Scott Peppet, Privacy Deals
Comment by: Tanya Forsheit
Workshop draft abstract:
This paper examines a previously unexplored way in which markets may act to constrain privacy violations: through privacy-related contractual deal terms in mergers, acquisitions, financings, and other corporate transactions. The thesis is that corporate actors perceive regulatory risk related to information security and privacy, and that they seek to moderate that risk when acquiring or financing other entities by conducting privacy-related due diligence and including privacy-related terms in their deals. To the extent that such diligence and terms are effective, they not only prevent or dampen the success of privacy-negligent target firms in a given transaction but also may create a more widespread fear in startups that privacy negligence will prevent future acquisition, financial exit, or growth. This more widespread fear — that ignoring privacy concerns may mean missing out on a future exit — may have pro-privacy effects far beyond the actual threat of regulatory enforcement or prosecution. This paper explores “privacy deals” by interviewing privacy lawyers focused on M&A. It reports on the findings of those interviews, in particular the types of privacy-related deal terms already in use. It also compares different types of corporate transactions — such as acquisitions versus venture financings — to determine when in the life cycle of technology-related firms privacy begins to have transactional implications. Throughout, the goal of the paper is to shed light on the ways in which corporate transactions may or may not be privacy-protective, and to raise the legal and policy implications of such “privacy deals.”
Jennifer King, “How Come I’m Allowing Strangers to Go Through My Phone?”: Smart Phones and Privacy Expectations
Comment by: Scott Peppet
Workshop draft abstract:
This study examines the privacy expectations of smart phone users by exploring two specific dimensions to smart phone privacy: participants’ concerns with other people accessing the personal data stored on their smart phones, and applications accessing this data via platform APIs. We interviewed 24 Apple iPhone and Google Android users about their smart phone usage, using Altman’s theory of boundary regulation and Nissenbaum’s theory of contextual integrity to shape our inquiry. We found these theories provided a strong rationale for explaining participants’ privacy expectations, but there were discrepancies between users’ privacy expectations, smart phone usage, and the current information access practices by application developers. We conclude by exploring this “privacy gap” and recommending design improvements to both the platforms and applications to address it.
Scott Peppet, Privacy Intermediaries
Comment by: Allan Friedman
Workshop draft abstract:
The Article explores the possibility of introducing “Privacy Intermediaries” into sensitive informational privacy domains. Privacy intermediaries are third parties that take on a neutral role as between two parties to an informational transaction (e.g., a web user and a web site, a search engine and an advertiser, a GPS-enabled smartphone user and a Starbucks, etc.). Privacy intermediaries gather information from one party and pass it to another, but they can de-identify or alter it to conceal a user’s identity. They have fiduciary duties to those they serve—duties not to reveal information without true consent; duties to secure information; duties to keep confidences. The general idea is that in some contexts, privacy intermediaries may be able to provide the information needed for efficiency purposes while keeping much raw data private.
Privacy intermediaries are not an entirely new idea. Computer scientists have studied “interactive techniques” involving active data administrators who selectively filter and disclose information; health regulators have built the (somewhat related) idea of “health information trustees” or “information custodians” into draft health information legislation; mobile technology developers are exploring the idea of “data vaults” to make sensor data useful but private; and privacy advocates have argued for personal data storage and vendor relationship management. Several recent startups—Personal.com, i-Allow.com, the Locker Project—are pursuing these ideas in the market. This Article is the first legal scholarship to investigate the idea of privacy intermediaries in depth, and the first to explore its legal implications.
Those implications are complex. Most recent privacy scholarship has questioned the growing power of Internet intermediaries; this Article argues that we may need to strengthen, not weaken, intermediaries to bolster privacy. But how would privacy intermediaries work? What business model makes sense, is there a case for governmental subsidy, and what legal reforms (to Section 230, the third party doctrine, etc.) might be needed to truly effect their potential?
This Article explores these questions. Although it examines a prescriptive idea—the call for neutral third-party fiduciary Internet intermediaries—it is less a prescriptive argument for privacy intermediaries than an investigation of their potential and problems.