Preeminent privacy scholar and George Washington University Law School professor, Daniel Solove, joined Ropes & Gray’s virtual conference on “The Future of Global Data Protection,” for a wide-ranging discussion with Edward McNicholas, co-leader of the Ropes & Gray data, privacy & cybersecurity practice, in which the pair explored:
- The state of complexity and inconsistency in the international privacy law landscape
- The inherent flaws in the models on which privacy laws are currently based
- The risks of moving toward a regulatory model
- Theories of harm in data breach cases
- The role of the courts in adjudicating privacy laws
Please see below for an overview of some of these topics, or to access a recording of the session please visit our blog: RopesDataPhiles.
Complexity and inconsistency ahead
The session opened with an overview of the rapid evolution in the privacy space in recent years, with the passage of the EU, California, and Chinese approaches to data protection.
The two sadly agreed that with no reasonable probability of the Untied States Congress passing an overarching federal law anytime soon, this period of complexity and often incoherence is here to stay. Even if Congress could reach a consensus on the many significant issues associated with a comprehensive privacy law, such as whether to include a private right of action, states will continue to advance their own privacy legislation.
Nevertheless, Professor Solove voiced the optimistic view that despite the different iterations and inconsistencies with which we must grapple for the time being, the laws contain a sufficient number of commonalities such that, with the assistance of privacy counsel, companies can find a path to compliance.
Which privacy law is the fairest of them all?
The answer for Professor Solove is none. Considering CCPA/CPRA, the new laws in Virginia and Colorado, and GDPR, Professor Solove noted several fundamental flaws common to the underlying framework on which these laws are modeled.
For one thing, Professor Solove emphasized that these laws are unduly and narrowly focused on one dimension of privacy - the sale and transfer of data - to the exclusion of other important aspects. They are also rooted in and rely on individual rights as the primary enforcement mechanism. Professor Solove explained that while rights are a great supporting actor, the weight of the laws must be directed elsewhere.
Given the sheer number of companies with which consumers interact, asking them to monitor their data and the companies’ use thereof is a set of chores that Professor Solove believes individuals simply cannot accomplish. Part and parcel of this undue reliance on individual rights is the notice and choice model, which Professor Solove labeled a well-documented failure.
Referring to what he calls the myth of the privacy paradox, Professor Solove believes that consumers cannot actually exercise the choices presented to them for a multitude of reasons. It is not only difficult for consumers to understand the current potential for harm if they disclose certain information or choose not to opt out, but data collected now can also be combined with other information in the future and subjected to algorithms, the output of which consumers cannot predict let alone comprehend.
Analogizing to consumers purchasing products at the grocery store, Professor Solove pointed out that others have already inspected and ensured these items are safe, such that individuals do not have to take it upon themselves to research the originating farm or factory. Privacy needs something similar, as the current model does not enable consumers to make reasonable risk calculations.
The regulatory route
The panelists also discussed the possibility of the United States moving toward a regulatory model premised on the European Union’s notion of legitimate interests. Raising concerns of commercial free speech and the FTC, or a newly-established privacy agency, dictating what qualifies as a company’s legitimate interest, McNicholas noted the very real concern of bureaucrats acting as corporate censors. Professor Solove agreed, commenting that the question is ultimately who we want to decide.
While neither self-interested companies nor bureaucrats are appealing options, Professor Solove believes that the answer could lie in some sort of body comprising various stakeholders who delineate a set of boundaries or meaningful lines that companies cannot exceed. Although there will inevitably be edge cases, Professor Solove posited that in many instances, if we exercise reasonable and contextual judgment, there would be a fair amount of consensus as to where those lines should be.
Theories of harm in data breaches
McNicholas and Solove agreed that the theories of harm in data breach cases must be further litigated and refined. They agreed that laws and the courts have a misplaced focus on punishing companies that suffer a data breach to the exclusion of the many other actors that play a role both before and after the incident. Believing that it is not a win if the company is solely liable, Professor Solove concluded that progress can be made if all of the various actors who contribute to a data breach are held accountable for their actions.
The courts and privacy laws
The panel ended with a discussion of the courts’ role in the privacy space, with McNicholas noting in particular that four times in the last year the Supreme Court adopted a narrow approach to privacy in important respects: the Telephone Consumer Protection Act in Facebook v. Duguid, the FTC’s authority to seek monetary relief in AMG Capital Management v. FTC, the Computer Fraud and Abuse Act in Van Buren v. United States, and standing in TransUnion v. Ramirez.
On the standing cases in particular, Professor Solove stated they have all been wrongly decided, and Congress should have the right to define what constitutes harm without the courts subsequently imposing limited notions of common law harm. In his view, Congress should continue to press forward in spite of the prospect that the Court will create “mischief” here and there.