Privacy Law Commons^™

A Miscarriage Of Justice: How Femtech Apps And Fog Data Evade Fourth Amendment Privacy Protections, Rachel Silver

Washington and Lee Journal of Civil Rights and Social Justice

After the fall of Roe v. Wade, states across the country have enacted extreme abortion bans. Anti-abortion states, emboldened by their new, unrestricted power to regulate women’s bodies, are only broadening the scope of abortion prosecutions. And modern technology provides law enforcement with unprecedented access to women’s most intimate information, including, for example, their menstrual cycle, weight, body temperature, sexual activity, mood, medications, and pregnancy details. Fourth Amendment law fails to protect this sensitive information stored on femtech apps from government searches. In a largely unregulated private market, femtech apps sell health and location data to third parties like Fog …

Constitutional Confidentiality, Natalie Ram, Jorge L. Contreras, Laura M. Beskow, Leslie E. Wolf

Washington and Lee Law Review

Federal Certificates of Confidentiality (“Certificates”) protect sensitive information about human research subjects from disclosure and use in judicial, administrative, and legislative proceedings at both the state and federal levels. When they were first authorized by Congress in the 1970s, Certificates covered sensitive information collected in research about drug addiction use. Today, however, they extend to virtually all personal information gathered by biomedical research studies. The broad reach of Certificates, coupled with their power to override state subpoenas and warrants issued in the context of law enforcement, abortion regulation, and other police powers typically under state control, beg the question whether …

Stay Out Of My Head: Neurodata, Privacy, And The First Amendment, Wayne Unger

Washington and Lee Law Review

The once science-fictional idea of mind-reading is within reach as advancements in brain-computer interfaces, coupled with advanced artificial intelligence, produce neurodata—the collection of substantive thoughts as storable and processable data. But government access to individuals’ neurodata threatens personal autonomy and the right to privacy. While the Fourth Amendment is traditionally considered the source of privacy protections against government intrusion, the First Amendment provides more robust protections with respect to whether governments can access one’s substantive ideas, thoughts, and beliefs. However, many theorists assert that the concept of privacy conflicts with the First Amendment because privacy restricts the flow of information …

Do Not Touch My Data: Exploring A Disclosure-Based Framework To Address Data Access, Francis Morency

Washington and Lee Journal of Civil Rights and Social Justice

Companies have too much control over people’s information. In the data marketplace, companies package and sell individuals’ data, and these individuals have little to no bargaining power over the process. Companies may freely buy and sell people’s data in the private sector for targeted marketing and behavior manipulation. In the justice system, an unchecked data marketplace leaves black and brown communities vulnerable to serious data access issues caused by predictive sentencing, for example. Risk assessment algorithms in predictive sentencing rely on data on individuals and run all relevant data points to provide the likelihood that a defendant will recidivate low …

Gag With Malice, Shaakirrah R. Sanders

Washington and Lee Law Review

This Article brings agriculture privacy and other commercial gagging laws into the ongoing debate on the First Amendment actual malice rule announced in New York Times v. Sullivan. Despite a resurgence in contemporary jurisprudence, Justices Clarence Thomas and Neil Gorsuch have recently questioned the wisdom and viability of Sullivan, which originally applied actual malice to state law defamation claims brought by public officials. The Court later extended the actual malice rule to public figures, to claims for infliction of emotional distress, and—as discussed in this Article—to claims for invasion of privacy and to issues of public importance or concern.

United …

Wiretapping The Internet: Analyzing The Application Of The Federal Wiretap Act’S Party Exception Online, Hayden Driscoll

Washington and Lee Journal of Civil Rights and Social Justice

The federal Wiretap Act—originally enacted to curtail the government’s unbridled use of wiretaps to monitor telephonic communications—was amended in 1986 to provide a private right of action, extending the Act’s Fourth Amendment-like protections to private intrusions. Since the advent of the internet, plaintiffs have attempted to predicate claims of unauthorized online privacy intrusions on the Wiretap Act. In response, defendants claim they are parties to the communications at issue and should be absolved of liability under the Act’s party exception. The federal circuit courts of appeal disagree on how the party exception applies in the internet context. This Note evaluates …

The Three Laws: The Chinese Communist Party Throws Down The Data Regulation Gauntlet, William Chaskes

Washington and Lee Law Review

Criticism of the Chinese Communist Party (CCP) runs a wide gamut. Accusations of human rights abuses, intellectual property theft, authoritarian domestic policies, disrespecting sovereign borders, and propaganda campaigns all have one common factor: the CCP’s desire to control information. Controlling information means controlling data. Lurking beneath the People’s Republic of China’s (PRC) tumultuous relationship with the rest of the world is the fight between nations to control their citizens’ data while also keeping it out of the hands of adversaries. The CCP’s Three Laws are its newest weapon in this data war.

One byproduct of the CCP’s emphasis on controlling …

Right Of Self, Mitchell F. Crusto

Washington and Lee Law Review

The exercise of free will against tyranny is the single principle that defines the American spirit, our history, and our culture. From the American Revolution through the Civil War, the two World Wars, the Civil Rights Movement, and up to today, Americans have embraced the fundamental rights of the individual against wrongful governmental intrusion. This is reflected in our foundational principles, including the Magna Carta, the Bill of Rights to the United States Constitution, the Reconstruction Amendments, the Nineteenth Amendment, and, more recently, in the Supreme Court’s recognition of fundamental individual rights within the Constitution’s penumbras. However, there is no …

The New State Of Surveillance: Societies Of Subjugation, Khaled Ali Beydoun

Washington and Lee Law Review

Foundational surveillance studies theory has largely been shaped in line with the experiences of white subjects in western capitalist societies. Formative scholars, most notably Michel Foucault and Gilles Deleuze, theorized that the advancement of surveillance technology tempers the State’s reliance on mass discipline and corporal punishment. Legal scholarship examining modern surveillance perpetuates this view, and popular interventions, such as the blockbuster docudrama The Social Dilemma and Shoshana Zuboff’s bestseller The Age of Surveillance Capitalism, mainstream the myth of colorblind surveillance. However, the experiences of nonwhite subjects of surveillance—pushed to or beyond the margins of these formative discourses—reflect otherwise. …

“You Keep Using That Word”: Why Privacy Doesn’T Mean What Lawyers Think, Joshua A.T. Fairfield

Scholarly Articles

This article explores how the need to define privacy has impeded our ability to protect it in law.

The meaning of “privacy” is notoriously hard to pin down. This article contends that the problem is not with the word “privacy,” but with the act of trying to pin it down. The problem lies with the act of definition itself and is particularly acute when the words in question have deep-seated and longstanding common-language meanings, such as liberty, freedom, dignity, and certainly privacy. If one wishes to determine what words like these actually mean to people, definition is the wrong tool …

Making An Offer That Can't Be Refused: The Need For Reform In The Rules Governing Informed Consent And Doctor-Patient Agreements, Timothy C. Macdonnell

Scholarly Articles

On a daily basis, throughout the country, patients are required to sign informed consent forms regarding the care they receive from their doctors. Informed consent forms are an important part of ensuring patients are making an intelligent, autonomous decision regarding their healthcare based on the facts related to their particular situation. However, frequently these consent forms contain what amount to contract-like terms that require patients to permit doctors to substitute other healthcare providers to care for the patient under the doctor’s supervision (substituted caregiver terms). Often these terms are presented to patients on the eve of surgery and on a …

Comment: The Necessary Evolution Of State Data Breach Notification Laws: Keeping Pace With New Cyber Threats, Quantum Decryption, And The Rapid Expansion Of Technology, Beth Burgin Waller, Elaine Mccafferty

Washington and Lee Law Review

The legal framework that was built almost two decades ago now struggles to keep pace with the rapid expansion of technology, including quantum computing and artificial intelligence, and an ever-evolving cyber threat landscape. In 2002, California passed the first data breach notification law, with all fifty states following suit to require notice of unauthorized access to and acquisition of an individual’s personal information.1 These data breach notification laws, originally designed to capture one-off unauthorized views of data in a computerized database, were not built to address PowerShell scripts by cyber terrorists run across thousands of servers, leaving automated accessed data …

Reproductive Privacy In The World: Critical Examination Of June Medical Services, L.L.C. V. Russo And Buck V. Bell, Kumiko Kitaoka

Washington and Lee Journal of Civil Rights and Social Justice

Using insights from Professor Stephen A. Simon’s Universal Rights and the Constitution, this Article argues that national courts should continue to assume an active role in the protection of privacy rights by giving due consideration to the nature of the privacy right in combination with the merits of the universal right theory. This Article then demonstrates that both foreign national courts and domestic state courts have recognized the right to procreate and key aspects of the right to abortion as fundamental rights.

Part II introduces the universal right theory, explaining why the theory is particularly relevant to the protection …

Making Privacy Injuries Concrete, Peter Ormerod

Washington and Lee Law Review

In recent years, the U.S. Supreme Court has repeatedly said that the doctrine of Article III standing deprives the federal courts of jurisdiction over some lawsuits involving intangible injuries. The lower federal courts are carrying out the Supreme Court’s instructions, and privacy injuries have borne the brunt of the Court’s directive. This Article identifies two incoherencies in the Court’s recent intangible injury decisions and builds on the work of privacy scholars to fashion a solution.

The first incoherency is a line-drawing problem: the Court has never explained why some intangible injuries create an Article III injury in fact while others …

Data Breach Notification Laws And The Quantum Decryption Problem, Phillip Harmon

Washington and Lee Law Review

In the United States, state data breach notification laws protect citizens by forcing businesses to notify those citizens when their personal information has been compromised. These laws almost universally include an exception for encrypted personal data. Modern encryption methods make encrypted data largely useless, and the notification laws aim to encourage good encryption practices.

This Note challenges the wisdom of laws that place blind faith in the continued infallibility of encryption. For decades, Shor’s algorithm has promised polynomial-time factoring once a sufficiently powerful quantum computer can be built. Competing laboratories around the world steadily continue to march toward this end. …

The “P” Isn’T For Privacy: The Conflict Between Bankruptcy Rules And Hipaa Compliance, Sophie R. Rogers Churchill

Washington and Lee Law Review

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) included a now-ubiquitous provision designed to protect the privacy of patients’ protected health information. The provision prohibits covered entities, including health care providers and their agents, from disclosing any demographic information that may identify a patient and that relates to that patient’s medical care. The provision is broad and can include such simple information as which doctor a patient consults or the date of a patient’s consultation with a physician.

Unfortunately, such protections become impracticable in the bankruptcy setting. When a health care provider files bankruptcy, it files a host …

#Audited: Social Media And Tax Enforcement, Michelle Lyon Drumbl

Scholarly Articles

With limited resources and a diminished budget, it is not surprising that the Internal Revenue Service would seek new tools to maximize its enforcement efficiency. Automation and technology provide new opportunities for the IRS, and in turn, present new concerns for taxpayers. In December 2018, the IRS signaled its interest in a tool to access publicly available social media profiles of individuals in order to “expedite IRS case resolution for existing compliance cases.” This has important implications for taxpayer privacy.

Moreover, the use of social media in tax enforcement may pose a particular harm to an especially vulnerable population: low-income …

Bad Actors: Authenticity, Inauthenticity, Speech, And Capitalism, Sarah C. Haan

Scholarly Articles

“Authenticity” has evolved into an important value that guides social media companies’ regulation of online speech. It is enforced through rules and practices that include real-name policies, Terms of Service requiring users to present only accurate information about themselves, community guidelines that prohibit “coordinated inauthentic behavior,” verification practices, product features, and more.

This Article critically examines authenticity regulation by the social media industry, including companies’ claims that authenticity is a moral virtue, an expressive value, and a pragmatic necessity for online communication. It explains how authenticity regulation provides economic value to companies engaged in “information capitalism,” “data capitalism,” and “surveillance …

Bytes Bite: Why Corporate Data Breaches Should Give Standing To Affected Individuals, Caden Hayes

Washington and Lee Journal of Civil Rights and Social Justice

High-profile data hacks are not uncommon. In fact, according to the Privacy Rights Clearinghouse, there have been at least 7,961 data breaches, exposing over 10,000,000,000 accounts in total, since 2005. These shocking numbers are not particularly surprising when taking into account the value of information stolen. For example, cell phone numbers, as exposed in a Yahoo! hack, are worth $10 a piece on the black market, meaning the hackers stood to make $30,000,000,000 from that one hack. That dollar amount does not even consider copies the hackers could make and later resell. Yet while these hackers make astronomical payoffs, the …

The Ironic Privacy Act, Margaret Hu

Scholarly Articles

This Article contends that the Privacy Act of 1974, a law intended to engender trust in government records, can be implemented in a way that inverts its intent. Specifically, pursuant to the Privacy Act's reporting requirements, in September 2017, the U.S. Department of Homeland Security (DHS) notified the public that record systems would be modified to encompass the collection of social media data. The notification justified the collection of social media data as a part of national security screening and immigration vetting procedures. However, the collection will encompass social media data on both citizens and noncitizens, and was not explicitly …

Hardware, Heartware, Or Nightmare: Smart-City Technology And The Concomitant Erosion Of Privacy, Leila Lawlor

Scholarly Articles

Smart-city technology is being adopted in cities all around the world to simplify our lives, save us time, ease traffic, improve education, reduce energy usage, and keep us healthy and safe. Its adoption is necessary because of changes that are predicted for urban dwellers over the next three decades; urban population and travel are predicted to increase dramatically and our population is graying, meaning the population will include a much greater number of elderly citizens. As these changes occur, smart-city technology can have a huge impact on public safety, improving the ability of law enforcement to investigate crimes, both with …

Information And The Regulatory Landscape: A Growing Need To Reconsider Existing Legal Frameworks, Anjanette H. Raymond

Washington and Lee Journal of Civil Rights and Social Justice

No abstract provided.

Bulk Biometric Metadata Collection, Margaret Hu

Scholarly Articles

Smart police body cameras and smart glasses worn by law enforcement increasingly reflect state-of-the-art surveillance technology, such as the integration of live-streaming video with facial recognition and artificial intelligence tools, including automated analytics. This Article explores how these emerging cybersurveillance technologies risk the potential for bulk biometric metadata collection. Such collection is likely to fall outside the scope of the types of bulk metadata collection protections regulated by the USA FREEDOM Act of 2015. The USA FREEDOM Act was intended to bring the practice of bulk telephony metadata collection conducted by the National Security Agency (“NSA”) under tighter regulation. In …

Data Flow Maps—Increasing Data Processing Transparency And Privacy Compliance In The Enterprise, Jeremy Berkowitz, Michael Mangold, Stephen Sharon

Washington and Lee Law Review Online

In recent years, well-known cyber breaches have placed growing pressure on organizations to implement proper privacy and data protection standards. Attacks involving the theft of employee and customer personal information have damaged the reputations of well-known brands, resulting in significant financial costs. As a result, governments across the globe are actively examining and strengthening laws to better protect the personal data of its citizens. The General Data Protection Regulation (GDPR) updates European privacy law with an array of provisions that better protect consumers and require organizations to focus on accounting for privacy in their business processes through “privacy-by-design” and “privacy …

The Market’S Law Of Privacy: Case Studies In Privacy/Security Adoption, Chetan Gupta

Washington and Lee Law Review Online

This paper examines the hypothesis that it may be possible for individual actors in a marketplace to drive the adoption of particular privacy and security standards. It aims to explore the diffusion of privacy and security technologies in the marketplace. Using HTTPS, Two-Factor Authentication, and End-to-End Encryption as case studies, it tries to ascertain which factors are responsible for successful diffusion which improves the privacy of a large number of users. Lastly, it explores whether the FTC may view a widely diffused standard as a necessary security feature for all actors in a particular industry.

Based on the case studies …

Privacy In The Age Of Autonomous Vehicles, Ivan L. Sucharski, Philip Fabinger

Washington and Lee Law Review Online

To prepare for the age of the intelligent, highly connected, and autonomous vehicle, a new approach to concepts of granting consent, managing privacy, and dealing with the need to interact quickly and meaningfully is needed. Additionally, in an environment where personal data is rapidly shared with a multitude of independent parties, there exists a need to reduce the information asymmetry that currently exists between the user and data collecting entities. This Article rethinks the traditional notice and consent model in the context of real-time communication between vehicles or vehicles and infrastructure or vehicles and other surroundings and proposes a re-engineering …

From The National Surveillance State To The Cybersurveillance State, Margaret Hu

Scholarly Articles

This article anchors the phenomenon of bureaucratized cybersurveillance around the concept of the National Surveillance State, a theory attributed to Professor Jack Balkin of Yale Law School and Professor Sanford Levinson of the University of Texas School of Law. Pursuant to the theory of the National Surveillance State, because of the routinized and administrative nature of government-led surveillance, normalized mass surveillance is viewed as justified under crime and counterterrorism policy rationales. This article contends that the Cybersurveillance State is the successor to the National Surveillance State. The Cybersurveillance State harnesses technologies that fuse biometric and biographic data for risk assessment, …

Peeling Back The Student Privacy Pledge, Alexi Pfeffer-Gillett

Scholarly Articles

Education software is a multi-billion dollar industry that is rapidly growing. The federal government has encouraged this growth through a series of initiatives that reward schools for tracking and aggregating student data. Amid this increasingly digitized education landscape, parents and educators have begun to raise concerns about the scope and security of student data collection.

Industry players, rather than policymakers, have so far led efforts to protect student data. Central to these efforts is the Student Privacy Pledge, a set of standards that providers of digital education services have voluntarily adopted. By many accounts, the Pledge has been a success. …

Beyond Irbs: Ethical Guidelines For Data Research, Omer Tene, Jules Polonetsky

Washington and Lee Law Review Online

No abstract provided.

Clapper Dethroned: Imminent Injury And Standing For Data Breach Lawsuits In Light Of Ashley Madison, Arthur R. Vorbrodt

Washington and Lee Law Review Online

No abstract provided.