Posted May 15, 2020. To settle a pandemic-related financial crisis at UMass Dartmouth, law faculty are not receiving research compensation in summer 2020. I will be away from my desk, May 16 to August 15. Blog posts will be sparse, and I will not receive email. On the upside, summer 🌞! If you need to reach me, please send a message through the faculty assistants’ office (Ms. Cain and Ms. Rittenhouse). Stay thirsty.

Tuesday, April 7, 2020

First Circuit dismisses Mount Ida student class action, incidentally limits emerging data protection theory

Holbrook Hall, Mount Ida College, Newton, Mass. John Phelan CC BY 3.0
An angle in a recent First Circuit decision deserves a mention in U.S. data protection circles.  I hadn't been aware of this angle of the case, so hat tip to attorney Melanie A. Conroy at Pierce Atwood in Boston for analyzing the case carefully in the The National Law Review.

The First Circuit affirmed dismissal in the ugly and unfortunate matter of Mount Ida College students' class action against the school after its abrupt closure and sale to the University of Massachusetts system.  Conroy's rundown on the case is thorough.  I want only to highlight one important point: the court refused to recognize, in Massachusetts law, a fiduciary duty owed by university to student.

The decision comports with multistate norms, but is nonetheless important in limiting an emerging doctrine of data protection in U.S. common law tort.  State courts that have recognized something like a data protection right in civil cases have used fiduciary duty to bootstrap their way there.

American common law invasion of privacy is too stringent to get the job done, that is, to articulate a data protection right, for various reasons.  One reason is its incorporation of what Professor Daniel Solove termed "the secrecy paradigm": information must be kept secret to remain secret.  Thus, I cannot complain when my bank tells someone about my financial transactions, because I already let my bank know about them.  My resort must be to banking privacy law, by statute.  And there arises the second problem for privacy plaintiffs: statutes are too stringent to get the job done.  I might be unhappy if my employer divulges information about my psychiatric condition to my insurer, but neither one of them is a healthcare provider covered by the federal patient privacy law ("HIPAA"), which does not (directly) provide for a cause of action anyway.

In 2018, the Connecticut Supreme Court bridged the common law gap from statutory insufficiency to actionable privacy claim by relying on the physician-patient duty of confidentiality.  In short, the court held, HIPAA + duty of confidentiality = protectible common law interest.  The court thereby allowed a woman to sue her ObGyn provider upon an allegation of breached confidentiality.  That duty of confidentiality is a form of fiduciary duty.  So a theory emerged of how U.S. common law might stumble its way to recognition of what the rest of the world, especially Europe, calls "data protection."

There are a lot of ways for us to start catching up with the rest of the world in recognizing people's right to personal data integrity; this is just one.  And it remains.  But it is limited by the scope of duties that might stand in for that second piece of the equation.  The Mount Ida case shows correctly that it will be harder for a plaintiff to get there against a business defendant that is not a professional, and the data held are financial information tangential to the nature of the relationship, here, educational.

The First Circuit aptly instructed Mount Ida students that if they wanted better protection for their personal information in state law, their remedy was with the state legislature.  The same can be said for Americans, data protection, and our torpid Congress.

The case is Squeri v. Mount Ida College, No. 19-1624 (1st Cir. Mar. 25, 2020).  U.S. Circuit Judge Lynch wrote for the panel, which also included Stahl and Kayatta, JJ.

No comments:

Post a Comment