• Law, Policy -- and IT?

    Tracy Mitrano explores the intersection where higher education, the Internet and the world meet (and sometimes collide).


2016: Year of Internet Standards

Starting with privacy.

January 4, 2016

Five areas of Internet law and policy stand out: privacy, security, accessibility, intellectual property and governance.  A central theme undergirds them all: standards.  Hence I shall deem 2016 the Year of Internet Standards.

Today I begin with privacy. Privacy is the most important area of law in the 21st century. It is brought to you by technology pushing the social norms envelope. It is also sufficiently comprehensive of a topic as to cover a wide swath of different types of law. Finally, privacy just might turn out to be the vocabulary that has the greatest chance to harmonize law and policy practices on the Internet.

Consumer Privacy

For example, with data privacy safe harbor knocked out of the box last year by the European Court of Justice, this year should bring a new agreement between the EU and the US on the handling of personally identifiable information.  Needless to say, we need harmonization on this front. Cross-continental transaction underpins global commerce.  Both the EU and US have to shave the excesses off of their positions to properly negotiate.

Each party’s strength is also its weakness. Believing that privacy is a fundamental human right, the EU stands forward on information privacy in a way the United States does not. This stance is wide but not deep, however.  The US has not made such a profound ideological commitment, at least not in the area of information privacy. Its sectoral approach in federal legislation (e.g. FERPA, GLBA, HIPAA) is chaotic and its mish-mash of state data breach laws are a mess. But it also should be acknowledged that within the silos of federal law there are more security controls and enforcement teeth than Europe. 

Readers of this blog already know that among different standards sets I go with the International Standards Organization (ISO). Why? The Internet is global by nature. For those who want to wear the U.S. flag in their approach, mapping exists between ISO standards and NIST, so no one need to get their knickers in a twist about which ones to adopt. If you do a lot of international business the choice should be obvious. Your legal counsel may have to take a few extra moments to absorb both international privacy law in consultation with your IT staff to adopt privacy practices and security controls. Donuts to dollars, you will be glad for the investment.  No one wants to be the institution that makes headlines because it failed to handle the data of its EU students appropriately, and especially if you have assets in an EU country. Moreover, higher education can and should set an example of harmonized transcontinental information privacy. ISO standards do the trick.

Government Surveillance Privacy

U.S. Congress should pass the LEADS Act. It is not a silver bullet that will address all surveillance privacy concerns domestically or internationally about the United States, but it is a practical and important start.

LEADS will clarify the gap in what rules are, or are not, in place by which law enforcement executes papers for content U.S. Internet companies store in servers abroad. Right now those rules are a Bleak House and not consistent even with legislation designed to address the point (such as our old friend, the Electronic Communications Privacy Act, or ECPA). This mess has resulted in a leading case on privacy and due process in the Second Circuit, U.S. v. Microsoft.  Congress doesn’t like when the courts make law, but what else is to be done when Congress fails in their responsibility to do so in the first place. 

LEADS Act also substantively sets the bar for content at a warrant.  That is an appropriate place given the landmark 1967 U.S. v. Katz case that established the Fourth Amendment rule for electronic communications. Internal inconsistencies plague ECPA but its fundamental problem is that it does not map the technology of the Internet to the Fourth Amendment in as clean of a manner as it was able to do for telephony in the year of its promulgation, 1986. LEADS alone will not fully correct that problem, but as an amendment to ECPA it sets reform at the correct legal level.

Pipe Dreams

Finally, repeating myself from 2013 new year hopes, perhaps Congress might get serious about reform of ECPA in 2016? It would be pretty to think so, but I am not holding my breath. So I will suggest something much more modest. Could we please have a simple, straight-forward federal data breach notification law that incorporates baseline international privacy and security standards? For the sake of our country’s own economic interests in a global market, it would be a boon if only we could get around our own self-defeating exceptionalism tropes. 


Be the first to know.
Get our free daily newsletter.


Back to Top