Recently, the International Association of Privacy Professionals (IAPP) released a ranking of law schools based on their educational programs in privacy law. Although I applaud the effort to focus more attention on the issue of teaching privacy law in law schools, there are many aspects of the project that I would do differently. In this post, I will discuss the elements of what I believe would constitute a robust privacy law educational program at law schools.
First, a bit of background about IAPP’s rankings. IAPP ranks schools into three tiers. Tier 1 is for schools offering a “certification or formal concentration in privacy law.” Tier 2 is for schools that “offer at least one three-credit course in privacy annually.” Tier 3 is for schools that “have a privacy offering, such as a one-credit seminar” rather than a three-credit offering or that have offered privacy courses but not on a “consistent basis.”
Unfortunately, the data that IAPP has assembled thus far is incomplete and needs quite a number of corrections. For example, many schools listed in Tier 3 have a 3-credit annual offering.
Additionally, I don’t agree with the set of criteria used to rank the schools. Having a certificate doesn’t put a school’s program in the top tier. There are many other factors to consider. Presenting the data in a rankings format is counterproductive because the data needs a lot of correcting plus the criteria are incomplete and not properly weighted. I think a more useful endeavor would be to improve the data, gather data on some other criteria, and just present the data rather than try to rank. IAPP’s project is just a starting point, and I hope that my suggestions here are constructive and will help shape the project.
It would be useful not just to list data about schools that have privacy law courses but also schools that don’t — because not having privacy law is a glaring omission for a law school. In my view, it is an embarrassing gap for any law school not to have a privacy law course. The profession is large, law firms have big practices in privacy law, and it is ridiculous that so many law schools haven’t even caught up enough to offer even one course or seminar on the topic. According to IAPP’s data, “97 schools (48% of all schools) offer some privacy related courses.” In my view, this number is too high because many of the course offerings by these 97 schools aren’t consistent or robust enough to count for much.
Even having just one privacy law course isn’t enough. For intellectual property, many law schools offer a general survey course plus courses in copyright, patent, and trademark, among other topics. There are typically one or more full-time faculty members who teach and write in intellectual property. For privacy, many schools have just one course or seminar occasionally taught by an adjunct. I think that this state of affairs is due to the fact that law schools just don’t know what’s going on in the field. Their curriculum is based on a woefully outdated view of the practice areas of law.
A key step for improving privacy law education in law schools would be to inform deans about the field. I recommend that a care package be sent to deans of all law schools that provides background about the field and the job opportunities and that makes the case for having a robust privacy law program (whether formal or informal).
What does a robust privacy law program look like? An issue at the outset is defining what counts as a “privacy” course or professor. In my view, a core component is covering consumer privacy issues either in a privacy survey course or a course focusing on consumer privacy. Other privacy-related topics would enrich this core: data security (or cybersecurity), health privacy, international privacy, computer crime). A robust privacy program at a law school (whether formal or informal) would have many of the following elements:
- One or more full-time faculty members who write a majority of their scholarship on privacy topics
- One or more full-time faculty members who write on privacy-related topics
- Adjuncts who teach privacy or privacy-related courses
- At least one 3-credit or 4-credit privacy law course offered each academic year
- Courses or seminars on privacy or privacy-related topics (ideally, a survey course, then courses in consumer privacy, data security, health privacy, international privacy, and computer crime)
- A course where law students can learn the basics of technology relevant to privacy issues (knowledge of technology is very sought-after by employers)
- An academic center where privacy is at least a third of the focus and activity
- A formal certificate or concentration in privacy law
- Other activities in privacy (events, speakers, fellowships, internship programs, etc.)
- A person with relationships with prospective employers and expertise about how to help students find jobs (could be someone in the career center, but should have an understanding of the privacy profession)
- Robust clinical opportunities in privacy law
At a minimum, a law school should have at least one full-time faculty member who writes a majority of their scholarship on privacy topics and at least one 3+ credit privacy law course. But having these things is far from sufficient. Privacy is too vast a field to be covered in just one course. At least a few other privacy or privacy-related courses are a must. Schools can do more to support student careers in the field by helping them find internships, obtain jobs, provide field-specific career advice, offer training in technology, and have many activities where students can learn from and network with professionals in the field. The formal elements (a certificate or concentration or an academic center) are less important in my opinion. They look nice on paper, but what matters most is substance — teaching and curriculum and assistance with starting a career.
I’d love to see data gathered from all law schools about the above elements. Rankings are not important at this point, and are contentious and counterproductive. What is needed to improve here is for legal academics and privacy professionals to do the following:
(1) Discuss the above issues — how to convince law schools to offer a more robust program in privacy law and what such a program should look like
(2) Inform law schools (via a care package to deans or some other way) about the importance of a robust program and the elements of such a program
It is my hope that one day law schools will catch up with the times and bring themselves into the 21st Century (hopefully before the 22nd Century). It is really disappointing that so many law schools lack any personnel or courses on privacy law.
Thanks to Margo Kaminski for suggesting the addition of clinical opportunities to the list of elements above.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Table of Contents