Computers, Privacy & the Constitution

A New Regulatory Scheme for Protecting Data Privacy

-- By JackFurness - 29 Apr 2021

Technology and the law go hand in hand. New technologies create a need for legislation to regulate previously unknown or unforeseeable behavior, but when the law fails to keep pace with technological growth, corporations tend to do what they do best: find ways to exploit these gaps for profit. Innovation has birthed a vast and pervasive trade in consumers’ data, but half a century on from the dawn of the internet, the ‘data economy’ has easily outgrown a regulatory framework that was never meant to constrain such activities. In the Wild West of the data economy, a piecemeal set of state and federal regulations, ill-suited constitutional provisions, and judge-made common law work to prevent the wholesale theft of user data for profit, but these efforts are a band-aid at best.

Without a new framework for data privacy, the band-aids can do little to stop the bleeding. However, a regulatory scheme pervasive enough to rein in data mining must surmount a dizzying array of legal challenges. One of the most significant of these is the constitutional commercial speech doctrine. Couched in a broad reading of the First Amendment, commercial speech doctrine requires that laws regulating the “speech” of corporations be carefully tailored to achieve the State’s goals and that the enacting government demonstrate a substantial interest that the law protects.

Recently, in Sorrell v. IMS Health, the Supreme Court clarified the contours of this doctrine as it applies to the data economy, making two points clear. First, the data privacy regulatory scheme must be either content-neutral or based on broad sectoral legislation resting on sweeping economic policy reforms. Second, the framework must focus not on the particular forms of speech to be regulated, but rather on the individual rights to be protected. Crafting a legislative proposal that meets these criteria is no easy task, but it’s here that the work must be done.

The Blueprint: A New Scheme for Regulating Commercial Speech

Early efforts to craft data privacy laws have largely been ineffective and may even do more harm than good. The statute at issue in Sorrell, for example, attempted to protect physicians’ privacy but instead led to the ossification of an expansive reading of the First Amendment that treats data mining as a protected form of speech. Thus, however counterintuitive it may seem, a systemic overhaul of the regulatory framework is less likely to offend commercial free speech doctrine.

A Non-Discriminatory Approach to Data Privacy

The first requirement for a data privacy regulatory scheme post-Sorrell is that the law must not discriminate on the basis of the entity doing the speaking. This can be accomplished either by making the law content-neutral or otherwise situating it in a sweeping overhaul of economic policy, broad enough to avert any challenges that the law unfairly targets individual sectors or actors.


A national data privacy law could avoid the pitfalls of Sorrell altogether by being content-neutral. That is, the law should limit, prohibit, or regulate the transfer of data wholesale, rather than attempt to do so only for certain types of data. While it is tempting to single out the most culpable actors with targeted legislation, such a law would violate the basic notion that commercial speech regulations must be justified without reference to the content of the regulated speech. Thus, a law that solely limits the ability of Facebook to collect user data for targeted advertising would be a violation of this principle, as would a law that prevents Google from harvesting a certain type of data from its users. Lawmakers should instead avoid naming or recognizing particular industries or actors altogether, crafting a law that applies with equal force from Big Tech on down.

A New Economic Policy Arrangement

A more aspirational approach would be to situate the regulation within an even broader set of economic policy initiatives. The Securities and Exchange Act of 1934 regulates the entities that trade securities, such as the New York Stock Exchange, as well as the act of trading itself, including the transfer of securities whether physical or virtual. The legal basis for such a regulation is Congress’ power to regulate interstate commerce. Today, securities can be bought and sold with the tap of a finger on a smartphone, and yet these ethereal, effortless transactions are still regulated by the Securities and Exchange Commission (SEC).

Much in the same way that the SEC regulates the transaction of securities, Congress could establish a new, independent agency to regulate the commercial exchange of consumers’ data. The mandate of such a commission would be to protect consumers and maintain orderly markets for consumer data, as the SEC does for securities. This commission could require corporations that trade in user data to follow proper guidelines, set by the commission in a way that maximizes privacy and shifts control over user data into the hands of consumers.

Protecting Individual Rights

The second requirement for this scheme is that it must clearly identify and respond to individual rights or freedoms. While regulations that burden a form of protected speech are presumptively invalid, laws protecting individual rights and freedoms, including an individual’s reasonable expectation of privacy, are not prohibited.

Most data collected online is collected surreptitiously. The government undoubtedly has an interest in protecting an individual’s expectation of privacy, and therefore this longstanding legal right, grounded in Fourth Amendment doctrine, should be the focus of the new data privacy regime. Congress could undertake to study the vastness of user data being bought and sold and demonstrate how unaware most consumers are of the consequences of this. By framing the motive behind the regulatory scheme as protecting a reasonable expectation of privacy rather than a prohibition on certain types of speech, Congress could more easily enact a law narrowly tailored to achieve that end.

Creating a new regulatory scheme for protecting data privacy is a herculean task, but such a framework is neither unimaginable nor unprecedented. A way forward exists; there need only be the will to make it a reality.

