
Monday, September 23, 2019

EU frets over Privacy Shield adequacy, and NGO insists, emperor still naked

The Commission of the European Union is reviewing the U.S.-EU Privacy Shield framework for conformity with the General Data Protection Regulation (GDPR), and NGO AccessNow is again demanding an inadequacy finding.

A lot is at stake.  For the uninitiated, European regulators have a dramatically different take on the protection of personal information than the free-wheeling free marketeers of the United States.  I've written some about the problem here and elsewhere (e.g., here and here), arguing that the American people are not so far from European privacy norms, but it's our law that lags behind the democratic will.  For my money, the definitive macro analysis of why American and European approaches to privacy have differed is James Q. Whitman's.  Anyway, the GDPR does not allow the export from Europe of information to countries that do not comport with its privacy protections, and that creates a monumental problem for the trans-Atlantic flow of not only information, but commerce.

The problem is not new and existed under the GDPR's predecessor law, the 1995 Data Protection Directive (DPD).  A number of mechanisms were devised to work around the problem, and they were approved by European regulators under the umbrella of "the Safe Harbor agreement."  But it's widely understood, at least on the European side, that Safe Harbor was something of a sham: No one with a straight face could argue that U.S. law was comparable to the DPD.  Safe Harbor in practice comprised mostly industry standards, voluntarily adopted and barely enforced by U.S. regulators.  There's also an important piece of this problem in the vein of national security, government spying, and personal information; I'm not even getting into that.

Privacy Shield is stronger than Safe Harbor, but the GDPR is a lot stronger than the DPD.  There have been remarkable advancements in privacy law in some states, notably California, in the EU direction.  And quite a number of court challenges have followed, winding their way through the process, some derived from objections in the commercial sphere, some the civil rights sphere: you've probably heard of "the right to be forgotten."  But our patchwork state laboratories hardly sum to reassurance for Europe.  So in the absence of a comprehensive peace offering at the federal level, the debate over the EU's adequacy determination regarding Privacy Shield pretty much boils down to whether or not we're going to admit that the emperor is naked.

AccessNow, a global NGO and sponsor of RightsCon, has consistently called for honesty about the emperor's sorry state.  A recent memo calls on the Commission to rule Privacy Shield inadequate, and AccessNow has invited republication of a new infographic in support of its position.  I hereby oblige. It's past time we get serious about protecting personal information in the United States and stop commercial exploitation of human identity upon industry's abusive invocations of civil rights such as the freedom of speech and freedom to contract.

[UPDATE, 23 Oct. 2019, at 13:53 U.S. EDT: Privacy Shield still good, per EC report issued today.]

Tuesday, December 11, 2018

Saturday, April 7, 2018

Popular singer's 'right to be forgotten' outweighs free speech in Italian case over archival video and biting commentary

Because Manchester City FC might need it after today's derby match, let's consider the right to be forgotten.

As an aspect of European, and increasingly global, data protection law, "the right to be forgotten," or right to erasure, unsettles the tummies of American media advocates.  The right to erasure runs up against the presumptive rule of U.S. First Amendment law that there can be no punishment for the republication of truthful information lawfully obtained.  Read more about that here (predating implementation of the EU General Data Protection Regulation).  The Italian Court of Cassation has issued a potentially important decision at the intersection of the right to erasure and the freedom of expression.  

Hat tip @TheItalianLawJournal.  For a few months to come, or until a better translation comes to light, I'm parking a very rough Google Translate rendition of the ruling here in PDF.  The translations that follow here are mine, refining the Google Translate rendering. The original court decision can be found here.


Antonello Venditti by Angela_Anji (CC BY-NC-SA 2.0)
The case stemmed from a TMZ-style confrontation by an RAI-1 "Live Life" («La vita in diretta») crew of Italian singer Antonello Venditti (Facebook) in 2000.  I've not seen the video, but Venditti apparently resisted the interrogators with sufficient gruffness that he earned his way onto the program's 2005 "ranking of the most obnoxious and grumpy characters in the entertainment world."  The story occasioned rebroadcast of the 2000 segment, along with commentary mocking his diminished fame in the intervening years.  Antonello took offense and sued, claiming "a right to be forgotten" attached to the 2000 video. 

Of peculiar resonance with current events in the United States, the Italian court took note of a German right-to-erasure case about "an affair in which a German citizen, who held a major political and business position in Germany, had requested the erasure of information from the web relating to an episode of collusion with Russian crime dating back several years earlier, republished several years after."  The Court of Justice of the EU ruled that "the public's interest in information prevailed over the individual's interest in oblivion."  However, the Italian court observed, the ruling resulted from a fact-intensive inquiry.

The court must engage with "the search for the right balance between the interest of Internet users in information and the fundamental rights of the person," the Italian court explained.  "Therefore, the editor of a newspaper that stores in its historical archive on the internet the news, making it available to a potentially unlimited number of people, is required to prevent, through the dissemination of even remote facts, without any meaningful and current public interest, possible harm to the right to be forgotten by the people who were involved."

The freedom of expression must yield to the right to erasure, the court held, upon analysis according to five factors:

  1. the contribution made by the dissemination of the image or of the news to a matter of public interest;
  2. the actual and current interest in the dissemination of the image or news (for reasons of justice, police, or protection of the rights and liberties of others, or for scientific, educational, or cultural purposes), to be considered absent in case of prevalence of a popular interest [italics added; in original, divulgativo: I'm not sure how to translate that and don't think "popular" or "informed" is right], or, worse, merely economic or commercial interest of the subject that spreads the news or the image; 
  3. the high degree of notoriety of the subject represented, for the economic or political reality of the country;
  4. the methods used, for the particular position held in public life, and, in particular, to obtain and give information, which must be truthful (because it is drawn from reliable sources, and with a diligent research work), disseminated in ways that are not excessive for information purposes, in the interest of the public, and free from insinuations or personal considerations, so as to highlight an exclusive objective interest in the new dissemination;
  5. the preventive information about the publication or transmission of the news or image at a distance of time, in order to allow the interested party the right of reply before its disclosure to the general public.

Applying its multi-factor test, the court decided that RAI's interest in the rebroadcast video segment was outweighed by Antonello's privacy and data protection rights.  The court below had erred by finding Antonello's fame dispositive.  Reminding one of the analysis of Elmer Gertz in U.S. defamation lore, the court held that Antonello's large public following "certainly" did "not invest[ him] with a primary role in national public life."  Moreover, RAI's purpose, five years on, lacked merit. The court found it "undeniable that the reiterated broadcast ... had [the] unique purpose of allowing the inclusion of the singer ... in a ranking of ... 'the most obnoxious and grumpy of the entertainment world,' invented by the same broadcaster, allowing, in this way, the satisfaction of an interest that is exclusively informative [again, divulgativo], for commercial purposes, and for the television operator's audience."  The broadcaster's derogatory comments about Antonello's fame in 2005 aggravated the offense, the court added.

The court also rejected "satire" as a defense.  The representation of Antonello was not "paradoxical, surreal and hyperbolic critique," but referred to "true fact," "clearly directed to a mere and unjustified denigration of the artist."  The broadcaster sought to use the 2000 video to represent Antonello in 2005 as "a singer, for years, in decline."

This case is the very stuff of American media advocates' nightmares.  Newspapers decry the right to erasure as a threat to online archives—though representations in archives, as archives, are readily factually distinguishable from the Antonello case.  The more realistic threat would be to the "TMZ"/"Talk Soup" format of entertainment media, or even the clever uses of archival video that have become the staple of commentary on The Daily Show with Trevor Noah and Last Week with John Oliver.  Certainly under a rule such as the Italian court employed, broadcasters, even straight news broadcasters, would have to take more care with their use of B roll.  

I've advocated in favor of evolving U.S. privacy law toward European data protection norms.  But the Italian court went too far here, lending credence to American nay-saying.  I fault the court's analysis of Antonello as, in U.S. terms, a "private figure."  The lower court got it right in finding Antonello's public status dispositive relative to this RAI commentary.  It's especially telling and troubling that as to the satire argument—the RAI program seems on the mild side of the Talk Soup genre—the court faulted RAI commenters for the truth in their observation of Antonello's waning fame.  The court set up the Italian judiciary to be a "super editor" of popular media, an arbiter of taste.  American courts appropriately struggle with newsworthiness determinations in privacy law because they do not want that job.

Tuesday, January 24, 2017

Intimate large parties and the duty to protect privacy



I had to take a blog break over the holidays in order to get a hefty book read and to write a review of it.  I’ll post on that when it comes closer to publication.  Meanwhile, my, how the world has changed!  Let me kick off the new year with a look at some related developments in privacy law.

As Marion Oswald of the University of Winchester wrote recently for the journal of Information Communication & Technology Law (open source), to paraphrase, privacy ain’t what it used to be.  Oswald opened with a quote from The Great Gatsby, so it goes without saying that that needs to be reiterated here.  She wrote,

At one of the Great Gatsby’s spectacular parties, the golf champion Jordan Baker remarked to Nick Carraway that she likes large parties: “They’re so intimate. At small parties there isn’t any privacy.”

From that paradox, Oswald builds the case that privacy must be redefined to protect individuals in the digital world.  She observes the inadequacy of the “reasonable expectation of privacy” (REP) test—the U.S. Fourth Amendment standard—given the objective test’s tendency to drive itself to extinction in a world of objectively diminishing privacy.  Kade Crockford with the ACLU of Massachusetts articulates this point brilliantly in her lectures.  Oswald is not the first to reach her conclusion, but she does so compellingly.

Two recent cases, from Pennsylvania and Massachusetts, reached different conclusions on the question of a corporate defendant’s duty to safeguard private data.  The cases show the struggle under way in U.S. courts to do just what Oswald proposed—to redefine privacy in the digital age.  The United States is increasingly at odds with Europe, and for that matter the rest of the world, on this question.  Heralded as a modern human right in Europe, data protection is a burgeoning global legal field—and corporate obligation.

Duty

First, a quick primer on duty in U.S. tort law.

Tort law in the United States usually provides for a “duty” by “default” in negligence—that is, all persons owe to all other persons a duty to exercise reasonable care (or not to act negligently), to avert harm to all others.  But the default rule of duty is subject to some important limitations.

One limitation is the economic loss rule, which circumscribes negligence liability.  The rule precludes a plaintiff’s action for nonphysical, economic injury alone.  There are plenty of exceptions to the rule, and some scholars even think it’s not really a rule at all.  For example, negligent misrepresentation, which is like fraud but without intent, can be supported by economic loss within the context and expectations of a business relationship.

Defamation and privacy torts can generate what looks like economic injury, but really are animated by their own, sui generis classes of damages to reputation and personality.  U.S. privacy torts push in the European direction, but generally do not protect data voluntarily disclosed to third parties, such as employers and banks—a relation of the REP problem.  That means no protection in privacy torts for financial data, even though it’s the stuff of identity theft.

The other limitation on duty by default is that U.S. law imposes no affirmative duty to protect, or to render aid.  This rule, too, is subject to many exceptions, such as a parent’s duty to protect a child, contractual and statutory duties to protect, and a duty not to abandon a rescue undertaken.

Here, as in privacy law, European legal codes diverge from U.S. common law with a greater willingness to impose affirmative duty.  In the United States, the affirmative-duty limitation also can relieve a corporate entity of a duty to safeguard data when the injury to the plaintiff is caused much more immediately by an intervening bad actor, such as the hacker or identity thief.  (The problem in proximate causation is integrally related.)

So on to the cases.  Remember, "[i]t takes two to make an accident."

Pennsylvania

A January 12 Pennsylvania court decision, Dittman v. UPMC (Leagle) held that an employer had no duty to safeguard employees’ private information on a workplace computer.  (Hat tip to Richard Borden at Robinson + Cole.)  University of Pittsburgh Medical Center (UPMC) employees numbering 62,000 alleged disclosure of personal information in a data breach, resulting in the theft of identities and of tax refunds.

The court applied a five-factor test for duty: 

1. the relationship between the parties;
2. the social utility of the actor's conduct;
3. the nature of the risk imposed and foreseeability of the harm incurred;
4. the consequences of imposing a duty upon the actor; and,
5. the overall public interest in the proposed solution.

UPMC prevailed in common pleas and superior courts, the latter 2-1, arguing that it owed no duty to protect the plaintiff’s interests.  On the affirmative duty question, the court pointed to attenuated causation and professed willingness to defer to the state legislature.  As summarized by Brian J. Willett for the Reed Smith Technology Law Dispatch:

The Superior Court observed that the social utility of electronic information storage is high, and while harm from data breaches is foreseeable, an intervening third party stealing data is a superseding cause.

Additionally, the Court explained that a judicially created duty of care would be unnecessary to motivate employers to protect employee information, as “there are still statutes and safeguards in place to prevent employers from disclosing confidential information” in addition to business considerations.

Finally, the Court agreed with the trial court’s conclusion that creating a duty in this context would not serve the public interest; rather, it would interrupt the deliberative legislative process and expend judicial resources needlessly.

The court then bolstered its conclusion by pointing to the economic loss rule as well. 

Massachusetts

Just before the holiday break in December, a Massachusetts Appeals Court also decided a case in which the plaintiff alleged an employer’s negligence in safeguarding private data—though the plaintiff was a client of the employer rather than an employee.

The facts recited by the court in Adams v. Congress Auto Insurance Agency, Inc. (Justia), have the makings of a docudrama.  According to the court, Thomas was fleeing police at high speed when he crashed his car into Adams's.  Thomas was driving the car of his girlfriend, Burgos, so Adams claimed against Burgos’s auto insurance.  Meanwhile Burgos was both customer and customer service manager of defendant insurance agency Congress.  She reported her car stolen and filed her own insurance claim. 

Adams could identify Thomas.  So Burgos used her computer access at work to identify Adams and passed his identity to Thomas.  Thomas then phoned Adams, impersonated a state police officer, and threatened Adams: “‘Shut the F up and get your car fixed or you will have issues,’” the court purported to quote.  Though I bet Thomas didn’t say just “F.”

Adams sued Congress on multiple theories, including negligent failure to safeguard private data.  At the trial level, according to the appeals court, “the motion judge . . . rul[ed] that expert testimony was required to establish whether the agency owed a duty to Adams to safeguard his personal information, what that duty entailed, and whether the agency breached that duty.”

It’s odd that the motions judge sought expert testimony, because, as the appeals court aptly observed, duty is unique among the four elements of negligence—duty, breach, proximate cause, and injury—for being purely a question of law, guided by public policy.  Courts do not ordinarily hear expert testimony on what the law is.  The theory goes that figuring that out is the judge’s main job.  (Too bad, or being a law professor would be more lucrative.  I was gently tossed from the witness stand once when a lawyer made a valiant but futile attempt to squeeze me past the rule.)

Unlike the Pennsylvania Superior Court, the Massachusetts Appellate Court found its way to a legal duty.  The court held “that the agency had a legal duty to Adams, a member of a large but clearly defined class of third parties, to prevent its employee’s foreseeable misuse of the information that Adams provided to process his automobile insurance claim.”  Where the Pennsylvania court had pointed to statute to justify judicial restraint, the Massachusetts court pointed to state data breach law to show that the legislature had green-lighted legal duty (albeit "a single green light, minute and far away").

“Just as those with physical keys to the homes of others have a duty of reasonable care to preserve their security,” the Massachusetts court reasoned, “companies whose employees have access to the confidential data of others have a duty to take reasonable measures to protect against the misuse of that data.”  Indeed, the court cited a keys case as applicable precedent.  The court made no fuss over the rule of affirmative duty or the rule of economic loss.  In a discussion of causation, the court seemed content to resort to foreseeability on the facts.

Summary judgment for defendant Congress was vacated, and the case was remanded for trial.

Conclusion

Advocates who wish to block European-style data protection in the United States use the availability of state tort law remedies as one tool in the toolbox to argue that U.S. law already sufficiently safeguards personal data from both sides of the Atlantic.  That’s not true.  Not yet.

Data protection in the United States is confounded by the rules of affirmative duty and economic loss.  And that’s not bad; those rules exist for sound public policy reasons.  They also are excepted for sound reasons.

I’ve written before (e.g., here and here) that popular thinking and expectations with respect to individual privacy are converging in the United States and Europe, even if a legal bridge lags behind.  Common law negligence can be a vital building block of that bridge.  But it’s a work in progress.

“‘Don’t believe everything you hear, Nick.’”