Privacy Law Commons^™

Who Owns Data? Constitutional Division In Cyberspace, Dongsheng Zang

Articles

Privacy emerged as a concern as soon as the internet became commercial. In early 1995, Lawrence Lessig warned that the internet, though giving us extraordinary potential, was “not designed to protect individuals against this extraordinary potential for others to abuse.” The same technology can “destroy the very essence of what now defines individuality.” Lessig urged that “a constitutional balance will have to be drawn between these increasingly important interests in privacy, and the competing interest in collective security.” Lessig envisioned that creating property rights in data would help individuals by giving them control of their data. As utopian as property …

Layered Fiduciaries In The Information Age, Zhaoyi Li

Articles

Technology companies such as Facebook have long been criticized for abusing customers’ personal information and monetizing user data in a manner contrary to customer expectations. Some commentators suggest fiduciary law could be used to restrict how these companies use their customers’ data. Under this framework, a new member of the fiduciary family called the “information fiduciary” was born. The concept of an information fiduciary is that a company providing network services to “collect, analyze, use, sell, and distribute personal information” owes customers and end-users a fiduciary duty to use the collected data to promote their interests, thereby assuming fiduciary liability …

The Fourth Amendment's Constitutional Home, Gerald S. Dickinson

Articles

The home enjoys omnipresent status in American constitutional law. The Bill of Rights, peculiarly, has served as the central refuge for special protections to the home. This constitutional sanctuary has elicited an intriguing textual and doctrinal puzzle. A distinct thread has emerged that runs through the first five amendments delineating the home as a zone where rights emanating from speech, smut, gods, guns, soldiers, searches, sex, and self-incrimination enjoy special protections. However, the thread inexplicably unravels upon arriving at takings. There, the constitutional text omits and the Supreme Court’s doctrine excludes a special zone of safeguards to the home. This …

Privacy And National Politics: Fingerprint And Dna Litigation In Japan And The United States Compared, Dongsheng Zang

Articles

Drawing cases from two related areas of law-fingerprint and DNA (deoxyribonucleic acid) data-this Article proposes a modified framework, built on the Balkin-Levinson emphasis on national politics: First, national politics understood as partisan rivalry cannot account for what I call doctrinal lock-in in this Article, where I will demonstrate that in different stages of American politics-the Lochner era, the New Deal era, and Civil Rights era-courts across the nation ruled predominantly in favor of public data collectors-state and federal law enforcement in fingerprint cases. From the 1990s, when DNA data became hot targets of law enforcement, the United States Supreme Court …

Unprecedented Precedent And Original Originalism: How The Supreme Court’S Decision In Dobbs Threatens Privacy And Free Speech Rights, Leonard Niehoff

Articles

The U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization has drawn considerable attention because of its reversal of Roe v. Wade and its rejection of a woman’s constitutional right to terminate her pregnancy. The Dobbs majority, and some of the concurring opinions, emphasized that the ruling was a narrow one. Nevertheless, there are reasons to think the influence of Dobbs may extend far beyond the specific constitutional issue the case addresses.

This article explains why Dobbs could have significant and unanticipated implications for the law of privacy and the law of free expression. I argue that two …

Why Govern Broken Tools?, Ryan Calo

Articles

In Assessing the Governance of Digital Contact Tracing in Response to COVID-19: Results of a Multi-National Study, Brian Hutler et al. ably compare two approaches to the governance of digital contract tracing (DCT). In this brief essay, I want to examine to what extent governance actually played a meaningful role in the failure of DCT. If DCT failed primarily for other reasons, then the authors’ normative suggestion to pursue “a new governance approach … for designing and implementing DCT technology going forward” may be misplaced.

The Privacy Paradox By Proxy: Considering Predictors Of Sharenting, Niamh Ní Bhroin, Thuy Dinh, Kira Thiel, Elisabeth Staksrud, Kjartan Ólafsson

Articles

Despite being worried that children may compromise their privacy by disclosing too much personal data online, many parents paradoxically share pictures and information about their children themselves, a practice called sharenting. In this article we utilise data from the EU Kids Online survey to investigate this paradox. We examine both how individual charac‐ teristics such as demographics and digital skills, and relational factors, including parental mediation styles, concerns about children’s privacy, and communication between parents and children influence sharenting practices. Counter‐intuitively, our findings show that parents with higher levels of digital skills are more likely to engage in sharenting. Furthermore, …

The Hidden Harms Of Privacy Penalties, Mary D. Fan

Articles

How to frame privacy penalties to protect our personal information is an important question as demands for legislation and proposals proliferate. The predominant assumption in calls for a comprehensive consumer privacy regime is that regulation and penalties arm the consumer David against Goliath businesses. Missing in the focus on powerful companies is attention to the potential harms of expanding privacy penalties for small-fry individuals and entities, especially from disfavored or marginalized groups. This article is the first to illuminate the regressive risks of privacy penalties, showing how broad privacy penalties can become tools for harassment of small businesses and individuals …

Self-Control Of Personal Data And The Constitution In East Asia, Dongsheng Zang

Articles

No abstract provided.

Problematic Interactions Between Ai And Health Privacy, W. Nicholson Price Ii

Articles

Problematic Interactions Between AI and Health Privacy Nicholson Price, University of Michigan Law SchoolFollow Abstract The interaction of artificial intelligence (AI) and health privacy is a two-way street. Both directions are problematic. This Essay makes two main points. First, the advent of artificial intelligence weakens the legal protections for health privacy by rendering deidentification less reliable and by inferring health information from unprotected data sources. Second, the legal rules that protect health privacy nonetheless detrimentally impact the development of AI used in the health system by introducing multiple sources of bias: collection and sharing of data by a small set …

The Right To Benefit From Big Data As A Public Resource, Mary D. Fan

Articles

The information that we reveal from interactions online and with electronic devices has massive value—for both private profit and public benefit, such as improving health, safety, and even commute times. Who owns the lucrative big data that we generate through the everyday necessity of interacting with technology? Calls for legal regulation regarding how companies use our data have spurred laws and proposals framed by the predominant lens of individual privacy and the right to control and delete data about oneself. By focusing on individual control over droplets of personal data, the major consumer privacy regimes overlook the important question of …

Pandemic Surveillance Discrimination, Christian Sundquist

Articles

The COVID-19 pandemic has laid bare the abiding tension between surveillance and privacy. Public health epidemiology has long utilized a variety of surveillance methods—such as contact tracing, quarantines, and mandatory reporting laws—to control the spread of disease during past epidemics and pandemics. Officials have typically justified the resulting intrusions on privacy as necessary for the greater public good by helping to stave off larger health crisis. The nature and scope of public health surveillance in the battle against COVID-19, however, has significantly changed with the advent of new technologies. Digital surveillance tools, often embedded in wearable technology, have greatly increased …

Location Tracking And Digital Data: Can Carpenter Build A Stable Privacy Doctrine?, Evan H. Caminker

Articles

In Carpenter v United States, the Supreme Court struggled to modernize twentieth-century search and seizure precedents for the “Cyber Age.” Twice previously this decade the Court had tweaked Fourth Amendment doctrine to keep pace with advancing technology, requiring a search warrant before the government can either peruse the contents of a cell phone seized incident to arrest or use a GPS tracker to follow a car’s long-term movements.

Privacy In The Age Of Medical Big Data, W. Nicholson Price Ii, I. Glenn Cohen

Articles

Big data has become the ubiquitous watch word of medical innovation. The rapid development of machine-learning techniques and artificial intelligence in particular has promised to revolutionize medical practice from the allocation of resources to the diagnosis of complex diseases. But with big data comes big risks and challenges, among them significant questions about patient privacy. Here, we outline the legal and ethical challenges big data brings to patient privacy. We discuss, among other topics, how best to conceive of health privacy; the importance of equity, consent, and patient governance in data collection; discrimination in data uses; and how to handle …

Shadow Health Records Meet New Data Privacy Laws, W. Nicholson Price Ii, Margot E. Kaminski, Timo Minssen, Kayte Spector-Bagdady

Articles

Large sets of health data can enable innovation and quality measurement but can also create technical challenges and privacy risks. When entities such as health plans and health care providers handle personal health information, they are often subject to data privacy regulation. But amid a flood of new forms of health data, some third parties have figured out ways to avoid some data privacy laws, developing what we call “shadow health records”—collections of health data outside the health system that provide detailed pictures of individual health—that allow both innovative research and commercial targeting despite data privacy rules. Now that space …

Privacy Law's Indeterminacy, Ryan Calo

Articles

American legal realism numbers among the most important theoretical contributions of legal academia to date. Given the movement’s influence, as well as the common centrality of certain key figures, it is surprising that privacy scholarship in the United States has paid next to no attention to the movement. This inattention is unfortunate for several reasons, including that privacy law furnishes rich examples of the indeterminacy thesis—a key concept of American legal realism—and because the interdisciplinary efforts of privacy scholars to explore extra-legal influences on privacy law arguably further the plot of legal realism itself

A Long-Standing Debate: Reflections On Risk And Anxiety: A Theory Of Data Breach Harms By Daniel Solove And Danielle Keats Citron, Ryan Calo

Articles

This jointly-authored Article contributes mightily to our understanding of a critical aspect of privacy: harm. As Professors Solove and Citron carefully evidence, courts are reticent to countenance the harms that flow from a violation of privacy, even as they compensate similar harms in other contexts. Thus while exposing a plaintiff to an environmental or health risk may be compensable, few decisions vindicate victims of a data breach unless or until they experience actual identity theft. Courts have recognized subjective harms such as fear since the night W de S threw his fateful axe at M de S. But courts seldom …

Risk And Resilience In Health Data Infrastructure, W. Nicholson Price Ii

Articles

Today’s health system runs on data. However, for a system that generates and requires so much data, the health care system is surprisingly bad at maintaining, connecting, and using those data. In the easy cases of coordinated care and stationary patients, the system works—sometimes. But when care is fragmented, fragmented data often result. Fragmented data create risks both to individual patients and to the system. For patients, fragmentation creates risks in care based on incomplete or incorrect information, and may also lead to privacy risks from a patched together system. For the system, data fragmentation hinders efforts to improve efficiency …

The Eeoc, The Ada, And Workplace Wellness Programs, Samuel R. Bagenstos

Articles

It seems that everybody loves workplace wellness programs. The Chamber of Commerce has firmly endorsed those progarms, as have other business groups. So has President Obama, and even liberal firebrands like former Senator Tom Harkin. And why not? After all, what's not to like about programs that encourage people to adopt healthy habits like exercise, nutritious eating, and quitting smoking? The proponents of these programs speak passionately, and with evident good intentions, about reducing the crushing burden that chronic disease places on individuals, families, communities, and the economy as a whole. What's not to like? Plenty. Workplace wellness programs are …

Ancient Worries And Modern Fears: Different Roots And Common Effects Of U.S. And Eu Privacy Regulation, David Thaw, Pierluigi Perri

Articles

Much legal and technical scholarship discusses the differing views of the United States and European Union toward privacy concepts and regulation. A substantial amount of effort in recent years, in both research and policy, focuses on attempting to reconcile these viewpoints searching for a common framework with a common level of protection for citizens from both sides of Atlantic. Reconciliation, we argue, misunderstands the nature of the challenge facing effective cross-border data flows. No such reconciliation can occur without abdication of some sovereign authority of nations, that would require the adoption of an international agreement with typical tools of international …

Lessons Learned Too Well: Anonymity In A Time Of Surveillance, A. Michael Froomkin

Articles

It is no longer reasonable to assume that electronic communications can be kept private from governments or private-sector actors. In theory, encryption can protect the content of such communications, and anonymity can protect the communicator's identity. But online anonymity-one of the two most important tools that protect online communicative freedom-is under practical and legal attack all over the world. Choke-point regulation, online identification requirements, and data-retention regulations combine to make anonymity very difficult as a practical matter and, in many countries, illegal. Moreover, key internet intermediaries further stifle anonymity by requiring users to disclose their real names.

This Article traces …

"Revenge Porn" Reform: A View From The Front Lines, Mary Anne Franks

Articles

The legal and social landscape of "revenge porn" has changed dramatically in the last few years. Before 2013, only three states criminalized the unauthorized disclosure of sexually explicit images of adults and few people had ever heard the ternm "revenge porn." As of July 2017, thirty-eight states and Washington, D.C. had criminalized the conduct; federal criminal legislation on the issue had been introduced in Congress; Google, Facebook, and Twitter had banned nonconsensual pornography from their platforms; and the term "revenge porn" had been added to the Merriam- Webster Dictionary. I have had the privilege of playing a role in many …

Cybersecurity Stovepiping, David Thaw

Articles

Most readers of this Article probably have encountered – and been frustrated by – password complexity requirements. Such requirements have become a mainstream part of contemporary culture: "the more complex your password is, the more secure you are, right?" So the cybersecurity experts tell us… and policymakers have accepted this "expertise" and even adopted such requirements into law and regulation.

This Article asks two questions. First, do complex passwords actually achieve the goals many experts claim? Does using the password "Tr0ub4dor&3" or the passphrase "correcthorsebatterystaple" actually protect your account? Second, if not, then why did such requirements become so widespread? …

Democratic Surveillance, Mary Anne Franks

Articles

No abstract provided.

Privacy, Vulnerability, And Affordance, Ryan Calo

Articles

This essay begins to unpack the complex, sometimes contradictory relationship between privacy and vulnerability. I begin by exploring how the law conceives of vulnerability — essentially, as a binary status meriting special consideration where present. Recent literature recognizes vulnerability not as a status but as a state — a dynamic and manipulable condition that everyone experiences to different degrees and at different times. I then discuss various ways in which vulnerability and privacy intersect. I introduce an analytic distinction between vulnerability rendering, i.e., making a person more vulnerable, and the exploitation of vulnerability whether manufactured or native. I also describe …

U.S. Discovery And Foreign Blocking Statutes, Vivian Grosswald Curran

Articles

What is the reality between U.S. discovery and the foreign blocking statutes that impede it in France and other civil law states? How should we understand their interface at a time when companies are multinational in composition as well as in their areas of commerce? U.S. courts grapple with the challenge of understanding why they should adhere to strictures that seem to compromise constitutional or quasi-constitutional rights of American plaintiffs, while French and German lawyers and judges struggle with the challenges U.S. discovery poses to values of privacy and fair trial procedure in their legal systems. This article seeks to …

Riley V. California And The Beginning Of The End For The Third-Party Search Doctrine, David A. Harris

Articles

In Riley v. California, the Supreme Court decided that when police officers seize a smart phone, they may not search through its contents -- the data found by looking into the call records, calendars, pictures and so forth in the phone -- without a warrant. In the course of the decision, the Court said that the rule applied not just to data that was physically stored on the device, but also to data stored "in the cloud" -- in remote sites -- but accessed through the device. This piece of the decision may, at last, allow a re-examination of …

Authority And Authors And Codes, Michael J. Madison

Articles

Contests over the meaning and application of the federal Computer Fraud and Abuse Act (“CFAA”) expose long-standing, complex questions about the sources and impacts of the concept of authority in law and culture. Accessing a computer network “without authorization” and by “exceeding authorized access” is forbidden by the CFAA. Courts are divided in their interpretation of this language in the statute. This Article first proposes to address the issue with an insight from social science research. Neither criminal nor civil liability under the CFAA should attach unless the alleged violator has transgressed some border or boundary that is rendered visible …

Intelligence Legalism And The National Security Agency’S Civil Liberties Gap, Margo Schlanger

Articles

Since June 2013, we have seen unprecedented security breaches and disclosures relating to American electronic surveillance. The nearly daily drip, and occasional gush, of once-secret policy and operational information makes it possible to analyze and understand National Security Agency activities, including the organizations and processes inside and outside the NSA that are supposed to safeguard American’s civil liberties as the agency goes about its intelligence gathering business. Some have suggested that what we have learned is that the NSA is running wild, lawlessly flouting legal constraints on its behavior. This assessment is unfair. In fact, the picture that emerges from …

Regulating Mass Surveillance As Privacy Pollution: Learning From Environmental Impact Statements, A. Michael Froomkin

Articles

Encroachments on privacy through mass surveillance greatly resemble the pollution crisis in that they can be understood as imposing an externality on the surveilled. This Article argues that this resemblance also suggests a solution: requiring those conducting mass surveillance in and through public spaces to disclose their plans publicly via an updated form of environmental impact statement, thus requiring an impact analysis and triggering a more informed public conversation about privacy. The Article first explains how mass surveillance is polluting public privacy and surveys the limited and inadequate doctrinal tools available to respond to mass surveillance technologies. Then, it provides …