Showing posts with label Fourth Amendment. Show all posts

Monday, October 5, 2020

U.S. White Paper on 'Schrems II': Emperor still clothed

A new U.S. white paper on data protection means favorably to supplement the record on U.S. surveillance practices that, in part, fueled the European Court of Justice (ECJ) decision in "Schrems II," in July, rejecting the adequacy of the Privacy Shield Framework to secure EU-to-US data transfers.

From the U.S. Department of Commerce, Department of Justice, and Office of the Director of National Intelligence, the white paper suggests that the ECJ ruling was interim in nature, pending investigation of U.S. national security practices to better understand whether they comport with EU General Data Protection Regulation norms, such as data minimization, which means collecting only data necessary to the legitimate purpose at hand.  The paper states:

A wide range of information about privacy protections in current U.S. law and practice relating to government access to data for national security purposes is publicly available.  The United States government has prepared this White Paper to provide a detailed discussion of that information, focusing in particular on the issues that appear to have concerned the ECJ in Schrems II, for consideration by companies transferring personal data from the EU to the United States. The White Paper provides an up-to-date and contextualized discussion of this complex area of U.S. law and practice, as well as citations to source documents providing additional relevant information. It also provides some initial observations concerning the relevance of this area of U.S. law and practice that may bear on many companies’ analyses. The White Paper is not intended to provide companies guidance about EU law or what positions to take before European courts or regulators. 

Armed with this additional information, then, the message to the private sector seems to be, Keep Calm and Carry On, using the very same "standard contractual clauses" (SCCs) that the ECJ invalidated.  Yet if the information featured in the white paper has been publicly available, why assume that the ECJ was ill informed?  (Read more about SCC revisions under way, and their likely shortcomings, at IAPP.)

Unfortunately for the U.S. position, the ECJ opinion was not, to my reading, in any way temporary, or malleable, pending further development of the record.  The white paper comes off as another installment in the now quarter-century-old U.S. policy that the emperor is fully clothed.

I hope this white paper is only a stop-gap.  As I said in a Boston Bar CLE recently, no privacy bill now pending in Congress will bridge the divide between the continents on the subject of U.S. security surveillance.  A political negotiation, which might involve some give from the American side at least in transparency, seems now to be our only way forward.

The white paper is Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (Sept. 2020).

Wednesday, April 29, 2020

Recent commentaries ponder privacy in license plates, history of animal identity

Two blog entries tangentially related to areas of interest of mine crossed my desk this week.

CC TV (Adrian Pingstone CC0)
Privacy law.  For The Volokh Conspiracy at Reason, UC Berkeley Professor Orin Kerr wrote about the Massachusetts Supreme Judicial Court decision in Commonwealth v. McCarthy, No. SJC-12750, on April 16.  The Court considered the implications of automatic license plate readers under the Fourth Amendment, concluding that there are constitutional consequences, if not resulting in a violation of the defendant's rights in the instant drug case.  Kerr considers the case relative to the Supreme Court's 2018 cell-tower-location decision, Carpenter v. United States, and against the background of his own work on mosaic theory in privacy law (he's not a fan).  In a purely civil context, mosaic theory, born in the national security arena, has long been a key underpinning of personal privacy rights in their encroachment on the freedom of information, an accelerating conflict in the information age.  The commentary is "Automated License Plate Readers, the Mosaic Theory, and the Fourth Amendment: The Massachusetts Supreme Judicial Court Weighs In" (Apr. 22, 2020).

Peacock plumage (Jatin Sindhu CC BY-SA 4.0)
Animal law.  Evolution of animals at law was the subject of an Earth Day commentary for Legal History Miscellany by history Professor Krista Kesselring at Dalhousie University in Nova Scotia.  She traced the historical change in cultural and common law regard for animals from aesthetic adornment, to property of utility, to something, perhaps, at last, with intrinsic value.  The commentary is "Can You Steal a Peacock? Animals in Early Modern Law" (Apr. 22, 2020).  U.S. courts have evidenced a dawning recognition of animals as more than mere personal property, even in a civil context, moving beyond welcome developments in criminal anti-cruelty statutes.  The nascent trend is evident and needed especially in the area of tort damages, in which the valuation of a pet as an item of property fails profoundly to account for real and rational emotional suffering upon loss.  See furthermore the recent: Richard L. Cupp, Jr., Considering the Private Animal and Damages (SSRN last rev. Apr. 2, 2020).  HT @ Private Law Theory.

Tuesday, March 31, 2020

COVID-19 stresses United States on domestic borders; war analog might foster state solidarity upon federal power

Rhode Island Governor Gina Raimondo was recently threatened with a lawsuit by New York Governor Andrew Cuomo.  U.S. Air National Guard Photo by Master Sgt Janeen Miller (2016).

I have just published at the new blog, Law Against Pandemic. Here is the abstract:

The coronavirus pandemic is stressing not only our healthcare systems, but our political and legal systems.  The pandemic has challenged our sense of identity in humankind, pitching us back and forth between a spirit of global solidarity and a competition of human tribes for resources and survival.  That tension plays out in our political and legal responses to the pandemic, manifesting the natural human temptation to tribalism in both international and intranational dimensions.

As policymakers struggle to respond to the pandemic and to curb the outbreak of COVID-19, I have been struck by the emergence of interstate tensions in the United States.  The pressure of the pandemic, aggravated by a slow and uncertain governmental response at the federal level, has been a brusque reminder that the United States are a plural: a federation of states that famously endeavored “to form a more perfect Union,” but that, like human governance itself, remains a work in progress.


Read more at the new blog, Law Against Pandemic

 

Tuesday, April 24, 2018

Revenge porn law can survive First Amendment scrutiny by requiring 'actual malice'


Last week a Tyler, Texas, appellate court struck the state’s criminal revenge porn law as fatally overbroad, so facially unconstitutional, under the First Amendment to the federal Constitution.  The ruling garnered headlines heralding the unconstitutionality of revenge porn law, which could have big implications in privacy law and policy nationwide—even ramifications for U.S. foreign relations.

However, the court’s ruling was not so broad as headlines have suggested.  In fact, the court gave wise and constructive feedback on what a revenge porn law needs to look like to pass constitutional muster—which it can.  It seems in the end that the Texas law was just not well drafted.  Accordingly, the revenge porn laws that have proliferated in the United States, now in 38 states (collected at Cyber Civil Rights Initiative), should be scrutinized and, if necessary, corrected.  (Constitutional problems with Vermont and Arizona laws were mentioned just today by the U.K. Register, here.)

The Texas case, Ex parte Jones, No. 12-17-00346 (Tex. Ct. App. Apr. 18, 2018), involved a criminal information against Jones under Texas Penal Code section 21.16(b), which criminalizes the “unlawful disclosure of intimate visual materials.”  The statute reads:


A person commits an offense if:
  (1) without the effective consent of the depicted person, the person intentionally discloses visual material depicting another person with the person’s intimate parts exposed or engaged in sexual conduct;
  (2) the visual material was obtained by the person or created under circumstances in which the depicted person had a reasonable expectation that the visual material would remain private;
  (3) the disclosure of the visual material causes harm to the depicted person; and
  (4) the disclosure of the visual material reveals the identity of the depicted person in any manner[.]


The statute, section 21.16(a), furthermore defines “visual material” broadly (“any film, photograph, videotape, negative, or slide or any photographic reproduction that contains or incorporates in any manner any film, photograph, videotape, negative, or slide,” as well as electronic transmission) and “intimate parts” specifically (“the naked genitals, pubic area, anus, buttocks, or female nipple of a person”).

The court’s First Amendment analysis was sound.  The court applied de novo review to test the constitutionality of a criminal statute.  The court rejected a narrow construction that would confine the law to mere obscenity, as stringently defined by federal precedent.  Because the statute is then a content-based restriction of expressive content, the court charged the government with the burden of rebutting presumptive unconstitutionality.  The State conceded at oral argument that the law must survive strict scrutiny, i.e., advance a compelling state interest and be narrowly tailored to do so.  Intimate privacy passes muster on the first prong, but the statute facially fails narrow tailoring.  The court acknowledged that overbreadth doctrine is “strong medicine”; nevertheless, the statute could not measure up.

The court illustrated the statute’s fatal flaw with a hypothetical, unattributed so presumably original, that seems drawn from a law school or bar exam:


“Adam and Barbara are in a committed relationship. One evening, in their home, during a moment of passion, Adam asks Barbara if he can take a nude photograph of her. Barbara consents, but before Adam takes the picture, she tells him that he must not show the photograph to anyone else. Adam promises that he will never show the picture to another living soul, and takes a photograph of Barbara in front of a plain, white background with her breasts exposed.

“A few months pass, and Adam and Barbara break up after Adam discovers that Barbara has had an affair. A few weeks later, Adam rediscovers the topless photo he took of Barbara. Feeling angry and betrayed, Adam emails the photo without comment to several of his friends, including Charlie. Charlie never had met Barbara and, therefore, does not recognize her. But he likes the photograph and forwards the email without comment to some of his friends, one of whom, unbeknownst to Charlie, is Barbara’s coworker, Donna. Donna recognizes Barbara and shows the picture to Barbara’s supervisor, who terminates Barbara’s employment.”


“In this scenario,” the court observed, “Adam can be charged under Section 21.16(b), but so can Charlie and Donna.”

Therein lies the problem: not necessarily as applied to Adam, but as applied to Charlie and Donna, who are ignorant of the circumstances under which the photo came to be.  Certainly Charlie, who received the photo from Adam “without comment,” might as well believe that Adam ripped the photo of a stranger from a pornographic website.  However indecent the photo, both Charlie and Donna have a First Amendment right to communicate the photo “downstream.”  Yet without Barbara’s consent, Charlie and Donna run afoul of the revenge porn law.  Given the ease with which persons can share visual images in the age of electronic and online communication, the court found “alarming breadth” in this potential criminalization of expression.  In First Amendment overbreadth doctrine, a facially overbroad criminal law must be ruled unconstitutional even if it might be constitutional as applied to the defendant before the court.

The court distilled the law’s flaws in two dimensions related to culpability.  Typically of a criminal prohibition, the statute requires intent.  But intent pertains only to the republication of the image.  The statute does not require that the actor have “knowledge or reason to know the circumstances surrounding the material’s creation, under which the depicted person’s reasonable expectation of privacy arose.”  Second, the statute does not require “intent to harm the depicted person,” or even knowledge “of the depicted person’s identity.”  Borrowing the language of civil law (meaning common law tort), one would say that the statute requires volitional intent, but not intent to commit a wrong or to cause an injury.

The requisite intent to survive constitutional challenge may be likened to “actual malice,” which is used in both civil and criminal defamation law to describe “knowledge of falsity or reckless disregard of truth or falsity.”  In the context of revenge porn, a constitutional law might require “actual knowledge of the depicted person’s reasonable and continuing expectation of privacy in the image, or reckless disregard of same.”  If Charlie knew the identity of Barbara, so might infer the circumstances under which the photo had been taken, then the State might at least allege recklessness.  Donna, who did know Barbara’s identity, might be charged.  But she should be entitled to defend upon a qualified privilege, borrowed again from common law defamation, to share information in the interest of a recipient or third party when the defendant should disclose according to general standards of decency.  A corrected statute would hold Adam accountable without a constitutional problem.

Also just last week, the Rhode Island legislature (my home state) passed a revenge porn bill (2018-H 7452A) that has the support of Governor Gina Raimondo (AP).  Raimondo vetoed a revenge porn bill in 2016, objecting on free speech grounds (Providence Journal).  Her position now is bolstered by the Texas decision in Jones.  Beefing up the intent requirement is precisely one of the R.I. legislative fixes that brought the latest bill to fruition.  The Rhode Island bill requires that the defendant intentionally disseminated, published, or sold “[w]ith knowledge or with reckless disregard for the likelihood that the depicted person will suffer harm, or with the intent to harass, intimidate, threaten or coerce the depicted person.”

I still have qualms about the “reasonable expectation of privacy” (REP) standard—which is drawn from Fourth Amendment jurisprudence as a bulwark against improper state action—being extended into the realm of private criminal or civil liability.  REP is potentially much broader than the intimate-depiction definitions of revenge porn laws.  And criminalization and civil liability are not the same.  Even though criminal defamation is constitutional when qualified by actual malice, contemporary human rights norms discourage the criminalization of expression at all.

At the same time, I have argued in favor of evolving U.S. law to recognize downstream control of private information, in consonance with both American values in the information age and emerging global legal norms.  Revenge porn laws—as against Adam, to the exclusion of Charlie and Donna—are a modest step in that direction, which European observers will welcome of us.  We will have to remain vigilant to continue to protect freedom of expression in tandem with expanding privacy rights, especially in a time in which the latter at the expense of the former is the fashion.  Conscientious actors such as the Jones panel (Worthen, C.J., and Hoyle and Neeley, JJ.) and Governor Raimondo are doing well, so far.

Thursday, April 5, 2018

SCOTUS 'Microsoft' privacy case likely moot, R+C blog reports

It looks like we won't get an answer from the U.S. Supreme Court in the Microsoft privacy case.  For the Data + Privacy Security Insider at Robinson + Cole, Kathleen Porter and Connor Duffy report that the Government and Microsoft agree that the case was mooted by the CLOUD Act, signed into law in March as part of omnibus spending legislation. 

The CLOUD Act gives the Government the authority to compel Microsoft to produce the sought-after data, whether stored at home or abroad, and the Government already has attained a warrant under the new law.  Microsoft's reported statement indicates that the company's position was exonerated insofar as it maintained that the legislature was the appropriate branch of government in which to resolve the matter.

I wrote about Microsoft and the pending Carpenter case for the winter 2017 newsletter of the Privacy, Cybersecurity & Digital Rights Committee of the ABA Section of International Law (published just last month, March 2018).

Friday, November 24, 2017

Fourth Amendment privacy case, set for oral argument Nov. 29, touches on US-EU data protection divide

I've published a short preview of Carpenter v. United States, 819 F.3d 880 (6th Cir. 2016), cert. granted, No. 16-402 (U.S. June 5, 2017) (SCOTUSblog), a Stored Communications Act, 18 U.S.C. § 2703(d), case set for oral argument in the U.S. Supreme Court on Wednesday, November 29.  Here's an excerpt; link below to the full article and the ABA publication in which it appears.

U.S. Supreme Court accepts cell phone privacy case with transnational implications

A privacy case headed to the U.S. Supreme Court will give justices an opportunity to examine “the third-party doctrine” in U.S. constitutional law. The doctrine manifests a central feature of American privacy policy, marking a divide that has flummoxed transnational data transfer negotiators.
*  *  *

The urgent problem on the transnational scene is that the secrecy paradigm is incompatible with emerging global privacy norms. In EU data protection, for example, privacy follows data downstream. A person can divulge information with strings attached, and the strings are enforceable against subsequent recipients, such as Internet retailers. Even in public places, a data collector, such as a surveillance camera owner, has affirmative obligations to captured subjects. This incompatibility goes a long way to explain the incongruence of European apoplexy and American nonchalance in reaction to global surveillance by the U.S. National Security Agency.
*  *  *

However suspenseful, Carpenter proffers bad facts to kill the third-party doctrine outright. As the Sixth Circuit observed, ordinary people know that cell phones communicate with nearby towers, and their location data are not as damningly precise as GPS. The privacy intrusion was therefore modest, and statute afforded some safeguard. What will be interesting to see in Carpenter is whether more justices lend their voices to the Alito or Sotomayor position, and whether the replacement of Justice Scalia with Justice Gorsuch unsettles the Court’s fealty to originalism.

Read the article at pp. 5-6 of the fall 2017 newsletter of the Privacy, Cybersecurity & Digital Rights Committee of the Section of International Law of the American Bar Association, available here in PDF

Tuesday, January 24, 2017

Intimate large parties and the duty to protect privacy



I had to take a blog break over the holidays in order to get a hefty book read and to write a review of it.  I’ll post on that when it comes closer to publication.  Meanwhile, my, how the world has changed!  Let me kick off the new year with a look at some related developments in privacy law.

As Marion Oswald of the University of Winchester wrote recently for the journal of Information Communication & Technology Law (open source), to paraphrase, privacy ain’t what it used to be.  Oswald opened with a quote from The Great Gatsby, so it goes without saying that that needs to be reiterated here.  She wrote,

At one of the Great Gatsby’s spectacular parties, the golf champion Jordan Baker remarked to Nick Carraway that she likes large parties: “They’re so intimate. At small parties there isn’t any privacy.”

From that paradox, Oswald builds the case that privacy must be redefined to protect individuals in the digital world.  She observes the inadequacy of the “reasonable expectation of privacy” (REP) test—the U.S. Fourth Amendment standard—given the objective test’s tendency to drive itself to extinction in a world of objectively diminishing privacy.  Kade Crockford with the ACLU of Massachusetts articulates this point brilliantly in her lectures.  Oswald is not the first to reach her conclusion, but she does so compellingly.

Two recent cases, from Pennsylvania and Massachusetts, reached different conclusions on the question of a corporate defendant’s duty to safeguard private data.  The cases show the struggle under way in U.S. courts to do just what Oswald proposed—to redefine privacy in the digital age.  The United States is increasingly at odds with Europe, and for that matter the rest of the world, on this question.  Heralded as a modern human right in Europe, data protection is a burgeoning global legal field—and corporate obligation.

Duty

First, a quick primer on duty in U.S. tort law.

Tort law in the United States usually provides for a “duty” by “default” in negligence—that is, all persons owe to all other persons a duty to exercise reasonable care (or not to act negligently), to avert harm to all others.  But the default rule of duty is subject to some important limitations.

One limitation is the economic loss rule, which circumscribes negligence liability.  The rule precludes a plaintiff’s action for nonphysical, economic injury alone.  There are plenty of exceptions to the rule, and some scholars even think it’s not really a rule at all.  For example, negligent misrepresentation, which is like fraud but without intent, can be supported by economic loss within the context and expectations of a business relationship.

Defamation and privacy torts can generate what looks like economic injury, but really are animated by their own, sui generis classes of damages to reputation and personality.  U.S. privacy torts push in the European direction, but generally do not protect data voluntarily disclosed to third parties, such as employers and banks—a relation of the REP problem.  That means no protection in privacy torts for financial data, even though it’s the stuff of identity theft.

The other limitation on duty by default is that U.S. law imposes no affirmative duty to protect, or to render aid.  This rule, too, is subject to many exceptions, such as a parent’s duty to protect a child, contractual and statutory duties to protect, and a duty not to abandon a rescue undertaken.

Here, as in privacy law, European legal codes diverge from U.S. common law with a greater willingness to impose affirmative duty.  In the United States, the affirmative-duty limitation also can relieve a corporate entity of a duty to safeguard data when the injury to the plaintiff is caused much more immediately by an intervening bad actor, such as the hacker or identity thief.  (The problem in proximate causation is integrally related.)

So on to the cases.  Remember, "[i]t takes two to make an accident."

Pennsylvania

A January 12 Pennsylvania court decision, Dittman v. UPMC (Leagle) held that an employer had no duty to safeguard employees’ private information on a workplace computer.  (Hat tip to Richard Borden at Robinson + Cole.)  University of Pittsburgh Medical Center (UPMC) employees numbering 62,000 alleged disclosure of personal information in a data breach, resulting in the theft of identities and of tax refunds.

The court applied a five-factor test for duty: 

1. the relationship between the parties;
2. the social utility of the actor's conduct;
3. the nature of the risk imposed and foreseeability of the harm incurred;
4. the consequences of imposing a duty upon the actor; and,
5. the overall public interest in the proposed solution.

UPMC prevailed in common pleas and superior courts, the latter 2-1, arguing that it owed no duty to protect the plaintiff’s interests.  On the affirmative duty question, the court pointed to attenuated causation and professed willingness to defer to the state legislature.  As summarized by Brian J. Willett for the Reed Smith Technology Law Dispatch:

The Superior Court observed that the social utility of electronic information storage is high, and while harm from data breaches is foreseeable, an intervening third party stealing data is a superseding cause.

Additionally, the Court explained that a judicially created duty of care would be unnecessary to motivate employers to protect employee information, as “there are still statutes and safeguards in place to prevent employers from disclosing confidential information” in addition to business considerations.

Finally, the Court agreed with the trial court’s conclusion that creating a duty in this context would not serve the public interest; rather, it would interrupt the deliberative legislative process and expend judicial resources needlessly.

The court then bolstered its conclusion by pointing to the economic loss rule as well. 

Massachusetts

Just before the holiday break in December, a Massachusetts Appeals Court also decided a case in which the plaintiff alleged an employer’s negligence in safeguarding private data—though the plaintiff was a client of the employer rather than an employee.

The facts recited by the court in Adams v. Congress Auto Insurance Agency, Inc. (Justia), have the makings of a docudrama.  According to the court, Thomas was fleeing police at high speed when he crashed his car into Adams's.  Thomas was driving the car of his girlfriend, Burgos, so Adams claimed against Burgos’s auto insurance.  Meanwhile Burgos was both customer and customer service manager of defendant insurance agency Congress.  She reported her car stolen and filed her own insurance claim. 

Adams could identify Thomas.  So Burgos used her computer access at work to identify Adams and passed his identity to Thomas.  Thomas then phoned Adams, impersonated a state police officer, and threatened Adams: “‘Shut the F up and get your car fixed or you will have issues,’” the court purported to quote.  Though I bet Thomas didn’t say just “F.”

Adams sued Congress on multiple theories, including negligent failure to safeguard private data.  At the trial level, according to the appeals court, “the motion judge . . . rul[ed] that expert testimony was required to establish whether the agency owed a duty to Adams to safeguard his personal information, what that duty entailed, and whether the agency breached that duty.”

It’s odd that the motions judge sought expert testimony, because, as the appeals court aptly observed, duty is unique among the four elements of negligence—duty, breach, proximate cause, and injury—for being purely a question of law, guided by public policy.  Courts do not ordinarily hear expert testimony on what the law is.  The theory goes that figuring that out is the judge’s main job.  (Too bad, or being a law professor would be more lucrative.  I was gently tossed from the witness stand once when a lawyer made a valiant but futile attempt to squeeze me past the rule.)

Unlike the Pennsylvania Superior Court, the Massachusetts Appellate Court found its way to a legal duty.  The court held “that the agency had a legal duty to Adams, a member of a large but clearly defined class of third parties, to prevent its employee’s foreseeable misuse of the information that Adams provided to process his automobile insurance claim.”  Where the Pennsylvania court had pointed to statute to justify judicial restraint, the Massachusetts court pointed to state data breach law to show that the legislature had green-lighted legal duty (albeit "a single green light, minute and far away").

“Just as those with physical keys to the homes of others have a duty of reasonable care to preserve their security,” the Massachusetts court reasoned, “companies whose employees have access to the confidential data of others have a duty to take reasonable measures to protect against the misuse of that data.”  Indeed, the court cited a keys case as applicable precedent.  The court made no fuss over the rule of affirmative duty or the rule of economic loss.  In a discussion of causation, the court seemed content to resort to foreseeability on the facts.

Summary judgment for defendant Congress was vacated, and the case was remanded for trial.

Conclusion

Advocates who wish to block European-style data protection in the United States use the availability of state tort law remedies as one tool in the toolbox to argue that U.S. law already sufficiently safeguards personal data from both sides of the Atlantic.  That’s not true.  Not yet.

Data protection in the United States is confounded by the rules of affirmative duty and economic loss.  And that’s not bad; those rules exist for sound public policy reasons.  They also are excepted for sound reasons.

I’ve written before (e.g., here and here) that popular thinking and expectations with respect to individual privacy are converging in the United States and Europe, even if a legal bridge lags behind.  Common law negligence can be a vital building block of that bridge.  But it’s a work in progress.

“‘Don’t believe everything you hear, Nick.’”

Sunday, November 13, 2016

Digital forgetting in America




Yesterday I spoke on a panel at the annual conference of the National Communication Association (NCA) on “the right to be forgotten,” or “right to erasure,” in data protection law. 

RTBF is a way for someone to get unwanted Internet content taken down, or at least de-listed, or de-indexed, from search results, because the content causes the person injury.  RTBF is regarded in Europe as a function of the human right to data protection, an outgrowth of the fundamental right to privacy in European law.  The history of the right is now well documented online for the reader of every interest level, so I won’t belabor it here.  Suffice to say that a landmark moment came in the case of Mario Costeja González in the European Court of Justice in 2014 (Wikipedia; the case in English).  He had complained about the online publication of an archived 1998 newspaper report of a debt.  The court sided with the Spanish Data Protection Authority in ordering Google Spain to de-index the report from search results.

The Costeja case rattled media on the American side of the Atlantic, who raised the alarm about a threat to the freedom of expression.  U.S. law has always been a problematic analog to European privacy law.  The disparity stems from a basic, initial problem, which is that the only place our Constitution plainly recognizes privacy law is in the Fourth Amendment right against unreasonable searches and seizures.  To the dismay of constitutional textualists, the U.S. Supreme Court has sometimes located a right of privacy in various other provisions, as well as in their “penumbras and emanations” (Griswold v. Conn., 381 U.S. 479, 484 (1965) (LII)).  But at the end of the day, our constitutional notion of a privacy right has remained largely constrained by the state action doctrine, meaning the right restrains only governmental power, not the private operators of search engines and newspaper archives. When statutory or common law privacy collides with the free speech rights of online publishers, the constitutional imperative prevails.

Meanwhile RTBF has been recognized explicitly in the General Data Protection Regulation (GDPR) of the European Union.  The doctrine has spawned its own body of administrative and case law in European national courts, some of it tied more to the human right of privacy than to the GDPR.  RTBF court rulings have spawned a labor-intensive takedown request service within Google.  The courts and the Internet giant are sparring now over whether search engines can be compelled to de-index websites worldwide or only in national iterations of the service (e.g., google.fr for France).  Scholars are looking hard at whether there should be a legal difference between a search engine and a primary information provider, such as a newspaper, in the area of Internet intermediary liability.   RTBF was a sore point in the trans-Atlantic negotiation over the data protection Privacy Shield agreement, and still key details remain to be worked out in implementation.  And RTBF and its balance with free expression remains a point of debate around the world as countries such as Brazil look to overhaul and update their data protection and privacy laws.

I made the moral case for RTBF in a Washington Post op-ed two years ago, so I won’t reiterate that here.  I’ve since been looking into the law of RTBF in the United States.  Saturday I reported my belief that the First Amendment hurdles are surmountable.  

To give just the flavor of that presentation, take for example the prior restraint doctrine in U.S. First Amendment law.  The prior restraint doctrine essentially forbids restraints on free expression backed by government power prior to adjudication of the expression as unlawful.  One need look no farther than the vigorous notice and takedown (N&TD) regime of the Digital Millennium Copyright Act (DMCA) to see that the prior restraint doctrine is a manageable problem.  To be clear, I’m on record agreeing with those who think that DMCA N&TD has gotten out of control and needs to be reined in, not to mention that the underlying scope of copyright protection is excessive.  But the analogy holds.  When nude celebrity photos of the likes of Jennifer Lawrence were leaked online, the remedy employed by some—for the rabidly popular Lawrence, it wasn’t possible—to recall their images from circulation was copyright N&TD, rather than tortious invasion of privacy.  It makes no sense to compel the use of intellectual property law to remedy what is plainly a privacy problem.  Tort law is up to the job.  Moreover, I see a clear and constitutional path to injunctive remedies for privacy torts, better than for ill-fitting copyright infringements.

I am also engaging the idea that in this age of information commodification, the provision of information is sometimes more a commercial enterprise than an expressive enterprise.  Certainly that's the case for data brokers, such as Acxiom.  Researchers such as Nikolas Ott and Hugo Zylberberg in the Kennedy School Review have described the commercial value of the wash of data that our appliances will generate in the Internet of Things era.  A Spanish court in an RTBF case against the newspaper El País held that the newspaper's online publication of archives was a commercial act rather than a journalistic one.  Commercial communication is protected by the First Amendment, but to a much lesser extent than is political or artistic expression.

I am grateful to Dr. Kyu Ho Youm, the John Marshall First Amendment chair at the University of Oregon School of Journalism and Communication, who invited me to be a part of the NCA program that he designed and proposed.  I am also indebted for thought-provoking reflection to my co-panelists: Dr. Ed Carter, professor and director of the School of Communication at Brigham Young University; Dr. Stefan Kulk, a researcher at the Centre for Intellectual Property Law of Utrecht University in the Netherlands; and Dr. Ahran Park, a senior researcher for the Korea Press Foundation in South Korea.