Law and Tech Research feed - Schwartz

Systematic government access to private-sector data in Germany

Tue, 11 Sep 2012 09:00:00 -0400

Germany has a strong commitment to the rule of law and to information privacy. Its concept of the ‘rule of law’ is best summed up in the idea of the Rechtsstaat, or ‘legal state’. The Rechtsstaat is a state that is based on civil liberties as well as the expression and protection of constitutional rights. For example, Article 1(1) of the German constitution, the Basic Law, states that human dignity is inviolable, and that the duty of all state authority is to respect and protect it.1 The Basic Law's Article 2(1) in conjunction with Article 1(1) guarantees the right of the free development of the personality. Article 20(3) of the Basic Law explicitly binds all three branches of government to the constitutional order and to law and justice.

The PII Problem: Privacy and a New Concept of Personally Identifiable Information

Mon, 15 Aug 2011 09:00:00 -0400

Personally identifiable information (PII) is one of the most central concepts in information privacy regulation. The scope of privacy laws typically turns on whether PII is involved. The basic assumption behind the applicable laws is that if PII is not involved, then there can be no privacy harm. At the same time, there is no uniform definition of PII in information privacy law. Moreover, computer science has shown that in many circumstances non-PII can be linked to individuals, and that de-identified data can, in many circumstances, be re-identified. PII and non-PII are thus not immutable categories, and there is a risk that information deemed non-PII at one point in time can be transformed into PII at a later juncture. Due to the malleable nature of what constitutes PII, some commentators have even suggested that PII be abandoned as the means to define the boundaries of privacy law.

In this Article, Professors Paul Schwartz and Daniel Solove argue that although the current approaches to PII are flawed, the concept of PII should not be abandoned. They develop a new approach called “PII 2.0,” which accounts for PII’s malleability. Based upon a standard rather than a rule, PII 2.0 is based upon a continuum of risk of identification. PII 2.0 regulates information that relates to either an “identified” or “identifiable” individual, and it establishes different requirements for each category. To illustrate their theory, Schwartz and Solove use the example of regulating behavioral marketing to adults and children. They show how existing approaches to PII impede the effective regulation of behavioral marketing and how PII 2.0 would resolve these problems.

Regulating Governmental Data Mining in the United States and Germany: Constitutional Courts, the State, and New Technology

Mon, 30 May 2011 09:00:00 -0400

For the anthropologist Clifford Geertz, law is “part of a distinct manner of imagining the real.”1 In Local Knowledge, he argues that, at a fundamental level, legal systems create a way of envisioning the world and then develop different kinds of “techniques”—whether through legal institutions, methods, or doctrines—that make this vision the correct one.2 The consequence is, of course, that the law in different countries will “see” different things. This point proves applicable to the study of comparative privacy law. Building on Geertz’s insight, this Article searches for distinct as well as shared aspects of one area of law in two countries. It seeks to determine whether German and American lawyers, judges, and policymakers are seeing the same or different things when regulating one form of technology—namely, data mining.

As a further matter, current privacy scholarship has a great need for targeted studies that look at specific areas of information use in different countries. After a first generation of broader comparative studies, today’s privacy scholarship needs more targeted analysis of specific areas of data use. As Spiros Simitis has argued, “[e]ffectiveness of data protection law crucially depends on the ability to react in a fashion that focuses on concrete situations of processing, and the ones that are especially important from the perspective of the affected party.”3 In such a fashion, this Article will look at how the legal systems of Germany and the United States respond to the use of data mining by the government for law enforcement and national security purposes.

Privacy Law Fundamentals

Sun, 20 Mar 2011 09:00:00 -0400

"Privacy Law Fundamentals" is a distilled guide to the essential elements of U.S. data privacy law. In an easily-digestible format, the book covers core concepts, key laws, and leading cases. Included here for download are The Table of Contents and Chapter 1.

The book explains the major provisions of all of the major privacy statutes, regulations, cases, including state privacy laws and FTC enforcement actions. It provides numerous charts and tables summarizing the privacy statutes (i.e. statutes with private rights of action, preemption, and liquidated damages, among other things). Topics covered include: the media, domestic law enforcement, national security, government records, health and genetic data, financial information, consumer data and business records, government access to private sector records, data security law, school privacy, employment privacy, and international privacy law.

This book provides an concise yet comprehensive overview of the field of privacy law for those who do not want to labor through lengthy treatises. "Privacy Law Fundamentals" is written for those who want a handy reference, a bird's eye view of the field, or a primer for courses in privacy law.

Data Protection Law and the Ethical Use of Analytics, Privacy and Security Law Report

Mon, 10 Jan 2011 09:00:00 -0400

Organizations now work in a data-rich environment. As the Article 29 Working Group of the EU recently noted, ‘‘[W]e are witnessing a so-called ‘data deluge’ effect, where the amount of personal data that exists, is processed and is further transferred continues to grow.’’From all indications, the data deluge will not only continue, but increase.

In 2003, a study at the UC Berkeley School of Information found that the amount of new information being created every year and stored on media was 5 exabytes. That amount is equal to the information stored in 37,000 libraries the size of the Library of Congress in the United States. By 2007, however, the amount of information stored each year had increased to 161 exabytes a year. This development has continued apace.In 2010, Google CEO Eric Schmidt noted that mankind now creates as much information every two days as it had from the dawn of civilization to 2003.

The turn to analytics is a response to this situation. Analytics involve the use of statistics, algorithms, and other tools of mathematics, harnessed through information technology, to use data to improve decisionmaking. A wide variety of organizations use analytics in their operations. Analytics are used by government, for example, but this white paper concentrates on how private-sector organizations use this technique.It does so because distinctive regulatory and ethical issues are likely to arise for different categories of enterprises. This white paper offers a contextual examination of analytics and develops ethical standards for private organizations using this technique. The term ‘‘contextual’’ is used here in reference to an organization’s need to consider the risks that a specific application of analytics poses to privacy and the kind of responsible processes that should accompany the use of analytics generally. This white paper finds that analytics tend to be applied to four stages of a data life-cycle: (1) collection, (2) integration and analysis, (3) decision-making, and (4) review and revision.

Its ethical standards for private organizations using analytics were developed through a series of interviews and discussions with the leading companies that participated in this project of the Centre of Information Policy
Leadership at Hunton & Williams. The resulting standards acknowledge that analytics can have a negative as well as a beneficial impact on individuals. Thus, the white paper requires implementation of accountable processes that are tailored to the specific, identified risks of analytics used. The guidelines further require development of organizational polices that govern information management and training of personnel. A company should also place responsibility for data processing operations and decision on designated individuals within the company. The following report is an abridged version of the full white paper, which is available online.

Prosser's Privacy and the German Right of Personality: Are Four Privacy Torts Better than One Unitary Concept?

Tue, 14 Dec 2010 09:00:00 -0400

California Law Review (forthcoming 2010)

Managing Global Data Privacy

Fri, 01 Jan 2010 09:00:00 -0400

Successive revolutions in information technology raise new challenges, risks, and opportunities for consumer privacy protection. Perhaps the most basic question is how these new technologies are changing the actual practices of companies in processing personal information. After all, emerging technologies can make legal regulations obsolete or out-of-date. The consequences can be ineffective regulation and a waster of corporate resources without meaningful protections for consumer privacy.

To understand the impact of new technologies on company practices and legal regulations, I researched how six leading North American companies manage their global use of personal information. This work was sponsored by the Privacy Projects, a new nonprofit organization devoted to empirical research into privacy issue.

My whitepaper, Managing Global Data Privacy, looks at companies that are developing pharmaceuticals, providing marketing, selling financial services, and offering a range of Internet-based software, technology, and online services. These companies collect and process and personal information about clinical health research, customer services, consumer surveys, mortgage renewals, e-mail accounts, and global job applicants.

Keeping Track of Telecommunications Surveillance

Wed, 30 Sep 2009 09:00:00 -0400

Telecommunications surveillance raises complex policy and political issues. It is also a matter of great concern for the general public. Surprisingly enough, however, the phenomenon of telecommunications surveillance is poorly measured in the U.S. at present. As a result, any attempt at rational inquiry about telecommunications surveillance is hampered by the haphazard and incomplete information the U.S. government collects about its own behavior and activities.

Neither the U.S. government nor outside experts know basic facts about the level of surveillance practices. As a consequence, U.S. citizens have limited ability to decide if there is too much or too little telecommunications surveillance. It is also impossible to determine if telecommunications surveillance is increasing or decreasing, or if law enforcement is using its surveillance capacities most effectively.[4]

Warrantless Wiretapping, FISA Reform, and the Lessons of Public Liberty

Wed, 22 Apr 2009 09:00:00 -0400

The central metaphor of Stephen Holmes’s Jorde Lecture1 is a haunting one: it is of emergency room personnel taking time and care during a lifethreatening situation to follow rules. These rules are ones of medical procedure that the staff carefully learns before the emergency and then faithfully follows during it. Rules should be followed during a crisis situation, Holmes tells us, because “psychologically flustering pressures” will provoke errors without such a behavior structure in place.2

Law should play a similar role for our leaders, and it is one that becomes more, and not less, important in responding to the terrorist threat to the United States. Holmes astutely builds on his analogy to the relatively rigid protocols upon which emergency room personnel rely.3 He argues that rights embodied in law “demarcate provisional no-go zones into which government entry is prohibited unless and until an adequate justification can be given.”4 Thus, legal rights serve as “a trip-wire and a demand for government explanation.”5

This mandatory process forces the Executive to explain her behavior and to confront other views. As Holmes warns, “If a government no longer has to provide plausible reasons for its actions . . . it is very likely, in the relative short term, to stop having plausible reasons for its actions.”6 Beyond its steadying function then, law can help the Executive “to make appropriate midstream adjustments in a timely fashion” and help everyone discover mistakes.7 Legal rules help facilitate an “adaptation to reality.”8 In contrast, when executive behavior is shielded in secrecy, inordinate delays in correcting terrible mistakes may damage national security.

The Jorde Lecture by Holmes burns with the light of clear analysis and calm rationality. In this Essay, I wish to build on it by considering Holmes’s odel of “public liberty” in greater depth. Public liberty improves security by preventing policymakers from hiding errors under a veil of secrecy. It even opens up the process of debate within the executive branch itself. This Essay develops Holmes’s model by discussing how private liberty, and information privacy in particular, is a precondition for public liberty. For Holmes, private liberty is largely a negative right—a right to be free from governmental interference. In contrast, my view is that privacy is also an element of public liberty. Participation in a democracy requires individuals to have an underlying capacity for self-determination, which requires some personal privacy.

This Essay then analyzes a number of Holmesian concepts through the lens of the recent process of the amendment of the Foreign Intelligence Surveillance Act (FISA).9 Since information privacy stands at the intersection of private and public liberty, it is an ideal topic for evaluating Holmesian principles about the contribution of law during times of national emergency. This Essay considers, in particular, the Bush administration’s policies toward FISA and Congress’s amendment of this statute.

In Part I, I describe the background of FISA and the National Security Agency’s (NSA) warrantless surveillance in violation of this statute. I also discuss the amendments to FISA in the Protect America Act of 2007—a short term statutory “fix” that has expired—and the FISA Amendments Act of 2008, which remains in effect.10 In Part II, I turn to an analysis of the challenges to private and public liberty posed by the NSA’s surveillance. I organize this Part around three topics: (1) past wisdom as codified in law; (2) the impact of
secrecy on government behavior; and (3) institutional lessons. As we shall see, a Holmesian search for the wisdom previously collected in law proves quite difficult. FISA regulated some aspects of intelligence gathering and left the intelligence community entirely free to engage in others. Over time, moreover, technological innovations and altered national security concerns transformed the implications of the past policy landscape. As a result, the toughest questions, which concern surveillance of foreign-to-domestic communications, do not receive an easy answer from the past.

Regarding the impact of secrecy on government behavior, the analysis is, at least initially, more straightforward. As Holmes discusses, the Bush administration was adept at keeping secrets not only from the public and other branches of government, but from itself. Even then-Attorney General John Ashcroft faced restrictions on his ability to receive legal advice within the Department of Justice about NSA activities, the legality of which he was required to oversee. It is also striking how little Congress knew about NSA activities while amending FISA. The larger lessons, however, prove more complicated: strong structural and political factors are likely to limit the involvement of Congress and courts in this area. This Essay concludes by confronting these institutional lessons and evaluating elements of a response that would improve the government’s performance by crafting new informational and deliberative structures for it.

The Future of Tax Privacy

Thu, 09 Apr 2009 09:00:00 -0400

The history of the tax privacy contains a number of surprises. First, the concept of tax privacy has been contested throughout much of the 19th and 20th Century. For a long period, tax returns were considered to be public documents. At times, they were even posted on court room doors or published in newspapers. Nonetheless, voices were also heard for tax privacy and the need for confidentiality of return information.

Second, the imposition of a general legal requirement of confidentiality for tax returns and a shift to a statutory regulation of access to tax returns occurred relatively recently in the history of tax law. The change occurred in the Tax Reform Act of 1976. From a historical perspective, the establishment of a concept of tax privacy occurred as part of the enactment of the most important generation of privacy laws in the 1970's.

If we move from the past of tax law to the present, tax law looks much like other privacy statutes. The Tax Reform Act of 1976 removed the authority of the President to make rules for release of tax information. Its Section 6103 established a general rule of confidentiality with Congress to set exceptions through this rule by statute. A flood of disclosure exceptions have been enacted since 1976 with requirements based on how difficult Congress thinks it should be for a given party to obtain the tax information for a specific purpose. Disclosure of tax information is now permitted for the purposes such as civil litigation, criminal litigation, child support obligations, and terrorism prevention.

Regarding predictions about the future, it is likely that tax privacy as regulated under the Tax Code will be both less and more important in the future. It will be less important because of broad governmental and public access to financial and other information of the kind that taxpayers file. At the same time, one aspect of tax privacy will be more important than before. Threats of data breaches and data leaks make tax return security more significant. For one thing, the IRS increasingly collects tax return information through e-filing. Increasingly, tax returns may also be prepared by U.S. firms that outsource work internationally and send tax information around the globe electronically. Tax preparation software is subject to hacks and virus attacks.

Both of these predictions suggest a final point. If we return to the policy arguments for and against tax privacy, there has been a shared assumption of a special status, an exceptional status for tax information. Yet, today, the same information found in tax returns is accessible through other legal statutes. Moreover, tax information in the electronic age is subject to the same vagaries of data security as other data. One can therefore predict that the privacy of tax information will not only be both more and less important in the future. It will also increasingly be subject to the same kind of forces, legal and otherwise, as other personal information.

Preemption and Privacy

Wed, 14 Jan 2009 09:00:00 -0400

A broad coalition, including companies formerly opposed to the enactment of privacy statutes, has now formed behind the idea of a national information privacy law. Among the benefits that proponents attribute to such a law is that it would harmonize the U.S. regulatory approach with that of the European Union and possibly minimize international regulatory conflicts about privacy. This Essay argues, however, that it would be a mistake for the United States to enact a comprehensive or omnibus federal privacy law for the private sector that preempts sectoral privacy law. In a sectoral approach, a privacy statute regulates only a specific context of information use. An omnibus federal privacy law would be a dubious proposition because of its impact on experimentation in federal and state sectoral laws, and the consequences of ossification in the statute itself. In contrast to its skepticism about a federal omnibus statute, this Essay views federal sectoral laws as a promising regulatory instrument. The critical question is the optimal nature of a dual federal-state system for information privacy law, and this Essay analyzes three aspects of this topic. First, there are general circumstances under which federal sectoral consolidation of state law can bring benefits. Second, the choice between federal ceilings and floors is far from the only preemptive decision that regulators face. Finally, there are second-best solutions that become important should Congress choose to engage in broad sectoral preemption.

Anonymous Disclosure of Security Breaches, in Securing Privacy in the Internet Age

Sun, 30 Nov 2008 09:00:00 -0400

Reputational sanctions are often offered as a substitute for law. Robert Ellickson has shown how social norms and gossip allow Shasta County ranchers to order theirs affairs and resolve disputes without resort to, or regard for, legal sanctions.[1] In business regulation, particularly in the post-Sarbanes-Oxley world, disclosure is king. On eBay, feedback fora allow participants to choose trading partners based on the number of positive and negative experiences others have had with the proposed counterparty.[2] The emerging regime for regulating data security is no exception, with recent state statutes and federal regulations mandating customer notice of security breaches involving personally identifiable data.[3] In all of these contexts, information about reputation benefits the public.

Data Mining and Internet Profiling: Emerging Regulatory and Technological Approaches

Fri, 09 May 2008 09:00:00 -0400

The 9/11 terrorists, before their deadly attacks, sought invisibility through integration into the society they hoped to destroy. In a similar fashion, the terrorists who carried out subsequent attacks in Madrid and London attempted to blend into their host lands. This strategy has forced governments, including the United States, to rethink counterterrorism strategies and tools.

One of the current favored strategies involves data mining. In its pattern-based variant, data mining searches select individuals for scrutiny by analyzing large data sets for suspicious data linkages and patterns. Because terrorists do not stand out, intelligence and law enforcement agents want to do more than rely exclusively on investigations of known suspects. The new goal is to search for a pattern or signature in massive amounts of transaction data.

This Article begins by examining governmental data mining. In Part II, this Article reviews widely held views about the necessary safeguards for the use of data mining. In Part III, this Article considers dataveillance by private corporations and how they have compiled rich collections of information gathered online in the absence of a robust legal framework that might help preserve online privacy.

This Article then discusses some of the techniques that individuals can employ to mask their online activity as well as existing and emerging technological approaches to preventing the private sector or government from linking their personal information and tracing their activities. This Article concludes by briefly considering three topics: (1) whether and how to regulate the potential impact of identity management systems on counterterrorism efforts; (2) the requirements of transparency and understanding of the underlying models used in either data mining or identity management systems as a necessary prelude to the creation of rules on appropriate access and use; and (3) the need for research in several further areas.

Reviving Telecommunications Surveillance Law

Sat, 05 Apr 2008 09:00:00 -0400

Consider three questions. How would one decide if there was too much telecommunications surveillance in the United States, or too little? How would one know if law enforcement was using its surveillance capabilities in the most effective fashion? How would one assess the impact of this collection of information on civil liberties?

In answering these questions, a necessary step, the logical first move, would be to examine existing data about governmental surveillance practices and their results. One would also need to examine and understand how the legal system generated these statistics about telecommunications surveillance. Ideally, the information structure would generate data sets that would allow the three questions posed above to be answered. Light might also be shed on other basic issues, such as whether or not the amount of telecommunications surveillance was increasing or decreasing.

Such rational inquiry about telecommunications surveillance is, however, largely precluded by the haphazard and incomplete information that the government collects about it. This Article evaluates the main parts of telecommunications surveillance law and the statistics about their use. The critical statutory regulations are (1) the Wiretap Act, (2) the Pen Register Act, (3) the Stored Communications Act, and, for foreign intelligence, (4) the Foreign Intelligence Surveillance Act, and (5) the different provisions for National Security Letters (NSLs).

Other parts of the surveillance landscape represent an even greater expanse of blank spaces on the legal map. There are a number of "semi-known unknowns" (to coin a phrase); these are kinds of telecommunications surveillance about which only limited public information exists - this surveillance also occurs outside a detailed legal framework.

This Article concludes with the development of the concept of "privacy theater." Currently, the value of the collection of telecommunications statistics is largely ritualistic. It serves to create a myth of oversight. This Article proposes that we go beyond myth and re-dedicate ourselves to the task of creating a telecommunications surveillance law that minimizes the impact of surveillance on civil liberties and maximizes its effectiveness for law enforcement.

Beyond the War on Terrorism: Towards the New Intelligence Network

Wed, 14 Feb 2007 09:00:00 -0400

In Terrorism, Freedom, and Security, Philip B. Heymann undertakes a wide-ranging study of how the United States can - and in his view should - respond to the threat of international terrorism. Heymann makes clear his own policy and legal preferences. First, he firmly rejects the widely used metaphor of the United States engaging in a "war" on terrorism. Second, Heymann advocates the paramount importance of intelligence to identify and disrupt terrorists' plans and to prevent terrorists from attacking their targets. At the same time, however, a heightened reliance on accurate and timely intelligence comes with risks. Heymann is concerned about the creation and consequences of an "intelligence state" in the U.S.

In this Review's Part I, we assess the idea of a war on terrorism as policy tool and metaphor. We also examine Heymann's alternative instruments, including diplomacy, intelligence, control over terrorist finances, and law enforcement. As a related topic, we consider the safeguards that Heymann develops for preventing the rise of an American intelligence state.

This Review's Part II looks at two additional aspects of Heymann's vision of future uses of intelligence to thwart terrorism. In Part II.A., we describes the contours of data mining, a technique of intelligence analysis that Heymann advocates. Although Heymann notes that data mining is likely to have an adverse effect on privacy, he does not develop detailed safeguards in response. A Pentagon blue ribbon panel, the Technology and Privacy Advisory Committee (TAPAC), has, however, developed a recommended framework for governmental use of data mining techniques, and we assess the TAPAC recommendations. Finally, in this Review's Part II.B., we turn to an important policy discussion related to data mining: how can the USIC better disseminate intelligence within a proposed new intelligence network? We sketch the proposed form of the new intelligence network and analyze four important legal and policy questions that it raises.

Notification of Data Security Breaches

Wed, 14 Jun 2006 09:00:00 -0400

The law increasingly mandates that private companies disclose information for the benefit of consumers. The latest example of such regulation through disclosure is a requirement that companies notify individuals of data security incidents involving their personal information. In the wake of highly publicized data spills, numerous states have now enacted such legislation, and federal legislation in this area has also been proposed.

These statutes seek to punish the breached entity and protect consumers by requiring that a breached entity disclose information about the data spill. There are competing possible approaches, however, to how the law is to mandate release of information about data leaks. This Article finds that a reputational sanction from breach notification can be important, but not for the reasons conventionally discussed. Moreover, a further function of breach notification is mitigation of harm after a data leak. This function requires a multi-institutional coordinated response of the kind that is absent from current policy proposals. To fill this gap, this Article advocates creation of a coordinated response architecture and develops the elements of such an approach.

Property, Privacy, and Personal Data

Tue, 17 May 2005 09:00:00 -0400

Modern computing technologies and the Internet have generated the capacity to gather, manipulate, and share massive quantities of data; this capacity, in turn, has spawned a booming trade in personal information. Even as it promises new avenues for the creation of wealth, this controversial new market also raises significant concerns for individual privacy-consumers and citizens are often unaware of, or unable to evaluate, the increasingly sophisticated methods devised to collect information about them. This Article develops a model of propertized personal information that responds to these serious concerns about privacy. It begins this task with a description and an analysis of several emerging technologies that illustrate both the promise and peril of the commodification of personal data. This Article also evaluates the arguments for and against a market in personal data, and concludes that while free alienability arguments are insufficient to justify unregulated trade in personal information, concerns about market failure and the public's interest in a protected privacy commons are equally insufficient to justify a ban on the trade. This Article develops the five critical elements of a model for propertized personal information that would help fashion a market that would respect individual privacy and help maintain a democratic order. These five elements are: limitations on an individual's right to alienate personal information; default rules that force disclosure of the terms of trade; a right of exit for participants in the market; the establishment of damages to deter market abuses; and institutions to police the personal information market and punish privacy violations. Finally, this Article returns to examples of technologies already employed in data trade and discusses how this proposed model would apply to them.

Evaluating Telecommunications Surveillance in Germany: The Lessons of the Max Planck Institute's Study

Mon, 28 Feb 2005 09:00:00 -0400

The publication in 2003 of a long-awaited empirical study of telecommunications surveillance in Germany has opened a window into existing law and practices in that country. Under the sponsorship of the Federal Department of Justice, three researchers at the Max Planck Institute for Foreign and International Criminal Law in Freiburg ("MPI") carried out a detailed examination of relevant German and international developments. The MPI Study of German and international developments in telecommunications surveillance has both weaknesses and strengths. Its weaknesses concern the MPI researchers' reliance on spotty international statistics to reach conclusions about relative amounts of surveillance activity in different countries. More successfully, the MPI researchers trace the similarities and dissimilarities in the regulation of telecommunications surveillance in different countries. To a large extent, this survey indicates a convergence among a core of shared legal approaches: a requirement of judicial approval of surveillance orders; an emergency exception to this requirement; and a use of telecommunications surveillance only as a last resort when other means of law enforcement will not reveal necessary information. Regarding its analysis of Germany, the MPI Study reveals the heavy emphasis of law enforcement agencies on surveillance of mobile telephones. This emphasis is all the more striking due to a relative lack of German law enforcement activity concerning surveillance of e-mail or traditional telephones. The MPI Study proved unable to account for these differences; it also neglected to explore the roots and significance of the disparate rate of surveillance in different German states. Finally, the MPI researchers did explore perhaps the most complex question of all in this area: can one empirically measure the results of telecommunications surveillance?

Eldred and Lochner: Copyright Term Extension and Intellectual Property as Constitutional Property

Fri, 04 Jun 2004 09:00:00 -0400

Since the ratification of the constitution, intellectual property law in the United States has always been, in part, constitutional law. Among the enumerated powers that Article I of the Constitution vests in Congress is the power to create certain intellectual property rights. To a remarkable extent, scholars who have examined the Constitution's Copyright Clause have reached a common position. With striking unanimity, these scholars have called for aggressive judicial review of the constitutionality of congressional legislation in this area. The champions of this position - we refer to them as the IP Restrictors - represent a remarkable array of constitutional and intellectual property scholars.

In this terms's Eldred v. Aschroft, leading IP Restrictor Lawrence Lessig, representing petitioner Eric Eldred, sought to convince the Supreme Court that the IP Restrictors' view of the Copyright Clause was the correct one. By a vote of 7-2, the Supreme Court rejected Eldred's claim and upheld the statute. But while the Court rejected the IP Restrictors' vision, it did not offer a satisfactory competing conception of the Copyright Clause and how the courts should construe it. Critically, even though the standard of review was of central significance, the Court applied a deferential form of rational basis scrutiny without explaining why this was the appropriate standard.

This paper develops the case for deferential review of congressional legislation in the area of intellectual property and, at a deeper level, offers a new paradigm for understanding the Copyright Clause. We propose that from the vantage point of constitutional law, intellectual property should be treated as a form of constitutional property. Deference to congressional judgments is warranted because congressional legislation affecting intellectual property is analytically similar to congressional legislation affecting other forms of property. Courts subject congressional legislation affecting traditional forms of property to deferential review because of concerns about institutional competence and respect for majoritarian decisionmaking. These two concerns in conjunction with proper regard for holistic constitutional interpretation should also lead courts to deferential review of congressional legislation affecting intellectual property.

In developing our position, we draw on constitutional history and, in particular, the lessons of Lochner v. New York. In defense of their vision of the Constitution, the IP Restrictors and the dissenters in Eldred make claims about the original understanding that, to an astonishing extent, echo those made by proponents of Lochner-era jurisprudence. We argue, however, that these claims fail for two reasons. First, the IP Restrictors and the dissenters disregard the limited scope of judicial review at the time of the Founding. Additionally, the IP Restrictors and dissenters disregard the range of views among the Founders about monopolies.

The New Privacy

Mon, 15 Dec 2003 09:00:00 -0400

In 1964, as the welfare state emerged in full force in the United States, Charles Reich published The New Property, one of the most influential articles ever to appear in a law review. Reich argued that in order to protect individual autonomy in an "age of governmental largess," a new property right in governmental benefits had to be recognized. He called this form of property the "new property." In retrospect, Reich, rather than anticipating trends, was swimming against the tide of history. In the past forty years, formal claims to government benefits have become more tenuous rather than more secure. "Overseers of the Poor: Surveillance, Resistance and the Limits of Privacy," by John Gilliom, an associate professor of political science at Ohio State University, demonstrates both the tenuousness of welfare rights today and the costs that this system imposes on individual autonomy.

In "Overseers of the Poor," Gilliom uses his case study of welfare recipients as the occasion for an attack on classic notions of privacy rights. Gilliom finds that welfare clients do not engage in "privacy talk" - indeed, he finds the concept to be devoid of value for the welfare recipients. Here, another comparison can be made with Reich's new property. Reich explicitly tied his idea of a new property right in government entitlements to privacy. He felt that the new property was needed to protect privacy, and, in particular, an individual's autonomy. Reich's notion of privacy reaches back to a classic concept of privacy, one that we term the "old privacy." It is precisely this classic idea that Gilliom finds welfare recipients to have rejected. Theoretical work inside and outside of the legal academy has pointed, however, to a "new privacy." The new privacy is centered around Fair Information Practices (FIPs) and is intended to prevent the threats to autonomy.

This Review begins by examining Gilliom's methodology and findings. It credits the insights of his look at the inner world of welfare recipients, but finds that he appears to ignore the need for income limits on aid recipients and the concomitant need for at least some personal information to enforce these limits. It also criticizes his failure to explore an interaction of an "ethics of care" among welfare recipients with possible use of retooled privacy rights or interests. In the second part of this Review, we consider the extent to which theoretical work inside and outside of the legal academy points to a new privacy and discuss how Gilliom's empirical research provides support for that scholarship. We will also evaluate the extent to which the new privacy, centered on FIPs, can prevent the threats to personal autonomy so poignantly identified by Gilliom.

German and U.S. Telecommunications Privacy Law: Legal Regulation of Domestic Law Enforcement Surveillance

Mon, 25 Aug 2003 09:00:00 -0400

The legal systems of Germany and the United States contain detailed rules that regulate the surveillance of telecommunications by domestic law enforcement agencies. An initial question about this surveillance concerns the relative levels of such activity in Germany and the United States. This Article demonstrates, however, that the available statistics do not permit the drawing of conclusions about the relative amount of surveillance in the two countries. Any comparison based on these data sets proves to be illusory - the official statistics in Germany and the U.S. measure different phenomenon.

Despite an absence of a basis for an empirical exploration of relative levels of telecommunications surveillance in Germany and the U.S., it is possible to compare the applicable legal regulations in the two countries. This Article examines both constitutional and statutory regulations. It finds that the U.S. Supreme Court has developed a restrictive vision of the Fourth Amendment that extends its protections only to telecommunications content, but not telecommunications attributes. In contrast, the German Federal Constitutional Court has interpreted Article 10 of the Basic Law, the postwar German constitution, as protecting not only telecommunications content but also telecommunications attributes.

This Article also examines the statutory law that governs telecommunications surveillance in Germany and the U.S. It evaluates six categories: (1) legal protection for telecommunications information; (2) legal protection for connection data; (3) legal protection for stored data; (4) legal requirements for data retention or data erasure; (5) legal protection for contents of telecommunications; and (6) the nature of available remedies. In a final section, this Article examines three possible "X factors," beyond the surveillance regulations expressed in legal regulations, that may affect law enforcement behavior in carrying out telecommunications surveillance in the two countries.

The Gramm-Leach-Bliley Act, Information Privacy, and the Limits of Default Rules

Mon, 30 Sep 2002 09:00:00 -0400

The Gramm-Leach-Bliley Act (GLB Act) of 1999 sought to provide new rules for financial privacy. Only a few years after the GLB Act's enactment, however, it appears to have failed as far as privacy protection is concerned. The Act has pleased neither privacy advocates nor the financial industry. It may, in fact, be a rare legislative feat to have a single statute create so many diverse critics so quickly. This Article examines the GLB Act and its shortcomings through reference to and refinement of theoretical work regarding the law of incomplete contracts. The key scholarship concerns information sharing and "defaults," or background rules, for filling gaps in agreements.

We explore three possible kinds of defaults: majoritarian, information forcing, and norm enforcing. This Article finds that the GLB Act's privacy safeguards are highly problematic as examples of either a majoritarian or information forcing default. The GLB Act also raises difficulties if evaluated as a background rule that seeks to enforce norms. In our judgment, information privacy should be conceptualized as a norm constitutive of a democratic society. The access to personal information and limits on it help form the nature of the society in which we live and shape our individual identities. For example, the structure of access to personal information can have a decisive impact on the extent to which certain actions or expressions of identity are encouraged or discouraged.
Our concept of "constitutive privacy" suggests that information privacy is a kind of commons that requires some degree of social control to construct and preserve. Default rules, when viewed from this normative perspective, should have a limited role in norm enforcement because of the current poor functioning of the privacy market between consumers and financial institutions. In particular, the presence of bounded rationality along with coordination problems makes default rules a risky choice in this context of information privacy. Under such conditions, the law should generally seek to minimize harms that flow from reliance on bargaining among consumers and data processors.

In this Article's final section, we explore ways in which to make the GLB Act's mandatory rules more flexible, and we propose possible revisions to the existing "notice and opt-out" default in the GLB Act. Finally, we revisit the GLB Act's opt-out requirement. We propose to improve upon this requirement by using social science research concerning the power of "frames." We also discuss the possible merits of a shift to an opt-in requirement.

Voting Technology and Democracy

Thu, 26 Sep 2002 09:00:00 -0400

Voting Technology and Democracy, 77 N.Y.U. L. Rev. 625 (2002), examines a phenomenon that I term the "voting-technology divide." The "divide" was caused by the deployment of election technology in November 2000 with better and worse levels of feedback to voters. Through an analysis of data from the contested Florida election of November 2000, this article demonstrates the critical importance of feedback in informing voters whether the technology they use to vote will validate their ballots according to their intent -- an advantage I find to have been distributed on unequal terms.

In this article, I also examine the various judicial opinions in the litigation following the Florida election and argue that they differed most dramatically in their embrace of competing epistemologies of technology. Finally, I evaluate the ongoing efforts to reform the unequal distribution of voting technology in the United States. Some efforts at litigation and legislation have promise, but in many instances they are stalled, and in many others they exhibit shortcomings that would leave the "voting technology divide" in place for future elections.

Vote.com and Internet Politics: A Comment on Dick Morris' Vision of Internet Democracy

Fri, 14 Dec 2001 09:00:00 -0400

A much sought-after political advisor, Dick Morris is also a successful Internet entrepreneur. His popular Web site "vote.com" sponsors informal polls on political issues and hosts discussion of nonpolitical topics such as travel, technology, business, and sports. In Direct Democracy and the Internet, Dick Morris assumes yet another role, that of Internet prophet. His provocative essay demonstrates, however, that even the most politically astute observer faces difficulties in predicting the Internet's impact on the future of American politics. In his essay, as well as in his recently published book vote.com, Morris portrays a dramatically improved post-Internet political landscape, which he develops in three predictions. First, Morris forecasts cheaper elections due to the Internet's influence. Second, he argues that the move of the electoral franchise online will encourage greater voter participation. Third, Morris believes that the general movement of politics from television to the Internet will stimulate an evolution of our system of governance to a more direct form of democracy.

In this essay, I examine each of Morris' three predictions in turn and find them contestable. Like Morris, however, I am unable to resist the role of cyberspace seer and throughout this paper speculate on the Internet's likely impact on democratic self-rule in the United States. My conclusions are generally pessimistic. I am skeptical that political use of the Internet in the United States will stimulate cheaper elections or lead to broader-based voter participation. As a normative matter, moreover, I am doubtful as to the glories of greater direct democracy through use of Internet referenda. Finally, I identify one additional point for pessimism, the impact of Internet politics on information privacy. Yet, the Internet, like our political system, is malleable. The question for the future is how we might shape cyberspace and the political process on it to avoid negative and encourage positive results from any move to online politics.

Beyond Lessig's Code for Internet Privacy: Cyberspace Filters, Privacy Control and Fair Information Practices

Mon, 15 Jan 2001 09:00:00 -0400

In Code, the most influential book yet written about law and cyberspace, Lawrence Lessig makes an intriguing proposal for shaping privacy on the Internet: (1) the legal assignment to every individual of a property interest in her own personal information, and (2) the employment of software transmission protocols, such as P3P, to permit the individual to structure her access to Web sites. In "Beyond Lessig's Code for Internet Privacy: Cyberspace Filters, Privacy Control, and Fair Information Practices," 2000 Wisc. L. Rev. 743, I respond to this approach with a number of criticisms and a competing proposal.

My initial criticism of Lessig's proposal for privacy concerns how it contradicts his stand against PICs, a software transmission protocol for filtering Internet content reminiscent of P3P. Once we place privacy in a social context, moreover, P3P seems far less attractive an option. In place of Lessig's underlying paradigm, which seeks to increase personal control of data. I develop a concept of constitutive privacy. In my view, information privacy is a constitutive value that safeguards participation and association in a free society. Rather than simply seeking to allow more and more individual control of personal data, we should view the normative function of information privacy as inhering in its relation to participatory democracy and individual self-determination.

A privacy market can play a role in helping information privacy fulfill this constitutive function. Yet, Lessig's propertization of privacy raises a further set of difficulties. In my view, propertization a la Lessig will only heighten flaws in the current market for personal data. This consequence follows from numerous shortcomings in this market and structural difficulties that indicate the unlikelihood of a self-correction in it. Moreover, in revisiting Calabresi and Melamed's work regarding the comparative merits of property and liability regimes, I find that a mixed regime is to be preferred for Internet privacy over Lessig's property regime.

Part III of this Article turns from criticism to prescription and develops the mixture of property and liability rules necessary for establishment of information privacy standards in cyberspace. It proposes recourse to Fair Information Practices (FIPs) to establish rules for the fair treatment of personal data on the Internet. Yet, FIPs are not without potential shortcomings if structured only as command-and-control rules. My suggestion therefore is that an American Internet privacy law consisting of FIPs should include both mandatory and default elements.

Free Speech vs. Information Privacy: Eugene Volokh's First Amendment Jurisprudence

Mon, 15 Jan 2001 09:00:00 -0400

Free Speech versus Informational Privacy, 52 Stanford Law Review 1559 (2000), discusses and critiques Eugene Volokh's recent article, Freedom of Speech and Information Privacy, 52 Stanford Law Review 1049 (2000). In his article, Volokh contends that the government's safeguarding of information privacy endangers a wide range of speech unrelated to personal data. In response, I propose that a democratic society depends on realms of communication beyond that of public discourse. The difficulty is that the American law of freedom of expression is underdeveloped concerning checks on communication in the name of personal privacy. As a result, the challenge is to demonstrate that information privacy is an integral part of the mission of free speech and not its enemy. This comment argues that information privacy has an important role in protecting individual self-determination and democratic deliberation. Attention to these issues by the legal order is essential to the health of a democracy, which ultimately depends on individual communicative competence.

Internet Privacy and the State

Mon, 31 Jul 2000 09:00:00 -0400

In Internet Privacy and the State, Professor Paul M. Schwartz argues that the dominant rhetoric concerning the use of personal data in cyberspace slights the State's important role in shaping both a privacy market and privacy norms. This Article reaches this conclusion in three steps. In Part I, it first identifies critical shortcomings in the leading paradigm of information privacy, which conceives of privacy as a personal right to control the use of one's data.

After discussing and rejecting this model of "privacy-control," the Article in its Part II elaborates information privacy as a constitutive value that helps both to form the society in which we live and to shape our individual identities. This model of "constitutive privacy" indicates that information privacy is necessary to place limits on the power of the state and community alike. Properly devised, information privacy serves to prevent mission-creep by over-zealous norm entrepreneurs in the public and private sectors.

Finally, Internet Privacy and the State in its Part III examines how the State can improve the functioning of a privacy market and play a positive role in the development of privacy norms. Regarding the privacy market, the State's first two steps should be to: (1) discourage a default of maximum information disclosure, and (2) encourage a market for privacy-enhancing technology. To overcome more general failings in privacy market efficiency, the State should also: (3) reduce information asymmetries, and (4) seek ways to overcome collective action problems. Regarding privacy norms, the State should: (1) encourage norm circumvention by facilitating attempts to bargain around objectionable norms, (2) provide incentives to groups to modify certain kinds of behavior, and (3) help construct positive bandwagon effects.

Privacy and Democracy in Cyberspace

Fri, 11 Feb 2000 09:00:00 -0400

In this Article, Professor Schwartz depicts the widespread, silent collection of personal information in cyberspace. At present, it is impossible to know the fate of the personal data that one generates online. Professor Schwartz argues that this state of affairs degrades the health of a deliberative democracy; it cloaks in dark uncertainty the transmutation of Internet activity into personal information that will follow one into other areas and discourage civic participation. This situation also will have a negative impact on individual self-determination by deterring individuals from engaging in the necessary thinking out loud and deliberation with others upon which choice-making depends.

In place of the existing privacy horror show on the Internet, Professor Schwartz seeks to develop multidimensional rules that set out fair information practices for personal data in cyberspace. The necessary rules must establish four requirements: (1) defined obligations that limit the use of personal data; (2) transparent processing systems; (3) limited procedural and substantive rights; and (4) external oversight. Neither the market nor industry self-regulation are likely, however, to put these four practices in place. Under current conditions, a failure exists in the "privacy market." Moreover, despite the Clinton Administration's endorsement of industry self-regulation, this method is an unlikely candidate for success. Industry self-regulation of privacy is a negotiation about "the rules of play" for the use of personal data. In deciding on these rules, industry is likely to be most interested in protecting its stream of revenues. Therefore, it will benefit if it develops norms that preserve the current status quo of maximum information disclosure.

This Article advocates a legislative enactment of the four fair information practices. This legal expression of privacy norms is the best first step in promoting democratic deliberation and individual self-determination in cyberspace. It will further the attainment of cyberspace's potential as a new realm for collaboration in political and personal activities. Enactment of such a federal law would be a decisive move to shape technology so it will further--and not harm--democratic self-governance.

Privacy and the Economics of Health Care Information

Mon, 23 Mar 1998 09:00:00 -0400

Genetic science permits, to a previously unimaginable degree, predictions as to the illnesses that a person might confront in the future. At the same time, information technology permits greater transmission, sharing, and storage of personal health care data at ever lower costs on a national and even international basis. Electronic health care records are becoming commonplace in the health care industry. The combination of easy electronic dissemination of highly sensitive data, such as personal genetic information, and use of these data to predict future health risks has already caused significant harm. The critical issue is how the law should structure the use of personal medical data by government and private enterprise alike. Privacy and the Economics of Personal Health Care Information proposes that a strong economic argument can be made in favor of information privacy. In the current marketplace for health care and employment-- and any such markets that we are likely to have in the future-- an economically efficient regulation for health care information requires rules that are tied to and follow these data through various uses. Once identifiable health care information is created, it should remain protected health information that is subject to fair information practices. These norms should take the form of multidimensional standards that create both background terms around which parties can negotiate and a smaller set of mandatory rules that will be binding. Such standards seek both to minimize the costs of contracting in the privacy marketplace and to force the party with superior knowledge about the use of personal information to disgorge it. This Article also develops the essential fair information practices that should be implemented in a federal health care privacy statute.