06 June 2015

Metadata and Divides

'Judicial Review of Mass Metadata Surveillance in the Post-Snowden Era' (University of Cambridge Faculty of Law Research Paper No. 32/2015) by Nora Ni Loideain comments
Legal frameworks exist within democracies to prevent the misuse and abuse of personal data that law enforcement authorities obtain from private communication service providers. The fundamental rights to respect for private life and the protection of personal data underpin this framework within the European Union. Accordingly, the protection of the principles and safeguards required by these rights is key to ensuring that the oversight of State surveillance powers is robust and transparent. Furthermore, without the robust scrutiny of independent judicial review, the principles and safeguards guaranteed by these rights may become more illusory than real. 
Following the Edward Snowden revelations, major concerns have been raised worldwide regarding the legality, necessity and proportionality standards governing these laws. 
In 2014, the highest court in the EU struck down the legal framework that imposed a mandatory duty on communication service providers to undertake the mass retention of metadata for secret intelligence and law enforcement authorities across the EU. This article considers the impact of the Snowden revelations on this landmark judgment. Subsequently, the analysis explores the significance of this ruling for the future reform of EU law governing metadata surveillance and its contribution to the worldwide debate on blanket and covert monitoring in the post-Snowden era.
'Overcoming the Public-Private Divide in Privacy Analogies' by Victoria Schwartz in (2015) Hastings Law Journal (forthcoming) comments
When a photographer takes unauthorized aerial photographs of a company’s plant, the legal framework under which courts evaluate the case, as well as its likely outcome, depends on whether the photographer was hired by a private actor or the government. If a competitor hired the photographer, the aerial photography would likely constitute improper trade secret misappropriation. If, however, the government hired the photographer, the aerial photography would not violate the Fourth Amendment. This scenario illustrates a public-private divide in which privacy violations by the government are treated separately from privacy violations by the private sector. Despite this divide, some courts have analogized from the Fourth Amendment into the trade secret context, while the Supreme Court has rejected such an analogy in the opposite direction. 
A similar but reverse phenomenon occurs in the workplace privacy context. Traditionally, whether an employee whose privacy has been invaded by an employer is likely to prevail in court depends in part on whether the employer is in the public or private sector. The longstanding wisdom is that public sector employees receive stronger workplace privacy protections than similarly situated private sector employees as a result of Fourth Amendment protections. Nonetheless, Supreme Court precedent suggests that private sector analogies are appropriate in evaluating public workplace privacy cases. 
Neither courts nor scholars have offered any systematic criteria for evaluating when privacy analogies across the public-private divide are appropriate. Rather courts import or reject privacy analogies between the public and private sectors without any meaningful consideration of when such analogies make sense. This Article offers a coherent and consistent normative framework to analyze when privacy analogies are appropriate across the public-private divide. In deciding whether such privacy analogies make sense, courts ought to apply a multi-factored test in which they consider the presence or absence of factors within the privacy-invading actor that could justify the traditional public-private distinction. These factors include the power of coercion, ability to harm identity formulation or the protection of democracy, access to superior technology, and presence of bureaucratic features.

05 June 2015

Cognitive Capital

'The New Cognitive Property: Human Capital Law and the Reach of Intellectual Property' by Orly Lobel in (2015) 93 Texas Law Review 789 comments
Contemporary law has become grounded in the conviction that not only the outputs of innovation—artistic expressions, scientific methods, and technological advances—but also the inputs of innovation—skills, experience, know-how, professional relationships, creativity, and entrepreneurial energies—are subject to control and propertization. In other words, we now face a reality of not only the expansion of intellectual property (IP) but also “cognitive property.” The new cognitive property has emerged under the radar, commodifying intellectual intangibles that have traditionally been kept outside of the scope of intellectual property. This Article introduces the growing field of human capital law at the intersections of IP law, contract and employment law, and antitrust law and cautions against the devastating effects of the growing enclosure of cognitive capacities in contemporary markets. 
Regulatory and contractual controls on human capital—postemployment restrictions, including noncompetition contracts, nonsolicitation, nonpoaching, and antidealing agreements; collusive do-not-hire talent cartels; pre-invention assignment agreements of patents, copyright, as well as nonpatentable and noncopyrightable ideas; and nondisclosure agreements, trade secret laws, and economic-espionage prosecution against former insiders—are among the fastest growing frontiers of market battles. 
Regionally and globally, these disputes heavily shape industrial competition. Through this web of extensively employed mechanisms, knowledge that has traditionally been deemed part of the public domain becomes proprietary. Pre-innovation assignment agreements regularly go beyond the subjects that IP deems commodifiable. They also regularly reach into the future, propertizing innovation that has not yet been conceived. Nondisclosure agreements span beyond traditionally defined secrets under trade secrecy laws and are routinely enforced by courts. Violations of secrecy requirements are also increasingly criminalized, chilling exchanges that are recognized as productive and consistent with professional norms. Noncompete agreements are now required in almost every industry and position, stymieing job mobility and information flows. Beyond the individualized agreements between firms and employees, new antitrust investigations of Silicon Valley giants, including Apple, Google, Intel, eBay, and Pixar, reveal the rise of collusive antipoaching agreements between firms. Postemployment restrictions have become so widespread that they form a cognitive property thicket that curtails efficient recruitment efforts and entrepreneurship. While IP law restricts knowledge and information that cannot be taken out of the public domain, this delicate balance is subverted in the emerging field of human capital law. In patent law, the lines between nonpatentable abstract ideas and patentable inventions are heavily monitored. Most recently, in June 2014, the Supreme Court unanimously ruled that a computer-implemented electronic escrow service for facilitating financial transactions was ineligible for patent protection because the claims were drawn to an abstract idea rather than a patentable invention. Similarly, in copyright law, the boundaries between expressions and ideas are extensively policed to ensure that ideas themselves will not become property. 
And yet, this Article uncovers how the logic of IP, cautiously maintaining a balance between monopolized information and the public domain, between propertized intangibles and knowledge flow, is undermined by a second, rapidly growing layer of cognitive controls through human capital law. The expansion of controls over human capital has thus become the blind spot of IP debates.
The talent wars are heated. More than ever before, the recruitment, retention, and engagement of employees sit atop businesses’ priority lists,  and yet human capital law remains diffuse and murky. Analyzing the current state of human capital law against new empirical research, this Article challenges orthodox economic assumptions about the need for cognitive property, demonstrates the inadvertent harm from the unrestrained shifts toward such controls, and calls for the recognition of human capital as a shared public resource. The realities of twenty-first-century production and competition, which have changed work patterns and increased the premium on constant innovation, coincide with the accumulation of new empirical insights on innovation and knowledge creation. While these developments are of great significance, legal scholarship on human capital remains surprisingly thin. The traditional and underdeveloped analysis of human capital law views controls over human capital as necessary to generate investment and growth. At the same time, a growing body of empirical evidence indicates that excessive human capital controls have detrimental effects. Law’s role in safeguarding and promoting human capital as a shared resource is little understood. A closer study of human capital law regimes suggests that the most successful regional economies have relied on legal regimes that nurture a cognitive commons, protect mobility, and encourage the densification of knowledge networks. 
The Article proceeds as follows: Part I argues that the contemporary IP debates have obscured the broader ways in which knowledge and the potential to innovate are restricted. The Part presents three interrelated expansions of human capital controls. First, subject-wise, through agreements assigning all innovation “whether patentable or nonpatentable; whether copyrightable or noncopyrightable” as well as through developments in trade secret law, the propertization of intangible assets has expanded deep into the intangibility spectrum, enclosing knowledge that falls outside the scope of patent and copyright. The increased criminalization of trade secret protections, far more amorphously defined than other IP pillars, functions to further subvert the boundaries between protectable and nonprotectable knowledge. Second, time-wise, ownership has expanded to future innovation as well as attempts to go back in time and capture prior knowledge that an employee held when joining a firm. The expansion includes a rise in both pre-innovation assignment contracts, including trailer clauses, which reach into the postemployment period to assign IP ownership back to the firm, as well as new legal constructs, including the assignor estoppel doctrine, which prevents assignors from challenging the validity of a patent. The assignor estoppel doctrine dramatically limits the defenses available to former employees who seek to compete in the industry and turns these experienced employees into legal liabilities of the new firms that recruit them. Third, scope-wise, recent years have witnessed a colossal rise in the use of noncompetes along with a shift from individualized controls to metacontrols—cognitive cartels—as evidenced in the ongoing antitrust class action suit against Silicon Valley high-tech giants for their no-poaching agreements.
Analyzing new empirical research on the nexus between innovation and human capital, Part II uncovers the harms of the new cognitive property by developing a novel taxonomy of different types of knowledge as they relate to human capital flows: tacit, relational, networked, motivational, and disruptive. Each aspect of knowledge helps explain the various harmful effects of the new cognitive property. The Part analyzes these effects of contemporary human capital law through the lens of new economic research about endogenous growth, labor-market search, and innovation networks, demonstrating the extent to which markets benefit from continuous investment in shared cognitive capital. 
Part III argues that the rise in cognitive controls should be understood as the Third Enclosure Movement, turning human capital and intangibles of the mind—knowledge, experience, skill, creativity, and network—into property, with detrimental effects on the public domain. This Part explains these developments in relation to the ongoing shift from viewing IP through the lens of antitrust to the lens of property. The expanding lens of property into the intangibles of the mind has now reached the next frontier, enclosing not merely innovation but the potential for innovation. This Part further shows how regions that promote employee mobility encourage positive spillovers and densification of knowledge networks, which lead to economic growth and innovation, and conversely how regions that restrict employee mobility stifle growth. Finally, this Part demonstrates how the threat of litigation diminishes the quality of human capital and encourages companies to hire employees with no experience rather than seasoned employees. The new cognitive property benefits incumbent firms with superior resources and chills new market entry. The Article concludes with a call to reform human capital law from a nebulous set of harmful doctrines to a body of law committed to the promotion of innovation, knowledge flow, and economic growth.

03 June 2015

The MelbIT Sale

'Market Disclosure and Governance Challenges When Floating University Research on the Stock Market: The Float of Melbourne IT Limited by the University Of Melbourne' by John Selby in 23(2) Journal of Law, Information and Science seeks
to inform stakeholders within Australian universities of some of the risks and opportunities to make better use of information in their governance processes relating to research commercialisation so as to capture a greater proportion of the profits generated by floating research companies on the Australian Stock Exchange. This article applies agency theory to argue that several internal incentive structures, information asymmetries, and decision-making processes within the governance systems of the University of Melbourne led to the university receiving a significantly smaller proportion of the overall profits from the float of MelbIT than it otherwise could have achieved. It also argues that the failure to disclose adequately to the investing public the existence of sales contracts signed by MelbIT before the closing date for subscriptions to the initial public offering of the company may have amounted to a breach of the Corporations Act 1989 (Cth), which was in force at the time. It offers valuable insights for senior managers in Australian universities who may find themselves in similar circumstances in the future.

Catch of the day jellyfish

What happens when you are a retailer, a data breach involves release of addresses and other personal information, you don't reveal the breach until three years later and the national privacy agency then takes a year to investigate?

In a word, not much!

The Office of the Australian Information Commissioner - recently praising its own diligence and effectiveness (presumably on the basis that if other people won't commend you it's necessary to resort to loud self-congratulation) - has announced that it
has finalised enquiries into Australian retail company Catchoftheday.com.au Pty Ltd (COTD), following a data breach notification received in June 2014. 
The breach featured a range of personal information.

The OAIC states that
COTD informed the Australian Privacy Commissioner of a data breach it experienced in 2011, which resulted in the compromise of personal information of COTD’s Australian customer base.
As a result, the OAIC "conducted enquiries in relation to this incident". Those enquiries took a year and of course the Commissioner has not released details.

The statement regarding finalisation - buried in the OAIC site, not as a media release or on the homepage - indicates that
the Commissioner expressed concern about the size of the breach, the possible compromise of financial information, and the significant delay between COTD becoming aware of the incident and notifying affected individuals.
Presumably COTD quivered when belatedly questioned amid the media furore that included the explanation
We unreservedly apologise to our customers for this incident. We take data security seriously and have taken strong measures to protect their personal information. We have committed significant resources both internally, with a large dedicated team and externally via expert consultants to ensure we meet industry standards.
Quite so.

The OAIC states that
COTD has taken a range of steps in response to the incident including notifying banks, credit card companies, and the police; commissioning a third party expert to investigate the issue; rebuilding the e-commerce platform that was the subject of the attack; and upgrading its infrastructure to ensure compliance with the Payment Card Industry Data Security Standards (PCI-DSS). COTD completed an internal Privacy Compliance Assessment, resulting in 20 recommendations that go to improving COTD’s privacy governance arrangements and related matters.
We can sleep soundly, knowing that the tireless bureaucrats have
recommended that COTD improve its processes for notifying customers of data breach incidents in future.
In light of the steps COTD has taken to prevent a similar incident from recurring, the OAIC does not intend to take any further action in relation to the incident at this time. However, COTD has been asked to provide a report about the implementation of the above recommendations within three months.
A sceptic might conclude that it's quite ok for an organisation to experience a major breach ... several years later the OAIC will take twelve months to conduct an investigation that culminates in being savagely flailed with a limp lettuce leaf.

The OAIC states that it
may conduct further enquiries if complaints are received from people who have been adversely affected by this incident.
Given the very substantial delays experienced by individuals who do complain to the OAIC it would be unsurprising if people don't bother making those complaints.

The OAIC response - slow-moving, insubstantial, easily-missed - resembles a jellyfish. We might reasonably look for more spine, more energy, more substance.

What are the "industry standards"? Are they adequate? Are they a matter of lowest common practice?

Should we expect more than a recommendation that COTD - and by extension its peers - "improve its processes for notifying customers of data breach incidents in future"?

Just as saliently, the response is a reminder of the need for timely, clear and comprehensive reporting by public and private sector entities that experience a data breach. We shouldn't have to wait several years. We will presumably continue to wait until there is mandatory data breach reporting, with reporting to data subjects rather than merely to a regulator that is either unwilling or incapable of using its soft power to encourage best practice on the part of database operators. Overseas jurisdictions offer proof that such mandatory reporting is feasible.

Failure on the part of the OAIC is deeply regrettable but, alas, unsurprising, given the agency's history of underperformance and resistance to external scrutiny. It fosters perceptions of regulatory incapacity (potentially regulatory capture) that encourage ongoing financial stringencies on the part of the Government. It also fosters questions about the need to establish a more vigorous, independent and properly resourced agency … particularly an agency that actively engages with civil society rather than relying on private consultations with unidentified entities that are not necessarily representative of business or consumers.

In the era of big data - and potential big data breaches - we need a watchdog, not an indolent bureaucratic jellyfish.

AI and torts

'Regulating Artificial Intelligence Systems: Risks, Challenges, Competencies, and Strategies' by Matthew U. Scherer comments 
Artificial intelligence technology (or AI) has developed rapidly during the past decade, and the effects of the AI revolution are already being keenly felt in many sectors of the economy. A growing chorus of commentators, scientists, and entrepreneurs has expressed alarm regarding the increasing role that autonomous machines are playing in society, with some suggesting that government regulation may be necessary to reduce the public risks that AI will pose. Unfortunately, the unique features of AI and the manner in which AI can be developed present both practical and conceptual challenges for the legal system. These challenges must be confronted if the legal system is to positively impact the development of AI and ensure that aggrieved parties receive compensation when AI systems cause harm. This article will explore the public risks associated with AI and the competencies of government institutions in managing those risks. It concludes with a proposal for an indirect form of AI regulation based on differential tort liability.

Myriad

'The Supreme Court's Myriad Effects on Scientific Research: Definitional Fluidity and the Legal Construction of Nature' by Peter Lee in (2015) 5 U.C. Irvine Law Review examines -
the implications for biomedical research of the Supreme Court’s ruling in Association for Molecular Pathology v. Myriad Genetics that isolated DNA does not comprise patentable subject matter but that complementary DNA (cDNA) does. Although most of the commentary surrounding this case has focused on the availability of genetic diagnostic tests, this Article considers the related and important implications of this opinion for scientific research. At the outset, it argues that this issue is beset with definitional complexity, as it is often difficult to disentangle “commercial” from “research” uses of patented genes. This Article further argues that context matters significantly in assessing the impact of the Court’s ruling on research. Accordingly, this Article examines the implications of Myriad Genetics from three perspectives. First, considering the conduct of Myriad Genetics itself, it argues that the Supreme Court’s decision creates greater real and perceived freedom to operate for uses of BRCA genes that may yield important scientific insights. Second, reviewing the literature on gene patents and anticommons, this Article argues that the Court’s ruling will help enhance access to diagnostic testing more generally, thus advancing biomedical research. Third, at a doctrinal level, this Article suggests that Myriad Genetics may have significant long-term implications. The Court’s opinion reflects a strong policy interest in excluding “nature” from patentable subject matter as well as a high degree of discretion in determining the contours of nature for that purpose. Such a policy-oriented, pragmatic approach to patent eligibility may create significant flexibility to challenge patents in research contexts going forward.

Assemblage

'Copyright and the New Materialism' by Dan L. Burk in Jessica Lai & Antoinette Maget (eds.) Intellectual Property and Access To Im/Material Goods (Forthcoming) comments
Copyright has long rested upon a series of dualistic doctrinal structures, including the fundamental dichotomy between the immaterial “work” and its fixation in a physical “copy.” This distinction, which was never entirely coherent even in traditional media, has broken down in the face of digital instantiations of creativity. The disconnection between legal doctrine and new media has now resulted in decades of incomprehensible decisions regarding the fixation of works in computer circuitry or the transmission of works across telecommunications media, particularly the Internet. However, during the past several years, an increasing number of scholars in a variety of fields have begun to re-emphasize the centrality of matter in their exploration of the world. New materialism might offer copyright a path out of such unsustainable distinctions, by providing a viewpoint that traverses the artificial opposition of work and copy, recognizing the primacy of matter in the development of creative expression.

01 June 2015

Online Blocking under s 313

The House of Representatives Standing Committee on Infrastructure and Communications (Communications Committee) has released its report into the use by government agencies of section 313 of the Telecommunications Act 1997 (Cth).

The report states that "Government agencies need to have the power to disrupt illegal online services". 

The Committee examined the use of s.313 by government agencies in the disruption of illegal online services, including the widely-reported inadvertent blocking of a mere 250,000 websites by ASIC in 2013. Section 313
provides Australian government agencies (including state government agencies) with the ability to obtain assistance from the telecommunications industry when upholding Australian laws. Amongst other things, it enables government agencies to request Internet Service Providers (ISPs) to provide such help as is reasonably necessary to disrupt the operation of illegal online services by blocking access to websites. Requests for assistance are not covered by warrants or court orders but rather the broader obligation of industry to comply with the law. This gives ISPs some flexibility in their response. ...
Section 313 deals with the obligations of carriers and carriage service providers. Subsections 1 and 2 deal with preventing the use of telecommunications networks in the commission of offences. Subsections 3 and 4 concern the giving of assistance to government agencies. Subsections 5 and 6 provide protection for carriers and carriage service providers, and their employees, from liability for actions undertaken under s.313. Subsection 7 refers to the giving of help under certain circumstances. ....
With regard to the disruption of illegal online services, subsection 3 is the operative provision. It states:
(3) A carrier or carriage service provider must, in connection with:
(a) the operation by the carrier or provider of telecommunications networks or facilities; or
(b) the supply by the carrier or provider of carriage services;
give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary for the following purposes:
(c) enforcing the criminal law and laws imposing pecuniary penalties;
(ca) assisting the enforcement of the criminal laws in force in a foreign country;
(d) protecting the public revenue;
(e) safeguarding national security.
The report comments
In March 2013, the Australian Securities and Investments Commission (ASIC) used powers available under s.313 of the Telecommunications Act 1997 to disrupt websites perpetrating financial fraud against Australians. This action led to the inadvertent disruption of a number of online services and raised questions regarding the transparency and accountability of the use of s.313 by government agencies to disrupt illegal online services.
In particular, concerns were raised that website owners and users were generally unaware that:
  • an illegal online service had been disrupted; 
  • why it had been disrupted; 
  • who requested the action taken; and 
  • who could be contacted to appeal the decision.
The Committee was asked to consider:
(a) which government agencies should be permitted to make requests pursuant to section 313 to disrupt online services potentially in breach of Australian law from providing these services to Australians
(b) what level of authority should such agencies have in order to make such a request
(c) the characteristics of illegal or potentially illegal online services which should be subject to such requests, and
(d) what are the most appropriate transparency and accountability measures that should accompany such requests, taking into account the nature of the online service being dealt with, and what is the best/appropriate method for implementing such measures:
a. Legislation
b. Regulations, or
c. Government policy.
The Committee received 21 submissions from organisations, government agencies and individuals (including one from myself) but essentially channelled the Australian Federal Police.

Its report recommends the adoption of guidelines for use by government agencies, which will include:
  • the development of agency-specific internal policies consistent with the guidelines; 
  • clearly defined authorisations for website disruption at a senior level; 
  • defining activities subject to disruption; 
  • industry and stakeholder consultation; 
  • use of stop pages to identify the requesting agency, reason for disruption, agency contact, and avenue for review; 
  • public announcements, where appropriate; 
  • review and appeal processes; and 
  • reporting arrangements. 
The Committee also recommends that all agencies using s.313 have "the necessary level of technical expertise to carry out such activity, or procedures for drawing on the expertise of other agencies".

31 May 2015

Warrants

One of the rationales advanced by Australian law enforcement bodies in calling for warrantless access to telecommunication and other personal information has been that judges and magistrates are too restrictive in approving warrants.

In submissions to law reform inquiries and testimony to parliamentary committees I have questioned such assertions, commenting that independent supervision is necessary and appropriate and that there is no evidence that the courts are being obstructive or dilatory. Put simply, we should be wary of confusing bureaucratic convenience with the accountability that is foundational in a liberal democratic society.

Today's SMH features an article that goes some way to substantiating my criticism. (There's been no comprehensive study of the number of surveillance warrants sought across the Australian jurisdictions, the time taken to process applications and percentage of refusals.)

The SMH states
NSW courts have refused less than 2 per cent of police applications for secret recordings, reigniting claims judges are "rubber stamping" privacy intrusion, new data shows. 
Only six out of 363 applications for surveillance device warrants were rejected in the first half of 2014. This was an increase from no refusals, out of 878 applications, in the prior 12 months. 
"The very low rate of refusals suggests either that applications for surveillance device warrants by NSW police are consistently of an almost perfect standard, or that the process of approval lacks rigour," said shadow NSW attorney-general Paul Lynch. "In light of evidence recently in the Legislative Council, this is of great concern. There needs to be a proper review of this process." 
An upper house inquiry into Ombudsman Bruce Barbour's handling of the police bugging police scandal found at least one application for a listening device warrant didn't fulfill the grounds to justify recording the private conversations of 46 people. 
The Inspector of the Police Integrity Commission, David Levine, told the inquiry that as a judge he never refused a warrant, and instead "looked to see if there is someone named in this warrant who is named as 'M.Mouse' or 'D.Duck'".
The inquiry urged the Baird government to review the system for granting warrants, and consider establishing an independent office to test the veracity of surveillance device applications by police. 
Queensland has a Public Interest Monitor who can appear in court to test the validity of police applications. 
The Ombudsman's latest report on the use of the Surveillance Devices Act found police were systemically failing to destroy recordings that weren't needed for criminal investigations, in breach of the Act. Instead, they were being archived. 

Autonomy

'Constructing Autonomy' by Bailey H. Kuklin in (2015) 9 NYU Journal of Law & Liberty 375 argues
Legal and moral norms have strengthened their protection of individual autonomy over the centuries. The emphasis and impressions by most scholars regarding this progress have, nonetheless, often been misleading. It is not that we have developed better standards by which to protect a pre-existing notion of autonomy. This puts the endeavor backwards. It is, to the contrary, that our evolving rules and standards of rights and duties create and delineate what we mean by autonomy. Autonomy, in a nutshell, is that which is protected by adopted norms. This article unpacks the principles supporting this conclusion and offers guidance for further progress.
Kuklin comments
This article examines the meaning and reach of autonomy. More particularly, it analyzes the means by which personal autonomy boundaries are established and, relatedly, the notion of crossing an autonomy boundary, which gives rise to an autonomy invasion. Plausible autonomy boundaries between persons are looked at mainly from an individualistic, deontic viewpoint. I take the perspective of persons making personal claims against one another, typically in light of existing legal, moral, and social norms. The autonomy claims of entities other than individuals, such as collectives (e.g., the state, corporations), are set aside because they are not natural persons with independent moral status. 
The currently preponderant strain of legal analysis generally embraces an internal point of view. The dominant internal orientation of modern tort scholarship is especially noteworthy. Tort scholars who base their theories on corrective justice, such as Ernest Weinrib, Jules Coleman, and Arthur Ripstein, identify and mainly support the corrective justice principles that they see as immanent in existing tort doctrine, and typically reject inconsistent tort doctrine or principles as incoherent. Tort scholars with an economic orientation who look to the Hand formula as signaling the central organizing principle of tort law negligence, such as Richard Posner, suggest that the formula implies that the goal of efficiency is recognized as immanent in existing tort law, and commonly dismiss inconsistent authority as counterproductive. Criminal law and contracts scholars, other than those with a strong law and economics commitment, do not seem to emphasize a single, identified immanent principle of their legal subjects as much as do most torts scholars. They often acknowledge the existence or acceptability of polycentric values. 
In contrast to this current strain of legal thought, my approach looks outside existing law to the overarching principles of individual rights however they may align with today’s law. These principles stem from Immanuel Kant’s categorical imperative. This inspiration from Kant reflects the predominant thinking of modern legal, moral, and political commentators. Writers as diverse as John Rawls and Robert Nozick ground their fundamental conceptions on Kant’s works. In seeking a rounded understanding of personal autonomy, reliance on the lessons of existing law is of limited usefulness. There is little reason to believe that the body of private common law would reflect a coherence that is ascribed to it by some commentators. It is still largely influenced by the old writ system. This system emerged as a means to obtain the jurisdiction of the courts of the English sovereign. As some commentators have made so clear, it was not designed for, nor did it ever achieve, a comprehensive, logical ordering of the private law. The common law is complete in the sense that every issue brought before the courts can be resolved one way or another. But in light of its quirky and historically contingent origins, it would be amazing if the substantive principles and doctrines of the common law entirely harmonised. At best, the common law would take a very long time to evolve towards and achieve harmony because of the braking constraints of the doctrine of stare decisis and the ebb and flow of the moral and political inclinations of the law’s agents. Even with an overall trend towards coherence in the common law, which I do not deny, path dependence would point toward a limited orbit of likely end points short of a radical reorientation of the common law process. Akin to Pareto optimality, the common law could reach a state of completeness and coherence without satisfying any ideal body of substantive principles. 
One should be very doubtful about finding a fully justifiable moral “ought” in the “is” of the common law. 
A somewhat comparable tale can be told about the origins and development of criminal law doctrine. Here, however, we should expect greater, though perhaps not complete, order. The body of criminal law has historically been subject to comprehensive adjustments through legislation. Subject to constitutional limitations, the legislative process allows for giant steps, backwards and forwards, and the opening of entirely new avenues, such as those needed to cope with abuses relating to the emerging forms of power being generated by the computer revolution. None of these cautions regarding the origin and growth of the law goes to reject the claim that conceptions of corrective justice and retribution are, at least partially, immanent in the private and criminal law. Bypassing the powerful arguments by legal economists and other commentators that additional principles are, and should be, immanent in the law, the problem remains that corrective justice and retribution are formal concepts only. They instruct us on limitations to what we may properly do, but they do not tell us exactly what we should do. 
The central orientation of my search for the meaning of autonomy is Kantian, with needed and enlightening help from Aristotle. In considering the range of an individual’s plausible deontic claims, I will identify points at which normative choices may or must be made when adopting substantive principles and, when they are violated, requital principles for the autonomy invasions. Atop a strictly formal, Kantian foundation, just law allows for a considerably broader range of acceptable doctrine and precepts than is generally acknowledged. Under this orientation, political obligation (the duty to obey the law) must be grounded on individualistic principles alone, such as consent. For instance, to the claim for requital since “you broke the law,” the claimee may properly respond, “but I am not obligated to obey that particular law. I did not consent to it.” Although Kant insisted that one has a moral duty to obey universalized laws, his position involves a nonconsensual social contract imposed by the state. For purposes of the strongly individualistic analysis here, a nonconsensual grounding for a social contract is deemed inadequate. 
Here is a roadmap of what follows. In the private sphere primarily addressed, autonomy boundaries, within which is one’s autonomy space, are established by each person’s adopted deontic maxims (e.g., “do not batter another person”). Under the common, formal interpretation of the categorical imperative, an individual’s chosen, substantive, first-order maxims may vary from person to person. Each individual’s set of maxims must be complete, in that it addresses all possible conflicts with the interests of other persons, for otherwise the autonomy boundaries are not fully drawn and thereby leave gaps. Each set of maxims must also be coherent, that is, all the maxims in the set must be consistent with one another. In adopting maxims to establish autonomy boundaries, two sorts of freedoms are balanced and delineated: first, the liberty to choose and act; and second, the security, essentially, from being acted upon by others. Once a person’s autonomy space is plotted, she may adjust its boundaries by consent, within limits (e.g., no slavery contracts), by granting another party rights and, correlatively, assuming duties. When an autonomy boundary has been impermissibly crossed, that is, there has been an autonomy invasion producing a wrongful harm (e.g., a battery), requital is available to the invadee. This response requires the invocation of adopted, requital, second-order maxims. In the private law the requital standards are conceptions of corrective justice, while in the public (criminal) law, they are conceptions of retribution or distributive justice. For the violation of a first-order maxim against battery, for instance, an invadee may seek damages under a second-order requital maxim based on corrective justice. Because independent claims of the state are here discounted, conceptions of corrective justice and retribution focus entirely on individual rights and duties. 
The conceptions of corrective justice that are adopted, like the substantive maxims that initially mark autonomy boundaries, are matters of individual choice that, again, must simply meet the categorical imperative and establish a complete and coherent set of requitals to cover all the possible invasions of autonomy space determined directly by substantive maxims. For example, there could be one or more remedial conceptions of corrective justice to deal with harmful ultrahazardous activities, and other ones to deal with negligence, as where distinct degrees of wrongful risk are accounted for. Furthermore, the conceptions may vary according to the differences in the ensuing harms, such as physical versus psychic harms. The combination of first- and second-order maxims establishes a person’s overall autonomy space. Because these maxims are matters of personal choice, the maxims adopted by different individuals may conflict. A claimant may charge another person with invading her autonomy space by violating one of her first-order maxims. The claimee may properly respond that he has not adopted this particular maxim and that his conduct fully meets the full set of maxims consistent with the categorical imperative that he has personally adopted. Consequently, as a practical matter, the state cannot be entirely excluded from choosing maxims and imposing them on individuals. The state must act as an arbiter of inconsistent sets of maxims as a second-best solution to an otherwise intractable problem. Similarly, for retribution the state must be the arbiter of conflicting claims and the implementer of apt punishment. But this second-best solution is resorted to only when unavoidable, for it runs contrary to strict individualistic principles. 
In unpacking common conceptions of corrective justice and retribution, there are three key notions that are often, if not always, elements: harm, wrongfulness, and blameworthiness. For example, “when one wrongfully harms another person by blameworthy conduct, she is to compensate that person to the extent of the wrongful harm.” As in this conception of corrective justice, one or more of the key notions may relate to whether requital is called for and, if met, affect the measure of that requital. Furthermore, specification of the notions may vary from context to context, as where, say, a greater degree or type of blameworthiness is required to recover for purely psychic harms than for purely physical harms. Harms are, in short, of four kinds: physical, economic, psychic, and dignitary. This last kind of harm, dignitary, has not received extensive attention in existing law, though dignity is central to Kant’s development of practical reason. It does receive much attention here. Wrongfulness, or wrongful harm, occurs when a substantive, first-order maxim is violated, as, say, when an agent purposely puts another person at an unreasonable risk of harm. Blameworthiness refers to two notions. First, it refers to the extent to which an actor is responsible for the conduct in question. This responsibility turns on her relative freedom from ignorance and coercion when choosing the act or omission. The more she knows about the potential consequences of her considered conduct, the freer she is to make an un-encumbered choice, the more she is responsible and blameworthy for the wrongful harms that ensue. Second, blameworthiness refers to the actor’s mental state and conduct regarding the invadee. This blameworthiness is gauged by the degree of her disrespectfulness of the invadee’s dignity. Fellow moral agents are entitled to equal respect. Depending on the particular adopted maxims, both forms of blameworthiness may affect the delineation of autonomy space. 
Once an agent has worked out a deontically acceptable range of meanings for the three key moral notions, she is ready to consider and adopt a full set of first- and second-order maxims. This article aims to help her get to that point of being ready to work out her own autonomy boundaries. I leave it to future articles to help her further along. The bottom line, it will be seen, is that the deontic constraints on delineating autonomy boundaries are much looser than is commonly supposed. A very wide range of potential rights and duties are consistent with the claims of individualism.
'The Impact of EU Fundamental Rights on Private Relationships: Direct or Indirect Effect?' by Matteo Fornasier in (2015) 23(1) European Review of Private Law 29-46 argues
 Traditionally, the primary goal of fundamental rights has been to limit the power of the state over individuals. However, it is undisputed in most legal orders today that fundamental rights also have an impact on the relationship between private parties. The present paper looks at how the fundamental rights guaranteed at the level of EU law may affect private law relationships. In particular, the paper analyzes whether EU fundamental rights have direct or indirect effect in private relations, that is to say, whether they are, as such, binding on private parties or whether they impose obligations on individuals only through the medium of an implementing act. It will be shown that, contrary to what has been written by a number of authors, this question actually matters in practice, especially in the context of the social rights guaranteed by the Charter of Fundamental Rights of the European Union. Special attention is devoted to the more recent case law of the CJEU, which in the view of some commentators supports the notion of direct horizontal effect.

Anonymity, Authentication and Suppression Orders

'An Unprincipled Mess: Party Anonymity in Legal Proceedings in the United Kingdom' by Merris Amos in A. Koltay (ed.) The Fundamentals of Media Law (CompLex, 2016) argues
Over the last ten years in the United Kingdom (UK) there has been a significant increase in the willingness of courts and tribunals to grant anonymity to the parties to legal proceedings. In 15 percent of the judgments made by the Supreme Court in 2014, at least one of the parties had been granted anonymity. In 2010, the figure was even higher at 24 percent of all judgments for that year. By contrast in 2006, seven percent of the judgments of the highest court were anonymised and in 2002, it was only two percent. The rise in party anonymity has not gone unnoticed and the Supreme Court itself has observed that its docket can “read like alphabet soup”. Many media organisations are dissatisfied and maintain that there should be less anonymity in the courts whilst some campaigners and commentators argue that there should be more, particularly for those accused of a crime but not yet charged. The purpose of this chapter is not to take sides in this debate but to attempt to make sense of the present position and identify the main principles consistently applied by the courts when anonymity is requested by a party. Each principle is assessed to determine if its interpretation and application is sufficiently supported by the relevant jurisprudence. In the light of this assessment, a revised set of principles is suggested and the chapter concludes with a reconsideration, in the light of these revised principles, of a recent anonymity judgment as well as a discussion of how the revised principles might apply to a person accused of a sexual offence, but not yet charged. 
'Data Security and Multi-Factor Authentication: Analysis of Requirements Under EU Law and in Selected EU Member States' (Queen Mary School of Law Legal Studies Research Paper No. 194/2015) by Elizabeth Kennedy and Christopher Millard considers
certain legal requirements relating to data security in the EU, and specifically the use of multi-factor authentication as a method of meeting the security obligations established by European Directive 95/46 EC on the processing of personal data (the “Directive”). Following this Executive Summary, the Report comprises two sections: a discussion of the requirements of data security under European data protection legislation, and a study of selected national positions.

Clouds

'Cloud Investigations by European Data Protection Authorities: An Empirical Account' by Vranaki Asma in John Rothchild (ed) Research Handbook on Electronic Commerce Law (Edward Elgar, 2016) is described as drawing on
 qualitative interviews, documentary analysis and observation data to analyse how European data protection authorities (‘EU DPAs’) exercise one of their statutory enforcement powers, namely, investigations more frequently to determine the compliance of cloud providers with the relevant data protection laws. The empirical analysis presented in this chapter supports two arguments. Firstly, the investigations of cloud providers by EU DPAs ('Cloud Investigations') are complex regulatory processes that often involve different co-operative relationships between various actors, such as DPAs. In reality, manifold interactions and practices, such as facilitative instruments, are deployed to form and perform such collaborations which are vital in ensuring the consistent application and enforcement of common data protection principles in an increasingly globalised context. Secondly, Cloud Investigations are also dynamic as they can involve continually evolving regulatory enforcement styles and compliance attitudes. Cloud Providers can often resist the attempts of the EU DPAs to direct the investigative process in specific ways. How such resistance is resolved is very much context-dependent.