I'm a big fan of Andrew Tuch's work on fiduciary law. His new article is quite interesting:
Abstract Countless high-profile abuses of user data by leading technology companies have raised a basic question: should firms that traffic in user data be held legally responsible to their users as “information fiduciaries”? Privacy legislation to impose fiduciary duties of care, confidentiality and loyalty on data collectors enjoys bipartisan support but faces strong opposition from scholars. First, critics argue that the information fiduciary concept flies in the face of fundamental corporate law principles that require firms to prioritize shareholder interests over those of users. Second, it is said that the overwhelming self-interest of digital companies makes fiduciary loyalty impossible as a practical matter from the outset.
This essay finds neither objection convincing. The first objection rests on a mischaracterization of corporate law, which in reality would require compliance with user-regarding fiduciary obligations—the opposite of what critics fear. The second objection fails to convince because fiduciary law has proven itself adaptable enough to survive such challenges in other settings, such as in the asset management industry. The second objection nevertheless reveals a need for greater specificity of the fiduciary duties that would be imposed under the information fiduciary model, but even then it is unlikely that either objection would undermine the model.
Tuch, Andrew F., A General Defense of Information Fiduciaries (September 12, 2020). Washington University in St. Louis Legal Studies Research Paper No. 20-09-01, Available at SSRN: https://ssrn.com/abstract=3696946.
One of Tuch's arguments is that it is possible for Facebook (to cite one example) to owe fiduciary duties to its users, while Facebook's directors owe duties to Facebook's shareholders. This seems obviously correct. It is a basic tenet of the corporate social responsibility debate, for example, that directors' duty to maximize shareholder fiduciary duties does not require and, arguably, (see below) does not allow directors to cause the corporation to break the law.
Second, he argues that "Never in Delaware law are shareholders’ interests equated with the corporation’s immediate profitability to the exclusion of long-term interests ...." Accordingly, because care for users will often be consistent with the long term interest of the shareholders, directors who protect user interests at the cost of short term profits will rarely (if ever) be held liable for breaching the duty of shareholder wealth maximization (citing, inter alia, yours truly).
Third, he argues that Delaware "case law indicates clearly that directors must act 'within the law.'" Well, yes, but. It is my longstanding view that "fiduciary obligation and the duty to act lawfully make a bad fit." See also my post Can directors of corporations be held liable to shareholders when the corporation breaks the law.
My main concern with suggesting that Facebook and its ilk should be treated as fiduciaries of their users is that fiduciary duties, by virtue of their inherent ambiguity, are a blunt instrument as a regulatory tool. Stephen M. Bainbridge, Director Primacy: The Means and Ends of Corporate Governance, 97 Nw. U.L. Rev. 547, 591 (2003). Consider, for example, the famously vague language of Meinhard v. Salmon:
In discussing the problem with a broad conception of fiduciary duty, under which the fiduciary has “a duty to act in the best interests of the beneficiary,” Lionel Smith explains that “the indeterminacy of such a duty is such that any lawyer would agree that this cannot be its correct formulation.”