186  NOTES

              Protection Regulation: Toward a Property Regime for Protecting Data Pri-
              vacy,” Yale Law Journal 123, 2 (2013): 515.
           24.  “Though the Regulation is framed in the fundamental-human-rights terms
              typical of European privacy law, this Comment argues that it can also be con-
              ceived of in property-rights terms. The Regulation takes the unprecedented
              step of, in effect, creating a property regime in personal data, under which
              the property entitlement belongs to the data subject and is partially alien-
              able.” Jacob M. Victor, “The EU General Data Protection Regulation: Toward
              a Property Regime for Protecting Data Privacy,” The Yale Law Journal 123 (2),
              November 2013. Available at http://www.yalelawjournal.org/comment/
              the-eu-general-data-protection-regulation-toward-a-property-regime-for-
              protecting-data-privacy.
           25.  Amitai Etzioni, “The Privacy Merchants: What Is To Be Done?” Journal of Con-
              stitutional Law 14, 4 (2012): 935.
           26.  For example, restrictions on certain kinds of personal data processing do not
              apply “where processing of the data is required for the purposes of preventive
              medicine, medical diagnosis, the provision of care or treatment or the manage-
              ment of health-care services, and where those data are processed by a health
              professional subject under national law or rules established by national compe-
              tent bodies to the obligation of professional secrecy or by another person also
              subject to an equivalent obligation of secrecy.” Alternately, “Member States may
              adopt legislative measures to restrict the scope of the obligations and rights
              provided for” by the directive “when such a restriction constitutes a necessary
              measure to safeguard: (a) national security; (b) defence; (c) public security; (d)
              the prevention, investigation, detection and prosecution of criminal offences,
              or of breaches of ethics for regulated professions; (e) an important economic
              or financial interest of a Member State or of the European Union, including
              monetary, budgetary and taxation matters,” or several other dimensions of the
              common good. See the text of the EU Data Protection Directive at http://www.
              dataprotection.ie/docs/EU-Directive-95-46-EC-Chapter-2/93.htm.
           27.  Christopher Millard, “Proposed EC Directives on Data Protection,” The Com-
              puter Law and Security Report 7, 1 (1991): 21.
           28.  Joris van Hoboken, personal correspondence, April 25, 2014.
           29.  Craig Mundie, “Privacy Pragmatism,” Foreign Affairs (March/April 2014): 30.
           30.  Not everyone agrees that this is the case. In private correspondence, Abraham
              Newman of Georgetown University wrote, “Many criticize European privacy
              rules as weak because they do not see large financial sanctions against firms.
              But this misses the key preventative dimension of such rules for firm compli-
              ance. Big players like eBay or IBM work closely with regulators and implement
              internal data privacy policies in order to head off a data privacy scandal. In
              other words, few people are ever audited by the IRS but we rarely criticize the
              IRS as a weak regulator.”
           31.  Eztioni, “A Cyber Age Privacy Doctrine.
           32.  Many scholars criticize the circular reasoning of the “reasonable expectation
              of privacy” text outlined in Katz. See, e.g., Richard A. Posner, The Uncertain
              Protection of Privacy by the Supreme Court, 1979 Sup. Ct. Rev. 188 (1979) (it is