Gregory M. Dickinson (Stanford Law School) has posted “Toward Textual Internet Immunity” (Stanford Law & Policy Review, Forthcoming) on SSRN. Here is the abstract:
Internet immunity doctrine is broken. Under Section 230 of the Communications Decency Act of 1996, online entities are absolutely immune from lawsuits related to content authored by third parties. The law has been essential to the internet’s development over the last twenty years, but it has not kept pace with the times and is now deeply flawed. Democrats demand accountability for online misinformation. Republicans decry politically motivated censorship. And Congress, President Biden, the Department of Justice, and the Federal Communications Commission all have their own plans for reform. Absent from the fray, however—until now—has been the Supreme Court, which has never issued a decision interpreting Section 230. That appears poised to change, however, following Justice Thomas’s statement in Malwarebytes v. Enigma in which he urges the Court to prune back decades of lower-court precedent to craft a more limited immunity doctrine. This Essay discusses how courts’ zealous enforcement of the early internet’s free-information ethos gave birth to an expansive immunity doctrine, warns of potential pitfalls to reform, and explores what a narrower, text-focused doctrine might mean for the tech industry.
Graham Greenleaf (University of New South Wales, Faculty of Law) has posted “China Issues a Comprehensive Draft Data Privacy Law” ((2020) 168 Privacy Laws & Business International Report 1, 6-10) on SSRN. Here is the abstract:
The long-anticipated Law of the People’s Republic of China on the Protection of Personal Information (Draft) (‘PPIL’) was released by the Standing Committee of the National People’s Congress (SC-NPC), the second-highest legislative body in China, on 21 October 2020. Its enactment will be the culmination of a decade-long evolution. The article analyses the draft PPIL and considers where it goes beyond the previous benchmark, the CyberSecurity Law (CSL) of 2016, and compares aspects of the EU’s GDPR.
The article concludes that, while detailed conclusions await enactment, some things are clear enough. China’s draft law is well within the normal global range of data privacy laws, shows many GDPR influences, and goes beyond the GDPR on some points. It goes further in many respects than the 2016 CSL, and the 2017 PI Standard. The ‘enforcement toolkit’ is diverse, with ‘dissuasive’ sanctions, as the GDPR puts it. These apparently strong data privacy rights in the private sector must co-exist with a high level of government surveillance (including the ‘Social Credit’ system) but they are likely to be enforceable because China needs there to be public trust in its e-commerce sector, and aspects of e-governance, so credible data privacy laws are necessary.
Other than the absence of a DPA (specialised, or independent), the most important departure from ‘European’ norms is that the data export restrictions are largely at the discretion of the CAC, with no objective criteria, and other forms of data localisation are similar. Multiple risk points for foreign and local companies will result.
For other countries attracted to ideologies of ‘data sovereignty’, the ‘Chinese model’ (explained in the article) may prove an attractive one to emulate. Internationally, this will fit uncomfortably with both the EU’s GDPR and US laissez-faire. Disputes before international trade forums are likely to result.
Cary Coglianese (University of Pennsylvania Law School) has posted “Administrative Law in the Automated State” (Daedalus (Forthcoming)) on SSRN. Here is the abstract:
In the future, administrative agencies will rely increasingly on digital automation powered by machine learning algorithms. Can U.S. administrative law accommodate such a future? Not only might a highly automated state readily meet longstanding administrative law principles, but the responsible use of machine learning algorithms might perform even better than the status quo in terms of fulfilling administrative law’s core values of expert decision-making and democratic accountability. Algorithmic governance clearly promises more accurate, data-driven decisions. Moreover, due to their mathematical properties, algorithms might well prove to be more faithful agents of democratic institutions. Yet even if an automated state were smarter and more accountable, it might risk being less empathic. Although the degree of empathy in existing human-driven bureaucracies should not be overstated, a large-scale shift to government by algorithm will pose a new challenge for administrative law: ensuring that an automated state is also an empathic one.
David Erdos (University of Cambridge – Faculty of Law; Trinity Hall) has posted “The UK and the EU Personal Data Framework After Brexit: Another Switzerland?” on SSRN. Here is the abstract:
The UK-EU Trade and Cooperation Agreement sets out a pathway for the UK to have the closest relationship on personal data with the EU outside of the European Economic Area (EEA) and Switzerland. This is principally apparent in the area of justice and security where there is very extensive provision for data exchange including DNA and fingerprints. This exchange rests on specified common standards and will likely be complemented by the first ever EU adequacy agreement under the Law Enforcement Directive. In some contrast, understandings in the general area of data protection (at least outside direct marketing) point only to mutual adequacy. Whilst mandating “essentially equivalent” (GDPR, recital 104) protection, significant flexibility is retained. Given the UK’s distinct approach to data protection, the EU may find that it adopts a more divergent approach in the medium term than, for example, Switzerland. Bona fide implementation of the Council of Europe’s Data Protection Convention 108+ may provide a good lodestar for a more graduated regime which also seeks to clearly reconcile data protection with competing rights. The paper tentatively examines what that might entail for the proactive transparency rules, sensitive data regime, integrity provisions and specific restrictions. Any such reform would require great care and should not detract from the need for much more effective practical enforcement.