Regulatory Law Michael I. Shamos, Ph.D., J.D. Institute for Software Research School of Computer Science Carnegie Mellon University LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Regulation • Most law is not made by legislatures, but by adminstrative agencies (ministries) • Reason: – Governing involves many details. Legislatures spend their time on high-level policies, leaving the details to career professionals – Administration requires special expertise. Example: the Federal Aviation Administration (FAA) knows much more about flying than Congress does • Solution: Allow administrative agencies to makes laws (which are called regulations)! • But: the regulations must not violate statutes LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Regulation • Administrative agencies of the government have “rulemaking” (regulatory) power • Examples: – Securities and Exchange Commission regulates securities offerings and markets – Dept. of Agriculture inspects meat – Federal Communications Commission (FCC) regulates the radio frequency spectrum – Comptroller of the Currency regulates certain banks – Patent & Trademark Office issues patents • Where do these powers fit into the legislative scheme? • Rules properly made have the force of law (unless they are inconsistent with statute) Overlapping Powers (Example: Financial Regulation) SOURCE: FINANCIAL TIMES Some Technology Agencies • • • • • • • • • Federal Communications Commission Environmental Protection Agency Department of Transportation Department of Agriculture Federal Aviation Administration U.S. Election Assistance Commission U.S. International Trade Commission U.S. Patent and Trademark Office Federal Trade Commission LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Agency Actions • Issue rules or regulations (which mean the same thing), having the effect as statutes • Licenses, which include permits, certificates, other types of permission • Advisory opinions, authoritative interpretations of statutes and regulation but not binding on courts • Orders, final disposition of any agency action, other than rulemaking • Decisions, which resolve disputes over interpretation of statutes or regulations LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Federal Rulemaking • In general, government agencies may prescribe rules and regulations “not inconsistent with law” in furtherance of their mission • Example: setting time limits, fees, fines, procedures • The process is complex – Agency must publish the proposed rule in the Federal Register – The public has 60 days to send comments – The agency MUST consider the comments – Agency submits a “final rule” to Congress and published is in the Federal Register – The rule becomes a “regulation having the effect of law” without further approval LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Notice of Proposed Rulemaking Code of Federal Regulations • Final rules are published in the Code of Federal Regulations (CFR). View Electronic CFR • Courts treat the CFR as law LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Software Lending Notice Regulation 37 C.F.R. §201.24 LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Limits of Rulemaking • Each agency is created by Congress and is given certain powers • Later statutes may expand or reduce those powers • Agencies may not exceed their powers • If they do, a Court can vacate (remove) an illegal rule LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Example: Privacy and the FTC • The Federal Trade Commission was created by the Federal Trade Commission Act in 1914 • It gives the FTC power to stop unfair or deceptive trade practices at 15 U.S.C. §45: FTC Rulemaking • The FTC is given rulemaking power at 15 U.S.C. §57a: NOV. 29, 2011 Appeals From Agency Decisions • • • • Agencies are bound by their own rules Must appeal within agency before going to court Administrative Procedure Act, 5 U.S.C. §500ff: Court shall “hold unlawful and set aside” actions that are: arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law; contrary to constitutional right, power, privilege, or immunity; in excess of statutory jurisdiction or authority; without observance of procedure required by law; unsupported by substantial evidence; or unwarranted by the facts LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Major Ideas • • • • Most law is regulatory, not statutory Reason: expertise, level of detail Agencies receive power from legislatures Courts ensure that agencies do not exceed their authority LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Q&A LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Children’s Online Privacy Protection Act • SEC. 1302. DEFINITIONS. • In this title: • (1) CHILD.—The term "child" means an individual under the age of 13. • (2) OPERATOR.—The term "operator"— • (A) means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service • (3) COMMISSION.—The term "Commission" means the Federal Trade Commission. LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Children’s Online Privacy Protection Act • SEC. 1303. REGULATION OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES (a) ACTS PROHIBITED.— • (1) IN GENERAL.—It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b). LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS Children’s Online Privacy Protection Act • (b) REGULATIONS.— • (1) IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate under section 553 of title 5, United States Code, regulations that— • (A) require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child— • (i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator's disclosure practices for such information; and • (ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children; LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS