Skip to main content
AI & Machine LearningQuantum Computing

Rethinking Privacy Rules in AI Era

Person stands before transparent server room with humming equipment and blurred cityscape in background.

At stake is whether privacy protections in an AI-driven world will rest on individuals’ control of their data or on enforceable obligations placed on the companies that collect and process it.

Daniel Solove’s central argument

In a Wall Street Journal opinion, Daniel Solove argues that “giving people control of their personal data is not an effective way to regulate privacy in this era.” Instead, he says, the proper regulatory analogue is how we govern food and drug companies: hold firms directly accountable for the harms their products cause. That shift, Solove contends, would move privacy policy away from an over-reliance on individual choice and toward systemic responsibilities for organizations that design, collect, and use personal information.

Rigorous data minimization and fiduciary duties

Solove points to specific regulatory tools that, in his view, would work better than placing the burden on users. He recommends rigorous data minimization — limiting how much personal data is collected and retained — and imposing fiduciary duties on companies. Under his proposal, companies would have enforceable obligations to act in the interests of the people whose data they hold, rather than treating data subjects as sole arbiters of risk through consent dialogs and privacy settings.

Liability for negligent or reckless technological design

Solove further urges liability where technology is negligently or recklessly designed. That element of his prescription treats privacy harms as the predictable outcome of design choices: when systems are built in ways that foreseeably put people at risk, firms should face legal consequences. This is framed as a counterpart to data minimization and duties — a way to ensure companies internalize the downstream costs of unsafe or careless engineering.

Liability for algorithms that cause harm

Beyond design-phase negligence, Solove explicitly calls for liability when algorithms themselves cause harm. That concept addresses cases where automated decision-making produces adverse effects on people; his argument is that accountability should attach not only to data flows but to the outcomes of algorithmic systems. In this formulation, algorithmic harms become a basis for corporate responsibility in the same way that a defective product or mislabeled drug can trigger liability.

Multi-stakeholder review of technologies

Finally, Solove recommends multi-stakeholder review of technologies as part of the regulatory mix. This suggests a governance model in which independent reviewers, affected communities, technologists, and possibly regulators participate in assessing new systems before or as they are deployed. That review, paired with minimization, duties, and liability, is presented as a practical alternative to relying primarily on individual control.

What this means for technologists, policymakers, and the public

  • Technologists and security teams: Expect pressure to incorporate rigorous data-minimization practices and design safeguards into system lifecycles to reduce exposure to liability for negligent or reckless design.
  • Policymakers and regulators: Solove’s framework points them toward statutory approaches that impose fiduciary duties and create liability for algorithmic harms rather than expanding notice-and-consent regimes.
  • The public and end users: The chief implication is a shift away from the expectation that individual control over data alone will secure privacy; instead, people would rely on corporate obligations and enforceable remedies when harms occur.

Solove’s prescription reframes privacy as a problem of corporate duty and enforceable accountability rather than consumer choice. He offers a compact menu of regulatory tools — data minimization, fiduciary duties, liability for design and algorithmic harms, and multi-stakeholder review — intended to reassign responsibility to firms that build and deploy the technologies. Whether policymakers adopt that approach remains the critical, unanswered question; under Solove’s view, the practical test will be whether regulators and lawmakers are prepared to hold companies to standards comparable to those applied to food and drug producers.

https://www.schneier.com/blog/archives/2026/07/protecting-privacy-in-an-ai-era.html