March 2018

The Perils of Liability Disclaimers in ‘Internet of Things’ Contracts

By Meirav Furth-Matzkin.

The “Internet of Things” (IoT) – the internetworking of devices, buildings, vehicles, and appliances – is rapidly expanding. Sensors, actuators, software, and network connectivity are increasingly embedded in everyday products such as smart cars, wearable and portable fitness trackers, and smart home security systems. As IoT products – capable of connecting, collecting, sending, and exchanging data – proliferate, they present not only opportunities but also serious security risks for consumers.

One major concern is cyber security and data protection: As Internet-connected devices gain more popularity, consumers are increasingly exposed to evolving cyber threats. Indeed, IoT devices provide hackers with more vulnerabilities to exploit in multiple environments. The level and type of security risks posed to consumers inevitably depend on the nature of the data and device. In the context of energy, hackers could target smart meters to cause shutdowns, or home security systems could be penetrated and exploited to facilitate burglaries. In terms of health and fitness-related devices, ongoing collection and sharing of personal information may violate patients’ confidentiality and convey sensitive details to untrusted entities. Moreover, a device such as a pacemaker could be hacked, risking the very life of its users. Prominent stories of hacked baby monitors or vehicles reflect a troubling phenomenon of a rapidly-growing and insecure technological landscape. A study by Hewlett Packard in 2014 found that 70% of the most widely used IoT devices contained grave security vulnerabilities.[1]

What happens if third parties exploit these vulnerabilities and hurt consumers? Imagine, for example, the following scenario: A manufacturer of an IoT device experiences a security breach, and the data collected by all of its devices then becomes available to hackers, who are able to place orders fraudulently with innocent consumers’ accounts for various goods. Such hacking can cause significant monetary harm and distress, but the prospect of a hacked car, pacemaker or home security system seems even more alarming.

Under tort law, a manufacturer may be held liable for harm caused to the consumer due to the manufacturer’s negligence or recklessness. Yet, what if the manufacturer includes a liability disclaimer in the fine print, indemnifying her from any liability or disclaiming any warranty that the product is secure and free of viruses or other vulnerable codes? Would the company be liable under such circumstances?

Although the law to date does not explicitly prohibit the use of such contractual clauses in IoT agreements, these terms may be susceptible to ex post judicial invalidation if they are deemed unconscionable, or if the court finds that the consumer did not consent to the company’s terms of service (for example because the terms were buried in the fine print and were not sufficiently conspicuous).

But what if consumers fail to realize that the contractual terms to which they had “consented” can, in fact, be subject to judicial scrutiny and invalidation? Empirical findings reveal that consumers are reluctant to bring claims to court when facing an unfavorable clause – such as an exculpatory clause, choice of law clause, or choice of forum clause – even when such a clause is unlikely to be upheld by the court.[2] In the housing market, for example, tenants feel bound by contractual terms to which they “consented” even when these terms are unenforceable and void according to applicable landlord and tenant law.[3] If this holds true in the context of IoT liability disclaimers, it has important policy implications. Namely, it may be desirable to back regulation with strong enforcement measures. This is because putting the onus on consumers to bring claims when they are taken advantage of is unlikely to succeed if consumers’ beliefs about contract norms tell them they have not been wronged, or if they misperceive the legal status of the fine print in such cases. Accordingly, agencies such as the FTC and CFPB must be prepared to take on the lion’s share of enforcement.


[1] See:

[2] Dennis P. Stolle & Andrew J. Slain, Standard Form Contracts and Contract Schemas: A Preliminary Investigation of the Effects of Exculpatory Clauses on Consumers’ Propensity to Sue, 15 Behav. Sci. L. 83 (1997); Tess Wilkinson-Ryan, The Perverse Behavioral Economics of Disclosing Standard Terms, 103 Cornell L. Rev. (2017).

[3] Meirav Furth-Matzkin, On the Unexpected Use of Unenforceable Contract Terms: Evidence from the Residential Rental Market, 9 J. Legal Analysis 1 (2017)



Balancing National Security and Data Privacy: A Key Regulatory Challenge in Cyberspace

By Deborah Housen-Couriel.

Balancing national security needs with individual data privacy rights remains a core dilemma at the forefront of rule of law concerns in cyberspace. Recent regulatory initiatives on the part of two major jurisdictions to address the privacy of individuals’ personal data in cyberspace – the European Union and China – serve as a reminder that this is a critical issue in cyberspace governance and that the stakes are high for getting the balance right. A third key jurisdiction, the United States, may be ripe for reform of its data protection regime in the wake of multiple data breaches in 2017 of unprecedented scope that resulted in major financial and reputational losses:[2] these included the Equifax breach, in which nearly half of US citizens’ personal data was compromised.[3]

Data privacy rights represent a special form of respect for the human right to privacy.[4] An individual’s right to have his or her personal data – name, telephone number, address, health, physical location, financial information, and other such identifiers[5] – protected from use by others without his or her consent is derived from the general right of the individual to privacy. This right has been codified at the international level, inter alia by the Universal Declaration of Human Rights,[6] the International Covenant on Civil and Political Rights (ICCPR),[7] the European Convention for the Protection of Human Rights and Fundamental Freedoms, and several other regional human rights treaties.[8] With the advent of the internet and intensive use of the internet by nearly half of the world’s population, the exponential increase in transborder data flows has led many countries to the conclusion that the “…general reference to the right to privacy was no longer considered sufficient to protect individual rights.”[9] Moreover, national and regional jurisdictions interpret and apply data privacy rights in different ways. Thus, in the cyberspace context, the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations[10] notes that international human rights law applies to cyber-related activities of a state as a matter of lex lata,[11] and that individuals enjoy the same international human rights (such as privacy) with respect to cyber-related activities that they otherwise enjoy.[12] Yet the Manual emphasizes that consideration of the regional and national contexts in which these rights are realized is especially relevant in the cyber context[13] – a central challenge in the enforcement of data protection norms, for example, across jurisdictions.

Thus, data protection regimes on both the international and domestic planes are currently evolving in this new cyberspace context and aiming to balance national security, defense, public welfare and similar “public security” considerations with the protection of personal data privacy in the context of the global, trans-jurisdictional nature of the flow of personal data.[14]

Two recent examples of domestic regulation, both promulgated in 2016, have adopted models that exhibit an interesting combination of converging modalities and diverging regulatory approaches.[15] The EU’s General Data Protection Regulation (GDPR)[16] and China’s Cybersecurity Law (CCL)[17] both undertook this challenging regulatory task in the current dynamic cyberspace environment. Each regulatory initiative includes updated and explicit data protection regimes that share many similarities regarding the definition of protected personal data, requirement of data subject consent for data use, notification of data breaches, the right to rectification of erroneous data and other safeguards and modalities. On the other hand, the approaches of EU and Chinese regulators to carve out exemptions for security and law enforcement requirements reflect fundamentally different concepts of how this balancing should be implemented.

Setting aside important disparities in both the nature of governance and the understanding of the rule of law in these two regimes,[18] a key point distinguishes between their regulatory strategies: the degree of administrative and constitutional constraints on carve outs for public security considerations.[19] Both data protection regimes permit exemptions from the protection of data subject privacy rights in order to allow governmental authorities to collect personal data that otherwise enjoys a protected status. Yet while the GDPR incorporates within its “exemptions regime” a specific set of constraints setting out the permissible constitutional and administrative law limitations on the fundamental right of individual data privacy (inter alia – necessity, proportionality and fairness), the CCL lacks specific and transparent provisions setting out such limitations on those constraints that are intrinsic to the regulation itself.

This is a significant distinction at the level of rule of law safeguards. The 2011 Report of the UN Human Rights Council’s Special Rapporteur on the right to freedom of opinion and expression emphasized the criticality of such constraints with regard to individual internet privacy:

[T]he right to privacy can be subject to restrictions or limitations under certain exceptional circumstances. This may include State surveillance measures for the purposes of administration of criminal justice, prevention of crime, or combating terrorism. However, such interference is permissible only if the criteria for permissible limitations under international human rights law are met. Hence, there must be a law that clearly outlines the conditions whereby individuals’ right to privacy can be restricted under exceptional circumstances. Furthermore, measures encroaching upon this right must be taken on the basis of a specific decision by a State authority expressly empowered by law to do so…for the purpose of protecting the rights of others – for example, to secure evidence to prevent the commission of a crime – and must respect the principle of proportionality.[20] (emphases added)

In line with the Special Rapporteur’s view, an optimal regulatory balance between the protection of personal data and national security considerations will permit necessary and proportional exceptions to the protection regime. Criteria for swaying the balance away from individual privacy rights will be included in a transparent way within the statutory regime, so that judicial review of national security and other exceptions is feasible and available to data subjects who want to contest carve outs. In our view, both the GDPR and the CCL fall short of the ideal, although to different degrees.

Nonetheless, these two 2016 initiatives serve to push forward the important regulatory project of protection of data subject rights in a significant way, through the adoption of clear modalities and processes for data protection on an ongoing basis. Although a full engagement on the part of the EU, China and other jurisdictions with the dilemma of balancing data privacy with public security awaits, this common achievement strengthens guarantees for individual data privacy, and the chances for more robust and transparent balancing mechanisms in the long term.


[1] The funding for relevant research has been generously granted by the Tel Aviv University Blavatnik Interdisciplinary Cyber Research Center.

[2] Council of Econ. Advisers, The Cost of Malicious Cyber Activity to the US Economy (2018).

[3] Nuala O’Connor, Council on For. Rel., Reforming the US Approach to Data Protection and Privacy (2018), also Consumer Privacy Protection Act of 2017, H.R. 4081, 115th Cong. (2017).

[4] See Christopher Kuner, Transborder Data Flows and Data Privacy Law (2013); Lee Andrew Bygrave, Data Privacy Law: An International Perspective (2014); and Lee A. Bygrave, Data Protection Pursuant to the Right to Privacy in Human Rights Treaties, 6 Int'l J.L. & Info. Tech. 247, 284 (1998).

[5] While definitions of protected personal data vary from jurisdiction to jurisdiction, they generally include any piece of information that can conclusively identify the individual independently or by readily-available cross-referencing. See GDPR art. 4 and CCL art. 76.5, infra notes 16 and 17.

[6] G.A. Res. 217 (III) A, Universal Declaration of Human Rights, art. 12 (Dec. 10, 1948).

[7] International Covenant on Civil and Political Rights art. 17, Dec. 16, 1966, 999 U.N.T.S. 171.

[8] See, e.g., European Convention for the Protection of Human Rights and Fundamental Freedoms, Council of Europe, art. 8, Sept. 3, 1953, 213 U.N.T.S. 221; American Convention on Human Rights art. 11, Nov. 22, 1969, 1144 U.N.T.S. 144; ASEAN Human Rights Declaration, art. 21, Nov. 18, 2012; League of Arab States, Arab Charter on Human Rights, September 15, 1994, art. 17; League of Arab States, Arab Convention on Combating Information Technology Offences, art. 14.

[9] Paul de Hert and Vagelis Papakonstantinou, Three Scenarios for International Governance of Data Privacy: Towards an International Data Privacy Organization, Preferably a UN Agency? 9 ISJLP 271 (2013).

[10] Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2d ed. 2017).

[11] Id. at 182.

[12] Id. at 187-192.

[13] Id. at 180.

[14] Bygrave, Data protection pursuant to the right to privacy in human rights treaties, supra note 4.

[15] Samm Sacks, New China Data Privacy Standard Looks More Far-Reaching than GDPR, CSIS Critical Questions, January 29, 2017,

[16] Council Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, 2016 O.J. (L 119/1) [hereinafter GDPR]. 

[17] Cybersecurity Law (promulgated by the Standing Comm. Nat’l People’s Cong., Nov. 7, 2016, effective June 1, 2017) (China) [hereinafter CCL]; Cybersecurity Law, Nov. 16, 2016, (unofficial English translation).

[18] See Hao Yeli, A Three-Perspective Theory of Cyber Sovereignty, 7 Prism, no. 2, 2018,

[19] The analysis focuses on the “law on the books” rather than de facto implementation. See the treatment of the “law in the books v. law in practice” issue in the context of personal data protection in Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on the Ground, 63 STAN. L. REV. 247, 295 (2011).

[20] Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, U.N. Doc. A/HRC/17/27 (May 16, 2011) at 15.

