Showing 9 of 176 Publications in Data Security & Privacy

Comments on the California Consumer Privacy Act (CCPA)

Regulatory Comments

We begin our analysis of the California Consumer Privacy Act (“CCPA”) with a discussion of the standardized regulatory impact assessment (SRIA) prepared for the AG’s Office by Berkeley Economic Advising and Research, LLC. The bottom-line cost figures from this report are staggering: $55 billion in upfront costs and $16.5 billion in additional costs over the next decade. The analysis includes large benefits as well, but as we show in the full comments, the actual costs are even higher than the SRIA estimates and the benefits fall far short of making up for those costs.

We also draw on the early evidence coming out of the EU related to GDPR enforcement and compliance to highlight some potential pitfalls that California is facing. In particular, after its first twelve-month period in force, the compliance costs were astronomical; enforcement of individual “data rights” led to unintended consequences; “privacy protection” seems to have undermined market competition; and there have been large unseen — but not unmeasurable — costs in forgone startup investment.

Finally, we note that, despite the DC Circuit trimming the FCC’s 2018 Restoring Internet Freedom Order, the fact remains that the FCC still retains a conflict-preemption authority to specifically preempt state laws that are incompatible with its regulations. The DC Circuit only limited the FCC’s ability to generally preempt all potentially conflicting state laws, requiring that each preemption be challenged in a fact-intensive inquiry. Similarly, it is also possible that the broad extent of the CCPA’s rules, and their impositions on firms outside of California’s borders, could lead to Dormant Commerce Clause challenges. Activities that “inherently require a uniform system of regulation” or that “impair the free flow of materials and products across state borders” violate the Dormant Commerce Clause. As the FCC noted in its RIF Order, Internet-based communications are one such type of activity.

We therefore offered the following suggestions:

  1. Clarify the definition of “personal information” so that it is not overinclusive of incidental information and also does not allow third parties to claim rights over others’ data;
  2. Stress that the “valuation” of data is a difficult exercise, and the requirements to value data when offering different tiers of service shall be interpreted liberally;
  3. Clarify that the definition of a “business,” which covers any firm that “receives for the business’s commercial purposes” an individual’s personal information, does not include firms that merely “receive” information on consumers as a normal part of operations. For example, a website that logs a user’s behavior through its site “receives” location, IP address, and other information about that user, but should not be included in such a broad definition;
  4. Delay implementation until there is a broadly available means of ensuring that firms can reliably ascertain the validity of user data requests (i.e., that third parties are not able to obtain information on the customers of firms by representing themselves as those customers, as is happening under the GDPR); and
  5. Use the authority granted by the CCPA to establish a necessary exception in order to comply with applicable federal law to temporarily delay implementation until (1) it is determined that the law does not violate the Dormant Commerce Clause, and (2) the AG’s Office has the opportunity to consult with the FCC and ensure that the CCPA is not subject to conflict-preemption in light of the FCC’s authority over Internet communications.
Data Security & Privacy

Why Data Is Not the New Oil

TOTM

“Data is the new oil,” said Jaron Lanier in a recent op-ed for The New York Times. Lanier’s use of this metaphor is only the latest instance of what has become the dumbest meme in tech policy. As the digital economy becomes more prominent in our lives, it is not unreasonable to seek to understand one of its most important inputs. But this analogy to the physical economy is fundamentally flawed. Worse, introducing regulations premised upon faulty assumptions like this will likely do far more harm than good.

Data Security & Privacy

7 Things Netflix’s ‘The Great Hack’ Gets Wrong About the Facebook–Cambridge Analytica Data Scandal

TOTM Despite its tone and ominous presentation style, The Great Hack fails to muster any support for its extreme claims. The truth is much more mundane: the Facebook-Cambridge Analytica data scandal was neither a “hack” nor was it “great” in historical importance.

This excerpt from the beginning of Netflix’s The Great Hack shows the goal of the documentary: to provide one easy explanation for Brexit and the election of Trump, two of the most surprising electoral outcomes in recent history.

Data Security & Privacy

The Third Circuit’s Oberdorf v. Amazon Opinion Offers a Good Approach to Reining in the Worst Abuses of Section 230

TOTM

In a remarkable ruling issued earlier this month, the Third Circuit Court of Appeals held in Oberdorf v. Amazon that, under Pennsylvania products liability law, Amazon could be found liable for a third party vendor’s sale of a defective product via Amazon Marketplace. This ruling comes in the context of Section 230 of the Communications Decency Act, which is broadly understood as immunizing platforms against liability for harmful conduct posted to their platforms by third parties (Section 230 purists may object to my use of “platform” as approximation for the statute’s term of “interactive computer services”; I address this concern by acknowledging it with this parenthetical). This immunity has long been a bedrock principle of Internet law; it has also long been controversial; and those controversies are very much at the fore of discussion today.

Data Security & Privacy

There’s Nothing “Conservative” About Trump’s Views on Free Speech and the Regulation of Social Media

TOTM Despite the simplistic narrative tying President Trump’s vision of the world to conservatism, there is nothing conservative about his views on the First Amendment and how it applies to social media companies.

Yesterday was President Trump’s big “Social Media Summit” where he got together with a number of right-wing firebrands to decry the power of Big Tech to censor conservatives online. According to the Wall Street Journal

Data Security & Privacy

Section 230 Principles for Lawmakers and a Note of Caution as Trump Convenes his “Social Media Summit”

TOTM

This morning a diverse group of more than 75 academics, scholars, and civil society organizations — including ICLE and several of its academic affiliates — published a set of seven “Principles for Lawmakers” on liability for user-generated content online, aimed at guiding discussions around potential amendments to Section 230 of the Communications Decency Act of 1996.

Data Security & Privacy

10 Reasons Why the California Consumer Privacy Act (CCPA) Is Going to Be a Dumpster Fire

TOTM

Last year, real estate developer Alastair Mactaggart spent nearly $3.5 million to put a privacy law on the ballot in California’s November election. He then negotiated a deal with state lawmakers to withdraw the ballot initiative if they passed their own privacy bill. That law — the California Consumer Privacy Act (CCPA) — was enacted after only seven days of drafting and amending. CCPA will go into effect six months from today.

Data Security & Privacy

Concluding Comments: The Weaknesses of Interventionist Claims (FTC Hearings, ICLE Comment 11)

Written Testimonies & Filings FTC Hearings on Competition & Consumer Protection in the 21st Century. Comments of the International Center for Law & Economics: Summing Up the FTC Hearings: Advocates for Increased Antitrust Intervention Failed to Make Their Case. Submitted Jun 30, 2019.

These comments represent ICLE’s review and commentary of the detailed record set forth during the FTC’s Hearings on Competition and Consumer Protection in the 21st Century. The hearings — and these comments — covered a wide range of topics from data security and privacy, to horizontal and vertical merger policy, anticompetitive unilateral behavior, and a host of contemporary issues that have arisen around the question of whether antitrust law is capable of dealing with potential harms to competition from modern firms. 

Specifically, the summary comments deal with the following topics.

I. The Consumer Welfare Standard

Opponents of the consumer welfare standard seek to return antitrust to the bygone era of courts arbitrarily punishing firms for successfully outcompeting their rivals or simply growing “too large.” The Commission should tread carefully before incorporating these ideas, which, during the course of its evolution in the 20th century, antitrust law carefully and correctly selected out.

II. Vertical Mergers

Based on the testimony heard during the hearings, there is no need to change the non-horizontal merger guidelines. If anything, vertical merger review should be pared back out of a recognition that the failure to account for dynamic effects (and the inherent difficulty of doing so) means it is likely that pro-competitive mergers are being deterred.

III. Vertical Discrimination

Concerns regarding vertical discrimination are predicated on the erroneous assumption that big tech platforms might be harming competition by favoring their content over that of their complementors. Not only is this fear overblown, but even the harms alleged are frequently ambiguous and provide benefits to some consumers.

IV. Technology Platforms and Innovation

Much of the analysis of popular technology companies is predicated on traditional market definition analysis, which infers future substitution possibilities from existing or past market conditions. This leads to overly-narrow market definitions and erroneous market power determinations. Thus, Amazon, Facebook, and Google are assumed — erroneously — to be unassailable monopolies.

V. Data Competition and Privacy

Data is a valuable input for companies competing in the digital economy. It is not, however, a magic bullet or holy grail, as some commenters suggested. As with other assets, companies can use data in both pro-competitive and anti-competitive ways. “Big data” may be a new term, but it does not pose unique problems for competition policy.

Antitrust & Consumer Protection

Gus Hurwitz appears on the Skating On Stilts Podcast

Presentations & Interviews

In the “News Roundup” of episode 269, “A McLaughlin Group for Cybersecurity,” Gus Hurwitz covers the Supreme Court’s ruling on when a forum is subject to First Amendment limits. The full episode is embedded below.

https://www.steptoe.com/podcasts/TheCyberlawPodcast-269.mp3

 

Data Security & Privacy