Evan Selinger, Jules Polonetsky, and Omer Tene have just published a terrific edited volume of essays called The Cambridge Handbook of Consumer Privacy. This is a truly impressive collection of writings by a wide array of authors from academia and practice. There’s a robust diversity of viewpoints on wide-ranging and cutting-edge issues. The book has a hefty price tag, but it is a terrific resource.
I have a blurb on the back of the book. This is what I wrote:
The Cambridge Handbook of Consumer Privacy is a magnificent collection of essays – each one short, engaging, and thought-provoking. The broad range of topics covers the most important and vital issues in consumer privacy, and these essays will be relevant for years to come. The authors are a superb assembly of the leading scholars and practitioners from diverse fields and perspectives. This book is a true feast of ideas.
Below is the table of contents. I found a few of these essays on SSRN, where they are available for free, and I am linking to the ones I found.
Hot off the press is Professor Woodrow Hartzog’s new book, Privacy’s Blueprint: The Battle to Control the Design of New Technologies (Harvard Univ. Press 2018). This is a fascinating and engaging book about a very important and controversial topic: Should privacy law regulate technological design?
My new article was just published: Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018). I co-authored the piece with Professor Danielle Keats Citron. We argue that the issue of harm needs a serious rethinking. Courts are too quick to conclude that data breaches don’t create harm. There are two key dimensions to data breach harm — risk and anxiety — both of which have been an area of struggle for courts.
Many courts find that anything involving risk is too difficult to measure and not concrete enough to constitute actual injury. Yet, outside of the world of the judiciary, other fields and industries have recognized risk as something concrete. Today, risk is readily quantified, addressed, and factored into countless decisions of great importance. As we note in the article: “Ironically, the very companies being sued for data breaches make high-stakes decisions about cyber security based upon an analysis of risk.” Despite the challenges of addressing risk, courts in other areas of law have done just that. These bodies of law are oddly ignored in data breach cases.
When it comes to anxiety — the emotional distress people might feel based upon a breach — courts often quickly dismiss it by noting that emotional distress alone is too vague and unsupportable in proof to be recognized as harm. Yet in other areas of law, emotional distress alone is sufficient to establish harm. In many cases, this fact is so well-settled that harm is rarely an issue in dispute.
We aim to provide greater coherence to this troubled body of law. We work our way through a series of examples — various types of data breach — and discuss whether harm should be recognized. We don’t think harm should be recognized in all instances, but there are many situations where we would find harm where the majority of courts today would not.
The article can be downloaded for free on SSRN.
Here’s the abstract:
In this post, I provide a brief overview of my scholarship last year.
I co-authored Risk and Anxiety: A Theory of Data Breach Harms with Professor Danielle Keats Citron. The piece is forthcoming in Texas Law Review this year. Even though there continues to be a steady flow of data breaches, there remains significant confusion in the courts around the issue of harm. Courts struggle with data breach harms because they are intangible, risk-oriented, and diffuse. Professor Citron and I argue: “Despite the intangible nature of these injuries, data breaches inflict real compensable injuries. Data breaches raise significant public concern and legislative activity. Would all this concern and activity exist if there were no harm? Why would more than 90% of the states pass data-breach notification laws in the past decade if breaches did not cause harm?” We provide examples of different types of data breaches and discuss whether harm should be recognized. We argue that there are many instances where we would find harm that the majority of courts today would not.
Download Risk and Anxiety: A Theory of Data Breach Harms for free.
Here are some notable books on privacy and security from 2017. To see a more comprehensive list of nonfiction works about privacy and security, Professor Paul Schwartz and I maintain a resource page on Nonfiction Privacy + Security Books.
From Christopher Slobogin (Vanderbilt University Law School): “Technology has so rapidly expanded the scope of government surveillance that current legal constraints on its use have become obsolete. In this book, David Gray proposes a completely novel yet conceptually elegant and eminently workable way of balancing the competing law enforcement and privacy interests at stake, all while remaining faithful to the text and history of the Constitution.”
From Rowena Olegario (University of Oxford): “Consumer credit reporting is ubiquitous, but its pioneering role in the surveillance of consumers has been poorly understood―until now. Josh Lauer has dug deep into the historical sources and marshaled his findings into a rich and cohesive narrative that encompasses business dynamics, social norms, technology, and regulation. This book will become the indispensable source on the history of both consumer credit reporting and the surveillance society.”
Countless women have been coming forward to say #MeToo and share their traumatic stories of sexual harassment and assault. But there are many stories we’re not hearing. These stories are being silenced by extremely broad nondisclosure agreements (NDAs), some made at the outset of employment and others when settling litigation over sexual harassment. They stop victims from talking. They also silence other employees who witness sexual harassment of co-workers. NDAs were a powerful device used by Harvey Weinstein to hush up what he was doing.
In her new book, You Don’t Own Me: How Mattel v. MGA Entertainment Exposed Barbie’s Dark Side, Professor Orly Lobel tells a fascinating story about the Barbie versus Bratz litigation, which went on for about a decade. Her book is a page turner — told as a story that could readily be a movie. The book succeeds brilliantly as a gripping tale. But it goes beyond great storytelling to explore many important issues related to business, employment, and intellectual property: the enormous power of corporate employers, the weaponized use of intellectual property to stifle innovation, the dismal failure of business ethics, the troubling use of nondisclosure agreements (NDAs) to maintain dominance and power, and the punishing litigation process.
In response to government surveillance or massive data gathering, many people say that there’s nothing to worry about. “I’ve got nothing to hide,” they declare. “The only people who should worry are those who are doing something immoral or illegal.”
The nothing-to-hide argument is ubiquitous. This is why I wrote an essay about it 10 years ago called “I’ve Got Nothing to Hide,” and Other Misunderstandings of Privacy, 44 San Diego Law Review 745 (2007). It was a short law review piece, one that I thought would be read by only a few people. But to my surprise, this essay really resonated with many people, and it received an unusually high number of downloads for a law review essay. I later expanded the ideas in the essay into a book: Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale University Press 2011).
This year is the 10th anniversary of the piece. A lot has happened between then and now. Not too long before I wrote my essay, there were revelations of illegal NSA surveillance. A significant percentage of the public supported the NSA surveillance, and the nothing-to-hide argument was trotted out again and again. This was the climate in which I wrote the essay.
Later on, in 2013, Edward Snowden revealed that the NSA was engaging in extensive surveillance far beyond its legal authority. Snowden declared: “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” This time, there was a significantly large percentage of the public that didn’t side with the NSA but instead demanded scrutiny and accountability.
Nevertheless, the nothing-to-hide argument is far from vanquished. There will always be a need for citizens to demand accountability and oversight of government surveillance, or else we will gradually slide into a more dystopian world.
Here are a few short excerpts from my nothing-to-hide essay:
I’m pleased to announce that a new 4th edition of my short guide, PRIVACY LAW FUNDAMENTALS (IAPP 2017) (co-authored with Professor Paul Schwartz) is now out in print. This edition incorporates extensive developments in privacy law and includes an introductory chapter summarizing key new laws, cases and enforcement actions.
Privacy Law Fundamentals is designed with an accessible, portable format to deliver vital information in a concise (318 pages) and digestible manner. It includes key provisions of privacy statutes; leading cases; tables summarizing the statutes (private rights of action, preemption, liquidated damages, etc.); summaries of key state privacy laws; and an overview of FTC, FCC, and HHS enforcement actions.
“This is the essential primer for all privacy practitioners.” — David A. Hoffman, Intel Corp.
“In our fast-paced practice, there’s nothing better than a compact and accessible work that is curated by two of the great thinkers of the field. It is a gem.” — Kurt Wimmer, Covington & Burling LLP
“Two giants of privacy scholarship succeed in distilling their legal expertise into an essential guide for a broad range of the privacy community.” — Jules Polonetsky, Future of Privacy Forum
“This book is my go-to reference for when I need quick, accurate information on privacy laws across sectors and jurisdictions.” — Nuala O’Connor, Center for Democracy and Technology
You can get a copy at IAPP’s bookstore or at Amazon. For general information about this book as well as all my textbooks and useful resources, visit our Information Privacy Law textbook website.
The full table of contents is below:
I recently updated my book chapter, A Brief History of Information Privacy Law, which appears in the new edition of PLI’s Proskauer on Privacy.
This book chapter, originally written in 2006 and updated in 2016, provides a brief history of information privacy law, with a primary focus on United States privacy law. It discusses the development of the common law torts, Fourth Amendment law, the constitutional right to information privacy, numerous federal statutes pertaining to privacy, electronic surveillance laws, and more. It explores how the law has emerged and evolved in response to new technologies that have increased the collection, dissemination, and use of personal information.
The chapter can be downloaded for free here.
Here is the table of contents:
I am now offering the full text of my book The Digital Person: Technology and Privacy in the Information Age (NYU Press 2004) online for FREE download.