Mention privacy-as-control (“PaC”) at the Privacy Law Scholars Conference in the United States, and the audience rolls their eyes; mention privacy-as-control at the European PLSC, and the audience nods in consent. PaC was famously articulated by American scholar Alan Westin, and has become a dominant privacy framework on both sides of the Atlantic. However, in recent years, PaC is subject to growing criticism, especially from American privacy scholars, for its failure to capture the essence of privacy and for failing our privacy, by legitimizing the collection of our personal data, its processing, and use. In particular, the critique focuses on large scale and big data practices by data-driven corporations.
This paper answers this critique and defends PaC. I explain why the critique is mostly mistaken, for it too often reduces ‘control’ to notice-and-choice and underestimates PaC’s broader role in privacy law. Instead, I offer a positive account of PaC, arguing that it is still the best normative lens we currently have to explain privacy law, as it captures the essence of the main privacy justifications and is their common denominator. Importantly, PaC is not a justification of privacy per se, but rather a headline for other privacy justifications and rationales. Properly understood, PaC carries the potential to guide us in data-related social contexts, and no less importantly, in cross-context settings. Daniel Solove, building on Wittgenstein’s notion of “family resemblance,” suggested that we better understand privacy as consisting of “many different yet related things.” Despite Solove’s critique of PaC, I suggest that control is privacy’s family name.