Law Commons^™

Data Privacy In The Time Of Plague, Cason Schmit, Brian N. Larson, Hye-Chung Kum

Faculty Scholarship

Data privacy is a life-or-death matter for public health. Beginning in late fall 2019, two series of events unfolded, one everyone talked about and one hardly anyone noticed: The greatest world-health crisis in at least 100 years, the COVID-19 pandemic; and the development of the Personal Data Protection Act Committee by the Uniform Law Commissioners (ULC) in the United States. By July 2021, each of these stories had reached a turning point. In the developed, Western world, most people who wanted to receive the vaccine against COVID- 19 could do so. Meanwhile, the ULC adopted the Uniform Personal Data Protection …

Legislating Data Loyalty, Woodrow Hartzog, Neil Richards

Faculty Scholarship

Lawmakers looking to embolden privacy law have begun to consider imposing duties of loyalty on organizations trusted with people’s data and online experiences. The idea behind loyalty is simple: organizations should not process data or design technologies that conflict with the best interests of trusting parties. But the logistics and implementation of data loyalty need to be developed if the concept is going to be capable of moving privacy law beyond its “notice and consent” roots to confront people’s vulnerabilities in their relationship with powerful data collectors.

In this short Essay, we propose a model for legislating data loyalty. Our …

The Surprising Virtues Of Data Loyalty, Woodrow Hartzog, Neil M. Richards

Faculty Scholarship

Lawmakers in the United States and Europe are seriously considering imposing duties of data loyalty that implement ideas from privacy law scholarship, but critics claim such duties are unnecessary, unworkable, overly individualistic, and indeterminately vague. This paper takes those criticisms seriously, and its analysis of them reveals that duties of data loyalty have surprising virtues. Loyalty, it turns out, can support collective well-being by embracing privacy’s relational turn; it can be a powerful state of mind for reenergizing privacy reform; it prioritizes human values rather than potentially empty formalism; and it offers solutions that are flexible and clear rather than …

What Is Privacy? That’S The Wrong Question, Woodrow Hartzog

Faculty Scholarship

Privacy has never had a precise meaning. But in the early 1900s, the concept took on new life as a term of art in legal frameworks. The result has been a bit of a mess, as no singular definition has been adequate for all purposes. Daniel Solove, perhaps the most influential privacy scholar of our day, wrote at the turn of the millennium that privacy was “a concept in disarray.”

In this short essay reflecting upon Solove’s impact on the modern study of information privacy, I argue that the chaos and futility of competing conceptualizations of privacy is why Solove’s …

"Slack" In The Data Age, Shu-Yi Oei, Diane M. Ring

Faculty Scholarship

This Article examines how increasingly ubiquitous data and information affect the role of “slack” in the law. Slack is the informal latitude to break the law without sanction. Pockets of slack exist for various reasons, including information imperfections, enforcement resource constraints, deliberate nonenforcement of problematic laws, politics, biases, and luck. Slack is important in allowing flexibility and forbearance in the legal system, but it also risks enabling selective and uneven enforcement. Increasingly available data is now upending slack, causing it to contract and exacerbating the risks of unfair enforcement.

This Article delineates the various contexts in which slack arises and …

Stealing (Identity) From The Poor, Sara S. Greene

Faculty Scholarship

The law of data breaches is new, dynamic, and evolving. The number and complexity of breaches increases each year and legal scholars, courts, and policymakers scramble to respond. In 2019, 14.4 million consumers became victims of identity theft, the most problematic consequence of data breaches for consumers. Indeed, one-third of all Americans have experienced identity theft at some point in their lives. Yet despite low-income groups comprising at least thirty percent of all identity theft victims, existing discourse and debate on the regulatory regime governing data breaches and identity theft primarily reflects the experiences and concerns of middle- and high-income …

The Covid-19 Pandemic And The Technology Trust Gap, Johanna Gunawan, David Choffnes, Woodrow Hartzog, Christo Wilson

Faculty Scholarship

Industry and government tried to use information technologies to respond to the COVID-19 pandemic, but using the internet as a tool for disease surveillance, public health messaging, and testing logistics turned out to be a disappointment. Why weren’t these efforts more effective? This Essay argues that industry and government efforts to leverage technology were doomed to fail because tech platforms have failed over the past few decades to make their tools trustworthy, and lawmakers have done little to hold these companies accountable. People cannot trust the interfaces they interact with, the devices they use, and the systems that power tech …

A Duty Of Loyalty For Privacy Law, Neil M. Richards, Woodrow Hartzog

Faculty Scholarship

Data privacy law fails to stop companies from engaging in self-serving, opportunistic behavior at the expense of those who trust them with their data. This is a problem. Modern tech companies are so entrenched in our lives and have so much control over what we see and click that the self-dealing exploitation of people has become a major element of the internet’s business model.

Academics and policymakers have recently proposed a possible solution: require those entrusted with people’s data and online experiences to be loyal to those who trust them. But many have concerns about a duty of loyalty. What, …

Privacy's Constitutional Moment And The Limits Of Data Protection, Woodrow Hartzog, Neil M. Richards

Faculty Scholarship

America’s privacy bill has come due. Since the dawn of the Internet, Congress has repeatedly failed to build a robust identity for American privacy law. But now both California and the European Union have forced Congress’s hand by passing the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). These data protection frameworks, structured around principles for Fair Information Processing called the “FIPs,” have industry and privacy advocates alike clamoring for a “U.S. GDPR.” States seemed poised to blanket the country with FIP-based laws if Congress fails to act. The United States is thus in the midst …

Gdpr And The Importance Of Data To Ai Startups, James Bessen, Stephen Michael Impink, Lydia Reichensperger, Robert Seamans

Faculty Scholarship

What is the impact of the European Union’s General Data Protection Regime (“GDPR”) and data regulation on AI startups? How important is data to AI product development? We study these questions using unique survey data of commercial AI startups. AI startups rely on data for their product development. Given the scale and scope of their business models, these startups are particularly susceptible to policy changes impacting data collection, storage and use. We find that training data and frequent model refreshes are particularly important for AI startups that rely on neural nets and ensemble learning algorithms. We also find that firms …

A Relational Turn For Data Protection?, Neil Richards, Woodrow Hartzog

Faculty Scholarship

If there’s one thing everyone in the data protection debate can agree on, it’s that it’s all about the data. All over the world, data protection regimes fixate on when data can be collected, how it is being processed, when it can be accessed or should be deleted, and whether it is personal, sensitive, or deidentified. This is true even for approaches that seem quite different at first glance, such as the U.S. and EU.

Consumer Protection—Exploring Private Causes Of Action For Victims Of Data Breaches, Justin H. Dion, Nicholas M. Smith

Faculty Scholarship

Data breaches are becoming a norm in modern life. Every year it seems that bigger and bigger attacks are launched, and more and more individuals are harmed. The law has responded by increasing states’ ability to prosecute cybercriminals. A glaring hole exists in this protection though. The state is largely an unharmed party. The real harm is done to individual citizens affected by the breaches. Their data is compromised, their identities are stolen, and their livelihoods are placed at risk. This Article will analyze the issue and propose a solution for increased consumer protection in addition to the current criminal …

Data-Informed Duties In Ai Development, Frank A. Pasquale

Faculty Scholarship

Law should help direct—and not merely constrain—the development of artificial intelligence (AI). One path to influence is the development of standards of care both supplemented and informed by rigorous regulatory guidance. Such standards are particularly important given the potential for inaccurate and inappropriate data to contaminate machine learning. Firms relying on faulty data can be required to compensate those harmed by that data use—and should be subject to punitive damages when such use is repeated or willful. Regulatory standards for data collection, analysis, use, and stewardship can inform and complement generalist judges. Such regulation will not only provide guidance to …

When Data Comes Home: Next Steps In International Taxation’S Information Revolution, Shu-Yi Oei, Diane M. Ring

Faculty Scholarship

Over the last decade, there has been a revolution in cross-border tax information exchange and reporting. While this dramatic shift was the product of multiple forces and events, a fundamental reality is that politics, technology, and law intersected to drive the shift to the point where nation-states will now transmit and receive from each other significant ongoing flows of taxpayer information. States can now expect to accumulate large stashes of data on cross-border income, assets, and activities on a scale and level of comprehensiveness unmatched by previous information exchange regimes.

This article examines the pressing follow-up question of how this …

The Pathologies Of Digital Consent, Neil M. Richards, Woodrow Hartzog

Faculty Scholarship

Consent permeates both our law and our lives — especially in the digital context. Consent is the foundation of the relationships we have with search engines, social networks, commercial web sites, and any one of the dozens of other digitally mediated businesses we interact with regularly. We are frequently asked to consent to terms of service, privacy notices, the use of cookies, and so many other commercial practices. Consent is important, but it’s possible to have too much of a good thing. As a number of scholars have documented, while consent models permeate the digital consumer landscape, the practical conditions …

The Business Of Ai Startups, James Bessen, Stephen Michael Impink, Robert Seamans, Lydia Reichensperger

Faculty Scholarship

New machine learning techniques have led to an acceleration of “artificial intelligence” (AI). Numerous papers have projected substantial job losses based on assessments of technical feasibility. But what is the actual impact? This paper reports on a survey of commercial AI startups, documenting rich detail about their businesses and their impacts on their customers. These firms report benefits of AI that are more often about enhancing human capabilities than replacing them. Their applications more often increase professional, managerial, and marketing jobs and decrease manual, clerical, and frontline service jobs. These startups sell to firms of different sizes, in different industries …

Technology Regulation By Default: Platforms, Privacy, And The Cfpb, Rory Van Loo

Faculty Scholarship

In the absence of a technology-focused regulator, diverse administrative agencies have been forced to develop regulatory models for governing their sphere of the data economy. These largely uncoordinated efforts offer a laboratory of regulatory experimentation on governance architecture. This symposium essay explores what the Consumer Financial Protection Bureau (CFPB) has done in its first several years to regulate financial technology (“fintech”), in the context of broader technology-related concerns identified in the literature. It begins with a survey of what the CFPB has undertaken using more traditional administrative agency tools—enforcement and rulemaking—in areas such as privacy, consumer control over data, and …

Humans Forget, Machines Remember: Artificial Intelligence And The Right To Be Forgotten, Tiffany Li, Eduard Fosch Villaronga, Peter Kieseberg

Faculty Scholarship

To understand the Right to be Forgotten in context of artificial intelligence, it is necessary to first delve into an overview of the concepts of human and AI memory and forgetting. Our current law appears to treat human and machine memory alike – supporting a fictitious understanding of memory and forgetting that does not comport with reality. (Some authors have already highlighted the concerns on the perfect remembering.) This Article will examine the problem of AI memory and the Right to be Forgotten, using this example as a model for understanding the failures of current privacy law to reflect the …

The Case Against Idealising Control, Woodrow Hartzog

Faculty Scholarship

Seemingly everyone, from scholars, industry, and privacy advocates to lawmakers, regulators, and judges seems to have settled on the idea that the key to privacy is control over personal information. But in practice, there is only so much a person can do. Control is far too precious and finite of a concept to meaningfully scale. It will never work for personal data mediated by technology.

Now we have an entire empire of data protection built around the crumbling edifice of control. The idealisation of control in modern data protection regimes like the GDPR and the ePrivacy Directive creates a pursuit …

Risk Regulation And Innovation: The Case Of Rights-Encumbered Biomedical Data Silos, Arti K. Rai

Faculty Scholarship

Recent Supreme Court cases on patent-eligible subject matter are likely to exacerbate the longstanding problem of biomedical data fragmentation. For each data silo, multiple overlapping legal claims and claimants must be addressed to achieve the benefits of pooling.

Commentators who have discussed the data aggregation challenge have generally focused on possibilities created through public funding, through collective action by research participants, or through pressure by payers. This Article emphasizes the important role of risk regulators, most notably the precedent offered by risk regulation in the area of clinical trial data.

While U.S. risk regulators have taken some positive steps, the …

The Notion And Practice Of Reputation And Professional Identity In Social Networking: From K-12 Through Law School, Roberta Bobbie Studwell

Faculty Scholarship

No abstract provided.

Rethinking The Role Of Clinical Trial Data In International Intellectual Property Law: The Case For A Public Goods Approach, Jerome H. Reichman

Faculty Scholarship

This article is a later version of the author's presentation at the Eleventh Annual Honorable Helen Wilson Nies Memorial Lecture March 26, 2008. Clinical trials are currently used to test drugs; however, the risk and cost of clinical trials are increasing so drastically that the clinical trials may become unsustainable. This article evaluates the legal and economic trends of intellectual property protection for pharmaceutical clinical trial data. The protection of clinical trials has become an alternative to patents as market exclusivity encourages the development and testing of unpatentable pharmaceuticals. This author argues that clinical trials should be treated as a …

The Simplification Of International Data Privacy Rules, Joel R. Reidenberg

Faculty Scholarship

The variation and complexity of national data privacy rules pose significant challenges for international data flows. Data protection laws range from ad hoc narrow legal rights, like those found in the United States, to comprehensive fair information practice statutes like those found in Europe. Because data processing frequently occurs across national borders, multiple data protection laws might apply simultaneously to international data flows. At the same time, data protection regimes may prohibit the circumvention of national standards by processing personal information at a foreign site. Global information processing thus presents a data controller with important burdens and obstacles related to …

Le Droit Et Les Reseaux Internationaux D'Information, Joel R. Reidenberg

Faculty Scholarship

Travaux pour obtenir le grade de Docteur De L'Universite Paris I. Discipline: Droit. Sujet des publications: Le Droit Et Les Reseaux Internationaux D'Information

The Privacy Obstacle Course: Hurding Barriers To Transnational Financial Services, Joel R. Reidenberg

Faculty Scholarship

This article addresses the challenge to transnational financial services resulting from national regulation of information processing. National laws around the world seek to define fair information practices for the private sector and contain prohibitions on data transfers to foreign destinations that lack sufficient privacy protection. The effect of these laws for the financial services industry is significant because financial services depend on personal information. The article argues that the international attempts to harmonize information practice standards and the national efforts to regulate information processing encourage divergence of national standards for financial services. It argues that regulatory flexibility and customization is …