Author: Daniel Solove

0

Welcome to Naomi Cahn

Cahn Naomi 02I am delighted to announce that Professor Naomi Cahn is joining Concurring Opinions to post here on a regular basis.  Naomi teaches at George Washington University Law School, where she holds the Harold H. Greene Chair.  She is involved in book, article, and law reform projects concerning families’ interactions and intersections with the law and gendered institutions, nationally and globally.  Her scholarship and teaching cover the entire lifespan, from pregnancy (and attempts to become pregnant) through death and inheritance.   Her co-authored book with June Carbone, Marriage Markets (OUP 2014),  about the relationship between family structure and marriage, was on the list of best books for 2014 issued by both The Economist and Newsweek.  Other ongoing projects include work on assisted reproductive technology and, with Rev. Amy Ziettlow, a book on elder care.   She has testified before Congress on adoption-related issues and  worked with the Uniform Law Commission to draft model legislation on post-death access to digital assets, and her work has been covered in media outlets ranging from The New York Times to the Wall Street Journal to The Christian Century.

Before joining the GW faculty, Naomi worked at the SEC, legal services, a large law firm, a small law firm, and Georgetown’s  domestic violence clinic.

Her areas of interest include Gender, Feminism, Family Law, International Women’s Rights, and  Trusts and Estates.

Image Group Legal Academia 07
0

Legal Academia LinkedIn Group

I created a new LinkedIn group called Legal Academia for legal academics to share useful links, posts, scholarship, events, etc. Shameless-self promotion is welcomed — as long as what you promote is good.

Who Can Join?

Anyone can join — non-academics can join too if you want to follow along.

How Do You Join?

Go to the group’s page: Legal Academia . Just click the join button at the top of the page.

Who Can Post?

The forum will be moderated so that all posts will be by legal academics about their work, blog posts, conferences, and scholarship.  Administrators can post about law school events or notable happenings or issues.

What Topics Can You Post On?

Posts are not restricted to those about legal academia.   This forum might hopefully grow into a hub of information about notable activity in the blogosphere, scholarship, and elsewhere.  Please don’t promote every single blog post you write, but if you have written something noteworthy, please share it.   Please feel free to share the work of others too.

Why Join?

Academics have not embraced LinkedIn as much as they have Twitter, but there are some really great things about LinkedIn’s platform.  It is a way to get work noticed and read by practitioners.  Posts, although short, are not subject to Twitter’s Draconian character limit.  There’s a lot less noise on LinkedIn, so the forum can be a more focused place for promoting and discussing scholarship and information relevant to the academy.

In your settings, you can have a daily digest or weekly digest of the postings to the group emailed to you — or nothing at all.

So please join the Legal Academia LinkedIn group.  And please post, as the group won’t succeed if I’m the lone one posting.   Please don’t be bashful about pointing out new things that you’ve written.  That’s what this forum is for — to help everyone publicize and get more people reading and engaging with scholarship and academic discussion.  Thanks!

FTC 01
1

Should the FTC Be Regulating Privacy and Data Security?

This post was co-authored with Professor Woodrow Hartzog.

This past Tuesday the Federal Trade Commission (FTC) filed a complaint against AT&T for allegedly throttling the Internet of its customers even though they paid for unlimited data plans. This complaint was surprising for many, who thought the Federal Communications Commission (FCC) was the agency that handled such telecommunications issues. Is the FTC supposed to be involved here?

This is a question that has recently been posed in the privacy and data security arenas, where the FTC has been involved since the late 1990s. Today, the FTC is the most active federal agency enforcing privacy and data security, and it has the broadest reach. Its fingers seem to be everywhere, in all industries, even those regulated by other agencies, such as in the AT&T case. Is the FTC going too far? Is it even the FTC’s role to police privacy and data security?

The Fount of FTC Authority

The FTC’s source of authority for privacy and data security comes from some specific statutes that give the FTC regulatory power. Examples include the Children’s Online Privacy Protection Act (COPPA) where the FTC regulates online websites collecting data about children under 13 and the Gramm-Leach-Bliley Act (GLBA) which governs financial institutions.

But the biggest source of the FTC’s authority comes from Section 5 of the FTC Act, where the FTC can regulate “unfair or deceptive acts or practices in or affecting commerce.” This is how the FTC has achieved its dominant position.

Enter the Drama

Until recently, the FTC built its privacy and security platform with little pushback. All of the complaints brought by the FTC for unfair data security practices quickly settled. However, recently, two companies have put on their armor, drawn their swords, and raised the battle cry. Wyndham Hotels and LabMD have challenged the FTC’s authority to regulate data security. These are more than just case-specific challenges that the FTC got the facts wrong or that the FTC is wrong about certain data security practices. Instead, these challenges go to whether the FTC should be regulating data security under Section 5 in the first place. And the logic of these challenges could also potentially extend to privacy as well.

The first dispute involving Wyndham Hotels has already resulted in a district court opinion affirming the FTC’s data protection jurisprudence. The second dispute over FTC regulatory authority involving LabMD is awaiting trial.

In the LabMD case, LabMD is contending that the U.S. Department of Health and Human Services (HHS) — not the FTC — has the authority to regulate data security practices affecting patient data regulated by HIPAA.

With Wyndham, and especially LabMD, the drama surrounding the FTC’s activities in data protection has gone from 2 to 11. The LabMD case has involved the probable shuttering of business, a controversial commissioner recusal, a defamation lawsuit, a House Oversight committee investigation into the FTC’s actions, and an entire book written by the LabMD’s CEO chronicling his view of the conflict. And the case hasn’t even been tried yet!

The FTC Becomes a Centenarian

And so, it couldn’t be more appropriate that this year, the FTC celebrates its 100th birthday.

To commemorate the event, the George Washington Law Review is hosting a symposium titled “The FTC at 100: Centennial Commemorations and Proposals for Progress,” which will be held on Saturday, November 8, 2014, in Washington, DC.

The lineup for this event is really terrific, including U.S. Supreme Court Justice Steven Breyer, FTC Chairwoman Edith Ramirez, FTC Commissioner Joshua Wright, FTC Commissioner Maureen Ohlhausen, as well as many former FTC officials.

FTC 03 GW

Some of the participating professors include Richard Pierce, William Kovacic, David Vladeck, Howard Beales, Timothy Muris, and Tim Wu, just to name a few.

At the event, we will be presenting our forthcoming article:

The Scope and Potential of FTC Data Protection
83 George Washington Law Review (forthcoming 2015)

So Is the FTC Overreaching?

Short answer: No. In our paper, The Scope and Potential of FTC Data Protection, we argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but it also has the authority to expand its reach much more. Here are some of our key points:

* The FTC has a lot of power. Congress gave the FTC very broad and general regulatory authority by design to allow for a more nimble and evolutionary approach to the regulation of consumer protection.

* Overlap in agency authority is inevitable. The FTC’s regulation of data protection will inevitably overlap with other agencies and state law given the very broad jurisdiction in Section 5, which spans nearly all industries. If the FTC’s Section 5 power were to stop at any overlapping regulatory domain, the result would be a confusing, contentious, and unworkable regulatory system with boundaries constantly in dispute.

* The FTC’s use of a “reasonable” standard for data security is quite reasonable. Critics of the FTC have attacked its data security jurisprudence as being too vague and open-ended; the FTC should create a specific list of requirements. However, there is a benefit to mandating reasonable data security instead of a specific, itemized checklist. When determining what is reasonable, the FTC has often looked to industry standards. Such an approach allows for greater flexibility in the face of technological change than a set of rigid rules.

* The FTC performs an essential role in US data protection. The FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced. The FTC’s regulation of data protection gives the U.S. system of privacy law needed legitimacy and heft. Without the FTC’s data protection enforcement authority, the E.U. Safe Harbor agreement and other arrangements that govern the international exchange of personal information would be in jeopardy. The FTC can also harmonize discordant privacy-related laws and obviate the need for new laws.

* Contrary to the critics, the FTC has used its powers very conservatively. Thus far, the FTC has been quite modest in its enforcement, focusing on the most egregious offenders and enforcing the most widespread industry norms. The FTC should push the development of the norms a little more (though not in an extreme or aggressive way).

* The FTC can and should expand its enforcement, and there are areas in need of improvement. The FTC now sits atop an impressive body of jurisprudence. We applaud its efforts and believe it can and should do even more. But as it grows into this role of being the data protection authority for the United States, some gaps in its power need to be addressed and it can improve its processes and transparency.

The FTC currently plays the role as the primary regulator of privacy and data security in the United States. It reached this position in part because Congress never enacted comprehensive privacy regulation and because some kind of regulator was greatly needed to fill the void. The FTC has done a lot so far, and we believe it can and should do more.

If you want more detail, please see our paper, The Scope and Potential of FTC Data Protection. And with all the drama about the FTC these days, please contact us if you want to option the movie rights.

Cross-posted on LinkedIn

Enter Privacy Profession 01
2

Advice on How to Enter the Privacy Profession

Over at LinkedIn, I have a long post with advice for how law students can enter into the privacy profession.   I hope that this post can serve as a useful guide to students who want to pursue careers in privacy.

The privacy law field is growing dramatically, and demand for privacy lawyers is high.  I think that many in the academy who don’t follow privacy law, cyberlaw, or law and technology might not realize what’s going on in the field.  The field is booming.

The International Association of Privacy Professionals (IAPP), the field’s primary association, has been growing by about 30% each year.  It now has more than 17,000 members.  And this is only a subset of privacy professionals, as many privacy officials in healthcare aren’t members of IAPP and instead are members of the American Health Information Management Association (AHIMA) or the Health Care Compliance Association (HCCA).

There remains a bottleneck at the entry point to the field, but that can be overcome.  Once in the club, the opportunities are plentiful and there’s the ability to rise quickly.   I’ve been trying to push for solutions to make entry into the field easier, and this is an ongoing project of mine.

If you have students who are interested in entering the privacy law profession, please share my post with them.  I hope it will help.

0

Privacy and Data Security Harms

Privacy Harm 01

I recently wrote a series of posts on LinkedIn exploring privacy and data security harms.  I thought I’d share them here, so I am re-posting all four of these posts together in one rather long post.

I. PRIVACY AND DATA SECURITY VIOLATIONS: WHAT’S THE HARM?

“It’s just a flesh wound.”

Monty Python and the Holy Grail

Suppose your personal data is lost, stolen, improperly disclosed, or improperly used. Are you harmed?

Suppose a company violates its privacy policy and improperly shares your data with another company. Does this cause a harm?

In most cases, courts say no. This is the case even when a company is acting negligently or recklessly. No harm, no foul.

Strong Arguments on Both Sides

Some argue that courts are ignoring serious harms caused when data is not properly protected and used.

Yet others view the harm as trivial or non-existent. For example, given the vast number of records compromised in data breaches, the odds that any one instance will result in identity theft or fraud are quite low.

Read More

0

The World Dan Markel Created

dan markelThere have been such moving tributes to Dan Markel posted online that I wondered what I could add that hasn’t already been said about him. I didn’t know Dan as closely as many others, but I was fortunate to get to know him back in 2005. He was, as so many have said, one with a genuine passion for ideas.  Within the first few minutes of meeting him, Dan had already invited me to write some guest posts on his new blog, PrawfsBlawg.  I  barely knew him, but he was already cajoling me to blog as if he had known me for years.

I took him up on his offer.  As I began blogging on his site, he kept on encouraging me and sharing ideas with me.  “What do you think about this?”  “What do you think about that?” “You should write about this.”  Dan never eased in to anything, he didn’t gradually build speed.  You met him, and you’d find yourself instantly on a moving train.

I really loved blogging and stuck around PrawfsBlawg for quite a while before moving here to Concurring Opinions.  I thus owe my entry into the blogosphere to Dan.  Through Dan, and the people he brought to PrawfsBlawg, I met quite a lot of friends along the way.  When I think of the great people that Dan brought into my life — either directly or indirectly — it is quite an amazing list.

Dan had an intensity about nearly everything, especially ideas.  Typically, such intensity can push others away, but Dan’s intensity was paired with an exuberance and warmth.  I was not as closely in touch with Dan in recent years.  But whenever I saw Dan, he had a way of making me feel like we had been friends forever without any gaps.  And it was genuine — Dan really cared about people.

One of the refrains from the tributes to Dan is that he worked tirelessly to build a community.  His achievement here is something that is worth underscoring because it is so extraordinary.  The community Dan fostered was not merely a gathering of people.  It existed not just in meetings but in cyberspace too.  It encompassed junior law professors and senior ones.  It extended to scholars in a multitude of fields.  Dan’s community was one of friendship as well as one of ideas.   He was serious about academic engagement.

And what he created grew exponentially.  Our blog spun off of PrawfsBlawg, and other blogs have spun off of our blog.  Many blogs about law owe their origin in some way to Dan.   Many people were brought together because of Dan, spawning numerous co-authored works and lasting friendships.

The amount of friendships, collaborations, discussions, ideas,  and events that Dan played a role in creating is staggering.   Dan created more than just a community — he created a world.

0

Radical Pragmatism

Cambridge Companion to Pragmatism 01I recently posted on SSRN a book chapter I co-authored with Professor Michael Sullivan (Emory, Philosophy).  The chapter is called Radical Pragmatism and it is in The Cambridge Companion to Pragmatism pp. 324-344 (Alan Malachowski, ed. 2013).  This is a much shortened version of an earlier essay we wrote critiquing Judge Richard Posner’s conception of pragmatism.  We have tightened the argument, and this piece makes our key points much more succinctly.  Here’s the abstract:

“[P]ragmatist theory of law is, like much pragmatist theory, essentially banal.” So wrote Thomas Grey at the dawn of pragmatism’s renaissance in legal theory. Several contemporary pragmatists, as well as a number of critics of pragmatism, view pragmatism as a thin theory, more of a method than a philosophy with substantive commitments. For example, Richard Posner, one of the leading contemporary pragmatists, asserts that “pragmatism is more a tradition, attitude, and outlook than a body of doctrine” and that it has “no inherent political valence.” Likewise, Richard Rorty contends that pragmatism “is neutral between alternative prophecies, and thus neutral between democrats and fascists.”

Under this view, pragmatism generally leads to cautious common-sense policies. It is far from radical and unsettling, for it is too lacking in substantive value commitments to be otherwise. In this book chapter, we contest this account of pragmatism and offer a thicker account. Pragmatism does indeed have a political valence. It has substantive values. And, far from being banal, it is radical at its core.

You can download the chapter on SSRN.

T
0

The U.S. Supreme Court’s 4th Amendment and Cell Phone Case and Its Implications for the Third Party Doctrine

Today, the U.S. Supreme Court handed down a decision on two cases involving the police searching cell phones incident to arrest. The Court held 9-0 in an opinion written by Chief Justice Roberts that the Fourth Amendment requires a warrant to search a cell phone even after a person is placed under arrest.

The two cases are Riley v. California and United States v. Wurie, and they are decided in the same opinion with the title Riley v. California. The Court must have chosen toname the case after Riley to make things hard for criminal procedure experts, as there is a famous Fourth Amendment case called Florida v. Riley, 488 U,S, 445 (1989), which will now create confusion whenever someone refers to the “Riley case.”

Fourth Amendment Warrants

As a general rule, the government must obtain a warrant before engaging in a search. A warrant is an authorization by an independent judge or magistrate that is given to law enforcement officials after they properly justify their reason for conducting the search. There must be probable cause to search — a reasonable belief that the search will turn up evidence of a crime. The warrant requirement is one of the key protections of privacy because it ensures that the police just can’t search on a whim or a hunch. They must have a justified basis to search, and that must be proven before an independent decisionmaker (the judge or magistrate).

The Search Incident to Arrest Exception

But there are dozens of exceptions where government officials don’t need a warrant to conduct a search. One of these exceptions is a search incident to arrest. This exception allows police officers to search property on or near a person who has been arrested. In Chimel v. California, 395 U.S. 752 (1969), the Supreme Court held that the police could search the area near an arrestee’s immediate control. The rationale was that waiting to get a warrant might put police officers in danger in the event arrestees had hidden dangerous items hidden on them or that arrestees would have time to destroy evidence. In United States v. Robinson, 414 U.S. 218 (1973), the Court held that there doesn’t need to be identifiable danger in any specific case in order to justify searches incident to arrest. Police can just engage in such a search as a categorical rule.

What About Searching Cell Phones Incident to Arrest?

In today’s Riley case, the Court examined whether the police are allowed to search data on a cell phone incident to arrest without first obtaining a warrant. The Court held that cell phone searches should be treated differently from typical searches incident to arrest because cell phones contain so much data and present a greater invasion of privacy than more limited searches for physical objects: “Cell phones, however, place vast quantities of personal information literally in the hands of individuals. A search of the information on a cell phone bears little resemblance to the type of brief physical search considered in Robinson.”

Read More

0

Introducing Guest Blogger Chrisopher Kuner

KunerI am pleased to welcome Dr. Christopher Kuner as a guest blogger. Chris is Senior Of Counsel with Wilson Sonsini Goodrich & Rosati in Brussels, and an Honorary Professor at the University of Copenhagen. He is also a Visiting Fellow in the law department of the London School of Economics, and an Honorary Fellow of the Centre for European Legal Studies, University of Cambridge. He is editor-in-chief of the law journal “International Data Privacy Law”, and has been active in international organizations such as the Council of Europe, the OECD, and UNCITRAL.

Some of his publications include:

Transborder Data Flows and Data Privacy Law (Oxford University Press 2013)

European Data Protection Law: Corporate Compliance and Regulation (2nd edition, Oxford University Press 2007)

Foreign Nationals and Data Protection Law: A Transatlantic Analysis”, in: Hielke Hijmans and Herke Kranenborg (eds), Data Protection Anno 2014: How to Restore Trust (intersentia 2014)

“The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law”, BNA Bloomberg Privacy and Security Law Report (2012) February 6 2012, pages 1-15

“Data Protection Law and International Jurisdiction on the Internet (Parts 1 and 2), 18 International Journal of Law and Information Technology (2010) 18(2) 176 and 18(3) 227

 

1

Gabriel Garcia Marquez’s Chronicle of a Death Foretold

Garcia Marquez - Chronicle of a Death ForetoldI am deeply saddened by the passing of Gabriel Garcia Marquez, one of the world’s best contemporary authors. His magical realist style brims with life and zest — and his descriptions are unique and unforgettable. His most famous work is the magisterial One Hundred Years of Solitude, but my personal favorite is Chronicle of a Death Foretold.

I teach this great work in my law and literature class. It is a novella about a murder and its legal consequences that takes place in a small town. What is amazing about the book is that it is quite short — it is really just a long short story — yet unlike most works of its length, it focuses on not just the microcosm of one character but the macrocosm of an entire town, with an enormous array of characters. So much is packed into this short work, and I marvel at how each time I read it I discover interesting new details. The novella reminds me of a Breugel painting, a canvas filled with so much detail, so many interesting things going on.

Chronicle of a Death Foretold begins with one of Garcia Marquez’s signature openings, so gripping and enriched with unexpected details that it is impossible to stop reading:

On the day they were going to kill him, Santiago Nasar got up at five-thirty in the morning to wait for the boat the bishop was coming on. He’d dreamed he was going through a grove of timber trees where a gentle drizzle was falling, and for an instant he was happy in his dream, but when he awoke he felt completely spattered with bird shit.

The book is written by a narrator 27 years after the murder, pieced together by various interviews, memories, and documents. Chronicling memories that have faded, stories that diverge and contradict each other, the narrator writes in part like an investigative journalist piecing together an expose and in part like a detective investigating a crime. The narrative isn’t told in a linear way but in various fragments that are pasted together like a collage.

We know who will be murdered on the first page, and we find out the culprits very early on. And yet, Chronicle of a Death Foretold is a murder mystery. What it shows, as the narrator recreates the final days of Santiago Nasar’s life, is how each and every character played a role in the murder. Some were indifferent, some were too absorbed in their own pursuits to pay much attention, some were vindictive, with hidden malice, and some just didn’t take things seriously. So many are to blame, yet most played but a small part, and others who played larger roles acted in part based on societal pressures.

But beyond the individual characters, the ultimate indictment is against the town itself and its norms. This is a collective crime. We see how norms of race, class, and gender all combine to create a bitter stew, how many characters feel trapped by traditions and beliefs that lead them to act in unsavory ways. The indictment is thorough — the individuals and the very fabric of their society all interact to produce this tragedy.

I teach this work in my law and literature class to show how puny a force the law can be, and how the law can be too myopic in its focus. The law in this story fails to address the roots of what happened; it just focuses on a few branches and ignores most of the tree.

I marvel at this work every time I read it — the beauty of the prose, the vividness of the description, the brevity of the story that has enough detail for a book ten times as long, and the ability to capture a whole town and its culture and values in so many dimensions — without becoming too abstract or didactic.

If you haven’t read this book, I strongly recommend it to you. It is gripping, challenging, fascinating, and insightful. It is a true masterpiece, and can be read in just an afternoon. Often overshadowed by Garcia Marquez’s great novels — One Hundred Years of Solitude and Love in the Time of CholeraChronicle of a Death Foretold, despite its brevity, is as rich and sweeping.

Cross-posted at LinkedIn