New York University Law Review
Current Issue

Volume 94, Number 4

October 2019
Symposium Articles

Safe Sharing Sites

Lisa M. Austin, David Lie

In this Article we argue that data sharing is an activity that sits at the crossroads of privacy concerns and the broader challenges of data governance surrounding access and use. Using the Sidewalk Toronto “smart city” proposal as a starting point for discussion, we outline these concerns to include resistance to data monopolies, public control over data collected through the use of public infrastructure, public benefit from the generation of intellectual property, the desire to broadly share data for innovation in the public interest, social—rather than individual—surveillance and harms, and that data use be held to standards of fairness, justice, and accountability. Data sharing is sometimes the practice that generates these concerns and sometimes the practice that is involved in the solution to these concerns.

Our safe sharing site approach to data sharing focuses on resolving key risks associated with data sharing, including protecting the privacy and security of data subjects, but aims to do so in a manner that is independent of the various legal contexts of regulation and governance. Instead, we propose that safe sharing sites connect with these different contexts through a legal interface consisting of a registry that provides transparency in relation to key information that supports different forms of regulation. Safe sharing sites could also offer assurances and auditability regarding the data sharing, further supporting a range of regulatory interventions. It is therefore not an alternative to these interventions but an important tool that can enable effective regulation.

A central feature of a safe sharing site is that it offers an alternative to the strategy of de-identifying data and then releasing it, whether within an “open data” context or in a more controlled environment. In a safe sharing site, computations may be performed on the data in a secure and privacy-protective manner without releasing the raw data, and all data sharing is transparent and auditable. Transparency does not mean that all data sharing becomes a matter of “public” view, but rather that there is the ability to make these activities visible to organizations and regulators in appropriate circumstances while recognizing the potential confidentiality interests in data uses.

In this way, safe sharing sites facilitate data sharing in a manner that manages the complexities of sharing while reducing the risks and enabling a variety of forms of governance and regulation. As such, the safe sharing site offers a flexible and modular piece of legal-technical infrastructure for the new economy.

The False Promise of Health Data Ownership

Jorge L. Contreras

In recent years there have been increasing calls by patient advocates, health law scholars, and would-be data intermediaries to recognize personal property interests in individual health information (IHI). While the propertization of IHI appeals to notions of individual autonomy, privacy, and distributive justice, the implementation of a workable property system for IHI presents significant challenges. This Article addresses the issues surrounding the propertization of IHI from a property law perspective. It first observes that IHI does not fit recognized judicial criteria for recognition as personal property, as IHI defies convenient definition, is difficult to possess exclusively, and lacks justifications for exclusive control. Second, it argues that if IHI property were structured along the lines of traditional common law property, as suggested by some propertization advocates, prohibitive costs could be imposed on socially valuable research and public health activity and IHI itself could become mired in unanticipated administrative complexities. Third, it discusses potential limitations and exceptions on the scope, duration, and enforceability of IHI property, both borrowed from intellectual property law and created de novo for IHI.

Yet even with these limitations, inherent risks arise when a new form of property is created. When owners are given broad rights of control, subject only to enumerated exceptions that seek to mitigate the worst effects of that control, constitutional constraints on governmental takings make the subsequent refinement of those rights difficult if not impossible, especially when rights are distributed broadly across the entire population. Moreover, embedding a host of limitations and exceptions into a new property system simply to avoid the worst effects of propertization begs the question whether a property system is needed at all, particularly when existing contract, privacy, and anti-discrimination rules already exist to protect individual privacy and autonomy in this area. It may be that one of the principal results of propertizing IHI is enriching would-be data intermediaries with little net benefit to individuals or public health. This Article concludes by recommending that the propertization of IHI be rejected in favor of sensible governmental regulation of IHI research coupled with existing liability rules to compensate individuals for violations of their privacy and abusive conduct by data handlers.

Contracting for Personal Data

Kevin E. Davis, Florencia Marotta-Wurgler

Is contracting for the collection, use, and transfer of data like contracting for the sale of a horse or a car or licensing a piece of software? Many are concerned that conventional principles of contract law are inadequate when some consumers may not know or misperceive the full consequences of their transactions. Such concerns have led to proposals for reform that deviate significantly from general rules of contract law. However, the merits of these proposals rest in part on testable empirical claims. We explore some of these claims using a hand-collected data set of privacy policies that dictate the terms of the collection, use, transfer, and security of personal data. We explore the extent to which those terms differ across markets before and after the adoption of the General Data Protection Regulation (GDPR). We find that compliance with the GDPR varies across markets in intuitive ways, indicating that firms take advantage of the flexibility offered by a contractual approach even when they must also comply with mandatory rules. We also compare terms offered to more and less sophisticated subjects to see whether firms may exploit information barriers by offering less favorable terms to more vulnerable subjects.

Machines as the New Oompa-Loompas: Trade Secrecy, The Cloud, Machine Learning, and Automation

Jeanne C. Fromer

In previous work, I wrote about how trade secrecy drives the plot of Roald Dahl’s novel Charlie and the Chocolate Factory, explaining how the Oompa-Loompas are the ideal solution to Willy Wonka’s competitive problems. Since publishing that piece I have been struck by the proliferating Oompa-Loompas in contemporary life: computing machines filled with software and fed on data. These computers, software, and data might not look like Oompa-Loompas, but they function as Wonka’s tribe does: holding their secrets tightly and internally for the businesses for which these machines are deployed.

Computing machines were not always such effective secret-keeping Oompa-Loompas. As this Article describes, at least three recent shifts in the computing industry—cloud computing, the increasing primacy of data and machine learning, and automation—have turned these machines into the new Oompa-Loompas. While new technologies enabled this shift, trade secret law has played an important role here as well. Like other intellectual property rights, trade secret law has a body of built-in limitations to ensure that the incentives offered by the law’s protection do not become so great that they harm follow-on innovation—new innovation that builds on existing innovation—and competition. This Article argues that, in light of the technological shifts in computing, the incentives that trade secret law currently provides to develop these contemporary Oompa-Loompas are excessive in relation to their worrisome effects on follow-on innovation and competition by others. These technological shifts allow businesses to circumvent trade secret law’s central limitations, thereby overfortifying trade secrecy protection. The Article then addresses how trade secret law might be changed—by removing or diminishing its protection—to restore balance for the good of both competition and innovation.

Data Standardization

Michal S. Gal, Daniel L. Rubinfeld

With data rapidly becoming the lifeblood of the global economy, the ability to improve its use significantly affects both social and private welfare. Data standardization is key to facilitating and improving the use of data when data portability and interoperability are needed. Absent data standardization, a “Tower of Babel” of different databases may be created, limiting synergetic knowledge production. Based on interviews with data scientists, this Article identifies three main technological obstacles to data portability and interoperability: metadata uncertainties, data transfer obstacles, and missing data. It then explains how data standardization can remove at least some of these obstacles and lead to smoother data flows and better machine learning. The Article then identifies and analyzes additional effects of data standardization. As shown, data standardization has the potential to support a competitive and distributed data collection ecosystem and lead to easier policing in cases where rights are infringed or unjustified harms are created by data-fed algorithms. At the same time, increasing the scale and scope of data analysis can create negative externalities in the form of better profiling, increased harms to privacy, and cybersecurity harms. Standardization also has implications for investment and innovation, especially if lock-in to an inefficient standard occurs. The Article then explores whether market-led standardization initiatives can be relied upon to increase welfare, and the role governmental-facilitated data standardization should play, if at all.

Global Data Privacy: The EU Way

Paul M. Schwartz

EU data protection law is playing an increasingly prominent role in today’s global technological environment. The cornerstone of EU law in this area, the General Data Protection Regulation (GDPR), is now widely regarded as a privacy law not just for the EU, but for the world. In the conventional wisdom, the EU has become the world’s privacy cop, acting in a unilateral fashion and exercising de facto influence over other nations through its market power. Yet, understanding the forces for convergence and divergence in data privacy law demands a more nuanced account of today’s regulatory environment.

In contrast to the established narrative about EU power, this Article develops a new account of the diffusion of EU data protection law. It does so through case studies of Japan and the United States that focus on how these countries have negotiated the terms for international data transfers from the EU. The resulting account reveals the EU to be both collaborative and innovative.

Three important lessons follow from the case studies. First, rather than exercising unilateral power, the EU has engaged in bilateral negotiations and accommodated varied paths for non-EU nations to meet the GDPR’s “adequacy” requirement for international data transfers. Second, while the adequacy requirement did provide significant leverage in these negotiations, it has been flexibly applied throughout its history. Third, the EU’s impressive regulatory capacity rests on a complex interplay of institutions beyond the European Commission. Not only are there a multiplicity of policy and lawmaking institutions within the EU, but the EU has also drawn on non-EU privacy innovations and involved institutions from non-EU countries in its privacy policymaking.

Finally, this Article identifies two overarching factors that have promoted the global diffusion of EU data protection law. The first such factor regards legal substance. Public discourse on consumer privacy has evolved dramatically, and important institutions and prominent individuals in many non-EU jurisdictions now acknowledge the appeal of EU-style data protection. Beyond substance, the EU has benefited from the accessibility of its omnibus legislative approach; other jurisdictions have been drawn to the EU’s highly transplantable legal model. In short, the world has weighed in, and the EU is being rewarded for its success in the marketplace of regulatory ideas.

Notes

Incentivizing the Care of Adult Family Members Through a Two-Part Tax Credit

Alexandra M. Ferrara

In the United States, nearly thirty-four million individuals provide informal care for their adult family members each year. Adult care recipients experience positive emotional and health-related outcomes when cared for by relatives, but this responsibility also places significant stress on caregivers. The government should subsidize and encourage family adult care, not only because of these social impacts, but also because this care can reduce healthcare costs. Family caregivers help their relatives avoid expensive institutional care and are also cost-efficient providers of care due to their relationships with the care recipients. The tax code is an effective and politically palatable vehicle through which the government can provide this subsidy, despite some structural limitations. However, existing and recently proposed tax incentives do not adequately target the benefits associated with family caregiving. Therefore, this Note proposes a new two-part advanced refundable tax credit that will help the government reduce costs and enhance social benefits.

Antitrust and Commitment Issues: Monopolization of the Dating App Industry

Evan Michael Gilbert

The Department of Justice and the Federal Trade Commission have largely abdicated their role to scrutinize and challenge mergers in zero-priced industries. This abdication derives from a Chicago School assumption that concentration in these industries will not lead to consumer harm. Due to the agencies’ hands-off approach to merger review, the digital economy is rapidly concentrating as firms are permitted to acquire their competitors with no meaningful antitrust supervision. Increased consolidation of ownership is evident in the dating app industry. One firm has acquired twenty-five rival dating apps in the past decade and now operates over forty-five distinct dating sites, including Tinder, OkCupid, and Hinge. In this Note, I argue that increased concentration and decreased competition in the dating app sector can lead to three types of consumer harm: price discrimination, deterioration of quality, and reduced data privacy.

Rejecting the Class Action Tolling Forfeiture Rule

James J. Mayer

This Note analyzes a circuit split over the application of the Forfeiture Rule, which holds that plaintiffs forfeit American Pipe tolling when they file individual actions before class certification has been resolved in the underlying putative class action. This Note rejects the Forfeiture Rule and argues that it misunderstands the purpose and rationale of American Pipe and class action tolling. Given the increased uncertainty facing class action plaintiffs, the policy and equity interests that motivated courts to adopt the Forfeiture Rule now require courts to abandon it. This is the first article to analyze the Forfeiture Rule’s history and evolution, to explore the impact of changes in class action jurisprudence on statutes of limitations on the Forfeiture Rule, and to argue against the continued viability of the Forfeiture Rule across the federal judicial system.

Local Government Plaintiffs and the Opioid Multi-District Litigation

Morgan A. McCollum

In late 2017, the U.S. Judicial Panel on Multidistrict Litigation ordered the consolidation of a few hundred cases pending around the country against opioid manufacturers and distributors into a Multi-District Litigation (MDL) in the Northern District of Ohio. Today, the Opioid MDL consists of over 1900 opioid-related cases brought primarily by states, cities, counties, and other local entities, and that number is growing weekly. Strikingly, these lawsuits are not, in their main, seeking damages for injuries to individuals. Rather, they are seeking compensation for the cost of public services needed to address the consequences of addicted communities, ranging from emergency response capabilities to rehabilitation services. The Opioid MDL is the first mass litigation to involve this number of local government plaintiffs, and although this Note predicts that the Opioid MDL, like most MDLs, will resolve in an aggregate settlement, the presence of local governments poses a unique problem for achieving that outcome. Mass litigation can only result in settlement if the settlement provides some guarantees to the defendants of “global peace”—meaning that the settlement forecloses all, or close to all, current and future litigation against the defendants—and any settlement arising out of the Opioid MDL will have to contend with resolving the claims of around 33,000 city, township, and county governments. Even though only a fraction of these local governments are currently part of the Opioid MDL, their presence leaves open the threat that absent localities will sue later, undermining the likelihood or value of any settlement. This Note discusses the various ways that a settlement could be structured with local governments by looking to prior mass tort litigation and applying the settlement tactics used in those cases to the Opioid MDL. In doing so, this Note proposes that even though the players in this MDL are unique, the solutions are not.

Title IX and Criminal Law on Campus: Against Mandatory Police Involvement in Campus Sexual Assault Cases

Meghan Racklin

This Note argues that policy proposals mandating law enforcement involvement in campus sexual assault cases are harmful to survivors of sexual assault and are inconsistent with Title IX. Title IX’s gender-equality goals require schools to address sexual assault as a civil rights issue, with a focus on its impact on survivors’ continued access to education. Mandatory police involvement proposals will frustrate that goal. These proposals take a criminal law view rather than a civil rights approach, and in doing so, import obstacles that survivors have long faced in the criminal system into the campus process. What is more, these proposals will have the effect of making it more difficult for survivors, particularly those from marginalized communities, to report their sexual assaults to their schools. If survivors are not able to report, they will not be able to access the accommodations they need to continue their education, and schools will not have the information they need to adequately combat sexual assault on campus. Efforts at reform would be better served by focusing on improving the campus process than on limiting survivors’ options.

Humberto in the Field: The Racialization of H-2A Migrant Farmworkers and a Dual Solution to Its Resulting Abuses

Camil A. Sanchez-Palumbo

“That Mexican’s probably off right now in some bar, laughing at us.” Humberto Casarrubias-Sanchez, thirty-six, was a husband, father of three, and first-time beneficiary of the United States’ H-2A temporary agricultural worker visa. Hailing from Morelos, Mexico, he had just begun his first day of detasseling corn in Illinois when, by day’s end, Humberto was nowhere to be found. Presuming he had fled, crew leaders shrugged their shoulders, ending the search for him early. His body was found fifty days later in the middle of that same cornfield. Using Humberto’s story and the crew leader’s words as evidence, this Note argues that historic racialization of Latina/o immigrants has transcended into the H-2A agricultural workers visa program, and that burgeoning migrant farmworker coalitions are rewriting these racialized narratives through political action that may create the cultural groundswell for government change. Racialization, or the way in which society places nonwhites within a racial hierarchy, has resulted in a system of abuses of H-2A workers, including wage theft, sexual harassment, and human trafficking. Through direct appeals to top food purchasers, coalitions of migrant farmworkers have subverted their racialized identities via political empowerment, perhaps ultimately attaining a “dual solution” to this racialization that would include necessary government support.