GGLT student paper

Three Years of GDPR: Enforcement (or Lack Thereof) and Its Impact on Cross-Border Contracts

The General Data Protection Regulation (GDPR) is widely touted as the greatest shift in data privacy regulation of the century—with protections of users’ rights in commercial use, as well as cross-border transfers, the GDPR establishes fundamental freedoms within digital spaces and codifies the rights of users across the European Union (EU). When the GDPR was introduced, the EU had high expectations of changing practices in relation to data collection, processing and transfer. Despite examples of penalties and fines being imposed on businesses, three years after the GDPR entered into force, the question remains: Has GDPR enforcement (or lack thereof) changed the way cross-border contracting is carried out? This article describes the EU’s initial plans for enforcement under the GDPR, discusses actual instances of enforcement over its three years of existence, and queries whether anything about the GDPR has changed cross-border contracting practices.

Since inception, EU supervisory authorities have levied approximately 1,034 fines and 1.6 billion Euro in penalties for violations under the GDPR. Nonetheless, since 2021, authorities appear to have ramped up enforcement. Between January and November 2021, DPAs filed 395 fines against companies, totaling over 1 billion Euro (eighty-one percent of all fines issued from the inception of the GDPR to November 2021).

However, very few enforcement actions have addressed cross-border contracting. Companies engaging in cross-border contracting could interpret this lack of interest from regulatory bodies as a sign that things may carry on as they did before the GDPR came into effect. While corporations may have altered attitudes towards customer engagement and data processing based on the GDPR, there is little evidence of changes to nuanced practices associated with cross-border contracts. Businesses seem far more focused on compliance with requirements related to contracts with users than requirements for contractual relationships internationally. Similar enforcement trends in the narrowed context of Chapter V protections against improper and unjustifiable cross-border data transfers remain to be seen.

Published in The Year in Review: An Annual Publication of the ABA International Law Section (vol 56 ABA/ILS YIR 67-72 (2022)). The article was written by Ali Strongwater (JD ‘23) and Izak Rosenfeld (Associate General Counsel, Access Now) during Ali’s externship at Access Now in Fall 2021.

Illicit Antiquities and the Internet: The Trafficking of Heritage on Digital Platforms

The contemporary internet has become the transnational marketplace for the sale and trafficking of illicit products, from drugs and guns to malware and stolen user information. Given the scale of these activities, these marketplaces have drawn the attention of international and national law enforcement bodies as well as scholars of cybersecurity and criminal activities. As such, these platforms have moved to the ‘dark web’ or other encrypted communication channels and separated from the ‘surface web’ platforms run by global platform companies, which are the increasing focus of both government regulation and scholars of data privacy law. Among such illicit goods, one is often ignored though globally traded via established marketplaces on social media platforms: looted antiquities. Although representing only a portion of an already small global illicit trafficking network, such activities on internet platforms, particularly Facebook, can cause immense damage to archaeological and cultural heritage sites. Such marketplaces on major internet platforms provide a unique case study in global data privacy and cybersecurity law that has largely gone unstudied. This paper analyzes the trafficking of illicitly acquired antiquities on a variety of internet platforms—particularly Facebook—as an illustration of issues with both the current framework of global data privacy law and the moderation and regulation of such transnational criminal activity. This note will review and critique the existing literature on platform moderation and digital infrastructure and propose and examine various solutions to the mechanisms by which illicit activities endure, specifically by focusing on the potential of multistakeholder collaboration to bring effectively targeted moderation to the trade in illicit antiquities online.

Published in the New York University Journal of International Law and Politics, Vol. 54 (2022), pp. 659-698. It received the journal’s award for the best student note published in the spring 2022 edition of the publication.

This paper originated in the Guarini Colloquium: Regulating Global Digital Corporations convened by Thomas Streinz and Joseph Weiler in fall 2020.

The Digital Markets Act (DMA): A Procompetitive Recalibration of Data Relations?

Since its publication in December 2020, the European Commission’s regulatory proposal for a Digital Markets Act (DMA) continues to be the subject of sustained political and academic interest, particularly in the United States and Europe. Part of the “European strategy for data”, the DMA is designed to address “the most salient incidences of unfair practices and weak contestability” in the digital economy, responding to concerns about the data-derived dominance of U.S. technology companies operating in Europe. This paper aims to provide the first comprehensive legal analysis of the DMA’s recalibration of data relations in the European Union. Through an analysis of the data-specific obligations imposed on gatekeepers under the DMA and their interaction with existing laws and jurisprudence, this paper finds that the proposed access rights and limitations on the collection, combination and use of data give rise to significant ambiguities and could make “Big Tech” the winners of an act originally designed to tackle their dominance. This paper also finds that the DMA may recalibrate data relations in favor of Chinese tech companies wishing to strengthen their position in the EU against their U.S. competitors. Nevertheless, this paper will show that the adoption of the DMA will be a positive first step in the direction of recalibrating data relations in a way that – once teased out by future enforcement and caselaw – could allow for a more active contestation of digital markets, and a freer flow of data.

This paper originated in the Global Data Law course. It was published by the Illinois Journal of Law, Technology and Policy, Volume 2022, Issue 1 (pp. 101-154).

Governing Data Markets in China: From Competition Litigation and Government Regulation to Legislative Ordering

Data, the most valuable commodity of our age, fuels today’s digital economy. Who owns these data and the rights associated therewith is now an inescapable question and a central concern. Under the current societal backdrop of powerful internet platforms able to wield the increasingly important economic role of data for their own advantage, current legislative frameworks have failed to keep pace with technological progress.

There is as yet no comprehensive or global legal framework of data property rights. In the People’s Republic of China (“PRC”), as in many other jurisdictions, domestic data ownership law remains unsettled. In this uncertain legal milieu, Chinese platform companies wage intense legal battles with each other and, in rare cases, with their service suppliers over control of user data. Paradoxically, China’s digital economy has boomed without the clear specification of data ownership. How has China managed the massive growth of its data markets and inter-company data disputes without any legal determinations as to who owns data?

This Article finds that the basic rules of Chinese data markets have developed through litigation between private companies under the precepts of anti-unfair competition law, by government mediation in high-profile cases between market-making entities, and by means of government regulation using existing and new legal and policy frameworks, including anti-monopoly law and other data-specific government policies on antitrust and cybersecurity. In addition, the Chinese central and local governments have enacted general legislation on key data issues and are refining their policy efforts via experimental pilot projects in various locales to further develop data markets.

The case studies in this Article reveal the present condition and the limitations of a legal regime in which the reality of data monetization precedes the legal issues of “ownership,” and illustrate the efforts taken by the Chinese government thus far. However, in its analysis of the Shenzhen legislative experiment, this Article offers a cautionary perspective on those reform efforts in the absence of a new comprehensive legal framework, by spotlighting the controversy within the Chinese academic and legal communities over issues of how ownership rights granted prematurely can introduce new challenges to the emerging questions of competition, innovation, knowledge, transparency, accountability, privacy, and the broader public interest.

Incremental development and experimentation, in the form of judicial rulings by the Chinese courts and state regulatory guidance as well as legislative actions that influence the evolution of existing law based on established principles of antitrust enforcement, IP regimes, and contracts, is a promising path to allay the concerns of premature legislation on data property rights—as any new legislation that upholds the status quo could run the risk of stifling both market innovation and competition.

Published in the George Mason International Law Journal, Vol. 13, Issue 1, pp. 1-27 (2022). The paper originated in Guarini Global Law & Tech’s Global Data Law course.

Potential Expropriation Claims Against Data Sharing Requirements

This paper explores potential expropriation claims against data sharing requirements. It finds that in formulating a viable claim of expropriation against mandatory data disclosures, the nature of the disclosure requirement matters. If the disclosure is likely to substantially affect the investor’s ability to benefit from the investment, it is likely to be considered an expropriation. As most data-driven businesses derive an economic benefit from their data through revenue and profit, it is likely an expropriation will be found where follow-on disclosure of data collected through a mandatory data disclosure regime to third parties substantially disrupts the investor from deriving revenue and profit from that data.

This paper was published as a commentary in the New York University Journal of International Law & Politics, Vol 54, Number 1 (Fall 2021), p. 249. The paper originated in the Global Data Law course.

Milling the F/LOSS: Export Controls, Free and Open Source Software, and the Regulatory Future of the Internet

This Note investigates U.S. export controls as they relate to free and open source software (FOSS), arguing that the U.S. government has responded to the challenges of modern software by attempting to force an ill-fitting framework to accommodate FOSS. A contemporary reexamination of the state of export controls over FOSS can help in mapping out the responses generated by national security interests to the challenges of the internet. In particular, the Note offers a detailed account of the ways in which federal export controls have excluded FOSS from their regulatory purview through a powerful public availability exemption. In doing so, regulators have essentially labeled publicly available software as unthreatening to national security, regardless of the potential uses of any particular code.

This paper has been published by the NYU Journal of Legislation & Public Policy, Vol 23, Issue 3 (2021). It originated in the Guarini Colloquium: Regulating Global Digital Corporations and also contributed to the Open Source Software as Digital Infrastructure project.

Personalization of Smart-Devices: Between Users, Operators, and Prime-Operators

Your relationships with your devices are about to get complicated. Remote operability of smart-devices introduces new actors into the previously intimate relationship between the user and the device—the operators. The Internet of Things (IOT) also allows operators to personalize a specific smart-device for a specific user. This Article discusses the legal and social opportunities and challenges that remote operability and personalization of smart-devices bring forth.

Personalization of smart-devices combines the dynamic personalization of code with the influential personalization of physical space. It encourages operators to remotely modify the smart-device and influence specific users’ behaviors. This has significant implications for the creation and enforcement of law: personalization of smart-devices facilitates the application of law on spaces and activities that were previously unreachable, thereby also paving the way for the legalization of previously unregulated spaces and activities.

The Article also distinguishes between two kinds of smart-devices operators: ordinary and prime-operators. It identifies different kinds of ordinary operators and modes of constraints they can impose on users. It then normatively discusses the distribution of first-order and second-order legal powers between ordinary operators.

Finally, the Article introduces the prime-operators of smart-devices. Prime-operators have informational, computational, and economic advantages that uniquely enable them to influence millions of smart-devices and extract considerable social value from their operation. They also hold unique moderating powers—they govern how other operators and users operate the smart-devices, and thereby influence all interactions mediated by smart-devices. The Article discusses the nature and role of prime-operators and explores paths to regulate them.

Published in the DePaul Law Review, Vol. 70, Issue 3 (Spring 2021), pp. 497-549. This paper originated in the Global Tech Law: Selected Topics Seminar.

Transparency as a First Step to Regulating Data Brokers

Over the past few years a number of legislative bodies have turned their focus to ‘data brokers.’ Data brokers hold huge amounts of data, both personally identifiable and otherwise, but attempts at data regulation have failed to bring them sufficiently out of the shadows. A few recent regulations, however, aim to increase transparency in this secretive industry. While transparency alone will not fully address concerns surrounding the data brokerage industry without additional actionable consumer rights, it is an important and necessary first step.

These bills present a new course for legislatures interested in protecting consumer privacy. The primary effect of these measures is to heighten transparency. The data brokerage industry lacks transparency because these companies do not have direct relationships with the consumers whose data they buy, package, analyze, and resell, and there is no opportunity for the consumer to opt out, correct, or even know of the data that is being sold. For companies regulated by the Fair Credit Reporting Act, such as traditional credit bureaus, customers have the right to request their personal data and request corrections if anything is wrong. But most collectors of data are not covered by the FCRA, and in those instances consumers often agree to click-wrapped Terms of Service provisions that include buried provisions allowing the collecting company to resell their data. Customers are left unaware that they have signed up to have their data sold, and with no assurances that that data is accurate.

Concerns with data brokers center on brokers’ relative opacity and the lack of public scrutiny over their activities. They control data from consumers with which they have no relationship, and in turn, consumers do not know which data brokers may have their data, or what they are doing with it. Standard Terms of Service contracts allow the original data collector to sell collected data to third parties, and allow those buyers to sell the data in turn, which creates a rapid cascade in which consumers, agreeing to the terms of service of one company, have allowed their personal data to proliferate to numerous companies of whose existence they may not even be aware. Proposed legislation would increase consumers’ access to information about how their data is being used, shining a light on the data brokerage industry and enabling consumers to limit the unfettered sharing of their data.

This paper was published by the NYU Journal of Legislation & Public Policy. Dillon took the first iteration of the Global Data Law course and worked subsequently as a Student Research Assistant in the Global Data Law project.

The Global “Last Mile” Solution: High-Altitude Broadband Infrastructure

This paper explains the reasons for communications infrastructure underdevelopment historically, taking into account the myriad ways governments, usually through national universal service mechanisms, have attempted to correct the underprovision and positing why this opportunity to create global broadband infrastructure has surfaced. In essence, this portion of the paper explains the last mile problem that innovative infrastructure projects purport to solve. It then describes the broadband infrastructure projects, the consequences of multi-jurisdictional regulatory complexities for bringing the projects to market, and the disruptive potential of the infrastructure to change the economics of broadband access and provision. Lastly, it considers whether the companies are indeed solving the last mile problem beyond mere provision. Accordingly, the potential impacts of Internet access are surveyed using Amartya Sen’s capability approach, which seeks to place the individual and his or her freedom at the center of development.

The paper originated in what was then the IILJ Colloquium: “International Law of Google” and is now the Guarini Colloquium: Regulating Global Digital Corporations. It was published in the Georgetown Law Technology Review, Vol. 4 (2019), 47-123.