Site Meter

Category: Administrative Law

P
0

The FTC and the New Common Law of Privacy

I’m pleased to announce that my article with Professor Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014), is now out in print.  You can download the final published version at SSRN.  Here’s the abstract:

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite over fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States — more so than nearly any privacy statute or any common law tort.

In this Article, we contend that the FTC’s privacy jurisprudence is functionally equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC’s privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy “common law” demonstrates that the FTC’s privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this “common law” into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, extends far beyond privacy policies, and involves a full suite of substantive rules that exist independently from a company’s privacy representations.

P
0

FTC v. Wyndham

The case has been quite long in the making. The opinion has been eagerly anticipated in privacy and data security circles. Fifteen years of regulatory actions have been hanging in the balance. We have waited and waited for the decision, and it has finally arrived.

The case is FTC v. Wyndham, and it is round one to the Federal Trade Commission (FTC).

Some Quick Background

For the past 15 years, the FTC has been one of the leading regulators of data security. It has brought actions against companies that fail to provide common security safeguards on personal data. The FTC has claimed that inadequate data security violates the FTC Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In many cases, the FTC has alleged that inadequate data security is deceptive because it contradicts promises made in privacy policies that companies will protect people’s data with “good,” “adequate,” or “reasonable” security measures. And in a number of cases, the FTC has charged that inadequate data security is unfair because it creates actual or likely unavoidable harm to consumers which isn’t outweighed by other benefits.

For more background about the FTC’s privacy and data security enforcement, please see my article with Professor Woodrow Hartzog: The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014). The article has just come out in print, and the final published version can be downloaded for free here.

Thus far, when faced with an FTC data security complaint, companies have settled. But finally one company, Wyndham Worldwide Corporation, challenged the FTC. A duel has been waging in court. The battle has been one of gigantic proportions because so much is at stake: Wyndham has raised fundamental challenges the FTC’s power to regulate data security under the FTC Act.

The Court’s Opinion and Some Thoughts

1. The FTC’s Unfairness Authority

Wyndham argued that because Congress enacted several data security laws to regulate specific industries (FCRA, GLBA, HIPAA, COPPA) that Congress did not intend for the FTC to be able to regulate data security more generally under FTC Act unfairness. The court rejected this argument, holding that “subsequent data-security legislation seems to complement—not preclude—the FTC’s authority.”

This holding seems quite reasonable, as the FTC Act was a very broad grant of authority to the FTC to regulate for consumer protection for most industries.

Read More

0

Economic Dynamics and Economic Justice: Making Law Catastrophic, Middling, or Better?

Contrary to Livermore,’s post,  in my view Driesen’s book is particularly powerful as a window into the  profound absurdity and destructiveness of the neoclassical economic framework, rather than as a middle-ground tweaking some of its techniques.  Driesen’s economic dynamics lens makes a more important contribution than many contemporary legal variations on neoclassical economic themes by shifting some major assumptions, though this book does not explore that altered terrain as far as it might.

At first glance, Driesen’s foregrounding of the “dynamic” question of change over time may, as Livermore suggests, seem to be consistent with the basic premise of neoclassical law and economics:   that incentives matter, and that law should focus ex ante, looking forward at those effects.   A closer look through Driesen’s economic dynamics lens reveals how law and economics tends to instead take a covert ex post view that enshrines some snapshots of the status quo as a neutral baseline.  The focus on “efficiency” – on maximizing an abstract pie of “welfare”  given existing constraints –  constructs the consequences of law as essentially fixed by other people’s private choices, beyond the power and politics of the policy analyst and government, without consideration of how past and present and future rights or wrongs constrain or enable those choices.  In this neoclassical view, the job of law is narrowed to the technical task of measuring some imagined sum of these individual preferences shaped through rational microeconomic bargains that represent a middling stasis of existing values and resources, reached through tough tradeoffs that nonetheless promise to constantly bring us toward that glimmering goal of maximizing overall societal gain (“welfare”) from scarce resources.

Driesen reverses that frame by focusing on complex change over time as the main thing we can know with certainty.  In the economic dynamic vision, “law creates a temporally extended commitment to a better future.” (Driesen p. 52). Read More

0

FAA Appeals Drone Decision

Last week, an administrative law judge invalidated a fine against Raphael Pirker by the Federal Aviation Administration for using a small drone for a commercial purpose.  I discuss the basis for the decision–in short, that the FAA implied that the type of craft Pirker was using was subject only to non-binding guidance–over at Forbes.  In that post and elsewhere, I cautioned drone start ups and others to wait and see what the FAA does in response to the ruling before rushing ahead with their idea for a drone-based business.  Today the FAA announced it was, in fact, appealing the decision.

How the appeal fares may depend on the way the appeals court characterizes the decision.  In issuing rules, the FAA has to follow the strictures of the Administrative Procedure Act, including issuing notice and soliciting comment.  The judge at one point refers to a defect in the FAA’s public notice concerning “unmanned aerial systems.”  According to the judge, “Notice 07-01 does not … meet the criteria for valid legislative rulemaking,” due to defects in title (not called an “Notice of Proposed Rulemaking” or “NPRM”) and timing (not issued 30 days in advance).  My understanding is that courts review procedural defects de novo under the APA.  Now, if an appellate court upholds the administrative judge’s decision on this basis, then the FAA loses authority to regulate drones in general, but only until they follow the proper procedure to create valid rules.

If the basis is that the FAA misinterpreted its own rules, however–i.e., the agency was wrong to sweep the drone Pirker was operating into its definition of “aircraft”–then arguably Seminole Rock / Auer deference applies.  Auer has faced its share of criticism, as my colleague Kathryn Watts explores in a forthcoming article in Georgetown Law Journal.  But it remains the law of the land, and requires courts to uphold agency interpretations unless they are “plainly erroneous” or else inconsistent.  I don’t see the FAA’s decision to include unmanned aircraft systems as aircraft as plainly erroneous.  Otherwise, you could simply replace the pilot of a cargo plane with a robot and suddenly the plane falls outside the authority of the FAA.  But the FAA’s decision could be inconsistent: As the administrative judge notes, official FAA communications repeatedly treat some categories of “model aircraft” or “modelers” separately than other UAS.

The basis of the invalidation of the fine could be a procedural defect, an inconsistent interpretation, or both.  The ruling is not entirely clear.  We will have to wait and see how the court reacts to the FAA’s appeal.  And even if the court upholds the judgment, we should probably expect a drone NPRM from the FAA to follow.  Those of you with deeper training in administrative law should feel free to jump in.

CLARIFICATION (March 13, 2014): Peter Sachs of Drone Law Journal points out that the first layer of appeal here is to a five-member panel of administrative judges.  They could in theory clarify the basis of the decision (or overrule it) before the case heads to an Article III court.  Thanks, Peter!

The Comments Experiment

I just wanted to announce that I am joining Gerard on this policy. I think it will be an improvement over the status quo (for me at least) because:

1) It works for Sullivan. He gives many great comments or responses a high level of prominence. He doesn’t just highlight people who agree with him. He publishes “dissents of the day” that contradict his position in a constructive, interesting, or provocative way.

2) I’ve heard from several people that they would comment, but don’t want to get “drowned out” in the noise of irrelevant comments. So this is a way for them to get some attention for their views.
Read More

Rethinking Airline Deregulation

The challenge to the US Airways/American merger led Justin Fox to reconsider the much-vaunted “success” of passenger airline deregulation:

Before deregulation, airlines in the U.S. were pretty reliable moneymakers. [After deregulation they] lost $41.6 billion (in 2011 dollars). And it’s not just shareholders who have come off terribly. The past few decades have been, if anything, an even bigger disaster for airline employees, many of whom have seen their pensions mostly evaporate and their pay and status diminish. Taxpayers haven’t come off untouched, either — getting stuck with partial pension bailouts and big loan guarantees to aid the ailing industry in recent years along with ongoing subsidies for airport construction and improvement.

But at least things are good for CEOs, right? Doug Henwood adds more critical perspective:

Between 1963 (when the figures begin) and 1979, the airfare subindex of the CPI grew 25% more slowly than the overall CPI. Since 1979, it’s growth 2.4 times as fast as overall inflation. A major reason for this is that there are many fewer nonstop flights than in the regulated days, and far tighter advance purchase restrictions. To the Bureau of Labor Statistics, which computes the CPI, such quality decreases are the same as price increases. (This is the opposite of the logic prevailing in computers, where rapidly increasing power is the same as a price decline.) And then ridership. Between 1948 and 1978, annual passenger miles flown grew 12% a year; since then, they’ve grown less than 4%.

Perhaps we can thank the deregulators for one thing: cutting the climate impact of a carbon-intensive industry.

Schmayek’s Shutdown

MirowskiCoverIf you asked Ted Cruz or Jim DeMint who was the guiding spirit of their government shutdown, they’d probably mention Friedrich von Hayek. The Nobel Prize winning economist warned the world that “socialism” would put citizens on a “road to serfdom.” For the Tea Party, PPACA is a horror, perhaps even a new form of slavery, a threat to liberty even darker than the feudal past Hayek evoked.

But there is another figure just as important to current neoliberal thought as Hayek. Carl Schmitt provided jurisprudential theories of “the emergency” and “the exception” that highlighted the best opportunities for rapid redistribution of wealth upwards. In Never Let a Serious Crisis Go to Waste, Philip Mirowski explains how neoliberal thought, far from advocating a shrinking of the state, in fact sparks a redirection and intensification of its energies. As he puts it, “A primary function of the neoliberal project is to redefine the shape and the function of the state, not to destroy it” (56). Moreover, the “strong state was necessary to neutralize what [Hayek] considered to be the pathologies of democracy” (84). Even a temporary dictatorship can work in a pinch.

The shutdown is a brilliant strategy to meld Hayekian substance and Schmittian procedure. As Aaron Bady has observed,

A shutdown is a state of exception when the government gets to do things it normally can’t do, like close the Environmental Protection Agency, de-fund WIC, close the national parks, send a lot of government employees home [in what is in many ways a lock-out], and all sorts of other stuff. A shutdown is a moment in which a choice gets made about which laws to obey and which laws to ignore, when the government gets to decide that some people are essential and some people aren’t.

Read More

0

Homeownership, Flood Insurance, and Stupid Land Uses: The Kolbe Decision

First, thanks to Concurring Opinions for inviting me back.  It’s been years.  What took you so long? 

I plan to spend some of my month’s effort here discussing coastal land use and disasters and the law.  In light of Superstorm Sandy and likely future megastorms, and given climate change and sea level rise, I can’t help noting that, whatever is going on with managing CO2 levels at a global scale, one class of disasters results from what I have come to call in conversation (and now in writing) Stupid-A** Land Use Decisions (SALUD).   We build houses in harm’s way.  I’ve written about the folly of allowing homes on the parts of barrier islands that are most likely to flood or wash away, noting in passing the folly of building homes on scenic hillsides subject to rock- and mudslides.  In the news lately, there’s much about the costs of rescuing homes built in forests that are just waiting to catch fire.  At some point, we have to disincent SALUD, or at least insist that the full cost of risk and rescue and rebuilding be reflected in the market cost of building in Stupid-A** places, and let that expense disincent.  It’s very hard to do.  As my own dear New Jersey Governor Chris Christie said after Superstorm Sandy, we will rebuild!

 Which brings me to the case I’m discussing today.  It came down last Friday. The case is Kolbe v. BAC Home Loans Servicing, LP (1st Cir. No. 11-2030, Sept. 27, 2013) (en banc), 2013 WL 5394192.  It is a First Circuit en banc decision, on a 3-3 vote, failing to reverse the District of Massachusetts, which granted a motion to dismiss a putative class action seeking an interpretation of a form mortgage contract provision concerning flood insurance.  Warning, I’m not an expert in all of the doctrinal areas involved, so please forgive if I miss something, but boy, is it interesting. 

The provision in dispute is Covenant 4, a three-sentence paragraph required by the Department of Housing and Urban Development (HUD) to be included in all single family dwelling mortgage contracts insured by the Federal Housing Administration (FHA).  Covenant 4 was established by a regulation promulgated in 1989 after notice and comment rulemaking.  It allows a lender to require that the homeowner purchase insurance for “any hazards . . . in the amounts and for periods that the Lender requires.”  Covenant 4 also requires the borrower to insure against loss from floods to the extent required by the Secretary of HUD.  HUD requires flood insurance whenever a property is located in a “special flood hazard area,” the most risky category under the National Flood Insurance Program (NFIP) classification scheme.  HUD requires flood insurance at least equal to the outstanding balance of the mortgage, that is, the lender’s stake in the property, but there is a cap of $250,000.  Thus, as to hazard (but not flood), the lender clearly has authority under Covenant 4 to require further hazard insurance.  But it is, arguably, unclear whether Covenant 4 empowers the lender to require a homeowner to purchase additional flood insurance.  Perhaps the provision of Covenant 4 referring to requirements by HUD insulates the homeowner from lender requirements as to purchasing flood insurance.  Perhaps Covenant 4′s authorization for lenders to require additional hazard insurance includes flood insurance, because floods are a type of hazard.  That’s the interpretation question. Read More

1

Secret Adjudications: the No Fly List, the Right to International Air Travel, and Procedural Justice?

Airplane_silhouette_SLatif v. Holder concerns the procedures owed individuals denied the right to travel internationally due to their inclusion in the Terrorist Screening database. Thirteen individuals sued the FBI, which maintains the No Fly list and the Terrorist Screening database. Four plaintiffs are veterans of the armed forces; others just have Muslim sounding names. All of the plaintiffs are U.S. citizens or lawful residents. The plaintiffs’ stories are varied but follow a similar trajectory. One plaintiff, a U.S. Army veteran, was not allowed to return to the U.S. from Colombia after visiting his wife’s relatives. Because he could not fly to the U.S., he missed a medical exam required for his new job. The employer rescinded his offer. Another plaintiff, a U.S. Air Force veteran, was in Ireland visiting his wife. He spent four months trying desperately to return to Boston. Denied the right to travel internationally, the thirteen plaintiffs lost jobs, business opportunities, and disability benefits. Important family events were missed. The plaintiffs could not travel to perform religious duties like the hajj. Some plaintiffs were allegedly told that they could regain their right to fly if they served as informants or told “what they knew,” but that option was unhelpful because they had nothing to offer federal officials. Plaintiffs outside the U.S. were allowed to return to their homes on a one-time pass. When back in the U.S., they turned to the TSA’s redress process (calling it “process” seems bizarre). The process involves filling out a form that describes their inability to travel and sending it via DHS to the Terrorist Screening Center. The Terrorist Screening Center says that it reviews the information to determine if the person’s name is an exact match of someone included in the terrorist database or No Fly list. All of the plaintiffs filed redress claims; all received DHS determination letters that neither confirmed nor denied their inclusion on the list. The letters basically told the plaintiffs nothing–they essentially said, we reviewed your claim, and we cannot tell you our determination. 

The plaintiffs sued the federal government on procedural due process and APA grounds. They argued that the DHS, FBI, and TSA deprived them of their right to procedural due process by failing to give them post deprivation notice or a meaningful chance to contest their inclusion in the terrorist database or No Fly list, which they have to presume as a factual matter based on their inability to travel though some of the plaintiffs were told informally that they appeared on the No Fly list. The standard Mathews v. Eldridge analysis determines the nature of the due process hearings owed individuals whose life, liberty, or property is threatened by agency action. Under Mathews, courts weigh the value of the person’s threatened interest, the risk of erroneous deprivation and the probable benefit of additional or substitute procedures, and the government’s asserted interests, including national security concerns and the cost of additional safeguards.

Most recently, the judge partially granted plaintiffs’ summary judgment motion, ordering further briefing set for September 9. In the August ruling, plaintiffs were victorious in important respects. The judge found that plaintiffs had a constitutionally important interest at stake: the right to fly internationally. As the judge explained, plaintiffs had been totally banned from flying internationally, which effectively meant that they could not travel in or out of the U.S. They were not merely inconvenienced. None could take a train or car to their desired destinations. Some had great difficulty returning to the U.S. by other means, including boat, because the No Fly list is shared with 22 foreign countries and U.S. Customs and Border Patrol. Having the same name as someone flagged as a terrorist (or the same name of a misspelling or mistranslation) can mean not being able to travel internationally. Period. The court also held that the federal government interfered with another constitutionally important interest — what the Court has called “stigma plus,” harm to reputation plus interference with travel. She might also have said property given the jobs and benefits lost amounted to the plus deprivation. That takes care of the first Mathews factor. Now for the second. The court assessed the risk of erroneous deprivation under the current DHS Redress process. On that point, the court noted that it’s hard to imagine how the plaintiffs had any chance to ensure that DHS got it right because they never got notice if they were on the list or why if they indeed were included. Plaintiffs had no chance to explain their side of the story or to correct misinformation held by the government–what misinformation or inaccuracy was unknown to them. In the recent “trust us” theme all too familiar these days, defendants argued that the risk of error is minute because the database is updated daily, officials regularly review and audit the list, and nomination to the list must be reviewed by TSC personnel. To that, the court recognized, the DOJ’s own Inspector General had criticized the No Fly list in 2007 and in 2012 as riddled with errors. Defendants also contended that plaintiffs could seek judicial review as proof that the risk of erroneous deprivation was small. The court pushed off making a determination on the risk of erroneous deprivation and valued of added procedures because it could not evaluate the defendants’ claim that plaintiffs could theoretically seek judicial review of determinations on which they have no notice. Defendants apparently conceded that there were no known appellate decisions providing meaningful judicial review. The court required the defendants to provide more briefing on the reality of that possibility, which I must say seems difficult if not impossible for plaintiffs to pursue. Because the court could not weigh the second factor, she could not balance the first two considerations against the government’s interest.

I will have more to say about the decision tomorrow. The process provided seems Kafka-esque. It’s hard to imagine what the defendants will file that the public can possibly learn. The briefing will surely be submitted for in camera review. Details of the process may be deemed classified. If so, defendants may invoke the state secrets doctrine to stop the court’s ever meaningfully addressing the rest of the summary judgment motion. It would not be the first time that the federal government invoked the state secrets doctrine to cover up embarrassing details of mismanagement. Since its beginnings, the state secrets doctrine has done just that. The parties were supposed to provide the court a status update today. More soon.