Unjust Enrichment Law and AI

Data Protection, Unjust Enrichment

By Hu Ying

When companies collect our data to train their AI systems, or benefit from our data in other ways, are we entitled to any of those benefits? In a chapter published in The Cambridge Handbook of Private Law and Artificial Intelligence edited by Ernest Lim and Phillip Morgan, I consider the situations in which individual data subjects should be allowed to seek gain-based remedies against those companies.

Companies collect a wide variety of personal data about individuals who use their products or services. They can benefit from the personal data they have collected in various ways. They might sell that data to third parties for money or for benefits in kind (e.g., other types of data or insights from data analysis). They might also use that data to develop or improve their own products or services (e.g., to train their voice recognition algorithms).

Let us consider the following scenario as an example. Assume that a company has collected and used Jane’s personal data without her consent. One plausible cause of action against the company is unjust enrichment. To bring an unjust enrichment claim, a claimant generally has to establish that (1) the defendant is enriched, (2) at the claimant’s expense, and (3) in circumstances which render it unjust for the defendant to retain the enrichment. The exact elements of the cause of action vary in different jurisdictions.

The first question, therefore, is what benefit, if any, has been transferred from Jane to the company? The benefit cannot be the personal information itself. Jane retains that information. It cannot be the digital files that contain the binary representation of Jane’s personal data. Those files are created by the company, not transferred by Jane to the company. The benefit may not even be the value of using Jane’s personal data for a particular purpose. Since information is non-rivalrous, the company can use it for one purpose without necessarily preventing Jane from using it for the same or different purposes. I believe the benefit transferred from Jane to the company is control over information about her: as the company acquires the power to determine the use of that information, Jane’s power to determine its use diminishes accordingly. Third parties can obtain that information either directly from Jane or from the defendant. The power to determine the use of one’s personal data has value to both individual data subjects and companies. The more difficult question concerns the value of that power. This chapter suggests several factors that might help determine its value.

The second question is whether the company has been enriched at Jane’s expense. There has been a divergence of views on whether there must be an exact correspondence between the claimant’s loss and the defendant’s gain to satisfy the ‘at the claimant’s expense’ requirement. My preferred answer is ‘No’. The answer to this question is particularly important where data subjects have difficulty establishing that they suffered pecuniary loss as a result of unauthorized use or disclosure of their personal data (see, e.g., In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F. 3d 125, 148–149).

The third question is whether the company has been enriched in circumstances which render it unjust for the company to retain the benefit (commonly referred to as ‘unjust factors’). At least two unjust factors are potentially relevant.

  • First, Jane might argue that she transferred personal data to the company due to a mistake (e.g., a mistake about the company’s data practice) and that she would not have transferred that data but for the mistake.
  • Second, if Jane has paid the company for a certain product/service and the company has made an express promise not to collect or use certain types of personal data in relation to that product/service, then Jane might be able to argue that she has paid the company for that promise. The relevant unjust factor is failure of basis: simply stated, the company promised to do something for remuneration, received remuneration, but did not do what was promised. Therefore, it is unfair for the company to keep the payment.

Even if Jane can establish a prima facie unjust enrichment claim, it is trite law that she cannot bring such a claim against a defendant with whom she has a valid and subsisting contract governing the same subject matter. It is not uncommon for online service providers (e.g., Google or Facebook) to require their users to agree to their Terms of Service and/or Privacy Policies, whose terms are sometimes contractually binding. The chapter in turn considers circumstances in which Jane’s unjust enrichment might fail as a result of such contracts.

Finally, the chapter examines various grounds for awarding the remedy of disgorgement and explains how those reasons might help justify an award of disgorgement for unlawful collection or use of personal data in certain cases.

My interest in exploring gain-based remedies is mainly driven by the difficulties that data subjects often face in seeking compensation for loss suffered due to unauthorized collection or use of personal data. In the chapter, I aim to demonstrate that bringing an unjust enrichment claim can sometimes be a more cost-effective way to protect people’s right to privacy. Moreover, disgorgement might also prove to be a useful remedial tool to deter companies from collecting or using personal data in ways that violate important social norms regarding privacy.

Keywords:  Unjust Enrichment, Disgorgement, Data Privacy, Data Security

AUTHOR INFORMATION

Dr. Hu Ying is an Assistant Professor at the NUS Faculty of Law.

Email: lawhuyi@nus.edu.sg

Share this post:

Share on Pinterest Share on LinkedIn