Posts Tagged ‘privacy’

“What Does California’s New Data Privacy Law Mean? Nobody Agrees”

The new California law on consumer data is stringent but, as is so often the case with that state’s legislation, less than pellucidly clear [Natasha Singer, New York Times]:

“Companies have different interpretations, and depending on which lawyer they are using, they’re going to get different advice,” said Kabir Barday, the chief executive of OneTrust, a privacy management software service that has worked with more than 4,000 companies to prepare for the law. “I’ll call it a religious war.”

The new law has national implications because many companies, like Microsoft, say they will apply their changes to all users in the United States rather than give Californians special treatment.

Destructive rights of student inclusion

If you have wondered how the Parkland killer could have asserted a legal right to be “mainstreamed” into Marjory Stoneman Douglas High School despite a long history of violent tendencies, this investigation by the local newspaper may provide your answer.

In an eight-month investigation, the South Florida Sun Sentinel found that a sweeping push for “inclusion” enables unstable children to attend regular classes even though school districts severely lack the support staff to manage them. … Even threatening to shoot classmates is not a lawful reason to expel the child….

“It’s just a no-win scenario right now,” said attorney Julie Weatherly, of Mobile, Alabama, who advises school districts on the legal complexities of removing aggressive students when they have a disability. “Nobody wants a Parkland, of course. It’s this huge nightmare.”

Aside from IDEA, the federal disabled-rights-in-school law, and its sometimes even more stringent state counterparts, federal education privacy laws are involved as well. A Broward County teacher chose to break the rules after an elementary student “obsessed” over a girl, tormented her if she withheld attention, and on being removed from the classroom one day cried and screamed her name while throwing himself against a door:

The girl’s mother had no idea her daughter was being terrorized. Because of the student’s federally protected privacy rights, Budrewicz’s bosses cautioned her not to tell the mother — a warning she ultimately defied. The mom cried and thanked her and removed her daughter from the class the next day, she said.

[Brittany Wallman and Megan O’Matz, South Florida Sun-Sentinel; earlier here and here]

German court: search engines must deindex reports of 1981 double murder

In case you were wondering exactly where the supposed “right to be forgotten” leads in Internet regulation:

A convicted murderer in Germany has the right to get all mention of his crime deleted from internet search results under the EU’s “right to be forgotten” provision, Germany’s highest court has ruled.

Let’s hope the United States never decides to follow Europe’s path by restricting speech rights in the name of personal data erasure. [Bill Bostock, Business Insider]

Class action roundup

Liability roundup

“Wuest’s litigation history is more than unusual”

Judge William Alsup of the federal court in San Francisco has refused a motion to certify a privacy class action in which the named plaintiff would be a man who has “filed 10 other California Invasion of Privacy Act actions, none of which ever reached the class certification stage” but instead concluded with private settlements [Mario Marroquin, Legal NewsLine; Alison Frankel, Reuters]

“Wuest’s litigation history is more than unusual,” Alsup wrote. “This order finds that it shows a pattern of using the threat of class action to extract an undeserved premium on an individual claim. This pattern is further evidenced by the fact that in several of the cases, both Wuest and his counsel received settlement amounts disproportionate to maximum recovery allowed under the statute.

“The pattern is quite clear. The premium was something rightfully due to the ‘class’ but no absent putative class member ever got anything. Wuest and his counsel got it all.”

August 7 roundup

  • “We got nailed once because someone barehanded a bag of lettuce without a glove.” Kitchen-eye tales of NYC’s restaurant inspection regime [Saxon Baird, NY Eater]
  • Positive reviews for new HUD regs on housing discrimination, affordability, and supply [National Review: Roger Clegg; Salim Furth]
  • Sony isn’t making its robot companion dog available in Illinois because its facial recognition features fall under the state’s onerous Biometric Information Privacy Act; an earlier in-state casualty was Google’s “which museum portrait is your selfie like?” service [Megan Wollerton, CNet, earlier here and here] Is there any hope of slowing down the rush of class action suits filed under the law? [Chris Burt, Biometric Update]
  • Victory on a-peel: “3rd Circuit rules maker of banana costume is entitled to ‘fruits of its intellectual labor’” [ABA Journal, earlier here, etc.]
  • D.C. Circuit “Rips ‘Legal Artifice’ in Kasowitz Firm’s Megabillions Whistleblower Case” [Dan Packel, The American Lawyer; Cory Andrews, WLF]
  • Congress passes a law framed as pro-veteran, doesn’t take the time to spell out quite how it works, years later we meet the (presumably unintended) losers in the form of nonprofits that employ blind and deaf workers [Julie Havlak, Carolina Journal, quotes me]

Now, a push for more disclosure of who owns businesses

Cato event featuring David R. Burton, Richard Hay, Karen Kerrigan, & Diego Zuluaga:

Policymakers on both sides of the aisle have proposed new regimes for small-business beneficial ownership reporting. The aim of such legislation is to eliminate opportunities for money laundering and financial crime. However, the proposals before Congress would place heavy new compliance costs on millions of America’s small businesses while continuing to provide opportunities for bad actors to engage in illicit financial activities. Beneficial ownership reporting would add to an already onerous anti-money-laundering/know-your-customer (AML/KYC) regulatory burden, cited by community banks as the single most costly financial regulation. Furthermore, international experience with beneficial ownership reporting requirements suggests that it will be difficult to make such requirements work in the United States.

Earlier on money laundering and know your customer (KYC) regulations.

California Consumer Privacy Act: legislate in haste…

The California Consumer Privacy Act, drawn up hastily to avert a threatened ballot initiative, purports to create six new categories of data-related consumer rights, “including the right to know; the right of data portability; the right to deletion; the right to opt-out of data sales; the right to not be discriminated against as a user; and a private right of action for data breaches.” Although sometimes compared to the European GDPR, the two laws are different and compliance with the one enactment (which has been immensely expensive already) does not accomplish compliance with the other. Expect uncertainty, fines, the California specialty of entrepreneurial class-action litigation, and more tilting of compliance cost structures to the benefit of tech companies and advertising intermediaries big enough to afford to spread the high expense over large revenue streams [Alec Stapp, Truth on the Market; more: Al Saikali, Washington Legal Foundation; Petrina McDaniel, Elliot Golding and Keshia Lipscomb, Squire Patton Boggs]

One year later, the harms of Europe’s data-privacy law

The European Union’s General Data Protection Regulation (GDPR), which went into effect just over a year ago, has resulted in a broad array of consequences that are expensive, unintended, or both. Alec Stapp reports at Truth on the Market, with more discussion at Marginal Revolution:

GDPR can be thought of as a privacy “bill of rights.” Many of these new rights have come with unintended consequences. If your account gets hacked, the hacker can use the right of access to get all of your data. The right to be forgotten is in conflict with the public’s right to know a bad actor’s history (and many of them are using the right to memory hole their misdeeds). The right to data portability creates another attack vector for hackers to exploit.

Meanwhile, Stapp writes, compliance costs for larger U.S.-based firms alone are headed toward an estimated $150 billion, “Microsoft had 1,600 engineers working on GDPR compliance,” and an estimated 500,000 European organizations have seen fit to register data officers, while the largest advertising intermediaries, such as Google, appear to have improved their relative competitive position compared with smaller outfits. Venture capital investment in Euro start-ups has sagged, some large firms in sectors like gaming and retailing have pulled out of the European market, and as of March more than 1,000 U.S.-based news sites were inaccessible to European readers.

More in Senate testimony from Pinboard founder Maciej Ceglowski via Tyler Cowen:

The plain language of the GDPR is so plainly at odds with the business model of surveillance advertising that contorting the real-time ad brokerages into something resembling compliance has required acrobatics that have left essentially everybody unhappy.

The leading ad networks in the European Union have chosen to respond to the GDPR by stitching together a sort of Frankenstein’s monster of consent, a mechanism whereby a user wishing to visit, say, a weather forecast is first prompted to agree to share data with a consortium of 119 entities, including the aptly named “A Million Ads” network. The user can scroll through this list of intermediaries one by one, or give or withhold consent en bloc, but either way she must wait a further two minutes for the consent collection process to terminate before she is allowed to find out whether or not it is going to rain.

This majestically baroque consent mechanism also hinders Europeans from using the privacy preserving features built into their web browsers, or from turning off invasive tracking technologies like third-party cookies, since the mechanism depends on their being present.

For the average EU citizen, therefore, the immediate effect of the GDPR has been to add friction to their internet browsing experience along the lines of the infamous 2011 EU Privacy Directive (“EU cookie law”) that added consent dialogs to nearly every site on the internet.

On proposals to base legislation in the United States on similar ideas, see Roslyn Layton and Pranjal Drall, Libertarianism.org. [cross-posted from Cato at Liberty]