(Partial disclaimer — I do teach the privacy torts for part of one class, just so the students realize how narrow they are.)
I was talking the other day with Chris Hoofnagle, a co-founder of the Privacy Law Scholars Conference and someone I respect very much. He and I have both recently taught Privacy Law using the text by Dan Solove and Paul Schwartz. After the intro chapter, the text has a humongous chapter 2 about the privacy torts, such as intrusion on seclusion, false light, public revelation of private facts, and so on. Chris and other profs I have spoken with find that the chapter takes weeks to teach.
I skip that chapter entirely. In talking with Chris, I began to articulate why. It has to do with my philosophy of what the modern privacy enterprise is about.
For me, the modern project about information privacy is pervasively about IT systems. There are lots of times we allow personal information to flow. There are lots of times where it’s a bad idea. We build our collection and dissemination systems in highly computerized form, trying to gain the advantages while minimizing the risks. Alan Westin got it right when he called his 1970’s book “Databanks in a Free Society.” It’s about the data.
Privacy torts aren’t about the data. They usually are individualized revelations in a one-of-a-kind setting. Importantly, the reasonableness test in tort is a lousy match for whether an IT system is well designed. Torts have not done well at building privacy into IT systems, nor have they been of much use in other IT system issues, such as deciding whether an IT system is unreasonably insecure or suing software manufacturers under products liability law. IT systems are complex and evolve rapidly, and are a terrible match with the common sense of a jury trying to decide if the defendant did some particular thing wrong.
When privacy torts don’t work, we substitute regulatory systems, such as HIPAA or Gramm-Leach-Bliley. To make up for the failures of the intrusion tort, we create the Do Not Call list and telemarketing sales rules that precisely define how much intrusion the marketer can make into our time at home with the family.
A second reason for skipping the privacy torts is that the First Amendment has rendered unconstitutional a wide range of the practices that the privacy torts might otherwise have evolved to address. Lots of intrusive publication about an individual is considered “newsworthy” and thus protected speech. The Europeans have narrower free speech rights, so they have somewhat more room to give legal effect to intrusion and public revelation claims.
It’s about the data. Torts has almost nothing to say about what data should flow in IT systems. So I skip the privacy torts.
Other profs might have other goals. But I expect to keep skipping chapter 2.