Information Privacy & Data Protection (Spring 2021)

Overview

This course is an introduction to information privacy and data protection law and policy. Governments and every sector of the economy collect, use, store, and share personal data. The headlines mirror the ubiquity of data use; nearly every day there is a new story about government surveillance, location tracking, identity theft, corporate data breaches, predictive analytics, or artificial intelligence. As these concerns have grown, so has the body of law surrounding them, from the paradigm-shifting U.S. v. Carpenter case in 2018, to the EU’s General Data Protection Regulation that went into effect in 2018, and the California Privacy Rights Act, passed by ballot initiative just this past November, which itself rewrote the California Consumer Privacy Act—of 2018.

The course combines a practical approach to the daily problems that a privacy lawyer will face with the theory necessary to understand how the law is developing. We will cover the constitutional, statutory, and common law rules of privacy, as well as federal and state enforcement activity. We will learn about the policy questions arising from data-driven technologies, the theory behind them, and the questions to ask when assessing information practices. We will also examine privacy and data protection law through a critical lens, asking how the concepts interact with questions of discrimination, poverty, due process, and justice.

Course Objectives

At the end of this course you will be able to:

  • Articulate and differentiate the different concepts and values contained in the idea of privacy
  • Understand the basic structure of information privacy and data protection regulation in the United States and European Union, as well as how they interact
  • Recognize the types of problems a privacy lawyer faces in practice and how one might approach them
  • Critically evaluate the effects of data use and regulation on power relationships in society, including effects on consumers, relationships between individuals and governments, and effects on marginalized populations
  • Anticipate how the legal landscape on data protection is likely to change in the near future

Class Meetings, Review Session, Final Exam

We will meet Monday, Tuesday, and Thursday, from 10:45–12:00 PM, on Zoom (link on MyLaw page).

The review session for this course is scheduled for Thursday, May 6, 9–10:15AM. The final exam will be on Thursday, May 13. You will have a 24 hour period to complete what I expect will be a 4-hour exam. (This is what I think is most likely right now, but the specific details are subject to change with plenty of notice).

Materials

The casebook for this course will be McGeveran, Privacy and Data Protection Law. The 2019 Supplement is available in the OneDrive folder, linked to the right. Other readings, handouts, and lecture slides will also be made available there.

Attendance

Regular attendance is required for all classes at UCLA Law. Pursuant to our academic standards, students who do not regularly attend class may, at my discretion, be prohibited from sitting for the final exam, resulting in a grade of “F” or being dropped from the class. Students for whom this may be an issue will receive a written warning before this final action, and may need to attend all remaining classes after the written warning is given. If you must miss a class because of a medical need, or serious familial, religious, or professional obligation, please email me at least 2 hours before class to request an excused absence. Class will be recorded and the recordings will be available for review, but attendance will be taken and watching the recording is not a substitute for attending class sessions.

Grading

Your grade will be based on your performance on the final exam (80%) and your class participation (20%).

Your grade will be based on your performance on the final exam and to a limited degree, your class participation. (I have decided to change this because it is too hard to account for class participation in a fair enough way, given the inequities inherent in each of us logging in from different home environments.)

Class Participation

I expect you to come prepared to participate in class discussion. Good preparedness requires both reading and thinking about the material before showing up in class. Because this is an upper-level course, we will not necessarily discuss every bit of the reading assignments at length. I do want you to read the material for a full understanding of the topic. I encourage questions about anything you find puzzling.

Please note that you will be assessed on the quality, not the quantity, of your participation (though there is certainly correlation). Quality does not mean giving the “correct” answer; thoughtful discussions are more important than facile answers. We will be exploring many new topics for which the answers may change year to year or even week to week, so the answer today might not be the answer tomorrow; it is much more important to learn how to reason through the issues. The key is to be prepared and engaged. Any poor assessment regarding your participation will be the result of protracted absence from class, unexcused lack of participation, disrespectful comments, or sustained evidence of lack of preparation and engagement.

You are expected to support each other as colleagues in a joint learning community. Each class member is entitled to your respect, your professionalism, and a presumption that their views are being offered in good faith—even if they are views with which you sharply disagree. My hope is that much of the conversation will proceed like a free-flowing seminar, and I expect and encourage respectful disagreement in class discussions. Such disagreement will allow us to more thoroughly address the different topics and will result in better learning opportunities.

Because you are assessed on quality, not quantity, I also ask that you also be cognizant of your speaking time. Some students will be especially keen to volunteer, which I appreciate — but sometimes I will stop calling on frequent speakers to get a diversity of voices. I will also call on students at random sometimes, because I do not want a small number of students to do the large majority of the talking. If you find that you are speaking often, please consider making space for others in the room who speak less frequently to have their turn.

Office Hours

My office hours will be Tuesday after class, in the Zoom classroom. I’ll stick around as long as you have questions, until 1PM. If you cannot make that time or want to have a private conversation, please email me to schedule another time. My office hours are subject to change if required.

Video

Discussion, participation, and presence are essential to all law school classes. I ask that each of you please turn on your video whenever possible so we can be as fully engaged as possible while in a remote setting. If you must turn your video off for personal reasons or for bandwidth reasons, please let me know in advance where possible, and please limit it to be the exception rather than the rule. Please note that I am requesting camera usage to aid classroom discussion and presence, not as a way to introduce surveillance into the class; if you have a momentary need to turn off your camera for whatever reason, please do so at your own discretion. If the video is off for an extended period and you do not tell me ahead of time, I may come check on you, not because you’re in trouble, but because I will take that as a sign that something is wrong and I will want to see that you’re ok.

Privacy

Per University policy, UCLA Student Conduct Code 102.28 says that expectations of privacy apply, and it specifically prohibits recording without the consent of all recorded parties and prohibits taking photographs where there is a reasonable expectation of privacy. In remote teaching, advising, chatting, and other engagement in course activities remotely there is a reasonable expectation that photographing, screen capture, or other copying methods or recordings will not occur without express permission from all participants. A violation subjects a student to the disciplinary process. Do not record your courses, do not take screen shots of your classes, professors, or classmates, and do not release, post, email, text, or otherwise share or sell course materials to others.

Accommodations

UCLA Law strives to provide accommodations in a way that supports students with disabilities while maintaining their anonymity and the fundamental nature of our law program. As such, students needing academic accommodations should not contact their professors directly, but contact Carmina Ocampo, Director of Student Life or the UCLA Center for Accessible Education (CAE) When possible, students should start this process within the first two weeks of the semester, as reasonable notice is needed to coordinate accommodations. 

Resources for Health and Wellness

Students needing assistance with medical or mental health issues, substance abuse, anxiety or depression or other health-related matters should contact the Office for Student Affairs, UCLA Counseling and Psychological Services (CAPS) at 310-825-0768 (Courtney Walters is the counselor regularly assigned to the law school) or the Ashe Student Health & Wellness Center at 310-825-4073.

Structure of the Course

  • Part I: Foundations
    • Constitutional Law
    • Tort Law
    • Consumer Protection
    • Data Protection
  • Part II: The Life Cycle of Data
    • Collection
    • Processing and Use
    • Storage and Security
    • Disclosures and Transfers
  • Part III: Sector-Specific Regulation (specific topics subject to change)
    • National Security
    • Government Data Collection
    • Employment
    • Medical Information
    • Biometric Information and Facial Recognition
  • Part IV: Information, Power, and Inequality

Assignments

Reading assignments are below. Because this is my first time teaching the course, I am unsure how fast we’ll move through the material, or precisely what we will and will not cover. Accordingly, the list begins with the first two weeks, and reading assignments will be updated here as needed to match our pace. Most of the readings will be from the casebook (CB) or supplement (Supp). The supplement and other readings will be posted in the course OneDrive, along with any other handouts.

The book contains “Practice” problems in many of the sections that are meant to get you thinking about how you might advise a client on the issues presented in that chapter. I suggest that you spend some of your reading time trying to work through them. I cannot promise that we will always discuss them in class, but my intent is to do so with some frequency.

The first two weeks of casebook assignments have been scanned and posted on MyLaw and in the OneDrive to give you time to buy the book. Unfortunately, due to the pandemic, the library is closed and there is no casebook reserve, a fact that surely will impact some of you, but which I can do little about; I’m not sure there’s a way around buying the book, but hopefully you can find it used.

Note: The Berkeley Center on Law and Technology is hosting a symposium on April 15–16 honoring Professor Joel Reidenberg, a pioneer in the privacy law field, who passed away last year. The event was inspired by his most important work, titled Lex Informatica: The Formulation of Information Policy Rules through Technology, which argues that the design of technology can set rules that are as binding as law, and which has been foundational to how lawyers think in law and technology. The symposium’s panels are mostly not about privacy, per se, but they touch on many ideas adjacent to our material, and include prominent scholars and lawyers whose work we will read.

Class will be canceled on April 15, and in lieu of class, I ask that you attend at least one of the panels, but hopefully, you will find it interesting enough to go to more. Please pre-register for the conference at the link above as soon as you can. There will be Q&A available, so I encourage you to ask questions as well. We will discuss what we learned the following Monday in class.

DateAssignment Topic
1/25 (Mon)CB 1; Skinner-Thompson, Privacy at the Margins, Ch. 1 (pdf)

Before you read, try to come up with a defintion of “privacy.” Then as you read, think about all the ways the concept of privacy is used in the chapter, and see if they fit within your definition, and if not, consider how your defintion might change.
Introduction: Why Privacy Matters
1/26 (Tue)CB 88–97; Nissenbaum – Privacy in Context (excerpt) (pdf); Cohen – Configuring the Networked Self Ch.6 (pdf)

Heavy reading day, but you can mostly skim the latter two pieces. The big ideas are more important than the details for today, and they will help set the stage for the rest of the term.
Introduction: Perspectives on Privacy
1/28 (Thu)CB 3–21Constitutional Law: Fourth Amendment Foundations
2/1 (Mon)Supp. 2–24Constitutional Law: Contemporary Fourth Amendment Challenges
2/2 (Tue)CB 43–66; 715–722Constitutional Law: First Amendment; Substantive Due Process
2/4 (Thu)CB 66–86Other Constitutional Systems
2/8 (Mon)CB 97–129Tort Law: Intrusion & Disclosure
2/9 (Tue)CB 129–163

Optional: Richards & Solove, Prosser’s Privacy Law (Parts II & III, pdf). The piece explains how we ended up with these specific four privacy torts, and the ways in which they are limited.
Tort Law: Appropriation, False Light, Limitations
2/11 (Thu)no new readingCatchup Day
2/15 (Mon)NO CLASSPRESIDENTS’ DAY
2/16 (Tue)CB 165-180Consumer Protection: Privacy Policies and Self-Regulation
2/18 (Thu)CB 180–88, 194–199 (nn. 1–6, 10); Robins v. Spokeo (9th Cir. 2017) (pdf); Rosenbach v. Six Flags Entm’t Corp. (Ill. 2019) (pdf)Consumer Protection: Consumer Lawsuits and Standing
2/22 (Mon)CB 200–232Consumer Protection: Intro to FTC Privacy & Security Regulation
2/23 (Tue)CB 233–247; Supp. 24–36; Blog post comparing CCPA and CPRAConsumer Protection: Scope of FTC Authority; CCPA & CPRA
2/25 (Thu)CB 259–261; Supp. 36-51; CB 274-283; CB 300-302

Optional: Kaminski & Jones, An American’s Guide to the GDPR (pdf). The piece reviews lays out the main ideas in and behind the GDPR for U.S. lawyers, and reads like a supplement for the GDPR.
Data Protection: GDPR + Enforcement
3/1 (Mon)CB 302–324Data Protection: COPPA
3/2 (Tue)CB 325–363Collection: Cookies & Wiretap Act
3/4 (Thu)CB 364–380Collection: Stored Communications Act
3/8 (Mon)CB 381–404Processing and Use: Big Data & FCRA
3/9 (Tue)Explainer on adverse action notices; Selbst & Barocas – The Intuitive Appeal of Explainable Machines (excerpt; pdf)Catchup Day (FCRA)
3/11 (Thu)CB 404–411 (remember that the Directive is no longer in force, but the concepts are similar); GDPR arts. 12–15 & 22; Kaminski, The Right to Explanation, Explained (pdf)

Guest Lecturer: Prof. Margot Kaminski
Processing and Use: GDPR, Transparency, and Explanation
3/15 (Mon)CB 413–438Storage & Security: PCI Case Study, Civil Suits
3/16 (Tue)CB 438–55; 457–60; Van Buren v. U.S. (pending Supreme Court case) (read case preview; listen to oral argument)Storage & Security: Best Practices; Breach Notification; CFAA
3/18 (Thu)CB 475–503Disclosures and Transfers: Facebook Case Study
3/22 (Mon)NO CLASSSPRING BREAK
3/23 (Tue)NO CLASSSPRING BREAK
3/25 (Thu)NO CLASSSPRING BREAK
3/29 (Mon)GDPR arts. 44-47 ; CB 504–519 (skip n.5 on 514), Requirements of Privacy Shield over and above Safe Harbor (chart version here); Summary of Schrems II (i.e. The CJEU saying “Yeah, nice try but still not good enough”)

Optional, for your reference: Standard Contractual Clauses, EU controller to non-EU controller, approved under the Data Protection Directive. The Annex has the actual clauses. The other SCCs are here.
Disclosures and Transfers: International Data Transfers
3/30 (Tue)CB 520–547Disclosures and Transfers: Speech Protections
4/1 (Thu)CB 549–578National Security: Foundations
4/5 (Mon)no new readingcatch-up day
4/6 (Tue)CB 578–610National Security: The Communications Metadata Controversy
4/8 (Thu)CB 611–649Government Data Collection
4/12 (Mon)CB 665–689Employment and Privacy: Screening
4/13 (Tue)CB 689–714Employment and Privacy: Monitoring
4/15 (Thu)NO CLASS – Attend at least one panel of the Berkeley Conference. We will discuss Monday.Lex Informatica Symposium
4/19 (Mon)CB 731–732, 752–771; HIPAA & Wearables; In re Flo Health Inc (pdf, skim)Medical Information: HIPAA & Health Tracking Apps
4/20 (Tue)CB 774–788; Rich, How our outdated privacy laws doomed contact-tracing apps; Illinois Biometric Privacy Information Act (pdf); Medical Information: GINA, Contact Tracing; start Biometric Privacy
4/22 (Thu)Hill, The Secretive Company That Might End Privacy as We Know It; WA Facial Recognition Law (pdf) (Skim section headings; read Secs. 3(23), 8, 14, 15); Commercial Facial Recognition Privacy Act (pdf; skim headings); Deeks & Mercer, Facial Recognition Software: Costs and Benefits; Hartzog & Selinger, Facial Recognition Is the Perfect Tool for Oppression

Optional: Hill, Your Face Is Not Your Own (a much deeper dive on Clearview AI)
Biometric Privacy and Facial Recognition