LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Regulatory Law

Michael I. Shamos, Ph.D., J.D.Institute for Software Research

School of Computer ScienceCarnegie Mellon University

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Regulation

• Most law is not made by legislatures, but by adminstrative agencies (ministries)

• Reason:– Governing involves many details. Legislatures spend their

time on high-level policies, leaving the details to career professionals

– Administration requires special expertise. Example: the Federal Aviation Administration (FAA) knows much more about flying than Congress does

• Solution: Allow administrative agencies to makes laws (which are called regulations)!

• But: the regulations must not violate statutes

Regulation• Administrative agencies of the government have “rulemaking”

(regulatory) power• Examples:

– Securities and Exchange Commission regulates securities offerings and markets

– Dept. of Agriculture inspects meat– Federal Communications Commission (FCC) regulates the radio

frequency spectrum– Comptroller of the Currency regulates certain banks– Patent & Trademark Office issues patents

• Where do these powers fit into the legislative scheme?• Rules properly made have the force of law (unless they are

inconsistent with statute)

Overlapping Powers(Example: Financial Regulation)

SOURCE: FINANCIAL TIMES

Some Technology Agencies

• Federal Communications Commission• Environmental Protection Agency• Department of Transportation• Department of Agriculture• Federal Aviation Administration• U.S. Election Assistance Commission• U.S. International Trade Commission• U.S. Patent and Trademark Office• Federal Trade Commission

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Agency Actions

• Issue rules or regulations (which mean the same thing), having the effect as statutes

• Licenses, which include permits, certificates, other types of permission

• Advisory opinions, authoritative interpretations of statutes and regulation but not binding on courts

• Orders, final disposition of any agency action, other than rulemaking

• Decisions, which resolve disputes over interpretation of statutes or regulations

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Federal Rulemaking• In general, government agencies may prescribe rules

and regulations “not inconsistent with law” in furtherance of their mission

• Example: setting time limits, fees, fines, procedures• The process is complex

– Agency must publish the proposed rule in the Federal Register– The public has 60 days to send comments– The agency MUST consider the comments– Agency submits a “final rule” to Congress and published is in

the Federal Register– The rule becomes a “regulation having the effect of law” without

further approval

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Notice of Proposed Rulemaking

Code of Federal Regulations• Final rules are published in the Code of Federal

Regulations (CFR). View Electronic CFR• Courts treat the CFR as law

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Software Lending Notice Regulation37 C.F.R. §201.24

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Limits of Rulemaking• Each agency is created by Congress and is given

certain powers• Later statutes may expand or reduce those powers• Agencies may not exceed their powers• If they do, a Court can vacate (remove) an illegal rule

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Example: Privacy and the FTC• The Federal Trade Commission was created by the

Federal Trade Commission Act in 1914• It gives the FTC power to stop unfair or deceptive

trade practices at 15 U.S.C. §45:

FTC Rulemaking• The FTC is given rulemaking power at 15 U.S.C.

§57a:

NOV. 29, 2011

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Appeals From Agency Decisions

• Agencies are bound by their own rules• Must appeal within agency before going to court• Administrative Procedure Act, 5 U.S.C. §500ff:• Court shall “hold unlawful and set aside” actions that are:

arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law;

contrary to constitutional right, power, privilege, or immunity;

in excess of statutory jurisdiction or authority; without observance of procedure required by law; unsupported by substantial evidence; or unwarranted by the facts

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Major Ideas

• Most law is regulatory, not statutory• Reason: expertise, level of detail• Agencies receive power from legislatures• Courts ensure that agencies do not exceed their

authority

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

QA&

Children’s Online Privacy Protection Act

• SEC. 1302. DEFINITIONS. • In this title:• (1) CHILD.—The term "child" means an individual under the age of

13.• (2) OPERATOR.—The term "operator"— • (A) means any person who operates a website located on the

Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service

• (3) COMMISSION.—The term "Commission" means the Federal Trade Commission.

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Children’s Online Privacy Protection Act

• SEC. 1303. REGULATION OF UNFAIR AND DECEPTIVE ACTS AND PRACTICES (a) ACTS PROHIBITED.—

• (1) IN GENERAL.—It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

Children’s Online Privacy Protection Act

• (b) REGULATIONS.—

• (1) IN GENERAL.—Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate under section 553 of title 5, United States Code, regulations that—

• (A) require the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child—

• (i) to provide notice on the website of what information is collected from children by the operator, how the operator uses such information, and the operator's disclosure practices for such information; and

• (ii) to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children;

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS

LAW OF COMPUTER TECHNOLOGY FALL 2015 © 2015 MICHAEL I. SHAMOS