Data Controllers as Data Fiduciaries

Amanda Reid, Noelle Wilson

University of Colorado Law Review

Political Processes

(Research Summary by Katherine Furl) 

In an environment where previously unforeseeable amounts of confidential data are available to an ever-growing number of businesses, understanding the best approaches to litigating potential breaches of data privacy is of utmost importance. In “Data Controllers as Data Fiduciaries: Theory, Definitions, and Burdens of Proof,” Noelle Wilson and Amanda Reid examine two common regulatory models discussed in the context of U.S. consumer privacy law—the Rights/Obligations Model mirroring language from the European Union’s General Data Protection Regulation (GDPR), and the Fiduciary Model, based on preexisting obligations of confidentiality seen in doctor-patient and attorney-client relationships. Wilson and Reid argue for a hybridized version of these two models, allowing for adaptable and consistent legislation capable of protecting as many Americans as possible from violations of their data privacy. 

Several states have adopted privacy laws following the Rights/Obligations Model, granting consumers certain rights and imposing related obligations on businesses. Many of these laws borrow a pair of terms from the EU GDPR—“data controllers,” who have some role in how data are ultimately used, and “data processors,” who merely process data at the behest of data controllers. Though these privacy laws are better than nothing, notable protection gaps remain. As one example, most privacy laws under the Rights/Obligations Model in the U.S. can only be enforced by state attorneys general, and all of these laws make the protections a U.S. citizen receives depend on the specific state in which that person lives.

To circumvent these limitations, Wilson and Reid propose considering data controllers as data fiduciaries and adapting U.S. consumer privacy laws in line with a Fiduciary Model. In such a model, the focus shifts to the relationships between businesses as trusted entities tasked with ensuring the privacy of users and users as parties guaranteed protection within these relationships. These relationships can be understood as predicated on information asymmetry—businesses have far more access to users’ personal information than users have access to sensitive information related to businesses. Nevertheless, the Fiduciary Model presents its own limitations, including that it is quite vague. 

Wilson and Reid thus propose adopting a Hybrid Model, using the data controller/data processor terminology of the Rights/Obligations Model alongside the focus on relationality and information asymmetry emphasized in the Fiduciary Model. They argue that consumer privacy laws in the U.S. should impose fiduciary duties upon data controllers and treat businesses as data controllers by default unless they can prove they should instead be considered data processors (who would not be held to the same standards of fiduciary duty toward users).

By adopting a Hybrid Model in consumer privacy law, Wilson and Reid hope U.S. lawmakers will be able to adopt flexible, time-tested policies able to protect even the most vulnerable populations from data privacy breaches.