Against Geofences
74 STAN. L. REV. 385 (2022)
442
the geofence context fits into this broader trend.
348
But while Google may have
post-Snowden economic incentives to consider privacy concerns, it remains a
body with little direct accountability. Absent legislation, Google is beholden
only to its shareholders and its corporate purpose.
Privacy “on the ground” thus remains the product of corporate norms and
private review processes.
349
While the European Union has mandated a robust
privacy regime under the General Data Protection Regulation (GDPR),
350
the
United States remains a regulatory patchwork lacking meaningful, binding
national privacy requirements.
351
Without clear standards from legislation,
corporations fashion their own protocols and thresholds for responding to
subpoenas, warrants, and other law-enforcement requests.
352
Democratic
oversight is dangerously absent, a shortcoming that even some technology
companies are eager to see remedied. As Apple CEO Tim Cook told the
348. See Brewster, supra note 67; Rozenshtein, supra note 345, at 109 (“Intermediaries couple
a proceduralism that rejects voluntary cooperation with government requests to an
aggressive litigiousness against government demands for data and restrictions on
publicizing those requests.” (emphasis omitted)).
349. See Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on the
Ground, 63 S
TAN. L. REV. 247, 261-63 (2011) (describing the rise of corporate privacy
audits, privacy certification programs, and chief privacy officers).
350. Council Regulation 2016/679, 2016 O.J. (L 119) 1; see The EU General Data Protection
Regulation: Questions and Answers, H
UM. RTS. WATCH (June 6, 2018, 5:00 AM EDT),
https://perma.cc/M6A3-RYHV (surveying the GDPR’s various requirements,
including consumer consent, special protections for sensitive information, disclosure,
privacy by design, and the right to be forgotten).
351. See Michael Beckerman, Opinion, Americans Will Pay a Price for State Privacy Laws, N.Y.
TIMES (Oct. 14, 2019), https://perma.cc/RDA7-T8S9 (arguing that federal inaction on
data privacy legislation has resulted in “inconsistent treatment of data depending on a
variety of factors, including the residency of the consumer and the type of businesses
with whom they interact”). The standards that do exist are long outdated, with
Congress continually refusing to update the Electronic Communications Privacy Act
of 1986 (ECPA), which rests on an understanding of technology that is now obsolete.
See ECPA (Part 1): Lawful Access to Stored Content: Hearing Before the Subcomm. on Crime,
Terrorism, Homeland Sec., & Investigations of the H. Comm. on the Judiciary, 113th Cong. 1
(2013) (statement of Rep. F. James Sensenbrenner, Jr., Chairman, Subcomm. on Crime,
Terrorism, Homeland Sec., & Investigations of the H. Comm. on the Judiciary) (“The
Electronic Communications Privacy Act of 1986 . . . is complicated, outdated, and
largely unconstitutional.”); id. at 48 (statement of Richard Salgado, Director, Law
Enforcement and Information Security, Google Inc.) (“The distinctions that ECPA
made in 1986 were foresighted in light of technology at the time. But in 2013, ECPA
frustrates users’ reasonable expectations of privacy.”); see also Kerr, supra note 320, at
1208 (noting that the Stored Communications Act, which forms part of ECPA, “is a bit
outdated and has several gaps in need of legislative attention”).
352. The absence of legislation also allows corporations to self-regulate in other realms
traditionally protected by the Constitution, including speech. See Klonick, supra
note 339, at 1615, 1666-69 (describing how moderation by private online platforms
shapes U.S. speech norms).