FALL 2007

Computer Law

Course No.  9200 711 001
Th 6:30 - 9:30 p.m.
Room W-214
Professor Jay Dratler, Jr.
Room 231D (IP Alcove)
(330) 972-7972
dratler@uakron.edu, dratler@neo.rr.com
Copyright © 2000, 2001, 2002, 2004, 2007   Jay Dratler, Jr.   For permission, see CMI.

Introduction to Data Privacy

1.  In the European Union, a comprehensive Directive governs the privacy of personal data.  An edited version of the Directive appears in the Casebook.

Unfortunately, there is no similar comprehensive law on privacy in the United States.  Instead, the United States protects the privacy of personal data with a hodge-podge of specialized laws for specific purposes.  These include: (1) the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510 - 2521, 2710 - 2712, whose two chapters protect electronic communications in transit and in electronic storage; (2) the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, which prohibits certain kinds of unauthorized access to computers; (3) the Fair Credit Reporting Act, 15 U.S.C. §§ 1681 - 1681u, which protects consumers against certain unauthorized uses of credit reports about them and gives them limited rights to review and correct those reports; (4) the Right to Financial Privacy Act of 1978, 12 U.S.C. §§ 3401 - 3422, which protects financial records in the hands of financial institutions from unauthorized access by governmental authorities; and (5) various state laws, including the four common-law torts described in the seminal article by Warren & Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890).  

2.  Because privacy protection in the United States is such a hodge-podge, asserting an individual's right to privacy—or even determining whether she has any—can be a frustrating and time-consuming job.  Often the answer is unknown or uncertain until litigation has established a new interpretation of an existing statute or an old common-law right.  This singe session on the subject is necessarily just a brief introduction.  Further study of privacy is included in the course on Cyberlaw.

3.  What is the legal effect of the EU's privacy directive?  Does it operate automatically on all private persons and firms within the EU, or does it require implementing legislation in each member state?  If the latter, might the EU become as much of a hodge-podge as the United States?

4.  What is the scope of the EU Directive or national legislation that enforces it?  Does it apply to (1) data entering the EU, (2) data exiting the EU, (3) data transmitted within the EU, (4) all of the above, or (5) none of the above?  Could it apply to data made available on a website from the United States?  from the EU?  If so, under what circumstances?

5.  What should an American firm do with the Safe Harbor Principles provided by the U.S. Department of Commerce?  Should its response depends upon how much business it does in the EU?  upon how whether and much personal data it gets from the EU?  upon how much personal data it provides to the EU, through a website or otherwise?  If a firm embarks on a privacy compliance audit for purposes of the hodge-podge of United States law, should it also do so with respect to EU law?  with respect to the Safe Harbor Principles only?

6.  Andrews is a decision under the Fair Credit Reporting Act involving identity theft.  What were the principal legal issues and what language in the statute invoked them?  Note that the court let the jury decide the substantive issues, while deciding the evidentiary issue against the plaintiff.  When the case goes back on remand, would you expect the jury to find the remaining issue in the plaintiff's favor?  Why or why not?     
Back to Top