NB: This post is part of the “Skepticism About Information Fiduciaries” symposium. Other contributions can be found here.
James Grimmelmann –
Online platforms do different things for (and to) users. Some of these things are a good fit for fiduciary principles, some are not.
Perhaps most obviously, platforms collect data about users. Some of that data is inherently sensitive, like health records; some of it is sensitive in the aggregate, like months of Facebook likes. Either way, the users could be harmed if their data got into the wrong hands or were used against them.
Fiduciary principles are a good fit for platform data collection in two overlapping ways. First, the core fiduciary duty of confidentiality has long applied to knowledge professionals like doctors and lawyers when they receive information about their patients and clients. Like digital platforms, they need information to do their jobs; fiduciary law makes sure they use it only to do their jobs. Second, fiduciary duties of care and loyalty have long applied to parties who are entrusted with a thing of value. That’s what happens in a literal trust, the paradigmatic source of fiduciary duties. It is not difficult to extend those duties to parties who hold information, rather than money or other tangible property. Current U.S. information privacy law is patchy and hesitant, but its best version of itself would cash out fiduciary principles in specifying when and how platforms can use and share user data.