Ari Ezra Waldman begins Industry Unbound: The Inside Story of Privacy, Data, and Corporate Power with a deeply relatable scenario. He describes a perpetual stream of emails from corporations that claim “your privacy is important to us.” Why, if corporations care so deeply about our privacy, is privacy viewed as under-protected, often eroded or even “over,” in the words of Meta CEO Mark Zuckerberg?
Prior literature recognizes the failures of privacy law, such as the ineffectiveness of notice and consent, but explains these failures primarily in terms of the law itself, or the behavior of individuals. Waldman begins from these known issues but goes further, offering up a compelling and systematic perspective on why such failures are occurring. He uses sociological survey research to explore the dynamics of privacy within the information economy, examining the roles of individuals, organizational structures and corporate power in shaping privacy discourses and law. In doing so, the research offers new explanations for the paradox of more privacy law yet less privacy. Waldman's work is part of a broader literature that challenges the concentration of corporate power in the United States, and pushes back against that power through the lens of labor law, antitrust, economics and media regulation.
Waldman writes in an engaging and vigorous tone, delivering an urgent narrative on why privacy protection is systematically failing. In the first chapter, Waldman compiles his more than 100 interviews of privacy professionals into synthesized conversations that reflect his findings. Chapters 2–5 of the book then weave these interviews into Waldman's broader argument, examining the role of privacy discourses, privacy professionals, technological design and corporate structures in perpetuating an ecosystem that purports to maintain privacy but in fact undermines it. Across these chapters, Waldman paints a picture of an antiprivacy ecosystem that is so extensive it becomes hard to deny.
Waldman does a wonderful job of situating his research within the context of both privacy scholarship and writing from outside the realm of privacy. In a particularly compelling passage, Waldman argues that privacy suffers from legal endogeneity, as the concept is described by Lauren Edelman in her Civil Rights Act of 1964 research (2016). Privacy law is, by its nature, often vague and principles based. As Kenneth Bamberger and Deirdre Mulligan have argued previously (2015), this means privacy professionals often imbue the law with its meaning through their on-the-ground practice and processes of privacy compliance. Waldman contends that this interpretive process contorts privacy law into a narrow construct that emphasizes corporate convenience and efficiency over the privacy of individuals. Worse still, these corporate processes of privacy compliance then become conflated with the substance of what privacy law requires. Waldman's interviews support this idea, revealing a tendency of privacy professionals to measure the improvement of substantive privacy protection based on the volume of their work translating privacy obligations into formalistic compliance tools and checklists. These processes of compliance are eventually taken by lawyers (and even regulators and judges) as evidence of substantive compliance, rendering the assessment of privacy law violations endogenous. For example, Waldman points to Federal Trade Commission consent agreements that require the subject corporation to ensure their encryption is consistent with “industry standards.” As symbolic or performative actions of data privacy (or cyber security, in this FTC example) compliance replace substance, Waldman argues this reinforces the power of the information industry, leaving society with the false perception that “something” is happening, and therefore that the law must be working to protect privacy.
Waldman fairly laments the circular and self-defining aspects of privacy law. However, the book's legal endogeneity arguments can, at times, leave the reader wondering what standards privacy professionals should be meeting. If, as Waldman argues, appropriate privacy protection is something more than legal compliance as it is understood by regulators and industry actors—something that ought to be exogenously, not endogenously defined—then the book leaves that appropriate standard of “more” largely unarticulated. What constitutes adequate protection of data privacy, if it is not compliance with the (admittedly self-interpreted) law? An articulation of this grander vision of standards for privacy law and compliance would be helpful, perhaps in future work.
Just as readers begin to despair that their privacy is hopelessly lost to the information industry, Industry Unbound ends on a hopeful note. The final chapter, titled “Fighting Back,” offers some potential solutions (and rejects others), aiming to change the way organizations, and the law, seek to protect privacy. Although Waldman's solutions are modestly developed, this modesty is appropriate given the early juncture of privacy law and this sociolegal perspective. Most convincingly, Waldman argues that, in order for legal and discursive privacy reforms to be effective in counteracting corporate power, such reforms must consider the broader legal context of the information industry, from the Communications Decency Act to trade secrecy and First Amendment law. I would add to this list antitrust law, which pursues data-driven competition with little regard to the erosion of privacy. Throughout the book, Waldman describes a tension between user engagement and user data privacy interests that exemplifies a broader friction between online privacy and the data-driven competition prompted by antitrust.
Industry Unbound will be of interest to anyone seeking to understand why newer, stronger privacy laws are persistently failing to protect privacy. Send copies to your in-house privacy colleagues, for whom Waldman has a stark but important message on their role in undermining the very privacy protections they seek to uphold.