A Long-Standing Debate: Reflections on \u3ci\u3eRisk and Anxiety: A Theory of Data Breach Harms\u3c/i\u3e by Daniel Solove and Danielle Keats Citron

This jointly-authored Article contributes mightily to our understanding of a critical aspect of privacy: harm. As Professors Solove and Citron carefully evidence, courts are reticent to countenance the harms that flow from a violation of privacy, even as they compensate similar harms in other contexts. Thus while exposing a plaintiff to an environmental or health risk may be compensable, few decisions vindicate victims of a data breach unless or until they experience actual identity theft. Courts have recognized subjective harms such as fear since the night W de S threw his fateful axe at M de S. But courts seldom recognize harm in anxieties over data exposure so significant that they have contributed to suicide. Despite my widespread agreement with Risk and Anxiety, I suspect the analysis is missing a step. Presumably Congress can create a protectable interest—including a privacy interest—where none existed before. The question is whether Congress, with enough specificity of intent, could create a right to be free from privacy risk or anxiety or whether the very nature of these injuries somehow offends Article III. In this way, privacy harm turns out to be an interesting testing ground for a longstanding debate about the limits of legislatively conferred standing. And solving the puzzle of privacy harm arguably requires addressing this debate directly

Regulating Real-World Surveillance

A number of laws govern information gathering, or surveillance, by private parties in the physical world. But we lack a compelling theory of privacy harm that accounts for the state\u27s interest in enacting these laws. Without a theory of privacy harm, these laws will be enacted piecemeal. Legislators will have a difficult time justifying the laws to constituents; the laws will not be adequately tailored to legislative interest; and courts will find it challenging to weigh privacy harms against other strong values, such as freedom of expression. This Article identifies the government interest in enacting laws governing surveillance by private parties. Using social psychologist Irwin Altman\u27s framework of boundary management as a jumping-off point, I conceptualize privacy harm as interference in an individual\u27s ability to dynamically manage disclosure and social boundaries. Stemming from this understanding of privacy, the government has two related interests in enacting laws prohibiting surveillance: an interest in providing notice so that an individual can adjust her behavior; and an interest in prohibiting surveillance to prevent undesirable behavioral shifts. Framing the government interest, or interests, this way has several advantages. First, it descriptively maps on to existing laws: These laws either help individuals manage their desired level of disclosure by requiring notice, or prevent individuals from resorting to undesirable behavioral shifts by banning surveillance. Second, the framework helps us assess the strength and legitimacy of the legislative interest in these laws. Third, it allows courts to understand how First Amendment interests are in fact internalized in privacy laws. And fourth, it provides guidance to legislators for the enactment of new laws governing a range of new surveillance technologies--from automated license plate readers (ALPRs) to robots to drones

Controversy Over Information Privacy Arising From the Taiwan National Health Insurance Database Examining the Taiwan Taipei High Administrative Court Judgement No. 102-SU-36 (Tsai v. NHIA)

This article examines the limitations of the application of traditional information privacy theory to disputes relating to modern technologies. If information privacy is understood as an individual’s right to full control over his information, activities involving the collection, process and use of personal data cannot be conducted without the data subject’s consent because his privacy rights would be affected as a result of such activities. Instead of the privacy interest approach, this article introduces a privacy harm approach to reconcile the defects of traditional privacy theory. The privacy interest approach helps identify situations in which an individual’s information privacy conflicts with the free flow of information, and the privacy harm approach comes into play to precisely evaluate and determine the reasonable extent of protection of the respective interest. This article applies this privacy-harm-oriented approach to Taiwan Taipei High Administrative Court Judgment, Tsai v. NHIA, to examine that the modified information privacy theory is helpful to resolve the information privacy dispute at issue. This article elaborates the reasons why imposing a universal rule that the data controller must obtain the data subject’s consent before using his health data is of no real help in protecting health privacy and is detrimental to medical research. This notion can be supported by the following concepts: 1. shifting the liability of privacy protection to the data subject will increase the risk of privacy invasion; 2. in the multi-faceted privacy interest concept, granting decision-making rights to an individual cannot guarantee privacy protection; 3. it will add unreasonable costs to medical research. By applying the privacy harm approach, this article further analyzes the importance of considering the likelihood of privacy harm regarding health information. In this approach, because identifiable health information and identified health information are subject to different likelihoods of privacy harm, different degrees of privacy protection and privacy rules should apply to them in their respective contexts

The Hunt for Privacy Harms After \u3ci\u3eSpokeo\u3c/i\u3e

In recent years, due both to hacks that have leaked the personal information of hundreds of millions of people and to concerns about government surveillance, Americans have become more aware of the harms that can accompany the widespread collection of personal data. However, the law has not yet fully developed to recognize the concrete privacy harms that can result from what otherwise seems like ordinary economic activity involving the widespread aggregation and compilation of data. This Note examines cases in which lower federal courts have applied the Supreme Court’s directions for testing the concreteness of alleged intangible privacy injuries, and in particular how that inquiry has affected plaintiffs’ suits under statutes that implicate privacy concerns. This Note proposes that, in probing the concreteness of these alleged privacy harms, the courts, through the doctrine of standing, are engaging in work that could serve to revitalize the judiciary’s long-dormant analysis of the nature of privacy harms. It suggests that courts should look beyond the four traditional privacy torts to find standing for plaintiffs who bring claims against entities that collect and misuse personal information. This Note urges courts to make use of a nexus approach to identify overlapping privacy concerns sufficient for standing, which would allow the federal judiciary to more adequately address emerging privacy harms

A Feeling of Unease About Privacy Law

This essay responds to Daniel Solove\u27s recent article, A Taxonomy of Privacy. I have read many of Daniel Solove\u27s privacy-related writings, and he has made many important scholarly contributions to the field. As with his previous works about privacy and the law, it is an interesting and substantive piece of work. Where it falls short, in my estimation, is in failing to label and categorize the very real harms of privacy invasions in an adequately compelling manner. Most commentators agree that compromising a person\u27s privacy will chill certain behaviors and change others, but a powerful list of the reasons why this is a negative phenomenon that the law should seek to prevent is not a significant attribute of Solove\u27s taxonomy. That omission left this reader a little concerned about the ultimate usefulness of the privacy framework that Solove has developed. To phrase it colloquially, in this author\u27s view, the Solove taxonomy of privacy suffers from too much doctrine, and not enough dead bodies. It frames privacy harms in dry, analytical terms that fail to sufficiently identify and animate the compelling ways that privacy violations can negatively impact the lives of living, breathing human beings beyond simply provoking feelings of unease

Regulating Data Breaches: A Data Superfund Statute

Collecting and processing large amounts of personal data has become a fundamental feature of the modern economy. Personal data, combined with good data analytics, are valuable to businesses as they can provide highly detailed information about individual preferences and behaviors. This data collection can also be valuable to the consumer as it generates innovative products and digital platforms. The era of big data promises great rewards, but it is not without its costs. Data breaches, or the release of personal data into unwanted hands, are pervasive and increasingly massive in scale. Despite the personal privacy harm caused by data breaches, businesses can largely externalize the costs of these breaches to the public. While privacy harm is undoubtedly an important issue, the release of data generates arguably more significant social costs. This Note argues that policy makers should view the unwanted release of data as a form of pollution that dilutes critical public goods. As such, an effective regulatory solution to data breaches should mirror the current regulatory approaches to environmental pollution. Like the physical environment, the data environment is a complex and highly interconnected system; accordingly, there is unlikely to be a single best way to regulate it. Thus far, the United States has approached data regulation in a stepwise and targeted fashion, much like environmental regulation. This approach has some advantages, but there is a pressing need for more comprehensive regulation. Current proposals point to omnibus privacy laws like the European Union’s General Data Protection Regulation and the California Consumer Privacy Act as a solution. However, these regulations are ultimately privacy focused and impose high costs on the data economy. To balance these concerns, this Note proposes that Congress enact federal legislation implementing a data protection statute modeled after the Comprehensive Environmental Response, Compensation, and Liability Act

Understanding the Influence of Temporal Focus on Users’ Self-Disclosure on Social Networking Sites

Self disclosure decision making on social networking sites (SNSs) can be considered an intertemporal choice between gaining benefits at the present and experiencing privacy harm in the future. Prior research shows that people tend to overemphasize the immediate benefits while discounting the delayed risks, but it remains unclear how and why different SNS users may subjectively discount the long term risks against the short-term benefits. This paper considers heterogeneity in users’ self disclosure decisions by focusing on the effects of temporal focus (i.e., the degree to which people think about the past, present, and future) on users’ self disclosure willingness. Using online experiments, this study tests the effectiveness of different interventions that manipulate people’s temporal focus in influencing SNS self disclosure willingness. The findings of this study provide practical implications for the design of SNS platforms and development of data policies