by Daniel J. Solove
Professor Neil M. Richards (Washington University School of Law) has posted a draft chapter of his forthcoming book about privacy law and free speech. It is a fascinating piece — very accessible and engaging. It’s called Why Data Privacy Law is (Mostly) Constitutional.
Eyebrows were raised a few years ago when the U.S. Supreme Court struck down a privacy statute in Sorrell v. IMS Health, Inc., 131 S.Ct. 2653 (2011). A Vermont statue restricted pharmacies from disclosing personal data for marketing purposes and barred pharmaceutical companies from using personal data for marketing without people’s consent. The Supreme Court held that the statute violated the First Amendment because it singled out particular content and particular speakers.
Does this mean that most privacy laws have a problem with the First Amendment right to free speech? After all, privacy laws mandate restrictions on uses and disclosures of personal data.
A number of commentators have pointed to Sorrell to support a claim that most privacy law violates the First Amendment right to free speech. But Neil Richards rightly debunks these claims. According to Richards: “Privacy law is thus (mostly) constitutional. And when we’re talking about the regulation of commercial data flows, it’s entirely constitutional, except for a few poorly-drafted outliers like the law struck down in Sorrell.”
The law in Sorrell failed because, ironically, it was too narrow, not too broad. The Vermont law singled out only speech about pharmaceutical marketing; had it been more broad, it likely wouldn’t have violated free speech. The Supreme Court cited HIPAA as an appropriate privacy law in contrast to the Vermont law because it allowed “the information’s sale or disclosure in only a few narrow and well-justified circumstances.”
In other words, because HIPAA’s baseline is to restrict most uses and disclosures, it is less discriminating against certain viewpoints unlike the Vermont law which doesn’t restrict most uses and disclosures except for pharmaceutical marketing.
More broadly, Richards argues that data should not be viewed as speech. “In a society in which data flows are becoming increasingly important, this is really akin to asking whether we can have commercial regulation at all. Good policy as well as our constitutional traditions of democratic self-government counsel against a broad and dangerous reading of the First Amendment that ‘data’ is somehow ‘speech.’”
Richards’s essay also discusses the “Right to be Forgotten” and is a great read. It’s part of a book called Intellectual Privacy due out by Oxford University Press in 2014.
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter