Froomkin, Arencibia & Colangelo on Safety as Privacy

A. Michael Froomkin (University of Miami – School of Law; Yale ISP), Phillip J. Arencibia (Duane Morris LLP), and Zak Colangelo (Lewis Brisbois Bisgaard & Smith LLP) have posted “Safety as Privacy” on SSRN. Here is the abstract:

New technologies, such as internet-connected home devices we have come to call ‘the Internet of Things (IoT)’, connected cars, sensors, drones, internet-connected medical devices, and workplace monitoring of every sort, create privacy gaps that can cause danger to people. In Privacy as Safety, 95 Wash. L. Rev. 141 (2020), two of us sought to emphasize the deep connection between privacy and safety, in order to lay a foundation for arguing that U.S. administrative agencies with a safety mission can and should make privacy protection one of their goals. This article builds on that foundation with a detailed look at the safety missions of several agencies. In each case, we argue that the agency has the discretion, if not necessarily the duty, to demand enhanced privacy practices from those within its jurisdiction, and that the agency should make use of that discretion.

This is the first article in the legal literature to identify the substantial gains to personal privacy that several U.S. agencies tasked with protecting safety could achieve under their existing statutory authority. Examples of agencies with untapped potential include the Federal Trade Commission (FTC), the Consumer Product Safety Commission (CPSC), the Food and Drug Administration (FDA), the National Highway Traffic Safety Administration (NHTSA), the Federal Aviation Administration (FAA), and the Occupational Safety and Health Administration (OSHA). Five of these agencies have an explicit duty to protect the public against threats to safety (or against risk of injury) and thus – as we have argued previously – should protect the public’s privacy when the absence of privacy can create a danger. The FTC’s general authority to fight unfair practices in commerce enables it to regulate commercial practices threatening consumer privacy. The FAA’s duty to ensure air safety could extend beyond airworthiness to regulating spying via drones. The CPSC’s authority to protect against unsafe products authorizes it to regulate products putting consumers’ physical and financial privacy at risk, thus sweeping in many products associated with the IoT. NHTSA’s authority to regulate dangerous practices on the road encompasses authority to require smart car manufacturers to include precautions protecting drivers from misuses of connected car data due to the car-maker’s intention and due to security lapses caused by its inattention. Lastly, OSHA’s authority to require safe work environments encompasses protecting workers from privacy risks that threaten their physical and financial safety on the job.

Arguably an omnibus, federal statute regulating data privacy would be preferable to doubling down on the U.S.’s notoriously sectoral approach to privacy regulation. Here, however, we say only that until the political stars align for some future omnibus proposal, there is value in exploring methods that are within our current means. It may be only second best, but it is also much easier to implement. Thus, we offer reasonable legal constructions of certain extant federal statutes that would justify more extensive privacy regulation in the name of providing enhanced safety, a regime that we argue would be a substantial improvement over the status quo yet not require any new legislation, just a better understanding of certain agencies’ current powers and authorities. Agencies with suitably capacious safety missions should take the opportunity to regulate to protect relevant personal privacy without delay.

Lubin on The Prohibition on Extraterritorial Enforcement Jurisdiction in the Datasphere

Asaf Lubin (Indiana University Maurer School of Law; Berkman Klein Center for Internet & Society; Yale University – Information Society Project; Federmann Cybersecurity Center, Hebrew University of Jerusalem Faculty of Law) has posted “The Prohibition on Extraterritorial Enforcement Jurisdiction in the Datasphere” (Handbook on Extraterritoriality in International Law (Austen L. Parrish and Cedric Ryngaert eds., forthcoming, 2022)) on SSRN. Here is the abstract:

The omnipresent and ever-fluid nature of the datasphere complicates the work of our cyber constables. Our conventional understanding of a sovereign’s right to exclude others—the prohibition on extraterritorial enforcement jurisdiction that was reaffirmed in the famous Lotus case—may start to feel somewhat anachronistic in the face of new emerging technologies for remote searches and seizures. Modern law enforcement agencies are further bolstered by a data ecosystem which centers around powerful corporate intermediaries who may, on occasion, be coopted or coerced to collaborate in incidents of extraterritorial enforcement overreach.

Consider, for example, the following non-exhaustive list of cyber enforcement activities. Which of these techniques might you deem tolerable when employed against a target abroad without the consent or knowledge of the foreign state? Which of these might you consider to be crossing a threshold, and what factual and legal factors might influence your determination?

(1) Data scraping from social media platforms, other websites, and open-access databases located on servers abroad to import information.
(2) Subverting the command-and-control server of an anonymized botnet operating from one of the corners of the “dark web.”
(3) Electronically tracing and restoring cryptocurrency payments that were paid to a foreign criminal cyber gang involved in a crippling ransomware attack.
(4) Compelling a domestically registered company to release certain data concerning a national involved in a domestic crime, where the data is stored abroad.

In this chapter I explore each of these four scenarios. Each scenario ties to a different aspect of the datasphere which frays at the edges of traditional doctrine. These four aspects are: (1) consent, (2) anonymization, (3) piracy, and (4) data un-territoriality. For each of these aspects I try to demonstrate how jurisdictional rules may evolve, as a matter of lex ferenda, to better balance territorial integrity and cyber stability. My analysis thus attempts to provide a preliminary taxonomy of certain categories of cyber policing activity that could serve as a roadmap for future rule-prescribers and rule-appliers. Given the rise in cybercrime in recent years the paper ultimately challenges the normative validity and factual sustainability of the current doctrinal tradeoffs between external sovereignty and cyber stability.

Pohle & Thiel on Digital Sovereignty

Julia Pohle (WZB Berlin Social Science Center) and Thorsten Thiel (same) have posted “Digital Sovereignty” (in Herlo, et al. (eds.): Practicing Sovereignty, Digital Involvement in Times of Crises (2021)) on SSRN. Here is the abstract:

Over the last decade, digital sovereignty has become a central element in policy discourses on digital issues. Although it has become popular in both centralized/authoritarian and democratic countries alike, the concept remains highly contested. After investigating the challenges to sovereignty apparently posed by the digital transformation, this essay retraces how sovereignty has re-emerged as a key category with regard to the digital. By systematizing the various normative claims to digital sovereignty, it then goes on to show how, today, the concept is understood more as a discursive practice in politics and policy than as a legal or organizational concept.