Why I Don’t Teach the Privacy Torts in My Privacy Law Class

(Partial disclaimer — I do teach the privacy torts for part of one class, just so the students realize how narrow they are.)

I was talking the other day with Chris Hoofnagle, a co-founder of the Privacy Law Scholars Conference and someone I respect very much.  He and I have both recently taught Privacy Law using the text by Dan Solove and Paul Schwartz. After the intro chapter, the text has a humongous chapter 2 about the privacy torts, such as intrusion on seclusion, false light, public revelation of private facts, and so on.  Chris and other profs I have spoken with find that the chapter takes weeks to teach.

I skip that chapter entirely. In talking with Chris, I began to articulate why.  It has to do with my philosophy of what the modern privacy enterprise is about.

For me, the modern project about information privacy is pervasively about IT systems.  There are lots of times we allow personal information to flow.  There are lots of times where it’s a bad idea.  We build our collection and dissemination systems in highly computerized form, trying to gain the advantages while minimizing the risks.  Alan Westin got it right when he called his 1970’s book “Databanks in a Free Society.”  It’s about the data.

Privacy torts aren’t about the data.  They usually are individualized revelations in a one-of-a-kind setting.  Importantly, the reasonableness test in tort is a lousy match for whether an IT system is well designed.  Torts have not done well at building privacy into IT systems, nor have they been of much use in other IT system issues, such as deciding whether an IT system is unreasonably insecure or suing software manufacturers under products liability law.  IT systems are complex and evolve rapidly, and are a terrible match with the common sense of a jury trying to decide if the defendant did some particular thing wrong.

When privacy torts don’t work, we substitute regulatory systems, such as HIPAA or Gramm-Leach-Bliley.  To make up for the failures of the intrusion tort, we create the Do Not Call list and telemarketing sales rules that precisely define how much intrusion the marketer can make into our time at home with the family.

A second reason for skipping the privacy torts is that the First Amendment has rendered unconstitutional a wide range of the practices that the privacy torts might otherwise have evolved to address.  Lots of intrusive publication about an individual is considered “newsworthy” and thus protected speech.  The Europeans have narrower free speech rights, so they have somewhat more room to give legal effect to intrusion and public revelation claims.

It’s about the data.  Torts has almost nothing to say about what data should flow in IT systems.  So I skip the privacy torts.

Other profs might have other goals.  But I expect to keep skipping chapter 2.

 

You may also like...

4 Responses

  1. The privacy torts have many flaws, and they aren’t currently effective for dealing with more contemporary problems regarding data. But I still think they are important to teach because the cases contain a lot of great material about what “privacy” is. The cases present the way jurists think about privacy — often in antiquated ways — and this provides a wonderful opportunity to discuss the meaning and value of privacy. It also is a great way to introduce the First Amendment and the way it can clash with protecting privacy. So although the torts don’t have a ton of relevance for modern information gathering, processing, and use, they are useful to discuss conceptual foundations for privacy.

    Although the privacy torts aren’t particularly useful in regulating data flow, are the statutes much better? The statutes have more relevance, but many lack private rights of action and provide rights of notice and choice that aren’t particularly meaningful in practice. There are also enormous gaps in the statutory regime.

    Regarding the Gramm-Leach-Bliley Act, this law doesn’t have much bite at all, and it is a challenge to teach because it doesn’t have a particularly robust way of regulating information flow.

    HIPAA is much stronger, but in the healthcare context, the privacy torts as well as the breach of confidentiality tort are more robust and are not preempted, making the torts quite relevant.

    The great thing about the course is that it can be taught in many different ways, and I designed my book so that professors can use it however they want and can skip around. I personally love Chapter 2 and find it to be great at setting up the basic arguments and concepts for the course. But your points are well-taken — it is a shame that privacy tort law hasn’t developed more to deal with modern problems of information flow. I discuss this in depth in my piece with Neil Richards on Prosser: http://ssrn.com/abstract=1567693

  2. Peter Swire says:

    I agree entirely with Dan that “the great thing about the course is that it can be taught in many different ways.”

    A number of Dan’s comments go to the mis-match between how to govern modern data flows and where we get thoughtful court opinions. The privacy torts have really nice opinions about the values at stake, but have little relevance to modern data flows. In the U.S., constitutional law has little to say about data privacy, in contrast to the European human rights jurisprudence. And, the various statutes tend to have narrow decisions on statutory interpretation, rather than broader discussions of what is at stake.

    The lack of good case law helps us understand why there is so much emphasis on softer law, such as FTC or administration reports. That is where many of the debates about values actually occur.

    One area rich with case law — the Fourth Amendment. And, after Jones, we may get a new richness of case law there.

  3. Bruce Boyden says:

    If the sense is that the privacy torts are not often successful in actually regulating privacy, I would tend to agree, although some of them are still frequently pled, and thus worth knowing for that reason alone. But I agree with Dan — I think there is pedagogical value to the torts, and in putting the torts before the statutory material, which is that I think it forces students to grapple with the question: what is the flurry of statutory provisions *trying to achieve*? You refer to the question of controlling “what data should flow in IT systems” — control for what purpose? How do we assess whether a given regulation over-blocks or under-blocks? I don’t think it’s very easy to get there in a classroom discussion by talking about what the restrictions are under 16 CFR s 313.11(a) on affiliates receiving financial information.

  4. TJ McIntyre says:

    From my parochial perspective, it’s fascinating to compare the narrow US privacy torts with the much wider approach taken in the European common law jurisdictions, where breach of confidence (England and Wales) and the constitutional tort of breach of privacy (Ireland) have been pressed into service as all purpose remedies covering a variety of different situations. This points to one particular merit of the US approach – the different torts do tend to highlight the varying aspects of privacy which are implicated in each case. This is sometimes lost in the one size fits all torts currently used on this side of the Atlantic.