Emory Law Journal


The click of a mouse. The tap of a phone screen. Credit card purchases. Walking through an airport. Driving across a bridge. Our activities, both online and offline, are increasingly monitored, converted into data, and tracked. These troves of data—collected by entities invisible to us, stored in disparate databases—are then aggregated, disseminated, and analyzed. Data analytics—algorithms, machine learning, artificial intelligence—reveal “truths” about us; weaponize our data to influence what we buy or how we vote; and make decisions about everything from the mundane—which restaurant a search engine should recommend—to the significant—who should be hired, offered credit, granted parole. This Article is the first to chart the terrain of this novel, networked data landscape and articulate the ways that existing laws and ethical frameworks are insufficient to constrain unethical data practices or grant individuals meaningful protections in their data. The United States’ sectoral approach to privacy leaves vast swaths of data wholly unprotected. Recently enacted and proposed privacy laws also fall woefully short. And all existing privacy laws exempt de-identified data from coverage altogether—a massive loophole given that the amount of publicly available data sets increasingly render reidentifying de-identified data trivial. Existing ethical frameworks, too, are unable to address the complex ethical challenges raised by networked datasets. Accordingly, this Article proposes an ethical framework capable of maintaining the public’s full faith and confidence in an industry thus far governed by an ethos of “move fast and break things.” The CRAFT framework—arising from considerations of the shortcomings of existing ethical frameworks and their inability to meaningfully govern this novel, networked data landscape—establishes principles capable of guiding ethical decision making across the data landscape and can provide a foundation for future legislation and comprehensive data governance.