Zubair Shafiq, Athina Markopoulou & Woodrow Hartzog

“Data governance” is an empty term, like a Rorschach inkblot just waiting to be filled with meaning. Silicon Valley tends to use this term in different ways depending on the audience and purpose. On the one hand, companies brag about their data governance capabilities when it fits their business model (e.g., to advertisers) and public image (to their customers). On the other hand, they claim that meaningful data governance is impossible when regulators demand accountability.

In this essay, we argue that companies often misrepresent their data governance capabilities and that the entire discourse around governance should be given little credence. To demonstrate our point, we present two case studies that show how hypocritical companies can be when it comes to the treatment of our personal information. First, we show that companies routinely work to identify and target minors for ad targeting purposes, but disclaim the knowledge or ability to identify children and their data for other purposes. Next, we show how companies commonly claim they do not know whether the information shared with them by websites is protected health information (PHI) under HIPAA, even though common data governance techniques used to exploit data easily make this link.

We conclude this article by arguing for a more sustained critique and skepticism of the concept of data governance. Lawmakers could better scrutinize what constitutes reasonable efforts under existing data protection rules, better tailor new rules to the data governance capabilities of companies, and, finally, better scrutinize the use of the term “data governance” as an efficacy claim within the law of consumer protection.