Frohe Weihnachten

Image posted by u/ManCrisp to Reddit, Dec. 6, 2018. Republished with permission; all rights reserved.  Hat tip @StevenZoni.

CFP: UMass Law Review calls for papers, presentations in law and media

The UMass Law Review has issued the following call for papers. Download the call in PDF here, and please share it with any interested scholarly communities.

UNIVERSITY OF MASSACHUSETTS LAW REVIEW
CALL FOR SYMPOSIUM PAPERS AND PRESENTATIONS

November 14, 2018

We are pleased to announce the 2019 UMass Law Review Roundtable Symposium, currently titled “Law and Media.” In the age where the 24/7 news cycle and social media have impacted current politics and where data protection, personal branding, and technology have affected entertainment and media as well as the rule of law, an investigation of the relationship between law and the media of our current times is timely and warranted. Accordingly, the UMass Law Review seeks thoughtful, insightful, and original presentations relating to the impact of the law on media as well as the impact of media on the law.

Interested participants should submit a 500-word abstract to cshannon@umassd.edu, with “Attn: Conference Editor – Symposium Submission” in the subject line by December 31st, 2018 for consideration. Selected participants will be notified by the end of January and invited to present their work at the 2019 UMass Law Review Symposium taking place in late March of 2019. Selected participants may also submit a scholarly work for potential publication in the 2019-2020 UMass Law Review Journal. If you have questions about submissions or the Symposium, please contact our Business/Conference Editor, Casey Shannon or Editor-In-Chief, Kayla Venckauskas (kvenckauskas@umassd.edu). We thank you in advance for your submission.

Sincerely,

Kayla Venckauskas
Editor-in-Chief

Casey Shannon
Business/Conference Editor

Revenge porn law can survive First Amendment scrutiny by requiring 'actual malice'

Last week a Tyler, Texas, appellate court struck the state’s criminal revenge porn law as fatally overbroad, so facially unconstitutional, under the First Amendment to the federal Constitution.  The ruling garnered headlines heralding the unconstitutionality of revenge porn law, which could have big implications in privacy law and policy nationwide—even ramifications for U.S. foreign relations.

However, the court’s ruling was not so broad as headlines have suggested.  In fact, the court gave wise and constructive feedback on what a revenge porn law needs to look like to pass constitutional muster—which it can.  It seems in the end that the Texas law was just not well drafted.  Accordingly, the revenge porn laws that have proliferated in the United States, now in 38 states (collected at Cyber Civil Rights Initiative), should be scrutinized and, if necessary, corrected.  (Constitutional problems with Vermont and Arizona laws were mentioned just today by the U.K. Register, here.)

The Texas case, Ex parte Jones, No. 12-17-00346 (Tex. Ct. App. Apr. 18, 2018), involved a criminal information against Jones under Texas Penal Code section 21.16(b), which criminalizes the “unlawful disclosure of intimate visual materials.”  The statute reads:

A person commits an offense if:

  (1) without the effective consent of the depicted person, the person intentionally discloses visual material depicting another person with the person’s intimate parts exposed or engaged in sexual conduct;

  (2) the visual material was obtained by the person or created under circumstances in which the depicted person had a reasonable expectation that the visual material would remain private;

  (3) the disclosure of the visual material causes harm to the depicted person; and

  (4) the disclosure of the visual material reveals the identity of the depicted person in any manner[.]

The statute, section 21.16(a), furthermore defines “visual material” broadly (“any film, photograph, videotape, negative, or slide or any photographic reproduction that contains or incorporates in any manner any film, photograph, videotape, negative, or slide,” as well as electronic transmission) and “intimate parts” specifically (““the naked genitals, pubic area, anus, buttocks, or female nipple of a person”).

The court’s First Amendment analysis was sound.  The court applied de novo review to test the constitutionality of a criminal statute.  The court rejected a narrow construction that would confine the law to mere obscenity, as stringently defined by federal precedent.  Because the statute is then a content-based restriction of expressive content, the court charged the government with the burden of rebutting presumptive unconstitutionality.  The State conceded at oral argument that the law must survive strict scrutiny, i.e., advance a compelling state interest and be narrowly tailored to do so.  Intimate privacy passes muster on the first prong, but the statute facially fails narrow tailoring.  The court acknowledged that overbreadth doctrine is “strong medicine”; nevertheless, the statute could not measure up.

The court illustrated the statute’s fatal flaw with a hypothetical, unattributed so presumably original, that seems drawn from a law school or bar exam:

“Adam and Barbara are in a committed relationship. One evening, in their home, during a moment of passion, Adam asks Barbara if he can take a nude photograph of her. Barbara consents, but before Adam takes the picture, she tells him that he must not show the photograph to anyone else. Adam promises that he will never show the picture to another living soul, and takes a photograph of Barbara in front of a plain, white background with her breasts exposed.

“A few months pass, and Adam and Barbara break up after Adam discovers that Barbara has had an affair. A few weeks later, Adam rediscovers the topless photo he took of Barbara. Feeling angry and betrayed, Adam emails the photo without comment to several of his friends, including Charlie. Charlie never had met Barbara and, therefore, does not recognize her. But he likes the photograph and forwards the email without comment to some of his friends, one of whom, unbeknownst to Charlie, is Barbara’s coworker, Donna. Donna recognizes Barbara and shows the picture to Barbara’s supervisor, who terminates Barbara’s employment.”

“In this scenario,” the court observed, “Adam can be charged under Section 21.16(b), but so can Charlie and Donna.”

Therein lies the problem: not necessarily as applied to Adam, but as applied to Charlie and Donna, who are ignorant of the circumstances under which the photo came to be.  Certainly Charlie, who received the photo from Adam “without comment,” might as well believe that Adam ripped the photo of a stranger from a pornographic website.  However indecent the photo, both Charlie and Donna have a First Amendment right to communicate the photo “downstream.”  Yet without Barbara’s consent, Charlie and Donna run afoul of the revenge porn law.  Given the ease with which persons can share visual images in the age of electronic and online communication, the court found “alarming breadth” in this potential criminalization of expression.  In First Amendment overbreadth doctrine, a facially overbroad criminal law must be ruled unconstitutional even if it might be constitutional as applied to the defendant before the court.

The court distilled the law’s flaws in two dimensions related to culpability.  Typically of a criminal prohibition, the statute requires intent.  But intent pertains only to the republication of the image.  The statute does not require that the actor have “knowledge or reason to know the circumstances surrounding the material’s creation, under which the depicted person’s reasonable expectation of privacy arose.”  Second, the statute does not require “intent to harm the depicted person,” or even knowledge “of the depicted person’s identity.”  Borrowing the language of civil law (meaning common law tort), one would say that the statute requires volitional intent, but not intent to commit a wrong or to cause an injury.

The requisite intent to survive constitutional challenge may be likened to “actual malice,” which is used in both civil and criminal defamation law to describe “knowledge of falsity or reckless disregard of truth or falsity.”  In the context of revenge porn, a constitutional law might require “actual knowledge of the depicted person’s reasonable and continuing expectation of privacy in the image, or reckless disregard of same.”  If Charlie knew the identity of Barbara, so might infer the circumstances under which the photo had been taken, then the State might at least allege recklessness.  Donna, who did know Barbara’s identity, might be charged.  But she should be entitled to defend upon a qualified privilege, borrowed again from common law defamation, to share information in the interest of a recipient or third party when the defendant should disclose according to general standards of decency.  A corrected statute would hold Adam accountable without a constitutional problem.

Also just last week, the Rhode Island legislature (my home state) passed a revenge porn bill (2018-H 7452A) that has the support of the Governor Gina Raimondo (AP).  Raimondo vetoed a revenge porn bill in 2016, objecting on free speech grounds (Providence Journal).  Her position now is bolstered by the Texas decision in Jones.  Beefing up the intent requirement is precisely one of the R.I. legislative fixes that brought the latest bill to fruition.  The Rhode Island bill requires that the defendant intentionally disseminated, published, or sold “[w]ith knowledge or with reckless disregard for the likelihood that the depicted person will suffer harm, or with the intent to harass, intimidate, threaten or coerce the depicted person.”

I still have qualms about extending the “reasonable expectation of privacy” (REP) standard—which is drawn from Fourth Amendment jurisprudence as a bulwark against improper state action—being extended into the realm of private criminal or civil liability.  REP is potentially much broader than the intimate-depiction definitions of revenge porn laws.  And criminalization and civil liability are not the same.  Even though criminal defamation is constitutional when qualified by actual malice, contemporary human rights norms discourage the criminalization of expression at all.

At the same time, I have argued in favor of evolving U.S. law to recognize downstream control of private information, in consonance with both American values in the information age and emerging global legal norms.  Revenge porn laws—as against Adam, to the exclusion of Charlie and Donna—are a modest step in that direction, which European observers will welcome of us.  We will have to remain vigilant to continue to protect freedom of expression in tandem with expanding privacy rights, especially in a time in which the latter at the expense of the former is the fashion.  Conscientious actors such as the Jones panel (Worthen, C.J., and Hoyle and Neeley, JJ.) and Governor Raimondo are doing well, so far.

Popular singer's 'right to be forgotten' outweighs free speech in Italian case over archival video and biting commentary

Because Manchester City FC might need it after today's derby match, let's consider the right to be forgotten.

As an aspect of European, and increasingly global, data protection law, "the right to be forgotten," or right to erasure, unsettles the tummies of American media advocates.  The right to erasure runs up against the presumptive rule of U.S. First Amendment law that there can be no punishment for the republication of truthful information lawfully obtained.  Read more about that here (predating implementation of the EU General Data Protection Regulation).  The Italian Court of Cassation has issued a potentially important decision at the intersection of the right to erasure and the freedom of expression.  

Hat tip @TheItalianLawJournal.  For a few months to come, or until a better translation comes to light, I'm parking a very rough Google Translate rendition of the ruling here in PDF.  The translations that follow here are mine, refining the Google Translate rendering. The original court decision can be found here.

Antonello Venditti by Angela_Anji (CC BY-NC-SA 2.0)

The case stemmed from a TMZ-style confrontation by an RAI-1 "Live Life" («La vita in diretta») crew of Italian singer Antonello Venditti (Facebook) in 2000.  I've not seen the video, but Venditti apparently resisted the interrogators with sufficient gruffness that he earned his way onto the program's 2005 "ranking of the most obnoxious and grumpy characters in the entertainment world."  The story occasioned rebroadcast of the 2000 segment, along with commentary mocking his diminished fame in the intervening years.  Antonello took offense and sued, claiming "a right to be forgotten" attached to the 2000 video. 

Of peculiar resonance with current events in the United States, the Italian court took note of a German right-to-erasure case about "an affair in which a German citizen, who held a major political and business position in Germany, had requested the erasure of information from the web relating to an episode of collusion with Russian crime dating back several years earlier, republished several years after."  The Court of Justice of the EU ruled that "the public's interest in information prevailed over the individual's interest in oblivion."  However, the Italian court observed, the ruling resulted from a fact-intensive inquiry.

The court must engage with "the search for the right balance between the interest of Internet users in information and the fundamental rights of the person," the Italian court explained.  "Therefore, the editor of a newspaper that stores in its historical archive on the internet the news, making it available to a potentially unlimited number of people, is required to prevent, through the dissemination of even remote facts, without any meaningful and current public interest, possible harm to the right to be forgotten by the people who were involved."

The freedom of expression must yield to the right to erasure, the court held, upon analysis according to five factors:

1. the contribution made by the dissemination of the image or of the news to a matter of public interest;
2. the actual and current interest in the dissemination of the image or news (for reasons of justice, police, or protection of the rights and liberties of others, or for scientific, educational, or cultural purposes), to be considered absent in case of prevalence of a popular interest [italics added; in original, divulgativo: I'm not sure how to translate that and don't think "popular" or "informed" is right], or, worse, merely economic or commercial interest of the subject that spreads the news or the image; 
3. the high degree of notoriety of the subject represented, for the economic or political reality of the country;
4. the methods used, for the particular position held in public life, and, in particular, to obtain and give information, which must be truthful (because it is drawn from reliable sources, and with a diligent research work), disseminated in ways that are not excessive for information purposes, in the interest of the public, and free from insinuations or personal considerations, so as to highlight an exclusive objective interest in the new dissemination;
5. the preventive information about the publication or transmission of the news or image at a distance of time, in order to allow the interested party the right of reply before its disclosure to the general public.

Applying its multi-factor test, the court decided that RAI's interest in the rebroadcast video segment was outweighed by Antonello's privacy and data protection rights.  The court below had erred by finding Antonello's fame dispositive.  Reminding one of the analysis of Elmer Gertz in U.S. defamation lore, the court held that Antonello's large public following "certainly" did "not invest[ him] with a primary role in national public life."  Moreover, RAI's purpose, five years on, lacked merit. The court found it "undeniable that the reiterated broadcast ... had [the] unique purpose of allowing the inclusion of the singer ... in a ranking of ... 'the most obnoxious and grumpy of the entertainment world,' invented by the same broadcaster, allowing, in this way, the satisfaction of an interest that is exclusively informative [again, divulgativo], for commercial purposes, and for the television operator's audience."  The broadcaster's derogatory comments about Antonello's fame in 2005 aggravated the offense, the court added.  

The court also rejected "satire" as a defense.  The representation of Antonello was not "paradoxical, surreal and hyperbolic critique," but referred to "true fact," "clearly directed to a mere and unjustified denigration of the artist."  The broadcaster sought to use the 2000 video to represent Antonello in 2005 as "a singer, for years, in decline."

This case is the very stuff of American media advocates' nightmares.  Newspapers decry the right to erasure as a threat to online archives—though representations in archives, as archives, are readily factually distinguishable from the Antonello case.  The more realistic threat would be to the "TMZ"/"Talk Soup" format of entertainment media, or even the clever uses of archival video that have become the staple of commentary on The Daily Show with Trevor Noah and Last Week with John Oliver.  Certainly under a rule such as the Italian court employed, broadcasters, even straight news broadcasters, would have to take more care with their use of B roll.  

I've advocated in favor of evolving U.S. privacy law toward European data protection norms.  But the Italian court went too far here, lending credence to American nay-saying.  I fault the court's analysis of Antonello as, in U.S. terms, a "private figure."  The lower court got it right in finding Antonello's public status dispositive relative to this RAI commentary.  It's especially telling and troubling that as to the satire argument—the RAI program seems on the mild side of the Talk Soup genre—the court faulted RAI commenters for the truth in their observation of Antonello's waning fame.  The court set up the Italian judiciary to be a "super editor" of popular media, an arbiter of taste.  American courts appropriately struggle with newsworthiness determinations in privacy law because they do not want that job.

SCOTUS 'Microsoft' privacy case likely moot, R+C blog reports

It looks like we won't get an answer from the U.S. Supreme Court in the Microsoft privacy case.  For the Data + Privacy Security Insider at Robinson + Cole, Kathleen Porter and Connor Duffy report that the Government and Microsoft agree that the case was mooted by the CLOUD Act, signed into law in March as part of omnibus spending legislation. 

The CLOUD Act gives the Government the authority to compel Microsoft to produce the sought-after data, whether stored at home or abroad, and the Government already has attained a warrant under the new law.  Microsoft's reported statement indicates that the company's position was exonerated insofar as it maintained that the legislature was the appropriate branch of government in which to resolve the matter.

I wrote about Microsoft and the pending Carpenter case for the winter 2017 newsletter of the Privacy, Cybersecurity & Digital Rights Committee of the ABA Section of International Law (published just last month, March 2018).

Brief argues public interest in social science research, FOI, while managing privacy risk

Representing the National Association of Scholars, UCLA Professor Eugene Volokh, UALR Professor Robert Steinbuch, and I filed an amicus brief in a California appellate case in which we argue the public interest in social science research, especially freedom of information in the area of legal education and admission to the bar, while managing risks to personal privacy.  Below is the introduction.  A longer excerpt appears here on TaxProf Blog, along with a link to the full brief in PDF.  My thanks to two formidable writing partners and a dedicated client.

Introduction

The public good often depends on social science research that employs personal data. Volumes of scientific breakthroughs based on data accumulated through access to public information demonstrate the importance and feasibility of enabling research in the public interest while still respecting data privacy. For decades, reliable and routine technical methods have ensured protection for personal privacy by de-identifying personal data.

Social science research into legal education and admission to the bar is presently a matter of urgent public interest and importance, requiring solid empirical analysis of anonymized personal data that government authorities possess. Social science research of the very kind proposed by Appellants Sander and The First Amendment Coalition represents standard, indeed commonplace, research practice furthering the public interest, while employing established methodologies that minimize the risk to privacy.

Fourth Amendment privacy case, set for oral argument Nov. 29, touches on US-EU data protection divide

I've published a short preview of Carpenter v. United States, 819 F.3d 880 (6th Cir. 2016), cert. granted, No. 16-402 (U.S. June 5, 2017) (SCOTUSblog), a Stored Communications Act, 18 U.S.C. § 2703(d), set for oral argument in the U.S. Supreme Court on Wednesday, November 29.  Here's an excerpt; link below to the full article and the ABA publication in which it appears.

U.S. Supreme Court accepts cell phone privacy case with transnational implications

A privacy case headed to the U.S. Supreme Court will give justices an opportunity to examine “the third-party doctrine” in U.S. constitutional law. The doctrine manifests a central feature of American privacy policy, marking a divide that has flummoxed transnational data transfer negotiators.

*  *  *

The urgent problem on the transnational scene is that the secrecy paradigm is incompatible with emerging global privacy norms. In EU data protection, for example, privacy follows data downstream. A person can divulge information with strings attached, and the strings are enforceable against subsequent recipients, such as Internet retailers. Even in public places, a data collector, such as a surveillance camera owner, has affirmative obligations to captured subjects. This incompatibility goes a long way to explain the incongruence of European apoplexy and American nonchalance in reaction to global surveillance by the U.S. National Security Agency.

*  *  *

However suspenseful, Carpenter proffers bad facts to kill the third-party doctrine outright. As the Sixth Circuit observed, ordinary people know that cell phones communicate with nearby towers, and their location data are not as damningly precise as GPS. The privacy intrusion was therefore modest, and statute afforded some safeguard. What will be interesting to see in Carpenter is whether more justices lend their voices to the Alito or Sotomayor position, and whether the replacement of Justice Scalia with Justice Gorsuch unsettles the Court’s fealty to originalism.

Read the article at pp. 5-6 of the fall 2017 newsletter of the Privacy, Cybersecurity & Digital Rights Committee of the Section of International Law of the American Bar Association, available here in PDF. 

Intimate large parties and the duty to protect privacy

I had to take a blog break over the holidays in order to get a hefty book read and to write a review of it.  I’ll post on that when it comes closer to publication.  Meanwhile, my, how the world has changed!  Let me kick off the new year with a look at some related developments in privacy law.

As Marion Oswald of the University of Winchester wrote recently for the journal of Information Communication & Technology Law (open source), to paraphrase, privacy ain’t what it used to be.  Oswald opened with a quote from The Great Gatsby, so it goes without saying that that needs to be reiterated here.  She wrote,

At one of the Great Gatsby’s spectacular parties, the golf champion Jordan Baker remarked to Nick Carraway that she likes large parties: “They’re so intimate. At small parties there isn’t any privacy.”

From that paradox, Oswald builds the case that privacy must be redefined to protect individuals in the digital world.  She observes the inadequacy of the “reasonable expectation of privacy” (REP) test—the U.S. Fourth Amendment standard—given the objective test’s tendency to drive itself to extinction in a world of objectively diminishing privacy.  Kade Crockford with the ACLU of Massachusetts articulates this point brilliantly in her lectures.  Oswald is not the first to reach her conclusion, but she does so compellingly.

Two recent cases, from Pennsylvania and Massachusetts, reached different conclusions on the question of a corporate defendant’s duty to safeguard private data.  The cases show the struggle under way in U.S. courts to do just what Oswald proposed—to redefine privacy in the digital age.  The United States is increasingly at odds with Europe, and for that matter the rest of the world, on this question.  Heralded as a modern human right in Europe, data protection is a burgeoning global legal field—and corporate obligation.

Duty

First, a quick primer on duty in U.S. tort law.

Tort law in the United States usually provides for a “duty” by “default” in negligence—that is, all persons owe to all other a persons a duty to exercise reasonable care (or not to act negligently), to avert harm to all others.  But the default rule of duty is subject to some important limitations.   

One limitation is the economic loss rule, which circumscribes negligence liability.  The rule precludes a plaintiff’s action for nonphysical, economic injury alone.  There are plenty of exceptions to the rule, and some scholars even think it’s not really a rule at all.  For example, negligent misrepresentation, which is like fraud but without intent, can be supported by economic loss within the context and expectations of a business relationship.

Defamation and privacy torts can generate what looks like economic injury, but really are animated by their own, sui generis classes of damages to reputation and personality.  U.S. privacy torts push in the European direction, but generally do not protect data voluntarily disclosed to third parties, such as employers and banks—a relation of the REP problem.  That means no protection in privacy torts for financial data, even though it’s the stuff of identity theft.

The other limitation on duty by default is that U.S. law imposes no affirmative duty to protect, or to render aid.  This rule, too, is subject to many exceptions, such as a parent’s duty to protect a child, contractual and statutory duties to protect, and a duty not to abandon a rescue undertaken.

Here like in privacy law, European legal codes diverge from U.S. common law with a greater willingness to impose affirmative duty.  In the United States, the affirmative-duty limitation also can relieve a corporate entity of a duty to safeguard data when the injury to the plaintiff is caused much more immediately by an intervening bad actor, such as the hacker or identity thief.  (The problem in proximate causation is integrally related.)

So on to the cases.  Remember, "[i]t takes two to make an accident."

Pennsylvania

A January 12 Pennsylvania court decision, Dittman v. UPMC (Leagle) held that an employer had no duty to safeguard employees’ private information on a workplace computer.  (Hat tip to Richard Borden at Robinson + Cole.)  University of Pittsburgh Medical Center (UPMC) employees numbering 62,000 alleged disclosure of personal information in a data breach, resulting in the theft of identities and of tax refunds.

The court applied a five-factor test for duty: 

1. the relationship between the parties;

2. the social utility of the actor's conduct;

3. the nature of the risk imposed and foreseeability of the harm incurred;

4. the consequences of imposing a duty upon the actor; and,

5. the overall public interest in the proposed solution.

UPMC prevailed in common pleas and superior courts, the latter 2-1, arguing that it owed no duty to protect the plaintiff’s interests.  On the affirmative duty question, the court pointed to attenuated causation and professed willingness to defer to the state legislature.  As summarized by Brian J.Willett for the Reed Smith Technology Law Dispatch: 

The Superior Court observed that the social utility of electronic information storage is high, and while harm from data breaches is foreseeable, an intervening third party stealing data is a superseding cause.

Additionally, the Court explained that a judicially created duty of care would be unnecessary to motivate employers to protect employee information, as “there are still statutes and safeguards in place to prevent employers from disclosing confidential information” in addition to business considerations.

Finally, the Court agreed with the trial court’s conclusion that creating a duty in this context would not serve the public interest; rather, it would interrupt the deliberative legislative process and expend judicial resources needlessly.

The court then bolstered its conclusion by pointing to the economic loss rule as well. 

Massachusetts

Just before the holiday break in December, a Massachusetts Appeals Court also decided a case in which the plaintiff alleged an employer’s negligence in safeguarding private data—though the plaintiff was a client of the employer rather than an employee.

The facts recited by the court in Adams v. Congress Auto Insurance Agency, Inc. (Justia), have the makings of a docudrama.  According to the court, Thomas was fleeing police at high speed when he crashed his car into Adams's.  Thomas was driving the car of his girlfriend, Burgos, so Adams claimed against Burgos’s auto insurance.  Meanwhile Burgos was both customer and customer service manager of defendant insurance agency Congress.  She reported her car stolen and filed her own insurance claim. 

Adams could identify Thomas.  So Burgos used her computer access at work to identify Adams and passed his identity to Thomas.  Thomas then phoned Adams, impersonated a state police officer, and threatened Adams: “‘Shut the F up and get your car fixed or you will have issues,’” the court purported to quote.  Though I bet Thomas didn’t say just “F.”

Adams sued Congress on multiple theories, including negligent failure to safeguard private data.  At the trial level, according to the appeals court, “the motion judge . . . rul[ed] that expert testimony was required to establish whether the agency owed a duty to Adams to safeguard his personal information, what that duty entailed, and whether the agency breached that duty.”

It’s odd that the motions judge sought expert testimony, because, as the appeals court aptly observed, duty is unique among the four elements of negligence—duty, breach, proximate cause, and injury—for being purely a question of law, guided by public policy.  Courts do not ordinarily hear expert testimony on what the law is.  The theory goes that figuring that out is the judge’s main job.  (Too bad, or being a law professor would be more lucrative.  I was gently tossed from the witness stand once when a lawyer made a valiant but futile attempt to squeeze me past the rule.)

Unlike the Pennsylvania Superior Court, the Massachusetts Appellate Court found its way to a legal duty.  The court held “that the agency had a legal duty to Adams, a member of a large but clearly defined class of third parties, to prevent its employee’s foreseeable misuse of the information that Adams provided to process his automobile insurance claim.”  Where the Pennsylvania court had pointed to statute to justify judicial restraint, the Massachusetts court pointed to state data breach law to show that the legislature had green-lighted legal duty (albeit "a single green light, minute and far away").

“Just as those with physical keys to the homes of others have a duty of reasonable care to preserve their security,” the Massachusetts court reasoned, “companies whose employees have access to the confidential data of others have a duty to take reasonable measures to protect against the misuse of that data.”  Indeed, the court cited a keys case as applicable precedent.  The court made no fuss over the rule of affirmative duty or the rule of economic loss.  In a discussion of causation, the court seemed content to resort to foreseeability on the facts.

Summary judgment for defendant Congress was vacated, and the case was remanded for trial.

Conclusion

Advocates who wish to block European-style data protection in the United States use the availability of state tort law remedies as one tool in the toolbox to argue that U.S. law already sufficiently safeguards personal data from both sides of the Atlantic.  That’s not true.  Not yet.

Data protection in the United States is confounded by the rules of affirmative duty and economic loss.  And that’s not bad; those rules exist for sound public policy reasons.  They also are excepted for sound reasons.

I’ve written before (e.g., here and here) that popular thinking and expectations with respect to individual privacy are converging in the United States and Europe, even if a legal bridge lags behind.  Common law negligence can be a vital building block of that bridge.  But it’s a work in progress.

“‘Don’t believe everything you hear, Nick.’”