New governance, preemptive self-regulation, and the blurring of boundaries in regulatory theory and practice

Wisconsin Law Review

Volumn 2010, Issue 2, 2010, Pages 591-625

  Solomon, Jason M ^a  

^a UNIVERSITY OF GEORGIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 78650831959     PISSN: 0043650X     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Conference Paper

References (292)

1. John Braithwaite & Christine Parker, Regulation, in THE OXFORD HANDBOOK OF LEGAL STUDIES 119,119-20 (Peter Cane & Mark Tushnet eds., 2003).
2. IAN AYRES & JOHN BRAITHWAITE, RESPONSIVE REGULATION: TRANSCENDING THE DEREGULATION DEBATE 38-39 (1992).
3. See John Braithwaite, The New Regulatory State and the Transformation of Criminology, 40 BRIT. J. CRIMINOLOGY 222, 223-24 (2000) (arguing that the new regulatory state "holds up state steering and civil society rowing as the ideal").
4. Braithwaite borrows the steering-and-rowing metaphor from Osborne and Gaebler. See DAVID OSBORNE & TED GAEBLER, REINVENTING GOVERNMENT: HOW THE ENTREPRENEURIAL SPIRIT IS TRANSFORMING THE PUBLIC SECTOR 32-35 (1992).
5. See Orly Lobel, The Renew Deal: The Fall of Regulation and The Rise of Governance in Contemporary Legal Thought, 89 MINN. L. REV. 342, 354 (2004) ("Newness itself becomes the essential substance of the emerging paradigm.").
6. See Jason M. Solomon, Law and Governance in the 21st Century Regulatory State, 86 TEX. L. REV. 819, 826 (2008) (reviewing LAW AND NEW GOVERNANCE IN THE EU AND THE US (Gráinne de Btírca & Joanne Scott eds., 2006),
7. and LISA HEINZERLING & MARK V. TUSHNET, THE REGULATORY AND ADMINISTRATIVE STATE: MATERIALS, CASES, COMMENTS (2006)).
8. See, e.g., Lobel, supra note 4, at 442 ("[T]he obsessive maintenance of traditional boundaries-including those of public and private, profit and nonprofit, formal and informal, theory and practice, secular and religious, left and right-is no longer a major concern with the shift to the Renew Deal paradigm.").
9. Michael Dorf and Charles Sabei, though using the term "democratic experimentalism," describe it as deploying the private-sector techniques of "benchmarking, simultaneous engineering, and error detection" in service of the pragmatic, problem-solving approach to democracy they call "directly deliberative polyarchy" where a political community makes choices through "tiered governance councils-councils that organize service provision with the collaboration of local citizens, and pool their experience to inform their separate decisions." Michael C. Dorf & Charles F. Sabel, A Constitution of Democratic Experimentalism, 98 COLUM. L. REV. 267, 314, 320 (1998).
10. William Simon describes the "core operating premises of Legal Pragmatism," the underlying philosophy behind new governance, as "stakeholder negotiation, transparency, and rolling rule regimes." William H. Simon, Solving Problems vs. Claiming Rights: The Pragmatist Challenge to Legal Liberalism, 46 WM. & MARY L. REV. 127, 181 (2004).
11. Scott and Trubek describe the key attributes of new governance as "participation and power-sharing," "multi-level integration," "diversity and decentralisation," "deliberation," "flexibility and revisability," and "experimentation and knowledge creation." See Joanne Scott & David M. Trubek, Mind the Gap: Law and New Approaches to Governance in the European Union, 8 EUR. L.J. 1, 5-6 (2002). Also, Orly Lobel's list of the "organizing principles" of the new governance model include "participation and partnership," "collaboration," "diversity and competition," "decentralization and subsidiarity," "integration of policy domains," "flexibility and noncoerciveness (or softness-in-law)," "fallibility, adaptability, and dynamic learning," and "law as competence and orchestration."
12. Lobel, supra note 4, at 371-404.
13. See Colin Scott, Standard-Setting in Regulatory Regimes, in THE OXFORD HANDBOOK OF REGULATION (R. Baldwin et al. eds.) (forthcoming July 2010), available at http://ssrn.com/abstract= 1393647.
14. See generally David Zaring, Best Practices, 81 N.Y.U. L. REV. 294 (2006) (explaining this development).
15. Another major blurring of roles, of course, has been the performance of traditionally governmental services by private entities. For an overview of such developments, see GOVERNMENT BY CONTRACT: OUTSOURCING AND AMERICAN DEMOCRACY (Jody Freeman & Martha Minow eds., 2009).
16. For a look at how the financial crisis led to a new model of privatizing government functions altogether, see Stephen M. Davidoff & David Zaring, Regulation by Deal: The Government's Response to the Financial Crias, 61 ADMIN. L. REV. 464, 535-36 (2009).
17. Jody Freeman, The Private Role in Public Governance, 75 N.Y.U. L. REV. 543 (2000).
18. See Michael P. Vandenbergh, The Private Life of Public Law, 105 COLUM. L. REV. 2029 (2005) (arguing that the role of private actors in the traditional government functions of standard-setting, implementation, and enforcement are even greater than previously identified).
19. It may also blur the boundary between law and policy, but that boundary may never have been so clear.
20. See AYRES & BRAITHWAITE, supra note 2, at 39.
21. See Kenneth Armstrong & Claire Kilpatrick, Law, Governance, or New Governance? The Changing Open Method of Coordination, 13 COLUM. J. EUR. L. 649, 652-53 (explaining that new governance can be seen as a regulatory "tool" or "instrument").
22. See Dorf & Sabei, supra note 7, at 322-23. This is more of a temporal limitation than a blurred boundary. The idea is that both the means and the ends of regulation ought be treated as provisional in light of inevitable uncertainty and limited knowledge. For discussion in the context of Gunther Teubner's "reflexive law,"
23. see Eric W. Orts, Reflexive Environmental Law, 89 Nw. U. L. REV. 1227, 1265 (1994) ("[R]eflexive law recognizes the cognitive and normative limitations of a legal system operating in a complex modern society.").
24. See Dorf & Sabei, supra note 7, at 292-314 (explaining how innovation in the private sector has increased the problem-solving abilities of firms).
25. See, e.g., Bradley C. Karkkainen, Information-Forcing Regulation and Environmental Governance, in LAW AND NEW GOVERNANCE IN THE EU AND THE US 293 (Gráinne de Búrea & Joanne Scott eds., 2006);
26. Joanne Scott & Jane Holder, Law and New Environmental Governance in the European Union, in LAW AND NEW GOVERNANCE IN THE EU AND THE US 211 (Gráinne de Btírca & Joanne Scott eds., 2006).
27. Dorf & Sabei, supra note 7, at 284.
28. See Solomon, supra note 5, at 835.
29. Edward Rubin, The Regulatizing Process and the Boundaries of New Public Governance, 2010 WIs. L. REV. 535, 545 (citation omitted).
30. See generally Guy Halfteck, Legislative Threats, 61 STAN. L. REV. 629 (2008).
31. There is an unexplored assumption here that a policy-maker or "policy entrepreneur" could have successfully pushed a new governance approach if motivated to do so, but did not; certainly this assumption is worth greater exploration. I make no attempt to explain why such an approach did not emerge in these cases.
32. Thanks to Alison Lerner, University of Georgia School of Law, class of 2010, for drafting the case study that served as the basis for this Section, and Matt Weiss, University of Georgia School of Law, class of 2008, for doing much of the initial research.
33. Press Release, Identity Theft Resource Center, Security Breaches (Jan. 8, 2008), http://www.idthefteenter.org/artman2/publish/lib-survey/Press-Release- 2007-Breach-List. shtml.
34. See generally Pavul N. Otto et al., The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information, IEEE SECURITY & PRIVACY, Sept.-Oct. 2007, at 15 (giving general background information on data breaches).
35. See Paul M. Schwartz & Edward J. Janger, Notification of Data Security Breaches, 105 MICH. L. REV. 913, 920-23 (2007) (categorizing the institutions subject to notification laws into four categories: business-to-consumer retail, business-toconsumer financial, outsourcing entities, and data brokers).
36. Evan Perez, Identity Then Puts Pressure on Data Sellers, WALL ST. J., Feb. 18, 2005, at B1.
37. Id.
38. Complaint for Civil Penalties, Permanent Injunction, and Other Equitable Belief at Exhibit C, In re ChoicePoint, Inc., Sec. Litig., No. 06-198 (N.D. Ga. Jan. 30, 2006), available at http://www.ftc.gov/os/caselist/choicepoint/ 0523069com>plaint.pdf;
39. Perez, supra note 28.
40. The federal government, through the Federal Trade Commission (FTC), can charge "consumer reporting agencies" with violations of the Fair Credit Reporting Act (FCRA) for data breaches. See Daniel J. Solove & Chris Jay Hoofnagle, A Model Regime of Privacy Protection, 2006 U. III. L. REV. 357, 359-60 (2006) (describing the weakness inherent in using the FCRA to handle data-security breach cases).
41. The FCRA requires that consumer-reporting agencies institute procedures to ensure accuracy, and allows for procedures which have now become familiar, such as the ability to access one's credit report and correct mistakes on it.
42. Id. at 360.
43. Additionally, government agencies are subject to the Privacy Act of 1974, which regulates public sector use of confidential information and is modeled after the FCRA. Privacy Act of 1974, 5 U.S.C. §552a (2006). Finally, companies under the purview of the SEC may face violations of the Exchange Act for data security-breach incidents.
44. See Otto et al., supra note 26, at 17-18. However, data brokers like ChoicePoint are not covered under any of these statutes.
45. See id. at 15.
46. See Gramm-Leach-Bliley Act, 15 U.S.C. §§6801-6809 (2006). Under the 1999 Gramm-Leach-Bliley Act (GLBA), the financial services industry was subject to regulations "to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer." Id. §6801(b)(3) (emphasis added). The relevant agencies released a set of Guidelines that required financial institutions to develop and implement a set of procedures to protect against the release of confidential personal information.
47. See, e.g., Gideon Emcee Christian, A New Approach to Data Security Breaches, 7 CANADIAN J.L. & TECH. 149, 155-56 (2009) (describing the GLBA and subsequent agency action);
48. see also Ritu Singh, Two-Factor Authentication: A Solution to Times Past or Present? The Debate Surrounding the Gramm-Leach-Bliley Security Safeguards Rule and the Methods of Risk Assessment and Compliance, 2 I/S: J.L. & POL'Y FOR INFO. SOC'Y 761, 763-65 (2006) (discussing the implementation of the Guidelines and the lax enforcement and compliance with GLBA).
49. Individual Reference Services Group, Industry Principles - Commentary (Dec. 15, 1997), avilable at http://www.ftc.gov/os/1997/12/irsappe.pdf.
50. Comments of the Individual Reference Services Group on Elements of Effective Self Regulation for the Protection of Privacy and Questions Related to Online Privacy Before the U.S. Dep't of Commerce (1998), http://www.ntia.doc. gov/ntiahome/privacy/mail/disk/irsgcom.html.
51. Bob Sullivan, Database Giant Gives Access to Fake Firms, MSNBC.COM, Feb. 14, 2005, http://www.msnbc.msn.com/id/6969799/.
52. Id.
53. Bill Husted, Crooks Duped Data Archive, ATLANTA J.-CONST., Feb. 16, 2005, at 1A.
54. Id.
55. Id.
56. In re ChoicePoint, Inc., Sec. Litig., No. 06-198 (N.D. Ga. Mar. 11, 2005).
57. Otto et al., Supra note 26, at 18.
58. ChoicePoint, Inc., Current Report (Form 8-K), at 4 (Mar. 4, 2005).
59. 38 AGs Send Open Letter to ChoicePoint, Assoc PRESS FIN. WIRE, Feb. 19, 2005.
60. Stipulated Final Judgment and Order For Civil Penalties, Permanent Injunction, and Other Equitable Relief, In re ChoicePoint, Inc., Sec. Litig., No. 06-198 (N.D. Ga. Feb. 10, 2006), available at http://www.fte.gov/os/ caselist/choicepoint/0523069stip.pdf [hereinafter FTC Consent Order];
61. Press Release, Federal Trade Commission, ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress (Jan. 26, 2006), http://www.ftc.gov/opa/2006/01/ choicepoint.shtm.
62. FTC Consent Order, supra note 44.
63. See Anthony D. Milewski Jr., Compliance with California Data Privacy Laws: Federal Law Also Provides Guidance to Businesses Nationwide, 2 SHIDLER J.L. COM. & TECH. 19, 19(2006).
64. Id.
65. California Security Breach Notification Act, CAL. CIV. CODE §1798.82 (West 2009).
66. See ALASKA STAT. §45.48.010 (2009);
67. ARIZ. REV. STAT. ANN. §447501(L)(4) (2009);
68. ARK. CODE ANN. §4-110-105(a)(1) (2009);
69. COLO. REV. STAT. §61-716 (d)(1) (2009);
70. CONN. GEN. STAT. §36a-701b(b) (2009);
71. DEL. CODE ANN. tit. 6, §12B-102(a) (2009);
72. D.C. CODE §28-3852(a) (2009);
73. FLA. STAT. §817.5681(1)(a) (2006);
74. GA. CODE. ANN. §10-1-912 (2009);
75. HAW. REV. STAT. §487N-2(a) (2009);
76. IDAHO CODE ANN. §28-51-104(5), 28-51-105 (2009);
77. 815 III. COMP. STAT. §530/10 (2008);
78. IND. CODE §24-4.9-3-1 (LexisNexis Supp. 2009);
79. IOWA CODE ANN. §715C.1-2 (West Supp. 2009);
80. KAN. STAT. ANN. §50-7a02(a) (2008);
81. LA. REV. STAT. ANN. §51: 3074(a) (West Supp. 2010);
82. MD. CODE ANN. §14-3502(A) (LexisNexis 2009);
83. MASS. GEN. LAWS eh. 93H, §3 (LexisNexis Supp. 2009);
84. MICH. COMP. LAWS ANN. §445.72 (West 2009);
85. MINN. STAT. ANN. §325E.61, Subdiv. 1, (West 2010);
86. Mo. ANN. STAT. §407.1500.2 (West 2010);
87. MONT. CODE ANN. §30-14-1704(1) (2009);
88. NEB. REV. STAT. ANN. §87-803 (LexisNexis 2009);
89. NEV. REV. STAT. ANN. §603A.220 (LexisNexis 2007);
90. N.H. REV. STAT. ANN. §359-C:19(V) (YEAR);
91. N.J. STAT. ANN. 56:8-163(12)(a) (West YEAR);
92. N.Y. GEN. BUS. LAW §899-aa.2 (Publisher YEAR);
93. N.C. GEN. STAT. §75-65 (YEAR);
94. N.D. CENT. CODE §51-30-02 (YEAR);
95. OHIO REV. CODE ANN. §1349.19(A)(1)(a) (Publisher YEAR);
96. 2008 H.B. 2245(a) (YEAR) (Okla.);
97. OR. REV. STAT. §646A.604 (2009);
98. 73 PA. CONS. STAT. §2303 (2008);
99. R.I. GEN. LAWS §11-49.2-3 (Supp. 2008);
100. S.C. CODE ANN. §39-1-90 (Supp. 2009);
101. TENN. CODE ANN. §47-18-2107(b) (Supp. 2009);
102. UTAH CODE ANN. §13-44-202(1)(a) (Supp. 2009);
103. VT. STAT. ANN. tit. 9, §2435(b)(1) (2006);
104. VA. CODE ANN. §18.2-186.6(D) (2009);
105. WASH. REV. CODE ANN. §19.255.010(1) (West 2007);
106. W. VA. CODE ANN. §46A.2A.102 (LexisNexis 2006);
107. WYO. STAT. ANN. §40-12-502(a) (2009).
108. Compare California Security Breach Notification Act, CAL. CIV. CODE §1798.82, with sources cited supra note 48. Other states adopted similar statutes using California's legislation as a template but varied based on their definitions of "personal information," their notification requirements related to encrypted information, conditions necessary to trigger notification requirements, the procedures necessary to satisfy actual notice, the situations in which substitute notice was permissible, and the timetable for notification, which ranged from a set time period (i.e., forty-five days in Florida) to more vague requirements (such as California's requirement to notify consumers in the "most expedient time possible and without unreasonable delay").
109. Id.
110. See GINA MARIE STEVENS ET AL., CONG. RESEARCH SERV., CRS REPORT FOR CONGRESS, DATA SECURITY: FEDERAL AND STATE LAWS (2006), available at http://assets.opencrs.com/rpts/RS22374-20060203.pdf>. While most states are like California in that they require notification when there has been any "unauthorized access" of personal information, several states have a higher threshold for when notification is triggered: instead of simply unauthorized access, these states require some determination of "likelihood of misuse."
111. Schwartz & Janger, supra note 27, at 932-34. For example, Florida's data-breach law requires disclosure when unauthorized access "materially compromises the security, confidentiality, or integrity of personal information . . . ." FLA. STAT. ANN. §817.5681(4) (West 2006).
112. CAL. CIV. CODE §1798.82;
113. CONG. RESEARCH SERV. , supra note 50.
114. CAL. CIV. CODE §1798.82;
115. CONG. RESEARCH SERV., supra note 50.
116. CAL. CIV. CODE §1798.82(g)(2)-(3);
117. CONG. RESEARCH SERV., supra note 50.
118. See Notification of Risk to Personal Data Act, S. 115, 109th Cong. (2005). The bill also broadened the scope of required disclosures, eliminated any safe harbor for disclosed encrypted information, and created additional federal agencies to combat identity theft and to oversee statutory compliance.
119. Id.
120. Enforcement authority was provided to the state attorneys general, who could sue the companies responsible for data breaches for civil remedies. Id.
121. Notification of Risk to Personal Data Act, S. 1326, 109th Cong. (2005) (introduced by Sen. Jeff Sessions (R-Ala.)).
122. See generally Cary Coglianese & David Lazer, Management-Based Regulation: Prescribing Private Management to Achieve Public Goals, 37 LAW & SOC'Y REV. 691 (2003) (describing a regulatory approach where firms are directed to engage in a planning process designed to achieve public goals).
123. See, e.g., Identity Theft Protection Act, S. 1408, 109th Cong. §2(b)(1) (2005) (introduced by Sen. Gordon Smith (R-Or.)).
124. As with Senator Sessions's legislation, this bill required the implementation of a program to secure personal consumer information through "administrative, technical, and physical safeguards . ..." Id. The most robust such bill was introduced by, among others, Senators Arlen Specter (R-Pa.), and Patrick Leahy (D-Vt.), the Chairman and Ranking Democratic Member of the Senate Judiciary Committee.
125. Personal Data Privacy and Security Act of 2005, S. 1789, 109th Cong. (2005).
126. The bill mandated that companies create a personal data privacy and security program, id. §2, based in part on the Interagency Guidelines for financial institutions, and also set third-party contractors hired to process data, id. § 502.
127. Data Accountability and Trust Act, H.R. 4127, 109th Cong. §2(a)(1)(B) (2005) (DATA) (introduced by Rep. Cliff Stearns (R-Fla.). DATA required establishing a policy for information collection, appointing a data-security officer within the organization, taking preventative and corrective action, and creating a process for the disposal of obsolete data. Id. §2(a)(2). In the case of a breach, the FTC would then be authorized to require the data broker to submit its information protection policy to an FTC audit.
128. Id. §2(b).
129. See posting of Jeffrey D. Neuburger & Sara Krauss to Privacy L. Blog, Will Congress Enact Data Security Breach Provisions This Year - ? Guess What, It Already Has, http://privacylaw.proskauer.com/2009/03/articles/security- breach>-notification-1/will-congress-enact-data-security-breach-provisions- this-year-guess-what -it-already-has/ (Mar. 2, 2009) (noting that while Congress never actually passed datasecurity laws, changes to HIPAA require notification when health information is released without authorization).
130. Christopher J. Volkmer, Risk Allocation by Legislation: Proposed State Laws Allocate Costs of Data Breaches, 2 PRIVACY & DATA SEC. L.J. 764, 768-69 (2007).
131. Schwartz & Janger, supra note 27, at 952. Another critique of the current crop of state and federal data notification laws is that it is impossible for businesses to comply with a patchwork of state law plus federal regulation. Even without the federal legislation on the table, businesses today must be aware of forty-two subtly different notification laws, plus any applicable federal regulations under the FTC, SEC, and HIPAA.
132. Another model can be found in Schwartz and Janger's article. Id. at 96070 (proposing a coordinated response agent (CRA) that will be more comprehensive than simple notification laws).
133. Thanks to Rachel Goodrich, University of Georgia School of Law, class of 2010, for drafting the case study on which this Section is based.
134. See THE SURGEON GENERAL'S CALL TO ACTION TO PREVENT AND DECREASE OVERWEIGHT AND OBESITY (2001), available at http://www.surgeongeneral.gov/ topics/obesity/calltoaction/CalltoAction.pdf.
135. See id. at 19-21.
136. See id. at 33-35.
137. See also Child Nutrition and WIC Reauthorization Act of 2004, Pub. L. No. 108-265, 118 Stat. 729. The Act requires local educational institutions using the National School Lunch Program to establish local wellness policies setting forth "nutrition guidelines ... for all foods available on each school campus under the local educational agency during the school day with the objectives of promoting student health and reducing childhood obesity . ..." Id. §204(a)(2).
138. 42 U.S.C. §1779(b) (2006).
139. Nat'l Son Drink Ass'n v. Block, 721 F.2d 1348, 1354 (D.C. Cir. 1983).
140. National School Lunch Program, General Purpose and Scope, 7 C.F.R. pt. 210, app. B(a)(1) (2009).
141. Nat'l Soft Drink Ass'n, 721 F.2d at 1351.
142. Michelle M. Mello et al., The Interplay of Public Health Law and Industry Self-Regulation: The Case of Sugar-Sweetened Beverage Sales in Schools, 98 AM. J. PUB. HEALTH 595, 597 (2008) (quoting a 2002 National Soft Drink Association statement on efforts to ban or restrict the sale of carbonated soft drinks in schools).
143. Id. (citation omitted).
144. Id.
145. Id.
146. American Beverage Association, About ABA: History, http://www.ameribev. org/about-aba/history/ (last visited Feb. 9, 2010).
147. Mello et al., Supra note 72, at 600.
148. Id.; see American Beverage Association, Beverage Industry School Vending Policy, available at http://www.ia-sb.org/assets/2246ADC4-FBDl-46>C7-9631- 92091CBB4538.pdf (last visited Feb. 20, 2010) [hereinafter Vending Policy].
149. Mello et al., Supra note 72, at 600.
150. Id.
151. Id.; see Vending Policy, Supra note 78.
152. Jeffrey Kluger, How Bill Put the Fizz in the Fight Against Fat, TIME, May 15, 2006, at 22, 22.
153. Alliance for a Healthier Generation, About the Alliance, http://www.healthiergeneration.org/about.aspx (last visited Feb. 9, 2010).
154. Mello et al., supra note 72, at 600.
155. Id.
156. Id.
157. Id.
158. Id.
159. Id.
160. Id.
161. Id.
162. Id.
163. See Child Nutrition Promotion and School Lunch Protection Act of 2006, S. 2592, 109th Cong. (2006).
164. Id. §10(b)(1)(A).
165. Id. §10(b)(1)(B).
166. See Child Nutrition Promotion and School Lunch Protection Act of 2006, H.R. 5167, 109th Cong. (2005).
167. U.S. Senator Tom Harkin, Senator Harkin's Health and Wellness Update: Harkin Pushes Bipartisan Measure to Improve Kids Health, April 2006 (on file with author).
168. S. 934: Child Nutrition Promotion and School Lunch Protection Act of 2009, GOVTRACK.us, http://www.govtrack.us/congress/bill.xpd?bill=slll- 934&tab=related (last visited Feb. 26, 2010) (discussing the legislative history of the Child Nutrition Promotion and School Lunch Protection legislation in the current Senate bill 934, and previous House and Senate bills S. 771, H.R. 1363, S. 2592, H.R. 5167).
169. Woolsey and Harkin again introduced the bills in 2009. Deborah Lehmann, School Lunch Talk, Harkin Introduces School Food Bill in Senate, http://www.school foodpolicy.com/2009/05/06/harkin-introduces-school-food-bill- in-senate/
170. In 1993, the West Virginia Board of Education regulated competitive foods with some of the highest standards in the nation. Prevention Institute for the Center for Health Improvement, Competitive Foods, in NUTRITION POLICY PROFILES (2002) http://www.preventioninstitute.org/component/jlibrary/article/id-202/127. htmleight (click on "Competitive Foods" under "Associated File(s)"). In 2003, Arkansas banned vending machines accessible to elementary school students.
171. See Act 1220, 2003 Ark. Acts 4226, 4230. Colorado, Louisiana, Tennessee, and Washington followed Arkansas with bans on school vending machines in 2004. National Conference of State Legislatures, Vending Machines in Schools 2005, http://www.ncsl.org/issuesresearch/health/vendingmachinesinschools2005/ tabiďl4108/default.aspx.
172. CAL. EDUC. CODE §38,085 (West 2009).
173. More recently and with specific regard for beverage sales in schools, California enacted the Pupil Nutrition, Health, and Achievement Act of 2001 to take effect in 2006. The Pupil Nutrition, Health, and Achievement Act of 2001, ch. 913, §2, 2001 Cal. Legis. Serv. 5734, 5736 (West 2001) (codified at CAL. EDUC. CODE §49,431.5 (West 2006)).
174. Mello et al., Supra note 72, at 596.
175. Thanks to Alison Lerner, University of Georgia School of Law, class of 2010, for her excellent work in drafting the case study that served as the basis for this Section.
176. HUMAN RIGHTS WATCH, "RACE TO THE BOTTOM": CORPORATE COMPLICITY IN CHINESE INTERNET CENSORSHIP 3 (2006), available at http://www.hrw.org/en/ reports/2006/08/09/race-bottom [hereinafter RACE TO THE BOTTOM].
177. See id. at 9.
178. Andrew W. Lloyd, Increasing Global Demand for an Uncensored Internet-How the U.S. Can Help Defeat Online Censorship by Facilitating Private Action, 41 VAND. J. TRANSNAT'L L. 299, 318 (2008);
179. Internet Anti-Jamming Technology Companies Reach Milestone Agreement, Bus. WIRE, Dec. 18, 2006.
180. In 2002, the Chinese government implemented filtering software based on keywords, which greatly increased its ability to control content. Jill R. Newbold, Aiding the Enemy: Imposing Liability on U.S. Corporations for Selling China Internet Tools to Restrict Human Rights, 2003 U. III. J.L. TECH. & POL'Y 503, 511 (2003). In 2003, President Hu Jintao took office, and restrictions on speech tightened further.
181. See RACE TO THE BOTTOM, supra note 103, at 3. In 2004, the government jailed Shi Tao, a prominent anti-government blogger, in a highly publicized incident that created an outcry in the media around the world.
182. Id. at 32;
183. Information Supplied by Yahoo! Helped Journalist Shi Tao Get 10 Years in Prison, REPORTERS WITHOUT BORDERS, Sept. 6, 2005, http://en.rsf.org/spip.php? page=article&id-article = 14884.
184. In 2005, the Chinese government created yet more regulations, this time affecting news providers, dubbed "Internet News Information Sources" that significantly tightens the existing censorship requirements and took direct aim at companies like Google, Yahoo!, and MSN. Kaydee Smith, A Global First Amendment?, 6 J. TELECOMM. & HIGH TECH. L. 509, 514 (2008) (citation omitted);
185. see generally Trina K. Kissel, License to Blog: Internet Regulation in the People's Republic of China, 17 IND. INT'L & COMP. L. REV. 229 (2007) (providing an excellent overview of the dynamics of Chinese censorship and China's legal foundation allowing it).
186. Rachel Laing, Hitting Wall in China, SAN DIEGO UNION-TRIB., Feb. 15, 2006;
187. see generally Lloyd, supranote 105.
188. See William J. Cannici, Jr., The Global Online Freedom Act: A Critique of its Objectives, Methods, and Ultimate Effectiveness Combating American Businesses That Facilitate Internet Censorship in The People's Republic of China, 32 SETON HALL LEGIS. J. 123, 157-62 (2007) (discussing the role of corporations China and the companies' defenses to accusations of complicity).
189. For a discussion of the case, see JACK GOLDSMITH & TIM WU, WHO CONTROLS THE INTERNET?: ILLUSIONS OF A BORDERLESS WORLD 1-12 (2006).
190. Yahoo! brought the French government's requests to federal court in the United States to determine if they were enforceable in the U.S., but the court handily ducked the issue by declaring it moot-since Yahoo! had already complied with the order, without further action by the French government, there was no case. See Yahoo! Inc. v. La Ligue Contre Le Racisme et L'Antiseitisme, 433 F.3d 1199 (9th Cir. 2006). Yahoo! also came under fire in the mid-2000s for releasing information that ultimately lead to the arrest and imprisonment of the Chinese dissidents Li Zhi in 2003 and Shi Tao in 2004.
191. See Tom Zeller Jr., Internet Firms Facing Questions About Censoring Online Searches in China, N.Y. TIMES, Feb. 15, 2006, at C3.
192. See also RACE TO THE BOTTOM, supra note 103, at 107-10;
193. Information Supplied by Yahoo! Helped Journalist Shi Tao Get 10 Years in Prison, supra note 106. In addition to the disclosure to Chinese authorities of personal identifying information, Yahoo! also engages in the practice of de-listing Web sites in compliance with Chinese government speech laws, which means that certain Web sites are simply unavailable on Yahoo!'s Chineselanguage search engine.
194. See RACE TO THE BOTTOM, supra note 103, at 26.
195. Andrew Donaghue, Microsoft Censors Chinese Blogger, ZDNET UK, Jan. 4, 2006, http://news.zdnet.co.Uk/security/0,1000000189,39245583,OO.htm.
196. RACE TO THE BOTTOM, supra note 103, at 43-44.
197. Id. at 55;
198. Google to Censor Results on New Chinese Search Site, WASH. POST, Jan. 25, 2006, at DIO.
199. RACE TO THE BOTTOM, supranote 103, at 55;
200. Google to Censor Results on New Chinese Search Site, supra note 113.
201. Broadcasting Board of Governors, About the Agency, http://www.bbg.gov/ about/index.html (last visited Feb. 12, 2010);
202. Lloyd, supra note 105.
203. House Policy Committee, Policy Statement, Establishing Global Internet Freedom: Tear Down This Firewall, Sept. 19, 2002, available at http://web.archive.Org/web/20021014010556/http://policy.house.gov/html/ news-item.cfm?id= 112 [hereinafter Tear Down This Firewall].
204. Id.
205. Id.
206. After the initial introduction of the Global Internet Freedom Act in 2002, it was subsequently introduced twice more but failed to be made into law. See H.R. 4741: Global Internet Freedom Act, GOVTRACK.US http://www.govtrack.us/ congress/bill.xpd?bill=hl09-4741&tab=related (discussing successive Senate and House bills) (last visited Apr. 9, 2010).
207. Global Internet Freedom Act, H.R. 4741, 109th Cong. §4(a) (2006).
208. Id. §6.
209. Id. §2(1).
210. Id. §4(a);
211. see supra note 115 and accompanying text (discussing the IBB).
212. H.R. 4741 §3(5);
213. see supranote 105 and accompanying text (discussing of private anti-jamming companies).
214. U.S. Department of State, Internet Freedom, http://www.state.gov/e/eeb/ cip/cl7156.htm (last visited Feb. 5, 2010).
215. Smith, Supra note 106, at 518.
216. Id.
217. Greg Piper, Google, Yahoo Support "Independent Monitoring" of Foreign Practices, WASH. INTERNET DAILY, May 21, 2008.
218. The Internet in China: A Tool for Freedom or Suppression?: Joint Hearing Before the Subcomm. on Africa, Global Human Rights and International Operations and the Subcomm. on Asia and the Pacifíc of the H. Comm. on International Relations, 109th Cong. (2006) [hereinafter 2006Hearing].
219. Id. at 2 (statement of Rep. Smith).
220. Id.
221. Id. at 65-76 (statement of Elliot Schräge, Vice President for Corporate Communications & Public Affairs, Google, Inc.).
222. Richard Waters, Gates Suggests US Law to Guide on Internet Censorship Abroad, FIN. TIMES (London), Feb. 16, 2006, at 6 (alteration in original).
223. 2006 Hearing, supra note 129, at 4 (statement of Rep. Smith).
224. Id.
225. Global Online Freedom Act, H.R. 4780, 109th Cong. (2006).
226. Id.
227. Id. §104.
228. Id. §104(b)(6).
229. H.R. 4780: Global Online Freedom Act of 2006, GOVTRACK. US, http://www.govtrack.us/congress/bill.xpd?bill=hl09-4780> (last visited Feb. 5, 2010).
230. H.R. 275: Global Online Freedom Act of 2007, GOVTRACK.US, http://www.govtrack.us/congress/bill.xpd?bill=h110-275 (last visited Feb. 5, 2010).
231. Greg Piper, Internet Conduct Code Ready in "Months," Yahoo's Yang Says, WASH. INTERNET DAILY, Apr. 4, 2008.
232. Id.
233. Global Internet Freedom: Corporate Responsibility and the Rule of Law: Hearing Before the Subcomm. on Human Rights and the Law of the S. Comm. on the Judiciary, 110th Cong. (2008) [hereinafter 2008Hearing].
234. Id. at 3 (statement of Sen. Durbin).
235. Id. at 10-12 (statement of Arvind Ganesan, Director, Business and Human Rights Program, Human Rights Watch).
236. Id.
237. Id. at 12.
238. Id. Bill Gates himself, actually, suggested modeling legislation on the FCPA.
239. Waters, supra note 133. The FCPA works by requiring that companies put systems in place to prevent abuses, and then holds them accountable when abuses occur.
240. Id.
241. 2008 Hearing, supra note 144, at 119 (statement of John G. Palfrey, Jr., Clinical Professor of Law and Executive Director, Berkman Center for Internet & Society, Harvard Law School).
242. Id. at 115 (statement of Leslie Harris, President and CEO, Center for Democracy & Technology).
243. 2006 Hearing, supranote 129, at 34-35 (statement of Sen. Durbin).
244. Global Network Initiative, http://www.globalnetworkinitiative.org (last visited Apr. 19, 2008).
245. Global Network Initiative, Core Commitments, http://www. globalnetworkinitiative.org/corecommitments/index.php (last visited Feb. 5, 2010).
246. Id.
247. Global Network Initiative, Principles, http://www.globalnetwork initiative.org/principles/index.php (last visited Feb. 5, 2010).
248. Id.
249. Id.
250. Id.
251. Global Network Initiative, Implementation Guidelines, http://www.globalnetworkinitiative.org/implementationguidelines/index.php (last visited Feb. 5, 2010).
252. Id.
253. For example, the document recommends that human rights impact assessments should be employed when companies engage in the following practices: Reviewing and revising internal procedures for responding to government demands for user data or content restrictions in existing markets. Entering new markets, particularly those where freedom of expression and privacy are not well protected. Reviewing the policies, procedures and activities of potential partners, investments, suppliers and other relevant related parties for protecting freedom of expression and privacy as part of its corporate due diligence process. Designing and introducing new technologies, products and services.
254. Id.
255. Id.
256. Id.
257. Global Network Initiative, Governance, Accountability & Learning Framework, http://www.globalnetworkinitiative.org/governanceframework/index. phpgt;Oast visited Feb. 5, 2010).
258. Id.
259. Id.
260. Id.
261. Id. These core commitments are carried out by the group's stakeholders, which include the ISP companies and non-profits discussed earlier.
262. See Global Network Initiative, Participants, http://www. globalnetworkinitiative.org/participants/index.php (last visited Feb. 5, 2010). In addition to the human rights non-profits and academics that were active in the creation of the GNI, the members also include socially responsible investment firms like the Calvert Group and Trillium Asset Management.
263. Id. The only governmental participant is a United Nations Special Representative to the Secretary-General on Business & Human Rights, who has observer status.
264. Id.
265. See James Eagle, Wired Blog: Just a PR Exercise?, MORNING STAR (BRITAIN), Oct. 31, 2008, http://www.morningstaronline.co.uk/index.php/news/content/view/ full/67643;
266. Miguel Helft & John Markoff, Big Tech Companies Back Global Plan to Shield Online Speech, N. Y. TIMES, Oct. 28, 2008, at B8 (ending with scathing criticism of the GNI by human rights organizations);
267. Cyrus Farivar, Global Initiative Promises to Harmonize ICT and Human Rights: But How Much Leverage Will the GNI Actually Have?, http://machinist. salon.com/tech/machinist/blog/2008/10/29/gni (Oct. 29, 2008, 10:30).
268. See Farivar, supra note 170. Since its formation in October, the main action that GNI appears to have taken has been to hold a public forum in December, in conjunction with the International Seminar on Business and Human Rights in celebration of the sixtieth anniversary of the Universal Declaration of Human Rights.
269. GNI Successfully Holds First Public Forum, GLOBAL NETWORK INITIATIVE, Dec. 18, 2008, http://www.globalnetworkinitiative.org/newsandevents/GNI- Successfully-Holds-First-Public-Forum.php. It has also created several blog-style press releases.
270. See Global Network Initiative, News and Events, http://www. globalnetworkinitiative.org/newsandevents/index.php (last visited Feb. 5, 2010).
271. Sens. Leahy and Durbin and Rep. Berman Issue Statements in Support of the Global Network Initiative, GLOBAL NETWORK INITIATIVE, Oct. 29, 2008, http://www.globalnetworkinitiative.org/newsandevents/Sen-Dick-Durbin-and-Rep-Ho ward-Berman.php.
272. See Greg Piper, Code of Conduct Requires Companies to Press Governments for Legal Grounds, WASH. INTERNET DAILY, Oct. 29, 2008.
273. Jeffrey Rosen, Google's Gatekeepers, N.Y. TIMES, Nov. 30, 2008, at MM50.
274. See Governance, Accountability & Learning Framework, supra note 165.
275. Thanks to Alison Lerner for thoughts on this analogy.
276. See Edward J. Balleisen & Marc Eisner, The Promise and Pitfalls of CoRegulation: How Governments Can Draw on Private Governance for Public Purpose, in NEW PERSPECTIVES ON REGULATION 127 (David Moss & John Cisterino eds., 2009) (describing such self-regulatory organizations).
277. Solomon, supra note 5, at 824.
278. Of the twenty-four participants in the GNI as of this writing, fully half of them are high-profile and well-funded non-profit and academic organizations such as Human Rights Watch, the Berkman Center, the Center for Democracy and Technology, and the Electronic Frontier Foundation that were active during the 1990s and 2000s in monitoring and publicizing the activities of the Chinese government. See Global Network Initiative, supranote 169.
279. See generally Elaine Chen, Global Internet Freedom: Can Censorship and Freedom Coexist?, 13 DEPAUL-LCA J. ART & ENT. L. & POL'Y 229 (2003) (arguing for either the direct creation of OGIF as envisioned by GOFA or some similar body);
280. Kristen Farrell, Corporate Complicity in the Chinese Censorship Regime: When Freedom of Expression and Protability Collide, 11 J. INTERNET L. 1 (2008) (same);
281. Marc D. Nawyn, Code Red: Responding to the Moral Hazards Facing U.S. Information Technology Companies in China, 2007 COLUM. BUS. L. REV. 505 (2007) (same). Nawyn proposes a "hybrid solution" which fits the new governance model the closest.
282. Id. at 554-62.
283. See SARAH PALIN, GOING ROGUE: AN AMERICAN LIFE 105, 243, 273, 310 (2009) (describing her success in popularizing the phrase "drill, baby, drill" as shorthand for Republican energy policy).
284. Edward Balleisen and Marc Eisner refer to this as a well-established and crucial "tactic in the politics of deflection."
285. See Balleisen & Eisner, supra note 177, at 131 ("Whenever some corner of the business community faces a groundswell of popular support for regulations that will impinge on its commercial practices, the odds are good that its leaders will champion some form of industry-wide regulatory selfgovernance as a means to forestall more onerous rule making and enforcement by the state.").
286. See Bradley C. Karkkainen, Reply, "New Governance" in Legal Thought and in die World: Some Splitting as Antidote ta Overzealous Lumping, 89 MINN. L. REV. 471, 484 (2004) ("Writings of the 'democratic experimentalist' camp, in particular, emphasize the inherent and inescapable epistemic constraints that limit our ability to map and devise comprehensive solutions to complex and dynamic social problems, militating in favor of a regulatory architecture that embraces the provisionality, revisability, and experimental character of all policy determinations.").
287. Related ideas in the literature include "enforced self-regulation," see AYRES & BRAITHWAITE, supra note 2, at 101-32;
288. mandated self-regulation, see EUGENE BARDACH & ROBERT KAGAN, GOING BY THE BOOK: THE PROBLEM OF REGULATORY UNREASONABLENESS 224-26 (2002); and "meta-regulation,"
289. see Christine Parker, Meta-Regulation: Legal Accountability for Corporate Social Responsibility, in THE NEW CORPORATE ACCOUNTABILITY: CORPORATE SOCIAL RESPONSIBILITY AND THE LAW 207, 210-13 (Doreen McBarnet et al. eds., 2007).
290. See also Colin Scott, Self-Regulation and the Meta-Regulatory State, in REFRAMING SELF-REGULATION IN EUROPEAN PRIVATE LAW 131, 136-40 (Fabrizio Cafaggi ed., 2006) (providing "a taxonomy of the different forms of relationship between state actors and self-regulatory regimes").
291. Invent and use this new term of "industry capture" to refer to the distinct idea that there is this existing private-sector regulatory architecture which the public sector uses for its own ends. Another related idea is that of delegating regulatory authority to firms, explored in Kenneth A. Bamberger, Regulation as Delegation: Private Firms, Decisionmaking, and Accountability in the Administrative State, 56 DUKE L.J. 377, 377-78 (2006).
292. See AYRES & BRAITHWAITE, supra note 2, at 5 ("[T]he best [regulatory] strategy is shown to depend on context, regulatory culture, and history.").