Luohan Academy

Private Information and Privacy Rights

Event materials

  • Transcript

Patrick Bolton is the Barbara and David Zalaznick Professor at Columbia University and was President American Finance Association in 2015. Professor Bolton's research and areas of interest are in contract theory and contracting issues in corporate finance and industrial organization. A central focus of his work is on the allocation of control and decision rights to contracting parties when long-term contracts are incomplete.

In the third Luohan Academy Frontier Dialogue, Professor Bolton brought a lot of insights on how to protect privacy-related rights. He thought liability rules could be another approach for privacy protection, in addition to property rules. Platforms could be data or privacy fiduciaries under liability rules, like physicians, accountants, consultants, other traditional agents.


It's been a privilege to participate in it [the report]. I've learned a lot. Now in the interest of time today, I prepared a few slides. What I'd like to do in my allotted eight minutes, is not really [to] repeat the excellent summary that Long made, but I would like to add a couple of additional thoughts that I took away from the report [that] made me think a little further.

Before I get to these couple of thoughts, let me just tell you quickly what, to me, are some of the key takeaways from the report. So just reading off the screen here, what we learned from the report is just how the digital economy and big data have dramatically brought down informational barriers to trade. As always mind-boggling to come back to the basic data on that, see how much digital economy has changed things.

Both reports really make a strong case that it's never been easier to provide service based on shared information and that information sharing is at the heart of the digital economy. And in the second report, we had a really excellent analysis of the privacy paradox, the value of data integrity, and especially, I thought, the big data exercise based on Alipay was incredibly insightful. What we learned from that, what's been said before is that data production is a public good and that raises its own sets of questions when it comes to privacy and privacy protection.

And here I would like to say what Bengt Holmstrom said earlier, “This is a slippery subject.” And it's a slippery subject because we understand that more privacy protection isn't for free. We have a really fundamental result from information economics, that's due to Myerson and Satterthwaite[1] and others. What this result tells you is that if you have freedom of contracting with private property protection and private information, then you generally are going to get inefficient trade. That is the twin prerequisites of incentive compatibility and individual rationality will give you inefficient trade.

The problem is that if you have individual rationality, essentially you have two monopolists or more, depending on how many parties there are to a trade, that are trying to make a deal, each extracting some informational rent. No wonder you're going to get inefficiency.

In light of that basic observation, the slippery question is, how much privacy protection do you want and how should it be protected? And here the thought I would like to bring to the discussion is a very helpful distinction that's been introduced by Calabresi and Melamed between property and liability rules[2]. So a property rule is essentially one where you cannot appropriate anything without consent, so you cannot appropriate information without consent of the subject. And liability rules, however, allow for appropriation against adequate compensation, even without consent.

There is a large literature based on property and liability rule that basically point in the direction that you can get greater economic efficiency under liability rules. And so based on that literature, you could ask, should privacy be protected by property rule or property rights? And really this brings me to the ubiquitous, take it or leave it consent requirements now that we have thanks to GDPR. Is this the right approach to protecting privacy? And we've already heard about the privacy paradox, the free rider problem, and so on. And so we know there are problems with these consent requirements. But I would like to argue that there are more than problems that have already been made out in the discussion today and in the reports.

So one other thing we learned about property rights is the numerus clausus principle. So basically, you cannot have a property right on just anything. The rights that are given to you under property right laws are finite in number.That's what the numerus clausus principle means. So why is that relevant to our discussion? Well, one thing that's really not been thought through carefully under GDPR is the privacy policies that you need to consent to when you click a button, you go on a website and you have to agree. There's no constraint put on any of those policies. And that's just not adequate. That's one important reason why consent doesn't mean much as we all know.

So really, how do we think about privacy protection if it's not through a property right, if we don't require property rule or consent? Well, what I want to put on the table here is that we want to think of a privacy protection by platforms in terms of platforms as data or privacy fiduciaries. Here the analogy I want to draw is with physicians, accountants, consultants, other traditional agents. These professions have developed norms of information, integrity, and confidentiality, and they're subject to liability rules. So that's perhaps a more effective way, productive way of thinking about privacy protection.

And I want to close by highlighting how principle one in the report, to those who get to the very end, you'll see the three principles. Principle one, I think, makes a case for such an approach, and let me read it to you: data ownership by data producers, including data produced by subject as producers, should be predicated on data integrity, anonymity, and especially the protection of personal and societal privacy. 


[1] Referring to the Myerson–Satterthwaite theorem, an important result in mechanism design and the economics of asymmetric information. Myerson, R. B. and M. A. Satterthwaite (1983). Efficient Mechanisms for Bilateral Trading. Journal of Economic Theory. 29 (2): 265–281.

[2] Calabresi, G., & Melamed, A. D. (1972). Property rules, liability rules, and inalienability: one view of the cathedral. Harvard Law Review.

For more information, please visit Luohan Academy's youtube channel: Luohan Academy


to leave a comment