Elodie Currier, Class of 2023, has won the American Bar Association’s Harvey Saferstein Consumer Protection Prize for her article, “The Myth of Anonymity: De-Identified Data as Legal Fiction.” The article is forthcoming in the New Mexico Law Review, and a version was published in the ABA Antitrust Law Section Newsletter.
Currier received a $5,000 scholarship award and an expense-paid trip to the Antitrust Law Section’s March 2023 annual meeting in Washington, D.C. The annual writing competition is open to second- and third-year law students who write on consumer protection issues. Its name honors antitrust and consumer protection lawyer Harvey Saferstein, who heads the litigation department at Eisner Jaffe in Los Angeles.
In her paper, Currier addresses the challenge of regulating the collection, processing, and sale of vast troves of electronic data Americans generate through their interactions with web browsers and sites, smart devices, and retail outlets. Until recently, consumers, policymakers, and judges have relied on what Currier reveals is a legal fiction: that certain types of data are less likely to be linked to individuals and therefore should be subject to fewer safeguards.
She builds on previous work by information privacy scholar Paul Ohm of Georgetown Law, computer scientist Latanya Sweeney of Harvard’s Kennedy School, and New York Times investigative reporter Max Fisher to refute this assumption. “Nearly all data can be traced back to its source,” she states.
When Currier examined consumer privacy laws and current jurisprudence addressing consumer privacy, she discovered that judges had little choice but to use this false premise. Beyond the explicit language of state laws, judicial economy required methods of easily sorting between data deserving of heightened protection and data whose disclosure could not cause harm. More concerningly, she found that many recently passed state laws designed to enhance data privacy protections failed to achieve their intended purposes, because they entrenched the false distinction between identifiable and non-identifiable data without addressing judicial economy concerns. “New laws won’t protect consumer privacy, as they remain grounded in the false assumption that some data is non-identifiable,” Currier said.
Technologies allowing companies to collect, store, and deploy consumer data have advanced so rapidly that state and federal decisionmakers have left judges in the difficult position of applying existing privacy laws, which are ultimately inadequate to safeguard consumers. The result: some data revealing intimate information remains vulnerable to bad actors who can use it to blackmail, harass, defame, frame, defraud, or discriminate against individual consumers.
Regulators seeking to enact more robust privacy protections face pushback, because the collection, processing, sale, and use of data is extremely profitable and entrenched. “Companies have massive financial incentives to collect and store as much data as they can on your habits, motivations, and preferences,” Currier writes. “Consumers may not be aware of the extent to which their data is shared or how to opt out.”
Currier suggests several options lawmakers can employ to offer consumers more robust privacy protection, such as replacing the “identifiable”/” non-identifiable” binary with a test closer to that used in declassification cases: sorting data based on its sensitivity and the ease with which it can be linked to an individual. She warns that consumers have grown increasingly aware their data may be directly traceable to them and that failure to enact laws that adequately safeguard sensitive information “reduces consumer confidence in the judicial system and deprives consumers and citizens of meaningful choice on data policy.”
She concludes by recommending that states explore data protection laws that balance the realities of de-identification with the judicial economy concerns that entrenched the legal fiction of “non-identifiable data” in the first place.
Currier found the initial inspiration for her paper while working as a summer associate at Willkie Farr & Gallagher in New York. She wrote it over 13 weeks for Associate Dean for Academic Affairs Lisa Bressman’s Legal Scholarship Seminar. “Part of my summer work involved reading through five new state laws on data privacy, and I noticed that definitions of de-identified data clashed with the capabilities of modern computer science—an issue which not only threatens consumers but can create barriers to compliance for data stewards,” she said. “The Legal Scholarship Seminar provided a unique opportunity to write on a topic of my choice and allowed me to dig into questions that had emerged from practice and explore the interpretation of data regulation laws by state and federal judges.”
Currier will serve as a 2023-24 law clerk for Judge Jon Phipps McCalla of the U.S. District Court for the Western District of Tennessee after graduation in May and then join Willkie Farr & Gallagher in New York as an associate in their data privacy and cybersecurity practice. She earned her undergraduate degree at Georgetown University’s Walsh School of Foreign Service. She is a native of West Hartford, Connecticut.
