied in industry regulation, or when ethical beliefs and community norms work better under an industry system than a government system. I am inclined to be cautious about such an optimistic view of the effectiveness of self-regulation. For a highly critical assessment of the effectiveness of self-regulation by the Direct Marketing Association, see Paul M. Schwartz & Joel R. Reidenberg, Data Privacy Law: A Study of United States Data Protection 307-48 (1996). As discussed in the text, a more likely scenario is that government regulation will result in stricter protection of personal privacy, but will also impose higher administrative and compliance costs.
26 In a well-known article, economist Anthony Downs discussed the "issue-attention cycle," in which issues predictably would rise and fall in the level of attention they received in the legislature and the general public. Anthony Downs, Up and Down with Ecology: The Issue Attention Cycle, 28 Pub. Interest 38 (1972).
Privacy and Self-Regulation: Markets for Electronic Privacy
Eli M. Noam(2)
Professor of Finance and Economics
Director, Columbia Institute of Tele-information
tel: (212) 854-4596
fax: (212) 932-7816
e-mail: enoam@research.gsb.columbia.edu
or www.ctr.columbia.edu/citi/
INTRODUCTION
For a long time, the conventional wisdom was that electronic communications constituted a major threat to individual privacy. Wiretapping, eavesdropping, and data banks were part of the Big Brother and Nosy Sister scenario. This fear for personal privacy is justified in the short term. But in the long term, the opposite is more likely to happen, because the electronic tools that permit privacy invasion are even more powerful in controlling an individual's informational autonomy. In the process, still another revolution is upon us, the revolution of access control. By gaining such control individuals achieve bargaining strength over those who seek information about them. They can establish a perimeter over the inflow and outflow of information. They can create property rights in personal information. Transactions become possible, and markets in private information can emerge.
No problem is ever new. Jeopardies to privacy have been associated with electronic media from the beginning. Gossipy manual operators,1 party lines with participatory neighbors,2 and the absence of a warrant requirement for wiretapping3 all created privacy problems.4 The first American patent for a voice scrambling device was issued only five years after the invention of the telephone.
The New York Police Department, always on the technology frontier, listened in on telephones since at least 1895. In 1916 this led to a public controversy about eavesdropping on a Catholic priest as well as on a law firm involved with competitors to J.P. Morgan & Co. for World War I munitions contracts.5
Today, a new generation of electronic privacy problems has emerged, for several reasons:
In consequence, new electronic privacy problems keep emerging. Recent controversies include:
And more is coming our way. For example, tiny mobile communication transceivers, together with number portability, will enable telephone subscribers to be continuously connected. Their locational whereabouts, their comings and goings, and the identity of other persons in the same location could, therefore, be continuously ascertained.
Given that privacy is important to so many people, and given that information technology keeps raising new questions, what approach should be adopted to deal with privacy problems?
In the past, if remedies were considered, the primary strategy was to resort to regulation. The call for the state to control and protect privacy is a natural response, especially in the field of electronic communications, given their history around the world as either a state-controlled telephone or broadcast monopoly or a tightly regulated sector. This has led to a view of electronic privacy problems largely as an issue of rights versus the state or its regulated monopoly firms--and to the question of how to create such rights in the political, regulatory and legal sphere. But such a view is static: having a right is often believed to be the end of the story. Yet in most parts of society, the allocation of rights is only the beginning of a much more complex interaction.
Privacy is an interaction, in which the rights of different parties collide. A has a certain preference about the information he receives and lets out. B, on the other hand, may want to learn more about A, perhaps in order to protect herself. The controversies about caller-identification, or of AIDS disclosure by medical personnel, illustrate that privacy is an issue of control over information flows, with a much greater inherent complexity than a conventional "consumers versus business" or "citizens versus the state" analysis suggests. In this case, different parties have different preferences on "information permeability" and need a way to synchronize these preferences or be at tension with each other. This would suggest that interactive negotiation over privacy would have a place in establishing and protecting privacy.
While this article will not suggest that markets can provide a solution to every privacy issue, it will argue that they can be utilized much more than in the past.
WHAT IS PRIVACY?
In the information sector, privacy consists of two distinguishable but related aspects:8
The protection against intrusion by unwanted information. This is sometimes termed "the right to be left alone,"9 and it is an analogue to the constitutional protection to be secure in one's home against intrusion.
The ability to control information about oneself and one's activities; this is related in some ways to proprietary protection accorded to other forms of information through copyright laws,10 and security of information about oneself from tampering by others.
The common aspect of both these elements is that they establish a barrier to information flows between the individual and society at large. In the first case, it is a barrier against information inflows; in the second instance, against information outflows.
The concept of privacy is not without its detractors. Among the major criticisms are:
"Privacy protects anti-social behavior." In this view, privacy is a smoke-screen used to hide activities that should be discouraged. This may be true at times; yet it is also the price of personal freedom. Authoritarian or backward societies do not value a private sphere since they do not tend to respect individuality and subordinate it to the demands of rulers or societal groups.11 The recognition of a private sphere is hence one of the touchstones of a civilized and free society.12
"Privacy is costly to the economy." Privacy protection raises the cost of an information search. For example, potential employers and buyers have to spend more effort (and money) to find out who they are dealing with if access to personal information is restricted. Deception becomes easier and transaction costs rise.
But there are economic arguments on the other side. Privacy affects the ability of companies and organizations to hold on to their trade secrets and details of their operations, and to protect themselves from leaks of insider information and against governmental intrusion. Information has value, and where it has no protection through property rights it must be protected through confidentiality or secrecy.13 To permit its easy breach14 would lead to a lesser production of such information.
The loss of privacy leads to inefficiency in information flows, just as excessive privacy protection may. One of the predictable results of third party monitoring of telephone calls is to force speakers to disguise or modify their communications in order to keep them secret.
Partly in response to economic and social needs, many transactions have been specifically accorded special common-law informational protection known as "privileges," e.g., between attorney-client, patient-doctor, citizen-census taker, penitent-clergy, etc. The idea in each case is that the protection of information leads to an economically and socially superior result even if it is inconvenient to others in an individual instance.
"There is no demand for privacy." This objection views privacy as an issue of concern only to a small elite group. But to the contrary, attention to privacy is widely shared. For example, according to information from the New York Telephone Co. of a few years ago, 34% of all residential households in Manhattan and 24% of all its residential households in the State had unpublished telephone numbers at the subscriber's request. Most policemen, doctors, or judges, to name but a few professions, have unlisted numbers. On the West Coast, the spread of unlisting is still further advanced, reaching 55% in California! It should be noted that it costs extra to be unlisted. In other words, a large number of customers are willing to pay in order to increase their privacy. With more than half of the population willing to do so, it becomes impossible to keep denying that privacy is an important issue.
POLICY APPROACHES
As the new technological options emerge they create new opportunities but also new privacy problems. How can such problems be dealt with?
As was mentioned, the primary policy response has been regulatory. Within that position there were two major directions--centralized general protection and decentralized ad-hoc protection. West European countries, in particular, have pursued the former, and passed comprehensive (omnibus) data protection laws and established institutionalized boards with fairly rigorous rules, and coordinated internationally on information collection and data flows.15 The United States, in contrast, has dealt with specific problems, one at a time, and with different approaches across the country.
In Europe, advances in data processing led in the 1970s to fears about the abuse of information storage and the potential for a "1984"-like surveillance state. Many of these fears were based on the technological notion of computers as vast centralized mainframes, a notion which corresponded to the state of computer technology of the 1960s. But since then, this technology has moved steadily toward a decentralized system, with millions of small computers in people's offices and homes.
Though the origin of concern over privacy was the potential violent abuse of data by government agencies, the focus of remedial action shifted quickly to data collection activities by private business. Rules against the government's collection of data were also set, but with less severity. At the same time that Germany promulgated the first data protection laws against private data abuse, its federal and state governments took a quantum leap in the use of data-processing technology for the surveillance of its citizenry. During the 1970s, a handful of terrorists prompted the German police to institute a chillingly efficient system of border checks, citizen registration, data access, and domestic road blocks, all of which were interconnected by data banks and communication links. Although the terrorism was quickly stopped, many control mechanisms were not.
Additionally, the rules had a tendency to spread. A loophole was soon recognized in privacy laws: international data transfers permitted the evasion of data protection laws. In Sweden, for example, a data file on any employee is subject to protection from disclosure to third persons. However, if a Swede works for a foreign firm, it would be possible that the data would be transmitted to the headquarters of the firm, where it would be less protected. Conceivably, therefore, some countries could set themselves up as "data havens" in order to attract businesses determined to circumvent privacy laws. Although these threats were more theoretical than real, they led to a movement to "harmonize" data protection practices or to restrict the flow of sensitive data in the absence of such harmonization.
The Organization for Economic Cooperation and Development (OECD) was instrumental. In 1979, the OECD drafted a first set of guidelines for its member states: Data collection should be limited to necessary information obtained lawfully, and, where appropriate, with consent; data should be accurate, complete, up-to-date, and relevant to the needs of the collector; use of the data ought to be specified at the time of collection, and its disclosure should be in conformity with the purpose of collection; assurances must be made against unauthorized access, use, and disclosure; and data should be open to inspection and correction by the individual to whom it refers.16
The Council of Europe incorporated the OECD guidelines in the 1980 Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Data. The convention affected all transborder data flows among European countries and with other countries, such as the United States. This made American firms with international business activities nervous, since the convention provided that any country could restrict the transmission of data to another country that did not have data protection legislation comparable to its own. Since firms conducting international transactions generally prefer to have uniform procedures for transactions in various countries, procedures were likely to conform to the strictest of national rules.
In 1992, the European Commission adopted a directive establishing basic telecommunications privacy rights for its member states. The draft included restrictions on unsolicited calls, calling number identification, and use and storage of data collected by telephone carriers for electronic profiles.17 It mandates that holders of data pay for security measures in order to bar unauthorized access. It also prohibits the creation of electronic profiles of individuals utilizing data concerning their purchases or other actions, and it bars transfers of data to non-EC member countries unless those countries have adequate data protection rules.18
Among Third World countries, Brazil has been particularly active in data and telematics issues. Instituted during the years of military dictatorship, the thrust of Brazil's policy was evident in the statement of its top information officer, who combined both the civilian and military functions of that term.
The administration [i.e., the restriction] of TDF [transborder data flows] appears to be an effective government instrument for the creation of an environment that makes the emergence of an internationally viable national data-service industry possible. By itself, such an industry would have had great difficulties in overcoming the obstacles of a completely "laissez-faire" environment. The country's TDF policy altered that situation.19
A license had to be obtained before establishing international data links. Applications for foreign processing, software import, and database access were rejected if domestic capability existed. The policy was strongly embraced by the Brazilian military dictatorship and its business and industry allies, and it was admired around the world as an assertion of national sovereignty by many observers who would otherwise feel no kindness toward right-wing juntas.
In the United States, a generally more pragmatic approach to legislation, and a case-oriented decision process administered through the judiciary and the regulatory agencies, have led to the tackling of specific data abuses when they became apparent rather than to comprehensive laws. This has led to a less systematic approach than in Europe, and to a variety of ad hoc federal and state legislation. Typically, these laws addressed a narrow and specific issue of concern.20 Most such statutes were either aimed at particular industries (for example, credit rating bureaus), or at the conduct of governmental agencies, or they dealt with flagrant abuse such as computer break-ins.21
Thus, contrary to often-held views in other countries, numerous laws protecting data and privacy exist in the United States, and some of them are quite far-reaching, especially in terms of access to state files, and limits on such files.
Nevertheless, U.S. privacy legislation remains considerably less strict than European law in the regulation of private databases, and coverage of U.S. governmental organizations by privacy law is not comprehensive. Although the Privacy Act of 1974 restricts collection and disclosure by the federal government, and vests some responsibility in the Office of Management and Budget, only a few states and local governments have passed similar fair information practices laws for their agencies. The U.S. has no government agency specifically charged with data protection similar to the centralized data protection commissions or authorities established in European countries, though proposals have been advanced in Congress.
A synthesis of the comprehensive European and the ad-hoc American approaches is to formulate a set of broad rules or principles applicable to a sector of the economy, or to a set of issues. This was the direction taken by the New York Public Service Commission on the issue of telecommunications privacy.
The New York Public Service Commission's approach in 1991 went well beyond the problem-specific approach. It issued, after a proceeding initiated by the author, a set of broad privacy principles applicable to the whole range of telecommunications services under its jurisdiction.22
A similar approach, that of privacy principles, was recently taken by the Federal Government's high-visibility Information Infrastructure Task Force, in the report by its Privacy Working Group, which issued a set of Principles for Providing and Using Personal Information. But that report is virtually devoid of a discussion of a market mechanism in protecting privacy, or of integrating such mechanisms in its privacy principles.
MARKETS IN PRIVACY
The reflexive approaches to privacy problems have been regulation or denial. Are there other options?
First, there is the possibility of self-regulation, where an industry agrees to restrict some of its practices. Realistically, though, self-regulation is rarely voluntary (unless serving an anti-competitive purpose): it usually occurs only under the threat of state regulation, and it can therefore be considered a variant of direct regulation.
The practice for the state to control and protect privacy is a natural response in the telecommunications field, given its history as a state-controlled monopoly. It has led to a view of privacy problems largely as an issue of rights, and the question is how to create such rights in the political, regulatory and legal sphere. Such a view is appropriate in the context of privacy rights of the individual against the state. But the same cannot be said for the privacy claims of individuals against other individuals. The allocation of rights is only the beginning of a much more complex interaction. Some people may want and need more privacy than others. Privacy, by definition, is an interaction in which the informational rights of different parties collide. Different parties have different preferences on "information permeability" and need a way to synchronize these preferences or be at tension with each other. This would suggest that interactive negotiation over privacy would have a place in establishing and protecting privacy.
How should one analyze the role of bargaining over privacy? It is useful to consider as a framework for discussion the economic theorem of Nobel laureate Ronald Coase, a Chicago economist. Coase23 argues that in a conflict between the preference of two people the final outcome will be determined by economic calculus and (assuming reasonably low transaction costs) result in the same outcome regardless of the allocation of rights.24 If the final result is the same, who then should have the rights? According to Coase, it should be the "least cost avoider," i.e., the party who can resolve the conflict at the lowest possible cost.
Let us apply this discussion to privacy, using the example of telemarketing. Both of the parties to a telephone solicitation call attribute a certain utility to their preference. For example, it may be worth $3 to the telemarketer to have an opportunity to talk to the consumer. If necessary, she would be willing to pay a potential customer up to that amount.
Conversely, assume that the consumer would be willing to pay--grudgingly for sure--up to $4 to the telemarketer to keep her off the phone. The $4 is the value he places on his privacy in this instance. Thus, if the telemarketer has a legal right to call the consumer at home, the latter would "bribe" her not to call in order to keep his peace and quiet.
The basic decision on regulatory rights is either to prohibit unsolicited telemarketing calls, or to permit them. But regardless of which rule is adopted, the call will not take place, because under our numerical example the value of privacy to the consumer is greater than its interruption is to the telemarketer. But if for some reason the value to the telemarketer should rise, say to $6, the consumer could not pay her enough not to call; and conversely, if the telemarketer would have no initial right to make unsolicited calls, she would pay for the consumer's cooperation by a payment of $4 or more, so that the call is accepted.
In other words, the distribution of the legal rights involved may largely determine who has to pay whom, not whether something will happen. Thus the law does not necessarily determine whether telemarketing calls actually take place, it only affects the final wealth distribution. This interactive concept is often difficult to grasp if one is used to think in absolutes of black-letter law. Common law, in contrast, has recognized transactions from the beginning. Indeed, the original legal cases which established the tort of privacy were not based on a finding that the plaintiff had a right to privacy, but instead that the plaintiff had a right to be adequately compensated.25
For privacy transactions to occur, however, there are several prerequisites They include:
Courts have been reluctant to grant property rights to personal information outside of the case of luminaries. In one case,27 Avrahami vs. U.S. News & World Report, a gutless court28 managed to hold for two organizations that exchanged subscriber name lists without permission, even though Virginia Code 8.01-40 (Michie 1999) clearly provided that "Any person whose name, portrait, or picture is used without having first obtained written consent of such personfor advertising purposes or for the purposes of trade, such person may maintain a suitto prevent and restrain the use thereof." The statute also permitted the aggrieved party to recover actual and punitive damages.29 The court held that the inclusion of a name was "too fleeting and incidental," and that a person's name was not personal property. An appeal may be brought before the Virginia Supreme Court.
This reluctance of courts (and probably of legislatures) to recognize property rights in residual information is not surprising in light of the role of direct marketing in the economy. However, property is not only established from above by formal statutes or court decisions, but also from below, by the simple mechanism of an individual's ability to exclude others. Good fences create good neighbors, and good transactions as well. Electronics makes this increasingly possible. Such access control creates the possibility of bargaining, by transforming information from a "public good" (like a lighthouse's flashing) to a private good (like a flashlight).
EXAMPLES FOR THE MARKET APPROACH
Telemarketing
As we discussed, because privacy and access are of value to parties in a telemarketing transaction, exchange transactions will emerge once they become technically feasible. How could this happen on a practical level? Signaling technology and telecommunications equipment now provide the capability to select among incoming calls electronically. This creates the precondition for access control by individuals, namely information about the calling party, which until now enjoyed the stealth of anonymity. Information is power, or rather it is worth money. Once this choice of avoiding calls is available to the called party without loss of important incoming calls, callers must offer an incentive to be admitted: friendship, family ties, reciprocity, useful information, business--or a financial payment. What will therefore inevitably emerge is a system of individualized access charges.
Such a system might be described as Personal-900 Service, analogous to 900-service in which the caller pays a fee to the called party. The caller would be automatically informed that the customer charges telemarketers for his time and attention.
Individual customers could set different price schedules for themselves based on their privacy value, time constraints, and even the time of day. They would establish a "personal access charge" account with their phone or an enhanced services provider, or a credit card company. By proceeding, the telemarketer enters into a contractual agreement. The billing service provider would then automatically credit and debit the accounts in question.
Such a system will probably have a negative impact on the business of telemarketers. Currently, they "externalize" some of their costs by accessing customers at home at no charge to themselves other than their operating cost. Right now, consumers do not yet have the means to make the telemarketer compensate them for their attention. (In television, the audience gets at least to view an entertainment, sports, or news program.) Under personal-900, telemarketers will be forced to pay more for consumer access.
Consumers will benefit from the payments they receive for accepting calls. Some might even become "professional call-receivers," though telemarketers will no doubt refine ways to select the most likely buyers. Telemarketers will become more selective in whom they try to reach, and spend more money on "fine tuning" their customer list. Among the technological tools for refining their search are intelligent agents sent out to find interested and affordable targets for solicitation.
Markets in access will develop. Consumers will adjust the payment they demand in response to the number of telemarketer calls competing for their limited attention span. If a consumer charges more than telemarketers are willing to pay, he can either lower his access charge or will not be called anymore. Prices could vary by time of day.
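The Personal-900 flow described above, sketched as an added example that is not part of the original paper: the called party's price schedule, the quote to the caller, and settlement through a billing provider. All class and function names, the dinner-hour window and the account names are assumptions; the $3, $4 and $6 figures reuse the paper's telemarketing example.

```python
from dataclasses import dataclass, field
from datetime import time


@dataclass
class AccessPolicy:
    """Called party's own rules: who gets in free, and what everyone else pays."""
    free_callers: set          # family, friends, expected business contacts
    schedule: list             # (start, end, price_cents); end is exclusive
    default_price_cents: int   # charged outside every listed window

    def quote(self, caller_id, at):
        """Price in cents for this caller at this time, or None to refuse."""
        if caller_id is None:
            return None        # no calling-party information, so no basis for access
        if caller_id in self.free_callers:
            return 0
        for start, end, price in self.schedule:
            if start <= at < end:
                return price
        return self.default_price_cents


@dataclass
class BillingProvider:
    """Stands in for the phone company or card issuer that settles accounts."""
    balances: dict = field(default_factory=dict)

    def settle(self, payer, payee, cents):
        self.balances[payer] = self.balances.get(payer, 0) - cents
        self.balances[payee] = self.balances.get(payee, 0) + cents


def place_call(policy, billing, callee, caller_id, at, max_bid_cents):
    """Quote the access charge; the caller proceeds only if it is within budget.

    Returns (admitted, charged_cents). Proceeding is what forms the contract,
    so money moves only when the call is admitted.
    """
    price = policy.quote(caller_id, at)
    if price is None or price > max_bid_cents:
        return False, 0
    if price > 0:
        billing.settle(caller_id, callee, price)
    return True, price


def run_constructed_scenario():
    """Constructed data: the consumer values quiet at $4, and at $6 during dinner."""
    policy = AccessPolicy(
        free_callers={"sister"},
        schedule=[(time(18, 0), time(20, 0), 600)],
        default_price_cents=400,
    )
    billing = BillingProvider()
    afternoon, dinner = time(15, 0), time(18, 30)
    results = {
        "sister": place_call(policy, billing, "consumer", "sister", dinner, 0),
        "anonymous": place_call(policy, billing, "consumer", None, afternoon, 10_000),
        "bid_300": place_call(policy, billing, "consumer", "telemarketer", afternoon, 300),
        "bid_600": place_call(policy, billing, "consumer", "telemarketer", afternoon, 600),
        "bid_500_dinner": place_call(policy, billing, "consumer", "telemarketer", dinner, 500),
    }
    return results, billing.balances
```

The whole scheme rests on the caller identity being trustworthy: a caller who can present a free-listed identity bypasses the charge, so the signaling that carries calling-party information is the control that needs protecting.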
Consumers will bear some portion of these costs, first by way of higher prices for telemarketed products. The extent to which these costs can be shifted by telemarketers are in strong competition with other forms of marketing, and where consumers are price-inelastic, telemarketers will bear most of the added cost.30
Wireless Transmission
Market forces may also be able to resolve the problem of unauthorized eavesdropping on wireless communication systems such as cellular and cordless telephones. True, such monitoring is illegal for cellular calls (though not for cordless phones), but it is widely practiced by scanning hobbyists as well as investigators. Just ask Prince Charles.
Eavesdropping is inefficient because it forces the participants in a communication to disguise the content of their transmissions, or to seek other ways of communicating. Thus, there are incentives for cellular service providers or equipment firms to offer scrambling devices.31
Encryption systems require extra equipment and may increase the amount of spectrum required for a given quality and information content of a signal. Customers who value privacy sufficiently will be willing to pay for the increased resource cost.32
Data Banks
Companies often sell or pass along information about their customers to others, for a variety of purposes. Insurance companies want to know the accident and medical history of new applicants; stores, whether new customers are credit-worthy; employers, whether job applicants have criminal histories; doctors, whether a patient has brought a malpractice suit in the past; and so on.33
In America, individuals, firms, and governments have a substantial right to collect and redistribute personal and financial data about individuals. One could conceive of a market transaction system by which consumers offer companies payments to delete such information or refrain from distributing it. But could such a system work? In any transaction, both parties retain information about it. The problem is not usually that a party saves that information, but rather that it disseminates it to others. The regulatory approach restricts some of these transfers. Could a market work instead?
The answer is usually "no" today. And only "maybe," in the future.
The reason for this can be found in the logic of reselling information. In many cases the holder of information about a second party could share that information with a third party at a higher price than the resulting reduction in value to him. Take, for example, a piece of credit history information on individual A that is worth $5 to B so long as B retains the information exclusively. If B distributes the data to another party, C, the direct value of the data to B may not be diminished at all, or may drop a bit to, say, $4. (It is one of the peculiar economic properties of information that it can usually be shared without any or only little loss of usefulness to its holder. The exceptions are business and trade secrets.) Suppose C, too, is willing to pay up to $4 for the same information because it is of similar usefulness to him. Then the total value to B of not destroying the information is $8. And why stop at two beneficiaries? B could resell the information also to D, E, etc. So could C. In each case, the reduction in value of the information to one of its holders may be less than what another party will gain by obtaining it.
Hence the information will spread. Accordingly, the subject of the information, individual A, might have to expend a significant amount of money to prevent B from spreading the information. If it is of use to a hundred firms, each valuing it at say $4, it would take a $396 "bribe" for A to keep B from reselling it. If a resale of information is possible, B and C would market the same information about A, and they will drive down its price to the marginal costs of distribution. In that case, the information would spread greatly, but it would also be cheaper for A to bribe B at the outset. Yet all B would have to do is to contractually assure, in the transaction with C, against resale.
A could attempt to stop personal data from getting released to a third party by preferring to do business only with firms that agree to destroy such data. But companies would charge customers higher prices to compensate for the lost information resale. Furthermore, once many companies start refusing to sell information, each will have less information than before and hence a greater business risk, which would be reflected in the price. In effect, firms would charge for withholding the information through their product or service prices.
At the same time, any effort by A to pay a high price to B for non-revelation will likely raise the value of the information to B, C, etc--what is A trying to hide, anyway? And, wouldn't A have to pay a similar bribe to C, too, if the information reaches it? Thus, the more important the information is to more parties, the less affordable is a market transaction to purchase privacy. Only where information is of little use to others, or only to a very few, are privacy transactions likely.
An example is a video store. Such a business could advertise that its policy is to guarantee privacy. It would gain customers, and since the information is not usually very important to many other parties, it would lose little (the interest in political figures and celebrities is an exception). In contrast, it is hard to imagine a credit card company willing to be compensated for non-disclosure to other credit-extending firms. The value of preventing credit-fraud is so great to so many firms that any payment to undermine the reporting system would have to be quite high. Yet video-store disclosure is prohibited by law, while credit-reporting is legal. The reason is probably that the loss of information-value was low for video-viewing and nobody therefore mounted a fight against such legislation, while politicians running for election were particularly sensitive about the issue.
Even if A could pay B to withhold the information, it may not be possible in practical terms. One of the characteristics of information is that its exclusivity is almost impossible to acquire once multiple parties have access to it.
Any negotiating approach will only work for transactions between individuals and businesses. If the information is obtained by government, fewer market-based incentives exist to prevent transfer of the data. This is one reason why government agencies are becoming so active in selling information to others. They have little to lose. Where else could one go to get a driver's license?34
Currently, there is a right to collect, distribute and utilize personal data. What then if the rights were reversed and one would have to get a person's permission before retaining, transferring or utilizing personal data about him? If the information is of value to a bank and other credit institutions, they would acquire it by compensating the customer. Given the collective value of the information, such transactions would be likely. Hence, the information would be circulating. Consumers would be richer than before, but the information would be, in effect, still in the public domain.35
In conclusion, for personal data banks containing information about individuals, market transactions are either unlikely, where the information is of use to many others, or the information will be acquired by them. In either case the personal information, if valuable, becomes public information. For the future, one possibility that may help alleviate this problem is the emergence of encryption.
Encryption
For markets in personal information to exist, it is necessary to protect that information from appropriation by others.
With digital technology, methods of protecting information with encryption have become powerful and convenient. Encryption goes back thousands of years. It emerged primarily as part of national security work, with the first electronic computers being the impetus, and spread to civilian computer applications. Encryption became popular with the release of the Data Encryption Standard (DES) to the public in 1977. DES is a 56-bit single-key algorithm. To send a message to B using DES, A needs to encrypt it with a key that B must also have in order to decrypt it. This leaves open the risk that the key is intercepted in transit, and anyone knowing the key can decrypt the transaction.
Dual key systems solved this problem. In this system, anyone who wants to receive a message has a "public" key. If A wants to send information to B in a secure way, he can encrypt it using B's public key. But the encrypted message can be decrypted only by using B's "private" key. Thus, there is never a need for the risk-laden transmission of private keys.
Dual-key encryption software has appeared with the spread of the Internet: Pretty Good Privacy (PGP) employs dual key cryptography and is distributed free of charge for private use. Business users pay. Privacy Enhanced Mail (PEM) uses DES encryption along with a dual key algorithm to secure mail transmission.
According to International Resource Development, the U.S. data encryption market has grown from $384 million in 1991 to an estimated $946 million in 1996.36
Where information is protected by encryption it is more marketable. Ironically, the U.S. government, for reasons of law enforcement and national security, has opposed easy and fully secure encryption, thus reducing the ability of individuals to control access to their information, to establish property rights, and to create the foundation for markets.
Present encryption, however, does not solve the problem of information resale to a third party C, once decrypted by the second party B. Solving that problem in the future would be a godsend to every owner of information and copyright, but it is hard to conceive how it might be done securely. A buyer of information cannot be stopped from memorizing and/or photographing the decrypted information on his screen and then reselling it.
Even so, giving A protection vis-a-vis B already goes a long way. It permits, for example, property rights in information about transactions between A and B to be held jointly. Both A and B hold keys to it, and therefore need each other's permission for their release. This would enable, for example, A (a consumer) to require compensation from B (a credit card company) for releasing transaction information. It is true that B could copy information once it accessed it for one purpose, in other ways that were not authorized. But to do this in a systematic way to thousands of customers would be a foolish business practice.
The dual-key systems would also permit individuals to sell information about themselves directly, instead of letting various market researchers and credit checkers snoop in their demographics, personal history, and garbage cans. Individuals would define a set of access rights: only their doctor would be allowed to view medical records. Other categories of information would have free access, while others would be costly. Presumably, the more valuable information is to the buyer, and the more negative it is to the seller, the higher the price. Some information would be priced too high for voluntary exchange. This system would also allow an individual to keep track of who asked for the information. And the reselling of the information would be authorized only by agreement of both key holders.
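The joint holding and request tracking described above, as an added example that is not part of the original paper. It swaps in 2-of-2 XOR secret sharing for the paper's dual-key system in order to show the joint-consent property on its own; the Holder class, the release function, the requester names and the sample record are all hypothetical or constructed.

```python
import secrets
from dataclasses import dataclass, field


def split_record(record: bytes):
    """Split a record into two shares; either share alone is uniformly random."""
    share_a = secrets.token_bytes(len(record))
    share_b = bytes(r ^ s for r, s in zip(record, share_a))
    return share_a, share_b


@dataclass
class Holder:
    """One party to the transaction, holding one share and its own consent list."""
    name: str
    share: bytes
    approved: set = field(default_factory=set)     # requesters this holder agrees to
    requests: list = field(default_factory=list)   # (requester, granted) audit trail

    def hand_over(self, requester):
        granted = requester in self.approved
        self.requests.append((requester, granted))
        return self.share if granted else None


def release(requester, holder_a, holder_b):
    """Return the record only if both holders consent; otherwise None.

    Both holders are always asked, so each one's log shows every request
    even when the other party refuses.
    """
    part_a = holder_a.hand_over(requester)
    part_b = holder_b.hand_over(requester)
    if part_a is None or part_b is None:
        return None
    return bytes(x ^ y for x, y in zip(part_a, part_b))


def run_constructed_scenario():
    """Constructed data: A is the consumer, B the credit card company."""
    record = b"constructed sample: 1996-03-01 BOOKSHOP 23.50"
    share_a, share_b = split_record(record)
    consumer = Holder("A (consumer)", share_a, approved={"mortgage-lender"})
    card_co = Holder("B (card company)", share_b,
                     approved={"mortgage-lender", "list-broker"})
    return {
        "record": record,
        "lender": release("mortgage-lender", consumer, card_co),
        "broker": release("list-broker", consumer, card_co),
        "consumer_log": consumer.requests,
    }
```

The split holds only if B discards the plaintext once the shares exist, and it does nothing after release: the requester then holds the record in the clear, which is the resale problem the paper says present encryption does not solve.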
SELLING THE RIGHT OF PRIVACY
So far we have analyzed the role of markets in the provision of privacy in a largely pragmatic way--will it work? Yes, in some cases. No, in other cases. But at least as important is the normative question--should privacy be part of a market? While the market approach could be in many instances efficient on economic grounds and would differentiate according to needs, efficiency is not the only value to be concerned about. Just as there are economic trade-offs, so are there non-economic ones.
A distribution of privacy rights on a free-market basis would provide no protection for citizens against encroachment by the state. The only effective limits on government are those established through constitutional and statutory means. Therefore there would have to be two types of privacy rules, one for transactions among private parties, the other for transactions between private parties and the state. The former would be left, in part, to the market to allocate, the latter would involve a constitutionally protected right. Yet the question may be asked whether such a bifurcation in the treatment of the most mobile of resources--information--is sustainable and practical.
Perhaps the most prevalent argument against markets in privacy is that efficiency is not the only societal goal. Thus, some resources, such as privacy allocations, might be in the category of inalienable rights that are protected from encroachment and "commodification" by the market system.
This position leads to several responses to the notion of transaction-generated privacy:
To state that privacy is a basic human right is a noble sentiment with which I am in accord, but it does not follow that privacy therefore is outside the mechanism of transactions. As mentioned, a right is merely an initial allocation. It may be acquired without a charge and be universally distributed regardless of wealth, but it is in the nature of humans to have varying preferences and needs, and to exchange what they have for what they want. Thus, whether we like it or not, people continuously trade in rights. In doing so they exercise a fundamental right, the right of free choice.
In most cases, a person does not so much transfer his right to another but chooses not to exercise it, in return for some other benefit. An accused has the right to a jury trial, but he can waive it for the promise of a lenient sentence. A person has the freedom of his religion, but may reconsider in order to make his spouse's parents happy. One can be paid to assemble or not to assemble, to forgo bearing arms, travel, petition, or speak. Voluntary temporary servitude in exchange for oceanic passage peopled early America. Students have the right to read faculty letters of recommendation written on their behalf, but they usually waive that right in return for letters they hope will have greater credibility.37
These departures from textbook civics are socially undesirable if the rights in question were given up under some form of duress, for example if in a single-employer town workers must agree not to assemble as a condition of employment. But when an informed, lucid, sober, and solvent citizen makes a choice freely, the objections are much harder to make. They then boil down to a transaction being against public policy, often because it affects others outside the transaction (i.e., "negative externalities"). To make these transactions illegal, however, does not stop many of them, if there are willing buyers and sellers, but it makes them more difficult and hence costly. The extent of the success of such a ban depends, among other factors, on the ability of the state to insert itself into the transaction. In the case of privacy, which by its nature is an interactive use of information, such insertion is difficult. All it usually takes is to make the information transaction consensual. And if it becomes illegal to offer compensation to obtain consent, one can expect imaginative schemes to circumvent such a prohibition. After all, we now have over 3.0 lawyers per thousand population, up from 1.3 in 1970.38 Indeed, the success of government enforcement would then depend on intrusive actions by the state into private transactions. As important as privacy is, it will not necessarily override other values, such as free choice, the right to know, and the right to be left alone.
A second objection is that consumers have asymmetric knowledge relative to business about the value of their personal information, and that they consequently would be exploited (Gandy, 1996). The holders of this view disc