Feedback to SSRN (Beta)
What type of feedback would you like to send?
Abstract: The U.S. Constitution has been largely ignored in the recent flurry of privacy laws and regulations designed to protect personal information from incursion by the private sector, despite the fact that many of these enactments and efforts to enforce them significantly implicate the First Amendment. Questions about the role of the Constitution have assumed new importance in the aftermath of the September 11 terrorist attacks on the World Trade Center and the Pentagon. Efforts to identify and bring to justice the perpetrators and to protect against future terrorist attacks, while threatening to weaken constitutional protections against government intrusions into personal privacy, demonstrate vividly the value of information collected in the marketplace and the need for such information in the future. While there is some suggestion that the First Amendment may be a source of privacy rights applicable to the collection and use of personal information by the private sector, it is clear that the First Amendment restrains the power of the government to enact and enforce privacy laws that curtail expression. The precise extent of that restraint depends on a number of factors, not all of which have been clearly resolved by the Supreme Court. But, as the events of September 11 starkly remind us, the price of privacy may be very high indeed. Legislators, regulators, and prosecutors who ignore the First Amendment when considering privacy laws do so at their - and our - peril.
Abstract: Among the wide variety of national and multinational legal regimes for protecting privacy, two dominant models have emerged, reflecting two very different approaches to the control of information. The European Union has enacted a sweeping data protection directive that imposes significant restrictions on most data collection, processing, dissemination, and storage activities, not only within Europe, but throughout the world if the data originates in a member state. The United States has taken a very different approach that extensively regulates government processing of data, while facilitating private, market-based initiatives to address private sector data processing. Under the EU data protection directive, information privacy is a basic human right; the failure of the U.S. legal system to treat it as such offends European values and has led the EU to threaten to suspend information flows to the United States. This threat is understandable in light of the directive's treatment of privacy as a human right, and necessary if the privacy of European nationals is to be protected effectively in a global information economy. In the United States, however, the government is constitutionally prohibited under the First Amendment from interfering with the flow of information, except in the most compelling circumstances. The EU data protection directive is plainly contrary to that constitutional maxim, and the suggestion that the directive should be extended to the United States exacerbates that conflict, as well as threatens U.S. leadership in information technologies and services. This Article examines the expanding conflict and emerging compromises between the European Union and the United States over data protection. After describing each of the legal regimes and the principles that undergird them, the article concludes by addressing the conflict between those principles, current political efforts to minimize that conflict, and the inadequacies of both systems in the context of the Internet.
data protection, privacy, European Union, international trade
Abstract: The article examines the government's growing appetite for collecting personal data. Often justified on the basis of protecting national security, government data mining programs sweep up data collected through hundreds of regulatory and administrative programs, and combine them with huge datasets obtained from industry. The result is an aggregation of personal data - the "digital footprints" of individual lives - never before seen. These data warehouses are then used to determine who can work and participate in Social Security programs, who can board airplanes and enter government buildings, and who is likely to pose a threat in the future, even though they have done nothing wrong to date.
The article describes the extraordinary volume and variety of personal data to which the government has routine access, directly and through industry, and examines the absence of any meaningful limits on that access. So-called privacy statutes are often so outdated and inadequate that they fail to limit the government's access to our most personal data, or they have been amended in the post-9/11 world to reduce those limits. And the Fourth Amendment, the primary constitutional guarantee of individual privacy, has been interpreted by the Supreme Court to not apply to routine data collection, accessing data from third parties, or sharing data, even if illegally gathered.
The result is not only that individual privacy goes unprotected, but that national security is compromised because it is increasingly based on data mining initiatives that are untested, ill focused, and rely on inaccurate or incomplete data. These shortcomings, and the urgent need for Congress to act to address them, have been widely recognized by numerous public and private commissions, but largely ignored by members of Congress - republicans and democrats alike. The article concludes that there is wide agreement about both the need to restore some limits on the government's use of personal data and the form that those limits should take. The problem is the unwillingness - or inability - of Congress to act.
privacy, data protection, national security, data mining, Fourth Amendment
Abstract: The definition of privacy developed by Brandeis and Warren and Prosser, and effectively codified by Alan Westin in 1967 - the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others - worked well in a world in which most privacy concerns involved physical intrusions (usually by the government) or public disclosures (usually by the media), which, by their very nature, were comparatively rare and usually discovered. But that definition's exclusive focus on individual control has grown incomplete in a world in which most privacy concerns involve data which we inevitably generate in torrents as go through our lives in an increasingly computerized, networked environment, and which can be collected and used by virtually anyone, usually without us knowing anything about it. Few of us have the awareness and expertise to consider trying to control all of the data we generate, few of us have the time or, frankly, even the incentive to attempt to do so, and the sheer volume of data, variety of sites where they are collected and used, and economic incentive for doing so would make the attempt laughably futile. This is not to suggest that individual control should not be part of our understanding of privacy, but rather that it can no longer reasonably be considered the only part. This article identifies principles that should undergird the government's efforts to protect privacy and craft privacy norms, and then contrast the application of those principles in particular settings identified by Professor Paul Schwartz in his article Internet Privacy and the State.
data protection, privacy, Internet
Abstract: Government data mining is widespread and expanding. A 2004 report by the General Accounting Office found 42 federal departments - including every cabinet-level agency that responded to the GAO's survey - engaged in, or were planning to engage in, 122 data mining efforts involving personal information. Thirty-six of those involve accessing data from the private sector; 46 involve sharing data among federal agencies. These programs present vexing legal and policy issues about the government's access to, and use of, personal information, especially when that information is obtained from the private sector or another government agency or when it concerns individuals who have done nothing to warrant suspicion. Surprisingly, many of these issues have not yet been addressed by statutes or judicial decisions, or the applicable law is uncertain or unclear. This paper examines the technological and geopolitical factors that have raised - and complicated - this question, and helped to render existing law inadequate. It describes that law and the legal and other issues posed by data mining, but not resolved by existing law. The paper includes a summary of the recommendations of the DOD Technology and Privacy Advisory Committee - the most recent word on the subject - which are currently under consideration by Congress and the Secretary of Defense.
data mining, national security, privacy, Fourth Amendment
Abstract: Modern data protection law is built on "fair information practice principles." At their inception in the 1970s and early 1980s, FIPPS were broad, aspirational, and included a blend of substantive (e.g., data quality, use limitation) and procedural (e.g., consent, access) principles. They reflected a wide consensus about the need for broad standards to facilitate both individual privacy and the promise of information flows in an increasingly technology-dependent, global society. As translated into national law in the United States, Europe, and elsewhere during the 1990s and 2000s, however, FIPPS have increasingly been reduced to narrow, legalistic principles (e.g., notice, choice, access, security, and enforcement). These principles reflect a procedural approach to maximizing individual control over data rather than individual or societal welfare. As theoretically appealing as this approach may be, it has proven unsuccessful in practice. Businesses and other data users are burdened with legal obligations while individuals endure an onslaught of notices and opportunities for often limited choice. Notices are frequently meaningless because individuals do not see them or choose to ignore them, they are written in either vague or overly technical language, or they present no meaningful opportunity for individual choice. Trying to enforce notices no one reads has led in the United States to the Federal Trade Commission's tortured legal logic that such notices create enforceable legal obligations, even if they were not read or relied upon as part of the deal. Moreover, choice is often an annoyance or even a disservice to individuals. In addition, many services cannot be offered subject to individual choice. Requiring choice may be contrary to other activities important to society, such as national security or law enforcement, or to other values, such as freedom of communication. Enforcement of notice, choice, and the other FIPPS is uneven at best. Situations likely to threaten greatest harm are often subject to the least oversight, while innocuous or technical violations of FIPPS may be prosecuted vigorously if they are the subject of a specific law or obligation and they can be used to generate popular or political pressure. In short, the control-based system of data protection, with its reliance on narrow, procedural FIPPS, is not working. The available evidence suggests that privacy is not better protected. The flurry of notices may give individuals some illusion of enhanced privacy, but the reality is far different. The result is the worst of all worlds: privacy protection is not enhanced, individuals and businesses pay the cost of bureaucratic laws, and we have become so enamored with notice and choice that we have failed to develop better alternatives. The situation only grows worse as more states and nations develop inconsistent data protection laws with which they attempt to regulate increasingly global information flows. This paper reflects a modest first step at articulating an approach to privacy laws that does not reject notice and choice, but does not seek to rely on it for all purposes. Drawing on other forms of consumer protection, in which standards of protection are not negotiable between providers and consumers, I propose that national governments stop subjecting vast flows of personal data to restraints based on individual preferences or otherwise imposing the considerable transaction costs of the current approach. Instead, the paper proposes that lawmakers reclaim the original broader concept of FIPPS by adhering to Consumer Privacy Protection Principles (CPPPS) that include substantive restrictions on data processing designed to prevent specific harms. The CPPPS framework is only a first step. It is neither complete nor perfect, but it is an effort to return to a more meaningful dialogue about the legal regulation of privacy and the value of information flows in the face of explosive growth in technological capabilities in an increasingly interconnected, global society.
privacy, data protection, fair information practice principles
Abstract: U.S. privacy laws are increasingly moving from a presumption that consumers must object to ("opt out" of) uses of personal data they wish to prohibit to a requirement that they must explicitly consent ("opt in") to uses they wish to permit. Despite the growing reliance on opt-in rules, there has been little empirical research on their costs. This Article examines the impact of opt-in on MBNA Corporation, a diversified, multinational financial institution. The authors demonstrate that opt-in would raise account acquisition costs and lower profits, reduce the supply of credit and raise credit card prices, generate more offers to uninterested or unqualified consumers, raise the number of missed opportunities of qualified consumers, and impair efforts to prevent fraud. These costs would be incurred despite the fact that as of the end of 2000, only about two percent of MBNA's customers had taken advantage of existing voluntary opportunities to opt out of receiving MBNA's direct mail marketing offers. If Congress were to adopt opt-in laws applicable to financial information, the impact across the economy on consumers and businesses would be significant.
data protection, privacy, credit, Gramm-Leach-Bliley
Abstract: This article explores the differences in privacy protection between the European Union and the United States, and examines the emerging conflict over data protection. Professor Cate analyzes the European data protection Directive, with particular emphasis on the Directive's extraterritorial provisions. He then examines privacy protection under United States laws and the extent to which that protection satisfies the requirements of the Directive. Finally, Professor Cate focuses on privacy issues involved in telecommunications, an area significantly regulated by United States and European laws, and therefore one area in which some commonality among privacy protection might be anticipated. Even in this highly regulated area, Professor Cate concludes, United States privacy protection for telecommunications-related information fails to meet the standard required by the Directive. However, he argues, the most effective protections for privacy are not legal regulations, but rather individual responsibility, limited governmental oversight, and competition among telecommunication service providers.
data protection, privacy, telecommunications
Abstract: Both statutory and case law clearly recognize the constitutional interest in promoting, not restricting, expression. Digital technologies, however, are rapidly changing the application of copyright law to prohibit access, protect ideas and facts, and dramatically expand the monopoly granted to copyright holders. Whether on a disk or network, digital expression cannot be accessed without being copied into computer memory, as well as onto a hard drive, floppy disk, or magnetic tape if it is to be retained after the computer is switched off. This necessarily violates the exclusive right to reproduce that copyright law grants to copyright holders. Moreover, to read or otherwise view digital expression on a computer screen, or to listen to it through computer speakers, the digital work must be "displayed" or "performed," within the meaning of copyright law. If that digital expression was downloaded from a computer network, the display or performance is "public" and violates the copyright holder's exclusive rights to publicly display and perform her copyrighted work. In short, the very nature of the new technological environment causes current copyright law to protect facts and ideas, not merely expression. The law restricts subsequent use of those facts and ideas without the copyright holder's permission by forbidding access altogether. The technology is turning the law on its head. Rather than acting to counteract this technological transformation, federal regulators are seeking to codify it into law. This article examines the technological transformation of copyright law and recommends a renewed focus on the constitutional mandate to tailor the monopoly conveyed by copyright law to the incentive necessary for creation and dissemination. In the digital information context, this would require amending or interpreting the law to prevent its use as a barrier to public access to information and to return it to its constitutional origins.
copyright, Internet, technology
Abstract: What the First Amendment status of electronic information should be is a fundamental question which must be addressed in any attempt to arrive at appropriate legal standards to protect the multifarious interests of the users of cyberspace. Yet, despite its importance, the First Amendment has largely been ignored in the debate surrounding what sort of legal framework should control the emerging National Information Infrastructure. Professor Cate surveys the current terrain of First Amendment jurisprudence and describes the different analytical approaches which may be taken. Doctrinal anomalies such as the law of common carriage indicate that at times the courts have reduced the scope of First Amendment protection in the face of new technologies. However, the rationales behind applying diminished protection do not carry force in the electronic context, especially when other controls such as antitrust doctrine are available. There is no reason not to confer full First Amendment protection on speech conveyed by cyberspace.
First Amendment, Internet, National Information Infrastructure
© 2009 Social Science Electronic Publishing, Inc. All Rights Reserved. Terms of Use Privacy Policy This page was served by apollo3 in 0.094 seconds.
