engineers and lawyers in privacy protection peter swire professor, moritz college of law visiting...
TRANSCRIPT
![Page 1: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/1.jpg)
“Engineers and Lawyersin Privacy Protection”
Peter SwireProfessor, Moritz College of Law
Visiting Professor, Georgia Institute of Technology
IAPP SummitPanel: “Re-engineering Privacy Law”
March 8, 2013
![Page 2: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/2.jpg)
Overview
• How lawyers make simple things complicated
• How engineers make simple things complicated
• Why it is reasonable to use the term “reasonable” in privacy rules
• How to achieve happiness when both lawyers and engineers are in the room
![Page 3: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/3.jpg)
How Lawyers Make Simple Things Complicated
![Page 4: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/4.jpg)
First Year Torts
• Law: did defendant show “reasonable care”?• Is defendant liable?
• What counts as an answer?• Statute• Custom• Jury’s view of a “reasonable person” in the
community
![Page 5: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/5.jpg)
Palsgraf Case
• Exam answer for the famous Palsgraf case• Man climbs on a train pulling out of the
station• Railroad conductor assists man • Man drops package tucked under arm• Oops, firecrackers• Knocks over scales at other end of
platform• Scales hit woman, causing injury
• Is the railroad liable?
![Page 6: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/6.jpg)
Good Law Student Answer
• Exam answer for the famous Palsgraf case• Man climbs on a train pulling out of the
station (man negligent, moving train)• Railroad conductor assists man
(employee violates law)• Man drops package tucked under arm• Oops, firecrackers (foreseeable?)• Knocks over scales at other end of
platform (proximate cause)• Scales hit woman, causing injury
• Is the railroad liable? (Close call)
![Page 7: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/7.jpg)
Slightly Exaggerated Engineer Answer
• Exam answer for the famous Palsgraf case• Man climbs on a train pulling out of the
station• Railroad conductor assists man • Man drops package tucked under arm• Oops, firecrackers• Knocks over scales at other end of
platform• Scales hit woman, causing injury
• Is the railroad liable? (No)
![Page 8: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/8.jpg)
What I Say to the Engineer (I)
• It’s the journey, not the destination• I can’t give you credit unless you write it
down• Show your reasoning• Persuade me, don’t tell me the answer
![Page 9: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/9.jpg)
What I Say to the Engineer (II)
• Your job is on the line• You are the lawyer for the railroad• Will cost railroad $$$ if liable• You have to find every scenario or fact
where we may be able to make an argument
• Spot every issue• Delay if it helps our case – more discovery• Argue for the client, not the “right” answer• Did I say your job is on the line?
![Page 10: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/10.jpg)
“Right Answer” & The Adversary System
• “Beyond a reasonable doubt” for criminal cases
• Defense lawyer just needs one gap in prosecutor’s argument
• The jury decides, so lawyer can try many arguments to make the weaker case appear the stronger
• The defendant wins if prosecutor is only probably correct
![Page 11: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/11.jpg)
How Engineers Make Simple Things Complicated
![Page 12: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/12.jpg)
With Thanks to Stuart Shapiro
• Assignment: our company has to comply with new privacy rule
• Lawyers: • We will apply the Fair Information Privacy
Principles• We know the rules: notice, choice,
access, security, accountability• Engineers:
• How do you write that in C++?
![Page 13: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/13.jpg)
From Legal Rule to Getting it Built
• Privacy principles (legal rules)• General privacy requirements• Contextual privacy requirements
• Business process• System development• Operations• System
• Detailed system requirements• System tests
![Page 14: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/14.jpg)
Data Minimization Example
• FIPP: “data minimization”• “Data minimization” is in Do Not Track for
how long keep data for a permitted use• Security• Anti-fraud• Debugging• Financial auditing
![Page 15: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/15.jpg)
Data Minimization
• Lawyer: “data minimization”• Shapiro as engineer:
• System requirements:• 50 requirements• 100 associated tests
• Input to our system is permitted only for pre-determined data elements
• When query an external database, only queries to the approved data fields
• Executable test – apply to test data and confirm under various scenarios
![Page 16: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/16.jpg)
Why it is reasonable to use the term “reasonable” in privacy
rules
![Page 17: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/17.jpg)
“Reasonable” HIPAA Measures
• Security: “reasonable and appropriate security measures”
• Documentation: “reasonable and appropriate polices and procedures”
• Minimum necessary: “reasonable efforts to limit … to the minimum necessary”
• Domestic violence: “reasonable belief” and can disclose
• Business associate: “reasonable steps to cure the breach”
• And 30 more
![Page 18: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/18.jpg)
The Lawyer & the Engineer
• Software engineer: how write in C++?• Lawyer:
• The HIPAA rule lasts decade or more• Hard to update and amend
• Technology neutrality• Many use cases & business models• FAQs and guidance over time• If are more specific, then will be wrong, a
lot• No better alternative to saying
“reasonable”
![Page 19: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/19.jpg)
How to achieve happiness when both lawyers and
engineers are in the room
![Page 20: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/20.jpg)
How to achieve happiness when both lawyers and
engineers are in the room
What do lawyers know about how to achieve happiness?
![Page 21: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/21.jpg)
Lawyers and Engineers
• Similarities of lawyers & engineers• Very analytic• Can drill down and get very detailed
• (And each is glad when the other gets to do those details)
![Page 22: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/22.jpg)
Lawyers & Engineers
• Differences in output• Engineers build things
• Systems that work and can be tested• The right answer• Testable• It works if it runs
• Lawyers build arguments• A lot of words: “brief”• Adversary system• It “works” if it meets the client’s goals
![Page 23: Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit](https://reader034.vdocuments.us/reader034/viewer/2022051515/5519a975550346e40d8b466e/html5/thumbnails/23.jpg)
Conclusion
• In practice:• Need a team• To comply, need lawyers AND engineers• Become aware of how create answers
that count for both• An optimistic note
• In privacy, legal and engineering systems come together
• Your own work improves if you become bilingual
• A challenge and reward if you can work together