The Program on Economics & Privacy (PEP) at George Mason University Antonin Scalia Law School invites applications for the 2019 – 2020 Privacy Fellowship. We seek authors to develop and present original work that focuses on the law and economics of issues surrounding the increasing regulatory scrutiny of online platforms. Issues of interest include, but are not limited to:
PEP marked the end of the academic year with the seventh annual Public Policy Symposium on the Law & Economics of Privacy and Data Security. Speakers included:
Public demand for stronger privacy laws has reached a critical point, and congress is likely to pass sweeping, cross-technology and cross-industry privacy legislation for the first time in US history. This is an exciting juncture for information policy, but also a perilous one. Poorly constructed privacy laws can frustrate the interests of the people they are meant to protect.
In her newest white paper, PEP Director Jane Bambauer explains why an evidence-based privacy law would not look like the GDPR or the CCPA, and offers the contours (and even model language) of a statutory scheme that would better serve the modern American consumer.
You can read the full paper and model legislation here.
Registration is now open for PEP’s Seventh Annual Public Policy Symposium on the Law & Economics of Privacy and Data Security. The Symposium will be held Friday, May 10, 2019 in the Founders Hall Auditorium at GMU’s Scalia Law School.
Click here for the Symposium agenda and to register.
On March 12, 2019, PEP Director Jane Bambauer testified before the Senate Judiciary Committee on the likely impact of GDPR and the CCPA on innovation and consumer welfare. Following her testimony, Senator Lindsey Graham requested that Jane expand her testimony by answering a series of written questions. Jane provided her responses on April 3, 2019.
You can read the Committee’s questions and Jane’s responses here.
On Tuesday, March 12, 2019, PEP Director Jane Bambauer will give testimony to the Senate Judiciary Committee on The Perils of Privacy as Property: The Likely Impact of GDPR and the CCPA on Innovation and Consumer Welfare.
You can read Jane’s prepared testimony here.
This dispatch of the PEP report takes a fly-over view of the year that just came to a close. Here are a few of the most important developments in policy and research related to privacy, data security, and data stewardship.
Story of the Year
News that Cambridge Analytica collected data on millions of Facebook users and exploited it to perform political consulting services has caused a seismic shift in privacy debates. For many observers, the scandal moved our attention to the particulars of data ownership over to more fundamental questions about the nature of data-related harm. Most of the observations from civil society describe that harm in terms of manipulation and deceit. For example, a report by the New America Foundation summarizes the Cambridge Analytica events and other related scandals this way:
“The central theme in these scandals is the power of the major digital media platforms to track, target, and segment people into audiences that are highly susceptible to manipulation. These companies have all profited enormously from this market structure, and they have done little to mitigate potential harms.”
In 2014 and 2015, the research company Cambridge Analytica was able to amass a database of information on 87 million Facebook users, based on the survey results of just a few hundred thousand personality quiz participants. The company then used this data to try to get political consulting clients. In her new white paper, Program on Economics & Privacy Director Jane Bambauer argues that while almost everyone agrees that something went wrong here, defining the harm such that it can elucidate the best course for public policy is an exceedingly difficult task.
This issue raises multiple concerns, each deserving of careful consideration, but which have divergent implications for how policymakers should respond. Professor Bambauer’s paper uses the Cambridge Analytica episode to explore why the meaning of a privacy-related harm is so difficult to define and why lawmakers are wise to proceed with caution as they develop new privacy laws.
You can read the full paper here.
In his new white paper, Are Firms and Consumers Investing Enough in Data Security?, Program on Economics & Privacy affiliated scholar, Sasha Romanosky surveys the cybersecurity terrain and shows the gaps in the tool set used to assess cyber risks and resulting harms in order to answer the question of whether firms and consumers take enough care to protect personal information.
Many consumer advocates and security and privacy professionals have concluded that companies are not spending enough on IT security. Their assessments are buttressed by the numerous reported cyber incidents and data spills over the past decade. Clearly, these security breaches, privacy intrusions, and software vulnerabilities show that companies are not spending enough to protect consumers’ data and produce safe applications. But there are two problems with this conventional wisdom. First, it ignores the consumer in the model of optimal data security. And second, it wrongly assumes that the right level of security investment would eliminate data breaches altogether.
This white paper helps correct the discussion on both counts.
Read the full report here.
The Federal Trade Commission is hosting a series of hearings on Big Data to air and understand our current evidence base. Last week, the hearings on “Competition and Consumer Protection in the 21st Century” were held at American University Washington College of Law. (You can watch the speakers here.) This post will provide a summary of the first panel of the hearings, which I thought was one of the highlights of the event.