Showing posts with label Europe. Show all posts
Showing posts with label Europe. Show all posts

Friday, February 5, 2021

Court: UK hospital's mishandling of corpse after suspicious death violated human rights convention

St. James's Hospital is among those managed by the Leeds group
(image by CommsLTHT 2020 CC BY-SA 4.0).

From the eastern shore of the pond comes an unusual spin on the tort of mishandling a corpse.

The usual mishandling case invokes the longstanding common law exception to the rule against recovery in negligence for emotional distress in the absence of physical injury to person or property.  There was more at stake in this case, as The Guardian explained:

The family of a woman whom they suspect was killed has won a lawsuit against a health trust that allowed her body to decompose to the point that experts were unable to rule out third-party involvement in the death ....

The court ruled that the Leeds, England, hospital violated Article 8 of the European Convention of Human Rights, on the right to respect for private and family life.

The case is Brennan v. Leeds Teaching Hospitals NHS Trust, per High Court Judge Andrew Saffman.  I cannot locate the opinion online.  Besides The Guardian, there is more coverage at the Yorkshire Evening Post and Wharfedale Observer.  Hat tip to Professor Steve Hedley's Private Law Theory.  See also Professor Eugene Volokh's compelling 2019 missive on "the tort of loss of sepulcher."

Monday, April 6, 2020

Colorful U.S. case of baroness, Swiss bank makes waves in international jurisdiction, student note reports

Swiss banks in Geneva. Photo by torange.biz CC BY 4.0.
Spencer K. Schneider, my eminently able teaching and research assistant, has published a short case note in a research journal, the International Journal of Procedural Law, on a Massachusetts jurisdictional case with interesting facts.
The Massachusetts Appeals Court handed a win to a Swiss heiress who claims she was suckered into a bad investment in alchemy by a fellow aristocrat, a storied Swiss bank, and American entrepreneurs. The lower court erred when it dismissed defendant Swiss bank Rothschild for want of personal jurisdiction, the American appeals court ruled in June 2019.
Mr. Schneider aptly considers: "The American approach to jurisdiction over foreign corporations via personal agency feeds the possibility of inconsistency with jurisdictional law elsewhere in the world, such as under the Brussels Convention in Europe."

The note is Spencer K. Schneider, Aristocrats’ Squabble Over Fortune Squandered on American Alchemy May Expose Swiss Bank to U.S. Jurisdiction, in Michele Angelo Lupoi, Grandes Décisions/Leading Cases, 9:2 Int'l J. Proc. L. 339, 360 (2019).

The case is Von Schönau-Riedweg v. Rothschild Bank AG, 95 Mass. App. Ct. 471, 128 N.E.3d 96 (2019) (Casetext).

Tuesday, October 22, 2019

Legal comparatists meet in Missouri

Maxeiner
Last week the American Society of Comparative Law (ASCL) met at the University of Missouri Law School.  I was privileged to participate among 120 scholars from 20 countries.

As part of the works-in-progress program at the front end of the conference, I presented the most recent iteration of my work on access to information law, comparing private-sector transparency and accountability measures in South Africa with selected standards in Europe. 

Maxeiner's 2018 book on
"failures" in Amercian
lawmaking

Yoo
I benefited from exchange of critique from a room full of participants, including co-panelists James Maxeiner of the University of Baltimore and Kwanghyuk (David) Yoo of the University of Iowa.  Maxeiner presented a fascinating comparative study of lawmaking in Germany and the United States, showing the inventive ways that lobbying-driven American lawmakers might learn from Germany's variegated means of incubating potential legislation.  Yoo talked about U.S. and European Union court decisions on antitrust challenges to patent settlements in the pharmaceutical industry: when a company settles a lawsuit to keep a patent challenger out of the market, when does dispute resolution cross into anti-competitive misconduct?

The panel was moderated by Missouri’s Mekonnen Ayano, a Harvard doctoral graduate and formerly an Ethiopian judge and World Bank legal counsel.  University of Missouri Dean Lyrissa Lidsky, an accomplished media law scholar, attended and live-tweeted the panel.

[UPDATE: Vainly adding photos with me in them, courtesy of Mizzou Law.]

Prof. Maxeiner and I listen in the lecture hall.

I puzzle over dinner options.

I ramble about ATI in Africa with the generous ear of moderator Prof. Ayano.

Saturday, September 28, 2019

EU court rules for Google, narrows French 'right to be forgotten' order to Europe

In the latest battle of the feud between Google and the French data protection authority (CNIL), the Court of Justice of the European Union ruled that the CNIL's "right to be forgotten" order should be limited to internet users in Europe.  However, the court did not rule out the possibility of a worldwide order if the facts warrant.

The court wrote:

[T]he right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality....  Furthermore, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world. 

While the EU legislature has, in Article 17(3)(a) of Regulation 2016/679 [GDPR], struck a balance between that right and that freedom so far as the Union is concerned ... it must be found that, by contrast, it has not, to date, struck such a balance as regards the scope of a de-referencing outside the Union.

"Proportionality" is a core principle of EU human rights law when regulation collides with individual rights, or, as here, state power is implicated to favor one individual's rights over those of others.  The same principle also constrains supra-national authority over member states.

The case arose from a CNIL fine of Google.  The French authority had ordered Google to de-list search results to protect certain individuals' privacy under the "right to be forgotten," or "right to erasure," when those individuals were searched by name.  "De-listing" or "de-referencing" search results is the front line of right-to-erasure court challenges today, though the specter of erasure orders that reach content providers directly looms on the horizon.

Google complied with the CNIL order only for European domains, such as "google.fr" for France, and not across Google domains worldwide.  Google employs geo-blocking to prevent European users from subverting de-listing simply by searching at "google.com" (United States) or "google.com.br" (Brazil).  Determined users still can beat geo-blocking with sly technocraft, so CNIL was dissatisfied with the efficacy of Google's solution.  Undoubtedly, a dispute will arise yet in which the CNIL or another European data protection authority tests its might with a more persuasive case for global de-listing.

The case is Google, LLC v. Commission Nationale de L’informatique et des Libertés (CNIL), No. C-507/17 (E.C.J.), Sept. 24, 2019.  Several free speech and digital rights NGOs intervened on behalf of Google, including Article 19, the Internet Freedom Foundation, the Reporters Committee for Freedom of the Press, and the Wikimedia Foundation, as well as Microsoft Corp.  The case arose initially under the 1995 EU Data Protection Directive, but carries over to the new regime of the General Data Protection Regulation (GDPR).

Monday, September 23, 2019

EU frets over Privacy Shield adequacy, and NGO insists, emperor still naked

The Commission of the European Union is reviewing the U.S.-EU Privacy Shield framework for conformity with the General Data Protection Regulation (GDPR), and NGO AccessNow is again demanding an inadequacy finding.

A lot is at stake.  For the uninitiated, European regulators have a dramatically different take on the protection of personal information than the free-wheeling free marketeers of the United States.  I've written some about the problem here and elsewhere (e.g., here and here), arguing that the American people are not so far from European privacy norms, but it's our law that lags behind the democratic will.  For my money, the definitive macro analysis of why American and European approaches to privacy have differed is James Q. Whitman's.  Anyway, the GDPR does not allow the export from Europe of information to countries that do not comport with its privacy protections, and that creates a monumental problem for the trans-Atlantic flow of not only information, but commerce.

The problem is not new and existed under the GDPR's predecessor law, the 1995 Data Protection Directive (DPD).  A number of mechanisms were devised to work around the problem, and they were approved by European regulators under the umbrella of "the Safe Harbor agreement."  But it's widely understood, at least on the European side, that Safe Harbor was something of a sham: No one with a straight face could argue that U.S. law was comparable to the DPD.  Safe Harbor in practice comprised mostly industry standards, voluntarily adopted and barely enforced by U.S. regulators.  There's also an important piece of this problem in the vein of national security, government spying, and personal information; I'm not even getting into that.

Privacy Shield is stronger than Safe Harbor, but the GDPR is a lot stronger than the DPD.  There have been remarkable advancements in privacy law in some states, notably California, in the EU direction.  And quite a number of court challenges have followed, winding their way through the process, some derived from objections in the commercial sphere, some the civil rights sphere: you've probably heard of "the right to be forgotten."  But our patchwork state laboratories hardly sum reassurance to Europe.  So in the absence of a comprehensive peace offering at the federal level, the debate over the EU's adequacy determination regarding Privacy Shield pretty much boils down to whether or not we're going to admit that the emperor is naked.

AccessNow, a global NGO and sponsor of RightsCon, has consistently called for honesty about the emperor's sorry state.  A recent memo calls on the Commission to rule Privacy Shield inadequate, and AccessNow has invited republication of a new infographic in support of its position.  I hereby oblige. It's past time we get serious about protecting personal information in the United States and stop commercial exploitation of human identity upon industry's abusive invocations of civil rights such as the freedom of speech and freedom to contract.

[UPDATE, 23 Oct. 2019, at 13:53 U.S. EDT: Privacy Shield still good, per EC report issued today.]

Thursday, August 8, 2019

Polish court enjoins Facebook 'private censorship':
just one sign of new norms in digital rights

Much worry about censorship today focuses on the private sector, specifically and especially the large tech companies--Google, Facebook, Twitter--who have so much power over what we read, hear, and see.  When I was in journalism school, in ethics class in the early 1990s, a student once mentioned the possibility of a news organization withholding a sensitive story and worried that that would be "censorship."  Professor Lou Hodges--a great teacher, great person, since deceased--vigorously corrected the student, saying that censorship by definition must be governmental action. 

Louis Hodges, W&L
Well denotational niceties aside, and with the great respect due to Professor Hodges, I'm not sure the distinction remains salient.  I've been worried about the private sector in the free speech realm for a long while.  I've already posited in print that the greatest looming threat to the freedom of information around the world today is not government, but private corporations, and I've started writing about what can be done (what already is being done in Africa, relative to: the United States, India, and Europe, forthcoming).  Indeed, even the classical distinction between freedom of expression and the freedom of information has lost much salience in the information age.

In the United States, for good historical reasons, our constitutional law draws a sharp line between the freedom of speech and the freedom of information, and also between state action, "censorship," and private action, so-called "private censorship."  Both of those lines have eroded in the real world, while our law stubbornly insists on them.

Foreign constitutional systems, such as the European and African human rights regimes, do not come with the historical baggage that carved these lines in U.S. constitutional law.  These younger systems are proving more adept at navigating the problem of private action that would suppress speech and information.  That flexibility has meant full employment for lawyers in the counsel offices of Big Tech.

It also means that the law of the internet and the law of digital rights is no longer being authored in the United States.

In Poland, a digital rights organization called the Panoptykon Foundation--I assume named for the legendary imaginings of English philosopher Jeremy Bentham--is litigating without shame against Big Tech, Google and Facebook included.  In a suit against Facebook, Panoptykon has taken up for "SIN," an (acronymed appropriately if coincidentally?) anti-drug NGO in Poland.  SIN apparently suffered content-based take-downs and blocks on Facebook.  It's not clear why Facebook (algorithms? censors?) targeted SIN, though TechCrunch speculated that it might have to do with SIN's strategy on drug counseling: more of a "use responsibly" approach than an abstention-only approach.

The action is based on Polish statute, which guarantees freedom of speech and does not get hung up on any American-style state-action limitation.  In June, a Warsaw court ex parte ordered (in Polish, via Panoptykon) Facebook to stop blocking or removing any online SIN content, pending litigation.  Technically the respondent in the case is Facebook Ireland.  But one can imagine that American Facebook execs are on alert, as foreign courts fuss ever less over the public-private distinction.

Professor Hodges might roll over in his grave to hear me say it, but I am confident that "private censorship" will be the free speech story of the 21st century.  America will be dragged into a new world of legal norms in digital rights, willingly or not.  I would rather see us embrace this new world order and confront the problem of a runaway private sector than see our civil rights law relegated to legal anachronism.

Read about SIN v. Facebook at Panoptykon.  Hat tip @ Observacom.

Friday, October 12, 2018

Dutch court upholds dike against climate change, while Trump Administration seeks to stop climate-change 'trial of the century' in Oregon

"Little Dutch boy" at Madurodam, The Hague,
by Kara van Malssen (CC BY-NC-SA 2.0)
On Tuesday, an intermediate appellate court in the Netherlands upheld a verdict against the government demanding more state action to curb carbon emissions and combat climate change.  The court's decision (unofficial English translation) in favor of energy NGO Urgenda came just one day after the dire 12-year warning of the special report of the U.N. Intergovernmental Panel on Climate Change.  Meanwhile the Trump Administration filed an emergency motion in federal court in Oregon today in its latest bid to stop climate-change litigation in the United States.

The Netherlands is working mightily already to reduce carbon emissions.  The state projects a reduction in the neighborhood of 20% by 2020 over 1990 levels.  But that number still falls short of 25%, which the court calculated as the nation's minimum treaty commitment.  That difference, The Guardian reported, could be enough to force the shutdown of a recently opened coal-fired power plant.  The court's decision chiefly references the 1992 U.N. Framework Convention on Climate Change and traces the development of states' legal obligations through the history of climate conferences from Kyoto in 1997 to Bonn in 2017.

As the state observed in the case, "Dutch emissions are minor in absolute terms and ... the Netherlands cannot solve the global problem of climate change on its own" (¶ 30).  So the global significance of the decision is mostly symbolic, and, activists hope, an example for climate-change activism in the courts around the world.

American iterations of climate-change litigation are many, but the one case that has captured the public imagination more than any other is Juliana v. United States in the District of Oregon.  The case has played well in media because the plaintiff effort is spearheaded by a not-so-camera-shy youth group, the Earth Guardians, led by indigenous activist, hip-hop artist, and let's be honest, teen heartthrob Xiuhtezcatl Martinez.  (Below: new promo video for Martinez's debut album, Break Free.)


Juliana might yet be described best as "ill fated."  Unlike myriad climate-change-aiming lawsuits in areas such as environmental and business regulation, or upon collateral constitutional theories, such as the Commerce Clause or First Amendment, Juliana is a direct assault on the federal government under constitutional due process—literally, the right to life.

At first blush, this approach seems to face insurmountable hurdles before the merits could ever be reached: namely, standing, justiciability, official immunity, not to mention the hundred other reasons civil rights lawsuits are awfully hard to win.  Then at the threshold of the merits lie the conventional tort problems of affirmative duty, causation, and injury.  In the "constitutional tort" vein, the plaintiffs seek to breathe new breadth into the "public trust doctrine," which posits that government holds natural resources in trust for the public good.  The doctrine has seen modest success in, for example, beach access cases, but jurisprudential conservatives do not enthusiastically embrace the raw, public-policy-driven invitation to judicial intervention.

Despite conventional wisdom, the Juliana suit survived both a motion to dismiss in the trial court and an aggressive effort by the Trump Administration to shut the action down in the Court of Appeals.  (To be fair, the Obama Administration also was not ra-ra plaintiffs on this one.)  In November 2016, District Judge Ann Aiken recognized, "This is no ordinary lawsuit."  Upon detailed analysis, she rejected the government's arguments on both standing and justiciability, finding the question presented "squarely within the purview of the judiciary."

Judge Aiken speaking on recidivism reduction
at ReInvent Law in 2013 (from video CC BY 3.0)
Then, analogizing to the Supreme Court's reasoning on due process in the 2015 gay marriage case, Obergefell v. Hodges, Judge Aiken "ha[d] no doubt that the right to a climate system capable of sustaining human life is fundamental to a free and ordered society."  The Ninth Circuit in March rejected the government's bold demand that the case be dismissed to protect the separation of powers, finding the government's claim premature and well shy of the high bar for writ of mandamus.  In July, the U.S. Supreme Court denied the government's appeal for a stay.

Thus back on the District of Oregon docket, Juliana was scheduled to open at trial on October 29.  A headline in The Japan Times, over a pro-plaintiff commentary by Princeton bioethics professor Peter Singer, titled Juliana "the trial of the century."  One week ago, on October 5, the Administration filed another motion for stay in the trial court.  Undoubtedly buoyed by the appointment of Justice Brett Kavanaugh, the Government today renewed its motion to stay and asserted its intention to petition the U.S. Supreme Court for mandamus relief.

In the Dutch case, the government tried to fend off the lawsuit on grounds equivalent to standing and justiciability, but to no avail.  The Dutch Civil Code authorizes class actions (a rarity in Europe) specifically by interest groups on behalf of citizens.  Moreover, the court reasoned that individual human rights claims must be justiciable in Dutch courts if individuals could bring the same claims in the European Court of Human Rights.  The government argued "trias politica," that is, separation of powers, to which the court responded (cheekily?): "This defence does not hold water. The Court is obliged to apply provisions with direct effect of treaties to which the Netherlands is party, including [the European human rights convention].  After all, such provisions form part of the Dutch jurisdiction and even take precedence over Dutch laws that deviate from them" (¶ 69).

Under the European human rights convention, Urgenda relied on articles 2 and 8, respectively the rights to life and privacy, the latter including the inviolability of family life—the same two notions cited by Judge Aiken in her Obergefell-inspired due process analysis under the Fifth and Fourteenth Amendments.

You can await the next development in Juliana via PACER under case no. 6:15-cv-01517.

[UPDATE: U.S. Supreme Court issued an extraordinary stay on Oct. 19.  See, e.g., Richard Franks @ Legal Planet.  HT @ Flannery Rogers.]

[UPDATE: Joel Stronberg at Resilience reported that despite the earlier Roberts stay, SCOTUS issued an order on November 2 clearing the way for Juliana to go to trial.]

[UPDATE:  Juliana returns to oral argument in the Ninth Circuit in Portland, Oregon, on June 4, 2019. Track the case at Climate Case Chart, which explains: "The government [appellant argues] that the plaintiffs lacked standing and that their lawsuit was not a cognizable case or controversy under Article III of the Constitution. The government contended that a 'quick look at the climate change issues and actions pending before Congress and the Executive Branch'—including the Green New Deal, carbon tax legislation, and the replacement for the Clean Power Plan—'confirms that Plaintiffs have petitioned the wrong branch.' The government also argued that the plaintiffs were required to proceed under the Administrative Procedure Act and that their constitutional claims failed on the merits."]

[UPDATE: The Dutch Supreme Court upheld the outcome in Urgenda on Dec. 20, 2019.]

[UPDATE: On January 17, 2020, the Ninth Circuit dismissed Juliana for failure of standing. An appeal to the U.S. Supreme Court is inevitable, but extremely unlikely to succeed. The case is Juliana v. United States, No. 18-36082.]


Saturday, April 7, 2018

Popular singer's 'right to be forgotten' outweighs free speech in Italian case over archival video and biting commentary

Because Manchester City FC might need it after today's derby match, let's consider the right to be forgotten.

As an aspect of European, and increasingly global, data protection law, "the right to be forgotten," or right to erasure, unsettles the tummies of American media advocates.  The right to erasure runs up against the presumptive rule of U.S. First Amendment law that there can be no punishment for the republication of truthful information lawfully obtained.  Read more about that here (predating implementation of the EU General Data Protection Regulation).  The Italian Court of Cassation has issued a potentially important decision at the intersection of the right to erasure and the freedom of expression.  

Hat tip @TheItalianLawJournal.  For a few months to come, or until a better translation comes to light, I'm parking a very rough Google Translate rendition of the ruling here in PDF.  The translations that follow here are mine, refining the Google Translate rendering. The original court decision can be found here.


Antonello Venditti by Angela_Anji (CC BY-NC-SA 2.0)
The case stemmed from a TMZ-style confrontation by an RAI-1 "Live Life" («La vita in diretta») crew of Italian singer Antonello Venditti (Facebook) in 2000.  I've not seen the video, but Venditti apparently resisted the interrogators with sufficient gruffness that he earned his way onto the program's 2005 "ranking of the most obnoxious and grumpy characters in the entertainment world."  The story occasioned rebroadcast of the 2000 segment, along with commentary mocking his diminished fame in the intervening years.  Antonello took offense and sued, claiming "a right to be forgotten" attached to the 2000 video. 

Of peculiar resonance with current events in the United States, the Italian court took note of a German right-to-erasure case about "an affair in which a German citizen, who held a major political and business position in Germany, had requested the erasure of information from the web relating to an episode of collusion with Russian crime dating back several years earlier, republished several years after."  The Court of Justice of the EU ruled that "the public's interest in information prevailed over the individual's interest in oblivion."  However, the Italian court observed, the ruling resulted from a fact-intensive inquiry.

The court must engage with "the search for the right balance between the interest of Internet users in information and the fundamental rights of the person," the Italian court explained.  "Therefore, the editor of a newspaper that stores in its historical archive on the internet the news, making it available to a potentially unlimited number of people, is required to prevent, through the dissemination of even remote facts, without any meaningful and current public interest, possible harm to the right to be forgotten by the people who were involved."

The freedom of expression must yield to the right to erasure, the court held, upon analysis according to five factors:

  1. the contribution made by the dissemination of the image or of the news to a matter of public interest;
  2. the actual and current interest in the dissemination of the image or news (for reasons of justice, police, or protection of the rights and liberties of others, or for scientific, educational, or cultural purposes), to be considered absent in case of prevalence of a popular interest [italics added; in original, divulgativo: I'm not sure how to translate that and don't think "popular" or "informed" is right], or, worse, merely economic or commercial interest of the subject that spreads the news or the image; 
  3. the high degree of notoriety of the subject represented, for the economic or political reality of the country;
  4. the methods used, for the particular position held in public life, and, in particular, to obtain and give information, which must be truthful (because it is drawn from reliable sources, and with a diligent research work), disseminated in ways that are not excessive for information purposes, in the interest of the public, and free from insinuations or personal considerations, so as to highlight an exclusive objective interest in the new dissemination;
  5. the preventive information about the publication or transmission of the news or image at a distance of time, in order to allow the interested party the right of reply before its disclosure to the general public.
Applying its multi-factor test, the court decided that RAI's interest in the rebroadcast video segment was outweighed by Antonello's privacy and data protection rights.  The court below had erred by finding Antonello's fame dispositive.  Reminding one of the analysis of Elmer Gertz in U.S. defamation lore, the court held that Antonello's large public following "certainly" did "not invest[ him] with a primary role in national public life."  Moreover, RAI's purpose, five years on, lacked merit. The court found it "undeniable that the reiterated broadcast ... had [the] unique purpose of allowing the inclusion of the singer ... in a ranking of ... 'the most obnoxious and grumpy of the entertainment world,' invented by the same broadcaster, allowing, in this way, the satisfaction of an interest that is exclusively informative [again, divulgativo], for commercial purposes, and for the television operator's audience."  The broadcaster's derogatory comments about Antonello's fame in 2005 aggravated the offense, the court added.  

The court also rejected "satire" as a defense.  The representation of Antonello was not "paradoxical, surreal and hyperbolic critique," but referred to "true fact," "clearly directed to a mere and unjustified denigration of the artist."  The broadcaster sought to use the 2000 video to represent Antonello in 2005 as "a singer, for years, in decline."

This case is the very stuff of American media advocates' nightmares.  Newspapers decry the right to erasure as a threat to online archives—though representations in archives, as archives, are readily factually distinguishable from the Antonello case.  The more realistic threat would be to the "TMZ"/"Talk Soup" format of entertainment media, or even the clever uses of archival video that have become the staple of commentary on The Daily Show with Trevor Noah and Last Week with John Oliver.  Certainly under a rule such as the Italian court employed, broadcasters, even straight news broadcasters, would have to take more care with their use of B roll.  

I've advocated in favor of evolving U.S. privacy law toward European data protection norms.  But the Italian court went too far here, lending credence to American nay-saying.  I fault the court's analysis of Antonello as, in U.S. terms, a "private figure."  The lower court got it right in finding Antonello's public status dispositive relative to this RAI commentary.  It's especially telling and troubling that as to the satire argument—the RAI program seems on the mild side of the Talk Soup genre—the court faulted RAI commenters for the truth in their observation of Antonello's waning fame.  The court set up the Italian judiciary to be a "super editor" of popular media, an arbiter of taste.  American courts appropriately struggle with newsworthiness determinations in privacy law because they do not want that job.

Tuesday, January 24, 2017

Intimate large parties and the duty to protect privacy



I had to take a blog break over the holidays in order to get a hefty book read and to write a review of it.  I’ll post on that when it comes closer to publication.  Meanwhile, my, how the world has changed!  Let me kick off the new year with a look at some related developments in privacy law.

As Marion Oswald of the University of Winchester wrote recently for the journal of Information Communication & Technology Law (open source), to paraphrase, privacy ain’t what it used to be.  Oswald opened with a quote from The Great Gatsby, so it goes without saying that that needs to be reiterated here.  She wrote,

At one of the Great Gatsby’s spectacular parties, the golf champion Jordan Baker remarked to Nick Carraway that she likes large parties: “They’re so intimate. At small parties there isn’t any privacy.”

From that paradox, Oswald builds the case that privacy must be redefined to protect individuals in the digital world.  She observes the inadequacy of the “reasonable expectation of privacy” (REP) test—the U.S. Fourth Amendment standard—given the objective test’s tendency to drive itself to extinction in a world of objectively diminishing privacy.  Kade Crockford with the ACLU of Massachusetts articulates this point brilliantly in her lectures.  Oswald is not the first to reach her conclusion, but she does so compellingly.

Two recent cases, from Pennsylvania and Massachusetts, reached different conclusions on the question of a corporate defendant’s duty to safeguard private data.  The cases show the struggle under way in U.S. courts to do just what Oswald proposed—to redefine privacy in the digital age.  The United States is increasingly at odds with Europe, and for that matter the rest of the world, on this question.  Heralded as a modern human right in Europe, data protection is a burgeoning global legal field—and corporate obligation.

Duty

First, a quick primer on duty in U.S. tort law.

Tort law in the United States usually provides for a “duty” by “default” in negligence—that is, all persons owe to all other a persons a duty to exercise reasonable care (or not to act negligently), to avert harm to all others.  But the default rule of duty is subject to some important limitations.   

One limitation is the economic loss rule, which circumscribes negligence liability.  The rule precludes a plaintiff’s action for nonphysical, economic injury alone.  There are plenty of exceptions to the rule, and some scholars even think it’s not really a rule at all.  For example, negligent misrepresentation, which is like fraud but without intent, can be supported by economic loss within the context and expectations of a business relationship.

Defamation and privacy torts can generate what looks like economic injury, but really are animated by their own, sui generis classes of damages to reputation and personality.  U.S. privacy torts push in the European direction, but generally do not protect data voluntarily disclosed to third parties, such as employers and banks—a relation of the REP problem.  That means no protection in privacy torts for financial data, even though it’s the stuff of identity theft.

The other limitation on duty by default is that U.S. law imposes no affirmative duty to protect, or to render aid.  This rule, too, is subject to many exceptions, such as a parent’s duty to protect a child, contractual and statutory duties to protect, and a duty not to abandon a rescue undertaken.

Here like in privacy law, European legal codes diverge from U.S. common law with a greater willingness to impose affirmative duty.  In the United States, the affirmative-duty limitation also can relieve a corporate entity of a duty to safeguard data when the injury to the plaintiff is caused much more immediately by an intervening bad actor, such as the hacker or identity thief.  (The problem in proximate causation is integrally related.)

So on to the cases.  Remember, "[i]t takes two to make an accident."

Pennsylvania

A January 12 Pennsylvania court decision, Dittman v. UPMC (Leagle) held that an employer had no duty to safeguard employees’ private information on a workplace computer.  (Hat tip to Richard Borden at Robinson + Cole.)  University of Pittsburgh Medical Center (UPMC) employees numbering 62,000 alleged disclosure of personal information in a data breach, resulting in the theft of identities and of tax refunds.

The court applied a five-factor test for duty: 

1. the relationship between the parties;
2. the social utility of the actor's conduct;
3. the nature of the risk imposed and foreseeability of the harm incurred;
4. the consequences of imposing a duty upon the actor; and,
5. the overall public interest in the proposed solution.

UPMC prevailed in common pleas and superior courts, the latter 2-1, arguing that it owed no duty to protect the plaintiff’s interests.  On the affirmative duty question, the court pointed to attenuated causation and professed willingness to defer to the state legislature.  As summarized by Brian J.Willett for the Reed Smith Technology Law Dispatch

The Superior Court observed that the social utility of electronic information storage is high, and while harm from data breaches is foreseeable, an intervening third party stealing data is a superseding cause.

Additionally, the Court explained that a judicially created duty of care would be unnecessary to motivate employers to protect employee information, as “there are still statutes and safeguards in place to prevent employers from disclosing confidential information” in addition to business considerations.

Finally, the Court agreed with the trial court’s conclusion that creating a duty in this context would not serve the public interest; rather, it would interrupt the deliberative legislative process and expend judicial resources needlessly.

The court then bolstered its conclusion by pointing to the economic loss rule as well. 

Massachusetts

Just before the holiday break in December, a Massachusetts Appeals Court also decided a case in which the plaintiff alleged an employer’s negligence in safeguarding private data—though the plaintiff was a client of the employer rather than an employee.

The facts recited by the court in Adams v. Congress Auto Insurance Agency, Inc. (Justia), have the makings of a docudrama.  According to the court, Thomas was fleeing police at high speed when he crashed his car into Adams's.  Thomas was driving the car of his girlfriend, Burgos, so Adams claimed against Burgos’s auto insurance.  Meanwhile Burgos was both customer and customer service manager of defendant insurance agency Congress.  She reported her car stolen and filed her own insurance claim. 

Adams could identify Thomas.  So Burgos used her computer access at work to identify Adams and passed his identity to Thomas.  Thomas then phoned Adams, impersonated a state police officer, and threatened Adams: “‘Shut the F up and get your car fixed or you will have issues,’” the court purported to quote.  Though I bet Thomas didn’t say just “F.”

Adams sued Congress on multiple theories, including negligent failure to safeguard private data.  At the trial level, according to the appeals court, “the motion judge . . . rul[ed] that expert testimony was required to establish whether the agency owed a duty to Adams to safeguard his personal information, what that duty entailed, and whether the agency breached that duty.”

It’s odd that the motions judge sought expert testimony, because, as the appeals court aptly observed, duty is unique among the four elements of negligence—duty, breach, proximate cause, and injury—for being purely a question of law, guided by public policy.  Courts do not ordinarily hear expert testimony on what the law is.  The theory goes that figuring that out is the judge’s main job.  (Too bad, or being a law professor would be more lucrative.  I was gently tossed from the witness stand once when a lawyer made a valiant but futile attempt to squeeze me past the rule.)

Unlike the Pennsylvania Superior Court, the Massachusetts Appellate Court found its way to a legal duty.  The court held “that the agency had a legal duty to Adams, a member of a large but clearly defined class of third parties, to prevent its employee’s foreseeable misuse of the information that Adams provided to process his automobile insurance claim.”  Where the Pennsylvania court had pointed to statute to justify judicial restraint, the Massachusetts court pointed to state data breach law to show that the legislature had green-lighted legal duty (albeit "a single green light, minute and far away").

“Just as those with physical keys to the homes of others have a duty of reasonable care to preserve their security,” the Massachusetts court reasoned, “companies whose employees have access to the confidential data of others have a duty to take reasonable measures to protect against the misuse of that data.”  Indeed, the court cited a keys case as applicable precedent.  The court made no fuss over the rule of affirmative duty or the rule of economic loss.  In a discussion of causation, the court seemed content to resort to foreseeability on the facts.

Summary judgment for defendant Congress was vacated, and the case was remanded for trial.

Conclusion

Advocates who wish to block European-style data protection in the United States use the availability of state tort law remedies as one tool in the toolbox to argue that U.S. law already sufficiently safeguards personal data from both sides of the Atlantic.  That’s not true.  Not yet.

Data protection in the United States is confounded by the rules of affirmative duty and economic loss.  And that’s not bad; those rules exist for sound public policy reasons.  They also are excepted for sound reasons.

I’ve written before (e.g., here and here) that popular thinking and expectations with respect to individual privacy are converging in the United States and Europe, even if a legal bridge lags behind.  Common law negligence can be a vital building block of that bridge.  But it’s a work in progress.

“‘Don’t believe everything you hear, Nick.’”