Towards a Global Data Privacy Standard

Total Page:16

File Type:pdf, Size:1020Kb

Towards a Global Data Privacy Standard Florida Law Review Volume 71 Issue 2 Article 3 Towards a Global Data Privacy Standard Michael L. Rustad Thomas H. Koenig Follow this and additional works at: https://scholarship.law.ufl.edu/flr Part of the Privacy Law Commons Recommended Citation Michael L. Rustad and Thomas H. Koenig, Towards a Global Data Privacy Standard, 71 Fla. L. Rev. 365 (). Available at: https://scholarship.law.ufl.edu/flr/vol71/iss2/3 This Article is brought to you for free and open access by UF Law Scholarship Repository. It has been accepted for inclusion in Florida Law Review by an authorized editor of UF Law Scholarship Repository. For more information, please contact [email protected]. Rustad and Koenig: Towards a Global Data Privacy Standard TOWARDS A GLOBAL DATA PRIVACY STANDARD1 Michael L. Rustad* & Thomas H. Koenig** Abstract This Article questions the widespread contention that recent updates to European Union (EU) data protection law will drive a disruptive wedge between EU and United States (U.S.) data privacy regimes. Europe’s General Data Protection Regulation (GDPR), which took effect in May 2018, gives all EU citizens easier access to their data, a right to portability, a right to be forgotten, and a right to learn when their data has been hacked. These mandatory privacy protections apply to non-EU companies that offer goods or services to EU consumers, whether through a subsidiary or a website. The “Brussels Effect” hypothesis projects a “race to the top” as multinational entities find it easier to adopt the most stringent data protection standards worldwide, rather than satisfying divergent data privacy rules. The GDPR is said to be a prime example of the Brussels Effect because of its aggressive extraterritorial scope that unilaterally imposes EU law on U.S. entities. This Article acknowledges a Brussels Effect, but there is also an overlooked “D.C. Effect” reflected in the GDPR’s adoption of many U.S. data privacy innovations. The GDPR imports long-established U.S. tort concepts for the first time into European privacy law, including deterrence-based fines, collective redress, wealth-based punishment, and arming data subjects with the right to initiate public enforcement. Under the GDPR, the EU Commission adopted “Privacy by Design” and security breach notification obligations, innovations pioneered in the U.S. The net effect of the GDPR is a bilateral transatlantic privacy convergence, which is rapidly evolving into a global data privacy 1. The authors would like to acknowledge the support, encouragement, and ideas of Professor Sara Dillon, who teaches European Union Law at Suffolk University and is Director of Suffolk University Law School’s program at the National University of Ireland-Galway. The research and editorial contributions of Suffolk University Law School research assistants Gherardo Astaldi, Sarah E. Halstorm, Leonard Phillips, Gerardo Santali, Elizabeth Saylor, and Oliver Stark were very valuable. Elif Kavusturan, a Suffolk Law School SJD student, and Noe Leiva, Esquire provided insightful suggestions. Thanks also to Seth Markley, Michael Rustad’s administrative assistant, for his technical and other assistance on this document. * Michael L. Rustad, the Thomas F. Lambert Jr. Professor of Law, is the Co-Director of Suffolk University Law School’s nationally ranked Intellectual Property Concentration. Professor Rustad is a member of the American Law Institute and served on the ABA Business Law Section’s Subcommittee on Information Licensing. In 2017 and 2018, Professor Rustad taught law school courses on U.S. v. EU privacy law in Suffolk’s summer program at the National University of Ireland-Galway. ** Thomas H. Koenig is a professor and former chair of the Sociology and Anthropology Department at Northeastern University in Boston. Professor Koenig is a founding member of both Northeastern University’s Law and Public Policy and its Cybersecurity Ph.D. programs. 365 Published by UF Law Scholarship Repository, 1 Florida Law Review, Vol. 71, Iss. 2 [], Art. 3 366 FLORIDA LAW REVIEW [Vol. 71 standard. Nations around the world, some U.S. states, and the major U.S.- based data processors are instituting policies harmonized with the GDPR. This Article argues that the GDPR has the potential to not only bring an end to the transatlantic data privacy wars, but to become the basis of a worldwide “gold standard” for global data privacy. INTRODUCTION .....................................................................................367 I. EU and U.S. Data Protection Compared ................................371 A. The Fundamentals of EU Data Privacy Law .................372 1. EU Privacy as a Fundamental Right .......................372 2. Charter of Fundamental Rights of the European Union ......................................................373 3. Data Protection Directive of 1995...........................373 4. The General Data Protection Regulation ................375 B. An Overview of U.S. Privacy Law..................................381 1. Sector-Specific Statutes ..........................................381 2. The FTC’s Role as a National Data Privacy Constable.................................................................381 3. FTC Enforcement Actions ......................................383 4. Privacy-Based Torts ................................................384 5. The ALI’s Data Privacy Principles Embody EU Privacy Norms ..................................................385 II. EVIDENCE OF A BRUSSELS EFFECT ON U.S. DATA PRIVACY LAW .........................................................................387 A. U.S. Companies Are Complying with the GDPR ...........389 B. U.S. Compliance with EU Data Transfer Rules.............396 1. Safe Harbor 1.0 .......................................................398 2. The ECJ’s Reversal of Safe Harbor 1.0 ..................400 3. Privacy Shield .........................................................402 4. Brussels Effect in the United States ........................403 C. Against the Brussels Effect: Areas of Divergence..........405 1. The Right to Be Forgotten & U.S. Privacy Law .....405 2. The Right to Rectification.......................................409 3. EU Consumers Have Rights Just Beginning to Evolve in the United States.................................410 III. THE “D.C. EFFECT” ON EUROPEAN DATA PROTECTION ..........411 A. How the United States Shapes EU Data Privacy Law ...411 1. Consent as a Common Cornerstone ........................412 2. Data Minimization ..................................................413 3. Privacy by Design ...................................................417 B. “U.S.- Style” Remedies Imported into the GDPR..........419 https://scholarship.law.ufl.edu/flr/vol71/iss2/3 2 Rustad and Koenig: Towards a Global Data Privacy Standard 2019] TOWARDS A GLOBAL DATA PRIVACY STANDARD 367 1. The GDPR Imports “U.S.-Style” Enforcement.......420 2. Data Security Breach Notification ..........................422 3. The U.S. Pioneered Laws Protecting Children’s Privacy...................................................424 4. Collective Redress Under the GDPR ......................425 5. Privacy Enforcement & Wealth-Based Punishment..............................................................429 IV. TOWARDS A GLOBAL DATA PRIVACY STANDARD...................431 A. The GDPR as a Global Privacy Standard......................431 1. African Data Privacy Law is Generally Undeveloped ...........................................................432 2. Most Asian Countries Align With the GDPR.........434 3. Central America’s Data Protection Developments..........................................................440 4. Eastern and Central America ..................................441 5. The GDPR is in Effect in Europe............................441 6. Data Protection Development in the Middle East .............................................................442 7. GDPR Compliance in North America.....................443 8. Oceania Data Protection Developments..................444 9. Data Protection Reform in South America .............445 10. Data Privacy in the Caribbean.................................448 B. Evidence for an Emerging Global Data Privacy Standard............................................................449 CONCLUSION .......................................................................................452 INTRODUCTION Dublin’s Silicon Docks is the center of operations for the European divisions of Twitter, Facebook, LinkedIn, and other top-ranked information technology companies.2 These subsidiaries of United States (U.S.) multinational companies must either comply with European Union (EU) privacy law or withdraw from the largest economy in the world.3 2. Other examples of U.S.-based high technology companies with subsidiaries headquartered in Ireland include Google Dublin, Apple Operations Dublin, Cisco Galway, Dropbox, and Dell/EMC. 3. The European Commission Directorate-General for Trade stated: Although growth is projected to be slow, the EU remains the largest economy in the world with a GDP per head of €25 000 for its 500 million consumers. The EU is the world's largest trading block. The EU is the world’s largest trader of manufactured goods and services. The EU ranks first in both inbound and outbound international investments. The EU is the top trading partner for 80 Published by UF Law Scholarship Repository, 3 Florida Law Review, Vol. 71, Iss. 2 [], Art. 3 368 FLORIDA LAW REVIEW [Vol. 71 Michael Rustad taught a course titled
Recommended publications
  • ICO – Privacy Impact Assessment Handbook
    Using this handbook Part 1 – Background information Part 2 – The PIA process Appendix 1 – The PIA screening questions Appendix 2 – Data protection compliance checklist template Appendix 3 – PECR compliance checklist template Appendix 4 – Privacy strategies Using this handbook Back to ICO homepage Advice on using this handbook Because organisations vary greatly in size, the extent to which their activities intrude on privacy, and their experience in dealing with privacy issues makes it difficult to write a ‘one size fits all’ guide. The purpose of this handbook is to be comprehensive. It is important to note now that not all of the information provided in this handbook will be relevant to every project that will be assessed. The handbook is split into two distinct parts. Part I (Chapters I and II) are designed to give background information on the privacy impact assessment (PIA) process and privacy. Part II is a practical “how to” guide on the PIA process. The handbook’s structure is intended to enable a reader who is knowledgeable about privacy to quickly start working on the PIA. Background information on privacy and PIAs is provided for other readers who would like some general information prior to starting the PIA process. It is also important to note that some of the recommendations in this handbook may overlap with work which is being done to satisfy other requirements, such as information security and assurance, other forms of impact assessment or requirements to carry out broader consultations during the development of a project. A PIA does not have to be conducted as a completely separate exercise and it can be useful to consider privacy issues in a broader policy context.
    [Show full text]
  • Reconciling Data Privacy and the First Amendment
    RECONCILING DATA PRIVACY AND THE FIRST AMENDMENT Neil M. Richards This Article challenges the First Amendment critique of data privacy regulaion- the claim that data privacy rules restrict the dissemination of truthful information and thus violate the FirstAmendment. The critique, which is ascendant in privacy discourse, warps legislative and judicial processes and threatens the consti- tutionalization of information policy. The First Amendment critique should be rejected for three reasons. First, it mistakenly equates privacy regulation with speech regulation. Building on scholarship examining the boundaries of First Amendment protection, this Article suggests that "speech restrictions" in a wide variety of commercial contexts have never triggered heightened First Amendment scru- tiny, refuting the claim that all information flow regulations fall within the First Amendment. Second, the critique inaccurately describes current First Amendment doctrine. To demonstrate this point, this Article divides regulations of information flows into four analytic categories and demonstrates how, in each category, ordinary doctrinal tools can be used to uphold the constitutionality of consumer privacy rules. Third, the critique is normatively unpersuasive. Relying on recent intellectual histories of American constitutional law, this Article argues that fundamental jurisprudentialreasons counsel against acceptance of the First Amendment critique. From the perspective of privacy law, there are striking parallels between the critique's advocacy of "freedom of information" and the discredited "freedom of contract" regime of Lochner. More importantly, from the perspective of First Amendment law, the critique threatens to obliterate the distinction between economic and political rights at the core of post-New Deal constitutionalism. Rejecting the FirstAmendment critique thus has real advantages.
    [Show full text]
  • Afghanistan ICT Assessment.Docx
    Assessment of Information and Communication Technologies in Afghan Agricultural Extension Written by Megan Mayzelle Maria-Paz Santibañez, Jessica Schweiger, and Courtney Jallo International Programs Office College of Agriculture and Environmental Sciences University of California Davis December 2014 © 2014 International Programs of CA&ES Environmental Horticulture Building Room #1103 University of California, Davis One Shields Avenue Davis, CA 95616 Tel: (530) 754-0275 http://ip.ucdavis.edu/ This document was developed under the auspices of the e-Afghan Ag project, which was funded by the United States Department of Agriculture and implemented by the International Programs Office of the College of Agricultural and Environmental Sciences at the University of California Davis from 2011-2014, as well as the Afghan Agricultural Extension Project, funded by the United States Agency for International Development and implemented by a consortium of universities led by the International Programs Office of the College of Agricultural and Environmental Sciences at the University of California Davis from 2014-2017. The primary purpose of the assessment was to inform project efforts and build organizational knowledge. The results have been positive in this regard, and we therefore provide the document to others with the aim to inform organizations seeking to employ information and communication technologies in Afghan agricultural development. While we have attempted to be as thorough and objective as possible, the information in this report is not based on systematic field tests and surveys, but rather but rather interviews, case studies, and literature reviews. Consequently, we refrain from making concrete recommendations. Rather, this report should be viewed as an introduction to information and communication technologies for agricultural development in Afghanistan.
    [Show full text]
  • Canadian Privacy Law: the Personal Information Protection and Electronic Documents Act (PIPEDA)
    International In-house Counsel Journal Vol. 2, No. 7, Spring 2009, 1135–1146 Canadian Privacy Law: The Personal Information Protection and Electronic Documents Act (PIPEDA) DOMINIC JAAR PATRICK E. ZELLER Legal Counsel Vice President & Deputy General Counsel Ledjit Consulting, Inc. Guidance Software, Inc. Canada United States This white paper provides a general overview of the Personal Information Protection and Electronic Documents Act (“PIPEDA”), and discusses both the privacy requirements imposed by that Act as well as the rules governing the use of electronic documents that it sets out. Overview Introduction to PIPEDA PIPEDA is the federal legislative response to growing concerns over the protection and use of personal information that is accumulated by both public and private organizations in the course of their day-to-day operations.1 The Act sets out rules governing how such information should be handled by the organizations that collect it, and under what circumstances it may be disclosed, either to third parties or to the individual who is the subject of the information. The Act contains two main parts. The first part sets out the rules governing the collection, retention and disclosure of personal information, as well as the remedies available in the event of a suspected breach. In essence, this part of the Act establishes a framework which attempts to balance the privacy rights of individuals with the needs of organizations to collect, use, and disclose personal information in the course of commercial activities. This part of the Act is discussed in sections I and II of this document. The second part of the Act describes the circumstances in which electronic alternatives may be used to fulfill legal obligations, which, under federal laws, require the use of paper documents to record or communicate information or transactions.
    [Show full text]
  • Off the Grid: Pinpointing Location-Based Technologies and the Law
    Off the Grid: Pinpointing Location-based Technologies and the Law Written By: Geoffrey White, Barrister & Solicitor External Counsel The Public Interest Advocacy Centre 1204 - ONE Nicholas St. Ottawa, Ontario K1N 7B7 June 2015 Copyright 2015 PIAC Contents may not be commercially reproduced. Any other reproduction with acknowledgment is encouraged. The Public Interest Advocacy Centre (PIAC) Suite 1204 ONE Nicholas Street Ottawa, ON K1N 7B7 Tel: (613) 562-4002 Fax: (613) 562-0007 E-mail: [email protected] Website: www.piac.ca Canadian Cataloguing and Publication Data ISBN 978-1-927707-03-6 Off the Grid? Pinpointing Location-Based Technologies and the Law Off the Grid? Pinpointing Location-Based Technologies and the Law Page 2 of 109 Acknowledgement Financial support from Industry Canada to conduct the research on which this report is based is gratefully acknowledged. The views expressed in this report are not necessarily those of Industry Canada or of the Government of Canada. The author would also like to thank Kent Sebastian, PIAC Student-at-Law 2014-15, Sarah Mavula, PIAC Summer Student 2014, and Jonathan Bishop, PIAC’s Research & Parliamentary Affairs Analyst, for their research and contributions. Any mistakes are solely the author’s. Off the Grid? Pinpointing Location-Based Technologies and the Law Page 3 of 109 Executive Summary Knowledge of the whereabouts of a person, and of a person’s movement patterns, can be very valuable, from a marketing perspective. Indeed, the scale and scope of the business opportunities associated with so-called location-based behavioural marketing and location- based services (collectively, location-based technologies) have been well-documented in the business literature.
    [Show full text]
  • Privacy Online: a Report to Congress
    PRIVACY ONLINE: A REPORT TO CONGRESS FEDERAL TRADE COMMISSION JUNE 1998 FEDERAL TRADE COMMISSION Robert Pitofsky Chairman Mary L. Azcuenaga Commissioner Sheila F. Anthony Commissioner Mozelle W. Thompson Commissioner Orson Swindle Commissioner BUREAU OF CONSUMER PROTECTION Authors Martha K. Landesberg Division of Credit Practices Toby Milgrom Levin Division of Advertising Practices Caroline G. Curtin Division of Advertising Practices Ori Lev Division of Credit Practices Survey Advisors Manoj Hastak Division of Advertising Practices Louis Silversin Bureau of Economics Don M. Blumenthal Litigation and Customer Support Center Information and Technology Management Office George A. Pascoe Litigation and Customer Support Center Information and Technology Management Office TABLE OF CONTENTS Executive Summary .......................................................... i I. Introduction ........................................................... 1 II. History and Overview .................................................... 2 A. The Federal Trade Commission’s Approach to Online Privacy ................. 2 B. Consumer Privacy Online ............................................. 2 1. Growth of the Online Market ...................................... 2 2. Privacy Concerns ............................................... 3 C. Children’s Privacy Online ............................................. 4 1. Growth in the Number of Children Online ............................ 4 2. Safety and Privacy Concerns ...................................... 4 III. Fair
    [Show full text]
  • Spotlight On… Protection of Sensitive Data Including Personal Information
    Spotlight On… Protection of Sensitive Data including Personal Information Purpose On Sept. 7, 2017 media reports indicated that a large American credit score bureau had been breached, exposing the personal information of millions of consumers in the U.S. and in the U.K. and potentially affecting 8,000 individuals in Canada. On November 28, 2017 the Canadian arm of this U.S. company posted information on its website indicating that an additional 11,670 Canadians had been affected by the breach, bringing the total number of Canadians affected to about 19,000. In response to CCIRC partner questions concerning this event, this product provides information on what organizations can do to reduce the risk of sensitive data, such as personal information, being exfiltrated from their organization. Information in this note includes: . The Canadian statutory definitions of personal information . Upcoming regulatory changes to data breach reporting in Canada . Examples of reported breaches of Canadian personal information . Tactics, techniques, and procedures employed to target Canadian personal information . Tips for safeguarding sensitive information . Advice from the Royal Canadian Mounted Police (RCMP) for individuals who believe their personal information may have been compromised What is “Personal Information”? According to the Office of the Privacy Commissioner of Canada (OPC), these are the statutory provisions relevant to the meaning of “Personal Information” in Canada: Section 2(1) of the Personal Information Protection and Electronic Documents
    [Show full text]
  • Digital Gerrymandering 24
    00 01 02 03 04 05 06 07 08 09 10 11 12 Policy & Government Digital Gerrymandering Near-future pessimistic scenario Electoral districts have long been shaped and manipulated to the benefit or disadvantage of certain political parties, and as network connectivity becomes a major factor affecting citizens’ quality of life, access to resources, and even the ability to vote, the practice of gerrymandering is translated to the digital realm. Building on the tactics of traditional gerrymandering, some districts are “packed”— incumbent politicians strategically place high-speed internet in a select few districts to consolidate constitu- ents of the opposing party in fewer locales, minimizing their presence in contested districts and thus weakening their ability to sway elections. Other districts, where constituents of the opposing are already concentrated, are “cracked”—incumbent politicians throttle connectivity or undermine the installation and maintenance of network infrastructure in order to disperse their opponents’ vot- ers, diluting their electoral impact. No politician will give up the opportunity to gain an advantage over their rivals, and weaponizing connectivity is a clever (if sinister) way to do just that. Scenarios24 © 2021 Future Today Institute 00 01 02 03 04 05 06 07 08 09 10 11 12 Policy & Government Watch Closely Informs Strategy Act Now 2ND YEAR ON THE LIST Techno-Nationalism KEY INSIGHT EXAMPLES DISRUPTIVE IMPACT EMERGING PLAYERS A great decoupling is underway, as the • U.S. Department of State In the digital age, a China’s new Foreign Investment Law U.S. and Chinese tech sectors are cleaved imposes strict rules for vetting foreign • Committee on Foreign Investment in nation’s technology apart by national governments.
    [Show full text]
  • Principles of Internet Privacy
    Maurer School of Law: Indiana University Digital Repository @ Maurer Law Articles by Maurer Faculty Faculty Scholarship 2000 Principles of Internet Privacy Fred H. Cate Indiana University Maurer School of Law, [email protected] Follow this and additional works at: https://www.repository.law.indiana.edu/facpub Part of the Computer Law Commons, and the Law and Society Commons Recommended Citation Cate, Fred H., "Principles of Internet Privacy" (2000). Articles by Maurer Faculty. 243. https://www.repository.law.indiana.edu/facpub/243 This Article is brought to you for free and open access by the Faculty Scholarship at Digital Repository @ Maurer Law. It has been accepted for inclusion in Articles by Maurer Faculty by an authorized administrator of Digital Repository @ Maurer Law. For more information, please contact [email protected]. Principles of Internet Privacy FRED H. CATE* I. INTRODUCTION Paul Schwartz's InternetPrivacy and the State makes an important and original contribution to the privacy debate that is currently raging by be- ginning the process of framing a new and more useful understanding of what "privacy" is and why and how it should be protected.' The definition developed by Brandeis, Warren,2 and Prosser,3 and effectively codified by Alan Westin in 1967---"the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others"---worked well in a world in which most privacy concerns involved physical intrusions (usually by the government) or public disclosures (usually by the media), which, by their very nature, were comparatively rare and usually discovered.
    [Show full text]
  • GDPR Is Here: What to Expect Now?
    GDPR Is Here: What to Expect Now? Brett Lockwood Smith, Gambrell & Russell, LLP June 19, 2018 Agenda Principal Obligations Related Developments Under GDPR & What’s Ahead E.U. / U.S. Compliance Comparison & Best Practices GDPR Obligations Summary • E.U. General Data Protection Regulation (GDPR) was effective May 25, 2018 • Replaces 1995 E.U. Privacy Directive, with many new provisions: enhanced personal rights, affirmative consent, breach notice and DPO requirements • Very broad and process oriented • Essentially: If you process personal data of a person in the E.U. or processing is in the uE.U. or yo are a controller or processor in the E.U. then GDPR applies • Penalties –greater of €20 MM or up to 4% of worldwide revenue GDPR Obligations Key Definitions • Data Subject: an identified or identifiable natural person • Personal Data: any information relating to a Data Subject • Processing: any operation which is performed on personal data • Controller: one who determines the purposes and means for the processing of personal data • Processor: one who processes personal data on behalf of a controller (Art. 4) GDPR Obligations Major Requirements • Governing Principles for Processing Personal Data (Arts. 5, 24 & 25) ► Processing must be lawful, fair and transparent ► Processed for specified, explicit and legitimate purpose ► Adequate, relevant and limited to processing purpose ► Must be accurate and kept updated without delay ► Maintained only as long as necessary for processing purpose ► Must ensure appropriate security GDPR Obligations Major Requirements (Continued) • Affirmative consent from data subject (or guardian) or another lawful basis (e.g., legitimate interest or contract fulfillment) is needed to process data (Arts.
    [Show full text]
  • Annex E Aid-For-Trade Case Stories Overview
    ANNEX E AID-FOR-TRADE CASE STORIES OVERVIEW Reference Author Title Sector number 1 International Trade Moroccan businesses boost exports of processed food, Public sector case story Centre seafood and leather goods www.oecd.org/aidfortrade/casestories/casestories-2017/CS%2001-Moroccan-businesses-boost-exports-of-processed- foods-seafood-and-leather-goods%20.pdf 2 Alliance for Affordable Affordability Report 2015/16 Academia and NGOs Internet (A4AI) case story www.oecd.org/aidfortrade/casestories/casestories-2017/CS-02-A4AI-Affordability-Report-2015-16.pdf 3 Alliance for Affordable Affordable internet in Ghana: the status quo and Academia and NGOs Internet (A4AI) the path ahead case story www.oecd.org/aidfortrade/casestories/casestories-2017/CS-03-A4AI-Affordable-Internet-in-Ghana.pdf 4 Alliance for Affordable Affordable Internet in the Dominican Republic Academia and NGOs Internet (A4AI) case story www.oecd.org/aidfortrade/casestories/casestories-2017/CS-04-A4AI-Affordable-Internet-in-the-Dominican-Republic.pdf 5 Alliance for Affordable Delivering affordable internet in Myanmar Academia and NGOs Internet (A4AI) case story http://www.oecd.org/aidfortrade/casestories/casestories-2017/CS%2005-A4AI-Affordable-Internet-in-Myanmar.pdf 6 Alliance for Affordable Nigeria: how Africa's largest economy is prioritising Academia and NGOs Internet (A4AI) affordable internet case story www.oecd.org/aidfortrade/casestories/casestories-2017/CS-06-A4AI-Affordable-Internet-in-Nigeria.pdf 7 Mace Promotions, Ltd. Sustainability and Empowerment Initiative Private
    [Show full text]
  • Law, Technology, and Public Health in the COVID-19 Crisis
    Privacy in Pandemic: Law, Technology, and Public Health in the COVID-19 Crisis Tiffany C. Li* The COVID-19 pandemic has caused millions of deaths and disastrous consequences around the world, with lasting repercussions for every field of law, including privacy and technology. The unique characteristics of this pandemic have precipitated an increase in use of new technologies, including remote communications platforms, healthcare robots, and medical AI. Public and private actors alike are using new technologies, like heat sensing, and technologically influenced programs, like contact tracing, leading to a rise in government and corporate surveillance in sectors like healthcare, employment, education, and commerce. Advocates have raised the alarm for privacy and civil liberties violations, but the emergency nature of the pandemic has drowned out many concerns. This Article is the first comprehensive account of privacy in pandemic that maps the terrain of privacy impacts related to technology and public health responses to the COVID-19 crisis. Many have written on the general need for better health privacy protections, education privacy protections, consumer privacy protections, and protections against government and corporate surveillance. However, this Article is the first comprehensive article to examine these problems of privacy and technology specifically in light of the pandemic, arguing that the lens of the pandemic exposes the need for both wide-scale and small-scale reform of privacy law. This Article approaches these problems with a focus on technical realities and social * Visiting Clinical Assistant Professor, Boston University School of Law; Fellow, Yale Law School Information Society Project. The author thanks Tally Amir, Chinmayi Arun, Jack M.
    [Show full text]