Law in the Internet Society

Privacy Federalism

-- By PatricioMartinezLlompart - 10 Dec 2016

Call it “progressive federalism” or “state rights for the left,” the future of liberal criminal justice, immigration, and climate change policy may rest with local politicians willing to contest the Trump Administration on its legislative and administrative priorities. The local is also an important arena in which to mediate and consider the fate of privacy in the digital age.

Contra the federal executive’s and judiciary’s minimal efforts to protect digital privacy, in recent years, states have taken measures of varying degrees to safeguard personal privacy as the Net’s behavior-collection capabilities increased. Our historical moment makes the role of subnational governments as laboratories for political and legislative action of this sort only more urgent. But enthusiasm for the privacy protections that may arise subnationally must be qualified. With notable exceptions, the reach of current state privacy laws seems insufficient, and the most ambitious protections face potential constitutional challenges.

Contours of Subnational Action

In 2003 California pioneered a data breach notification law that requires both private and public organizations to notify consumers if their unencrypted personal data is acquired by unauthorized persons. Similar statutes have been adopted in almost every other state. California was also first to mandate via legislation that commercial websites and online services publish a privacy policy. The California Online Privacy Protection Act applies to mobile applications and was amended in 2013 to require disclosures by websites and other online services that monitor user activity "to build profiles of [user] behavior and interests.” Most recently, twenty-five states have legislated to bar employers from demanding access to their employees’ social media accounts as a condition of employment. More than a dozen states have adopted similar bills to protect student social media accounts from unwarranted access by their academic institutions.

Nonetheless, perhaps the high watermark of subnational privacy lawmaking are the statutes that regulate corporate collection and retention of biometrics—or attributes like fingerprints, retina scans, and facial geometry that can be used to identify a person. Biometric identifiers have become pervasive in the private sector. Financial institutions increasingly use biometric data to authenticate consumer identities, whereas social media networks employ biometrics in their photo tagging applications. Unlike replaceable identifiers such as social security numbers, breaches of biometric data may compromise a person’s identity for a lifetime.

Illinois became the first state to institute comprehensive biometric data protections, imposing stringent notice and consent requirements on companies that handle such information. Since 2008, the Illinois Biometric Information Privacy Act (BIPA) (1) requires businesses to obtain affirmative, informed consent before collecting biometrics; (2) prohibits the sale of biometric data; (3) mandates the creation of data retention guidelines; and (4) allows a private right of action for individuals harmed by violations of the act. Texas is the only other state to have enacted similar legislation, although it permits companies to sell biometric data under certain circumstances and does not create a private right of action.

Is Federalism Salvation?

It is unlikely existing federal law preempts state-level biometric regulation. Paul Schwartz observes most federal statutes mandating privacy guidelines for particular industries only set a floor, or basic threshold of protection, that states can well exceed. But the success of state biometric statutes may ultimately hinge on whether they impose an undue burden on interstate commerce and/or clash with the “Dormant” Commerce Clause. Generally, state regulation that affects interstate commerce is constitutional if it advances a legitimate local public interest and its “burden…on such commerce is not excessive in relation to putative local benefits.” A state law, however, may be unconstitutional when it conflicts with “dormant” interstate commerce. While states can regulate their local affairs in ways that affect interstate commerce “as long as they do not impermissibly trespass upon national interests,” the absence of federal regulation could reflect congressional desire that a particular issue remain unregulated, making state laws to the contrary constitutionally vulnerable.

Faced with a Commerce Clause challenge, Illinois and other states that adopt expansive biometrics regulations are likely to assert they have a legitimate interest in creating statutory safeguards for their citizens’ identities and personal information in the digital age. In turn, affected interstate market actors would maintain the burden of state-specific biometric regulation on their businesses transcends an “intangible,” governmental interest in the protection of individual privacy. For example, social media or photo-sharing platforms that employ biometric tools as a default would have to locate residents of BIPA states and provide them with an opportunity to provide affirmative consent. This, the companies would argue, translates into higher design and engineering costs just to engage in business within BIPA jurisdictions—the sort of burden on interstate commerce the Supreme Court rejected in Pike and South Pacific Co. v. Arizona as excessive in relation to a countervailing local public interest. Facebook recently pleaded a similar argument in its active litigation with a class of Illinois residents who allege the network’s “opt in” face-recognition photo tagging system violates BIPA. Companies could also contend BIPA violates dormant commerce on grounds that a patchwork of state-level biometric regulations clashes with a presumptive federal interest in national uniformity with regards to privacy law.

Salvation is Individual

Most states have yet to limit online service providers' capacity to profit off our digital lives. Disclosure mandates are insufficient if corporations act legally when they aggregate and package our behavior for sale. But despite the observable limits of current attempts at lawmaking, short-term legislative or legal innovations to protect digital privacy are likely to stem from this subnational scene. Local public officials across the partisan spectrum have demonstrated their willingness to talk privacy and grapple with the implications of its erosion in the digital era. Since the beginning of 2017, the legislatures of four states—Alaska, Connecticut, New Hampshire, and Washington—have introduced bills to regulate biometric data modeled after Illinois’ BIPA. It’s on us to mobilize and advocate for more. Only then will the promise of a right that enshrines privacy as a robust triad of secrecy, anonymity, and autonomy no longer be elusive.

Navigation

Webs Webs

r6 - 21 Feb 2017 - 03:19:21 - PatricioMartinezLlompart
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM