Tuesday, December 11, 2018
Frohe Weihnachten
Image posted by u/ManCrisp to Reddit, Dec. 6, 2018. Republished with permission; all rights reserved. Hat tip @StevenZoni.
Monday, November 26, 2018
CFP: UMass Law Review calls for papers, presentations in law and media
The UMass Law Review has issued the following call for papers. Download the call in PDF here, and please share it with any interested scholarly communities.
UNIVERSITY OF MASSACHUSETTS LAW REVIEW
CALL FOR SYMPOSIUM PAPERS AND PRESENTATIONS
November 14, 2018
We are pleased to announce the 2019 UMass Law Review Roundtable Symposium, currently titled “Law and Media.” In the age where the 24/7 news cycle and social media have impacted current politics and where data protection, personal branding, and technology have affected entertainment and media as well as the rule of law, an investigation of the relationship between law and the media of our current times is timely and warranted. Accordingly, the UMass Law Review seeks thoughtful, insightful, and original presentations relating to the impact of the law on media as well as the impact of media on the law.
Interested participants should submit a 500-word abstract to cshannon@umassd.edu, with “Attn: Conference Editor – Symposium Submission” in the subject line by December 31st, 2018 for consideration. Selected participants will be notified by the end of January and invited to present their work at the 2019 UMass Law Review Symposium taking place in late March of 2019. Selected participants may also submit a scholarly work for potential publication in the 2019-2020 UMass Law Review Journal. If you have questions about submissions or the Symposium, please contact our Business/Conference Editor, Casey Shannon or Editor-In-Chief, Kayla Venckauskas (kvenckauskas@umassd.edu). We thank you in advance for your submission.
Sincerely,
Kayla Venckauskas
Editor-in-Chief
Casey Shannon
Business/Conference Editor
Tuesday, April 24, 2018
Revenge porn law can survive First Amendment scrutiny by requiring 'actual malice'
Last week a Tyler, Texas, appellate court struck the state’s
criminal revenge porn law as fatally overbroad, so facially unconstitutional,
under the First Amendment to the federal Constitution. The ruling garnered headlines heralding the
unconstitutionality of revenge porn law, which could have big implications in privacy
law and policy nationwide—even ramifications
for U.S. foreign relations.
However, the
court’s ruling was not so broad as headlines have suggested. In fact, the court gave wise and constructive
feedback on what a revenge porn law needs to look like to pass constitutional
muster—which it can. It seems in the end
that the Texas law was just not well drafted.
Accordingly, the revenge porn laws that have proliferated in the United
States, now in 38 states (collected at Cyber Civil Rights
Initiative), should be scrutinized and, if necessary, corrected. (Constitutional problems with Vermont and Arizona
laws were mentioned just today by the U.K. Register,
here.)
The Texas case, Ex
parte Jones,
No. 12-17-00346 (Tex. Ct. App. Apr. 18, 2018), involved a criminal
information against Jones under Texas Penal
Code section 21.16(b), which criminalizes the “unlawful disclosure of
intimate visual materials.” The statute
reads:
A person commits an offense if:
(1) without the effective consent of the depicted person, the person intentionally discloses visual material depicting another person with the person’s intimate parts exposed or engaged in sexual conduct;
(2) the visual material was obtained by the person or created under circumstances in which the depicted person had a reasonable expectation that the visual material would remain private;
(3) the disclosure of the visual material causes harm to the depicted person; and
(4) the disclosure of the visual material reveals the identity of the depicted person in any manner[.]
The statute, section
21.16(a), furthermore defines “visual material” broadly (“any film,
photograph, videotape, negative, or slide or any photographic reproduction that
contains or incorporates in any manner any film, photograph, videotape,
negative, or slide,” as well as electronic transmission) and “intimate parts”
specifically (“the naked genitals, pubic area, anus, buttocks, or female
nipple of a person”).
The court’s First Amendment analysis was sound. The court applied de novo review to test the constitutionality of a criminal
statute. The court rejected a narrow
construction that would confine the law to mere obscenity, as stringently
defined by federal precedent. Because
the statute is then a content-based restriction of expressive content, the
court charged the government with the burden of rebutting presumptive
unconstitutionality. The State conceded at
oral argument that the law must survive strict scrutiny, i.e., advance a compelling
state interest and be narrowly tailored to do so. Intimate privacy passes muster on the first
prong, but the statute facially fails narrow tailoring. The court acknowledged that overbreadth
doctrine is “strong medicine”; nevertheless, the statute could not measure up.
The court illustrated the statute’s fatal flaw with a
hypothetical, unattributed so presumably original, that seems drawn from a law school or bar exam:
“Adam and Barbara are in a committed relationship. One evening, in their home, during a moment of passion, Adam asks Barbara if he can take a nude photograph of her. Barbara consents, but before Adam takes the picture, she tells him that he must not show the photograph to anyone else. Adam promises that he will never show the picture to another living soul, and takes a photograph of Barbara in front of a plain, white background with her breasts exposed.
“A few months pass, and Adam and Barbara break up after Adam discovers that Barbara has had an affair. A few weeks later, Adam rediscovers the topless photo he took of Barbara. Feeling angry and betrayed, Adam emails the photo without comment to several of his friends, including Charlie. Charlie never had met Barbara and, therefore, does not recognize her. But he likes the photograph and forwards the email without comment to some of his friends, one of whom, unbeknownst to Charlie, is Barbara’s coworker, Donna. Donna recognizes Barbara and shows the picture to Barbara’s supervisor, who terminates Barbara’s employment.”
“In this scenario,” the court observed, “Adam can be charged
under Section 21.16(b), but so can Charlie and Donna.”
Therein lies the problem: not necessarily as applied to
Adam, but as applied to Charlie and Donna, who are ignorant of the
circumstances under which the photo came to be.
Certainly Charlie, who received the photo from Adam “without comment,”
might as well believe that Adam ripped the photo of a stranger from a
pornographic website. However indecent
the photo, both Charlie and Donna have a First Amendment right to communicate
the photo “downstream.” Yet without
Barbara’s consent, Charlie and Donna run afoul of the revenge porn law. Given the ease with which persons can share
visual images in the age of electronic and online communication, the court
found “alarming breadth” in this potential criminalization of expression. In First Amendment overbreadth doctrine, a facially
overbroad criminal law must be ruled unconstitutional even if it might be
constitutional as applied to the defendant before the court.
The court distilled the law’s flaws in two dimensions
related to culpability. Typical of a
criminal prohibition, the statute requires intent. But intent pertains only to the republication
of the image. The statute does not
require that the actor have “knowledge or reason to know the circumstances surrounding
the material’s creation, under which the depicted person’s reasonable
expectation of privacy arose.” Second, the
statute does not require “intent to harm the depicted person,” or even
knowledge “of the depicted person’s identity.”
Borrowing the language of civil law (meaning common law tort), one would
say that the statute requires volitional intent, but not intent to commit a wrong
or to cause an injury.
The requisite intent to survive constitutional challenge may
be likened to “actual malice,” which is used in both civil and criminal
defamation law to describe “knowledge of falsity or reckless disregard of truth
or falsity.” In the context of revenge
porn, a constitutional law might require “actual knowledge of the depicted
person’s reasonable and continuing expectation of privacy in the image, or
reckless disregard of same.” If Charlie
knew the identity of Barbara, and so might infer the circumstances
under which the photo had been taken, then the State might at least allege
recklessness. Donna, who did know
Barbara’s identity, might be charged.
But she should be entitled to defend upon a qualified privilege,
borrowed again from common law defamation, to share information in the interest
of a recipient or third party when the defendant should disclose according to
general standards of decency. A
corrected statute would hold Adam accountable without a constitutional problem.
Also just last week, the Rhode Island legislature (my home
state) passed a revenge porn bill (2018-H
7452A) that has the support of Governor Gina Raimondo (AP). Raimondo vetoed a revenge porn bill in 2016, objecting
on free speech grounds (Providence
Journal). Her position now is
bolstered by the Texas decision in Jones. Beefing up the intent requirement is precisely
one of the R.I. legislative fixes that brought the latest bill to
fruition. The Rhode Island bill requires
that the defendant intentionally disseminated, published, or sold “[w]ith
knowledge or with reckless disregard for the likelihood that the depicted
person will suffer harm, or with the intent to harass, intimidate, threaten or
coerce the depicted person.”
I still have qualms about the “reasonable
expectation of privacy” (REP) standard—which is drawn from Fourth Amendment
jurisprudence as a bulwark against improper state
action—being extended into the realm of private criminal or civil
liability. REP is potentially much
broader than the intimate-depiction definitions of revenge porn laws. And criminalization and civil liability are not the same. Even though criminal defamation is constitutional when qualified by actual malice, contemporary human rights norms discourage the criminalization of expression at all.
At the same time, I have argued in favor of evolving U.S.
law to recognize downstream control of private information, in consonance with both
American values in the information age and emerging global legal norms. Revenge porn laws—as against Adam, to the
exclusion of Charlie and Donna—are a modest step in that direction, which European observers will welcome of
us. We will have to remain vigilant to continue
to protect freedom of expression in tandem with expanding privacy rights,
especially in a time in which the latter at the expense of the former is the
fashion. Conscientious actors such as the Jones panel (Worthen, C.J., and Hoyle and Neeley, JJ.) and Governor Raimondo are
doing well, so far.
Saturday, April 7, 2018
Popular singer's 'right to be forgotten' outweighs free speech in Italian case over archival video and biting commentary
Because Manchester City FC might need it after today's derby match, let's consider the right to be forgotten.
As an aspect of European, and increasingly global, data protection law, "the right to be forgotten," or right to erasure, unsettles the tummies of American media advocates. The right to erasure runs up against the presumptive rule of U.S. First Amendment law that there can be no punishment for the republication of truthful information lawfully obtained. Read more about that here (predating implementation of the EU General Data Protection Regulation). The Italian Court of Cassation has issued a potentially important decision at the intersection of the right to erasure and the freedom of expression.
Hat tip @TheItalianLawJournal. For a few months to come, or until a better translation comes to light, I'm parking a very rough Google Translate rendition of the ruling here in PDF. The translations that follow here are mine, refining the Google Translate rendering. The original court decision can be found here.
The case stemmed from a TMZ-style confrontation by an RAI-1 "Live Life" («La vita in diretta») crew of Italian singer Antonello Venditti (Facebook) in 2000. I've not seen the video, but Venditti apparently resisted the interrogators with sufficient gruffness that he earned his way onto the program's 2005 "ranking of the most obnoxious and grumpy characters in the entertainment world." The story occasioned rebroadcast of the 2000 segment, along with commentary mocking his diminished fame in the intervening years. Antonello took offense and sued, claiming "a right to be forgotten" attached to the 2000 video.
Antonello Venditti by Angela_Anji (CC BY-NC-SA 2.0)
Of peculiar resonance with current events in the United States, the Italian court took note of a German right-to-erasure case about "an affair in which a German citizen, who held a major political and business position in Germany, had requested the erasure of information from the web relating to an episode of collusion with Russian crime dating back several years earlier, republished several years after." The Court of Justice of the EU ruled that "the public's interest in information prevailed over the individual's interest in oblivion." However, the Italian court observed, the ruling resulted from a fact-intensive inquiry.
The court must engage with "the search for the right balance between the interest of Internet users in information and the fundamental rights of the person," the Italian court explained. "Therefore, the editor of a newspaper that stores in its historical archive on the internet the news, making it available to a potentially unlimited number of people, is required to prevent, through the dissemination of even remote facts, without any meaningful and current public interest, possible harm to the right to be forgotten by the people who were involved."
The freedom of expression must yield to the right to erasure, the court held, upon analysis according to five factors:
- the contribution made by the dissemination of the image or of the news to a matter of public interest;
- the actual and current interest in the dissemination of the image or news (for reasons of justice, police, or protection of the rights and liberties of others, or for scientific, educational, or cultural purposes), to be considered absent in case of prevalence of a popular interest [italics added; in original, divulgativo: I'm not sure how to translate that and don't think "popular" or "informed" is right], or, worse, merely economic or commercial interest of the subject that spreads the news or the image;
- the high degree of notoriety of the subject represented, for the economic or political reality of the country;
- the methods used, for the particular position held in public life, and, in particular, to obtain and give information, which must be truthful (because it is drawn from reliable sources, and with a diligent research work), disseminated in ways that are not excessive for information purposes, in the interest of the public, and free from insinuations or personal considerations, so as to highlight an exclusive objective interest in the new dissemination;
- the preventive information about the publication or transmission of the news or image at a distance of time, in order to allow the interested party the right of reply before its disclosure to the general public.
The court also rejected "satire" as a defense. The representation of Antonello was not "paradoxical, surreal and hyperbolic critique," but referred to "true fact," "clearly directed to a mere and unjustified denigration of the artist." The broadcaster sought to use the 2000 video to represent Antonello in 2005 as "a singer, for years, in decline."
This case is the very stuff of American media advocates' nightmares. Newspapers decry the right to erasure as a threat to online archives—though representations in archives, as archives, are readily factually distinguishable from the Antonello case. The more realistic threat would be to the "TMZ"/"Talk Soup" format of entertainment media, or even the clever uses of archival video that have become the staple of commentary on The Daily Show with Trevor Noah and Last Week with John Oliver. Certainly under a rule such as the Italian court employed, broadcasters, even straight news broadcasters, would have to take more care with their use of B roll.
I've advocated in favor of evolving U.S. privacy law toward European data protection norms. But the Italian court went too far here, lending credence to American nay-saying. I fault the court's analysis of Antonello as, in U.S. terms, a "private figure." The lower court got it right in finding Antonello's public status dispositive relative to this RAI commentary. It's especially telling and troubling that as to the satire argument—the RAI program seems on the mild side of the Talk Soup genre—the court faulted RAI commenters for the truth in their observation of Antonello's waning fame. The court set up the Italian judiciary to be a "super editor" of popular media, an arbiter of taste. American courts appropriately struggle with newsworthiness determinations in privacy law because they do not want that job.
Thursday, April 5, 2018
SCOTUS 'Microsoft' privacy case likely moot, R+C blog reports
It looks like we won't get an answer from the U.S. Supreme Court in the Microsoft privacy case. For the Data + Privacy Security Insider at Robinson + Cole, Kathleen Porter and Connor Duffy report that the Government and Microsoft agree that the case was mooted by the CLOUD Act, signed into law in March as part of omnibus spending legislation.
The CLOUD Act gives the Government the authority to compel Microsoft to produce the sought-after data, whether stored at home or abroad, and the Government already has attained a warrant under the new law. Microsoft's reported statement indicates that the company's position was exonerated insofar as it maintained that the legislature was the appropriate branch of government in which to resolve the matter.
I wrote about Microsoft and the pending Carpenter case for the winter 2017 newsletter of the Privacy, Cybersecurity & Digital Rights Committee of the ABA Section of International Law (published just last month, March 2018).
Wednesday, January 31, 2018
Brief argues public interest in social science research, FOI, while managing privacy risk
Introduction
The public good often depends on social science research that employs personal data. Volumes of scientific breakthroughs based on data accumulated through access to public information demonstrate the importance and feasibility of enabling research in the public interest while still respecting data privacy. For decades, reliable and routine technical methods have ensured protection for personal privacy by de-identifying personal data.
Social science research into legal education and admission to the bar is presently a matter of urgent public interest and importance, requiring solid empirical analysis of anonymized personal data that government authorities possess. Social science research of the very kind proposed by Appellants Sander and The First Amendment Coalition represents standard, indeed commonplace, research practice furthering the public interest, while employing established methodologies that minimize the risk to privacy.
Friday, November 24, 2017
Fourth Amendment privacy case, set for oral argument Nov. 29, touches on US-EU data protection divide
I've published a short preview of Carpenter v. United States, 819 F.3d 880 (6th Cir. 2016), cert. granted, No. 16-402 (U.S. June 5, 2017) (SCOTUSblog), a Stored Communications Act, 18 U.S.C. § 2703(d), case set for oral argument in the U.S. Supreme Court on Wednesday, November 29. Here's an excerpt; link below to the full article and the ABA publication in which it appears.
U.S. Supreme Court accepts cell phone privacy case with transnational implications
A privacy case headed to the U.S. Supreme Court will give justices an opportunity to examine “the third-party doctrine” in U.S. constitutional law. The doctrine manifests a central feature of American privacy policy, marking a divide that has flummoxed transnational data transfer negotiators.
* * *
The urgent problem on the transnational scene is that the secrecy paradigm is incompatible with emerging global privacy norms. In EU data protection, for example, privacy follows data downstream. A person can divulge information with strings attached, and the strings are enforceable against subsequent recipients, such as Internet retailers. Even in public places, a data collector, such as a surveillance camera owner, has affirmative obligations to captured subjects. This incompatibility goes a long way to explain the incongruence of European apoplexy and American nonchalance in reaction to global surveillance by the U.S. National Security Agency.
* * *
However suspenseful, Carpenter proffers bad facts to kill the third-party doctrine outright. As the Sixth Circuit observed, ordinary people know that cell phones communicate with nearby towers, and their location data are not as damningly precise as GPS. The privacy intrusion was therefore modest, and statute afforded some safeguard. What will be interesting to see in Carpenter is whether more justices lend their voices to the Alito or Sotomayor position, and whether the replacement of Justice Scalia with Justice Gorsuch unsettles the Court’s fealty to originalism.
Read the article at pp. 5-6 of the fall 2017 newsletter of the Privacy, Cybersecurity & Digital Rights Committee of the Section of International Law of the American Bar Association, available here in PDF.
Tuesday, January 24, 2017
Intimate large parties and the duty to protect privacy
I had to take a blog break over the holidays in order to get a hefty book read and
to write a review of it. I’ll post on that when it
comes closer to publication. Meanwhile,
my, how the world has changed! Let me kick
off the new year with a look at some related developments in privacy law.
As Marion Oswald of the University of Winchester wrote recently
for the journal of Information Communication
& Technology Law (open source), to paraphrase, privacy ain’t what it used to be. Oswald opened with a quote from The Great Gatsby, so it goes without
saying that that needs to be reiterated here.
She wrote,
At one of the Great Gatsby’s spectacular parties, the golf champion Jordan Baker remarked to Nick Carraway that she likes large parties: “They’re so intimate. At small parties there isn’t any privacy.”
From that paradox, Oswald builds the case that privacy must
be redefined to protect individuals in the digital world. She observes the inadequacy of the “reasonable
expectation of privacy” (REP) test—the U.S. Fourth Amendment standard—given the
objective test’s tendency to drive itself to extinction in a world of
objectively diminishing privacy. Kade Crockford with the ACLU of Massachusetts articulates this point brilliantly in her lectures. Oswald is not the first to reach
her conclusion, but she does so compellingly.
Two recent cases, from Pennsylvania and Massachusetts,
reached different conclusions on the question of a corporate defendant’s duty to safeguard private data. The cases show the struggle under way in U.S.
courts to do just what Oswald proposed—to redefine privacy in the digital
age. The United States is increasingly
at odds with Europe, and for that matter the rest of the world, on this
question. Heralded as a modern human right in Europe, data protection is a burgeoning
global legal field—and corporate obligation.
Tort law in the United States usually provides for a “duty”
by “default” in negligence—that is, all persons owe to all other persons
a duty to exercise reasonable care (or not to act negligently), to avert harm to
all others. But the default rule of duty
is subject to some important limitations.
One limitation is the economic loss rule, which circumscribes negligence
liability. The rule precludes a plaintiff’s action
for nonphysical, economic injury alone. There
are plenty of exceptions to the rule, and some scholars even think it’s not
really a rule at all. For example, negligent
misrepresentation, which is like fraud but without intent, can be supported by economic
loss within the context and expectations of a business relationship.
Defamation and privacy torts can generate what looks like economic injury, but really are animated by their own, sui generis classes of damages to reputation and personality. U.S. privacy torts push in the European direction, but generally do not protect data voluntarily disclosed to third parties, such as employers and banks—a relation of the REP problem. That means no protection in privacy torts for financial data, even though it’s the stuff of identity theft.
The other limitation on duty by default is that U.S. law
imposes no affirmative duty to protect, or to render aid. This rule, too, is subject to many
exceptions, such as a parent’s duty to protect a child, contractual and
statutory duties to protect, and a duty not to abandon a rescue undertaken.
Here, as in privacy law, European legal codes diverge from U.S. common law with a greater willingness to impose affirmative duty. In the United States, the affirmative-duty limitation also can relieve a corporate entity of a duty to safeguard data when the injury to the plaintiff is caused much more immediately by an intervening bad actor, such as the hacker or identity thief. (The problem in proximate causation is integrally related.)
So on to the cases. Remember, "[i]t takes two to make an accident."
Pennsylvania
A January 12 Pennsylvania court decision, Dittman v. UPMC (Leagle) held that an employer had no duty to safeguard employees’ private information on a workplace computer. (Hat tip to Richard Borden at Robinson + Cole.) University of Pittsburgh Medical Center (UPMC) employees numbering 62,000 alleged disclosure of personal information in a data breach, resulting in the theft of identities and of tax refunds.
The court applied a five-factor test for duty:
1. the relationship between the parties;
2. the social utility of the actor's conduct;
3. the nature of the risk imposed and foreseeability of the harm incurred;
4. the consequences of imposing a duty upon the actor; and,
5. the overall public interest in the proposed solution.
UPMC prevailed in common pleas and superior courts, the
latter 2-1, arguing that it owed no duty to protect the plaintiff’s interests. On the affirmative duty question, the court
pointed to attenuated causation and professed willingness to defer to the state
legislature. As summarized by Brian J. Willett for the Reed Smith Technology Law Dispatch:
The Superior Court observed that the social utility of electronic information storage is high, and while harm from data breaches is foreseeable, an intervening third party stealing data is a superseding cause.
Additionally, the Court explained that a judicially created duty of care would be unnecessary to motivate employers to protect employee information, as “there are still statutes and safeguards in place to prevent employers from disclosing confidential information” in addition to business considerations.
Finally, the Court agreed with the trial court’s conclusion that creating a duty in this context would not serve the public interest; rather, it would interrupt the deliberative legislative process and expend judicial resources needlessly.
The court then bolstered its conclusion by pointing to the
economic loss rule as well.
Massachusetts
Just before the holiday break in December, a Massachusetts Appeals Court also decided a case in which the plaintiff alleged an employer’s negligence in safeguarding private data—though the plaintiff was a client of the employer rather than an employee.
The facts recited by the court in Adams v. Congress Auto Insurance Agency, Inc. (Justia), have the makings of
a docudrama. According to the court, Thomas
was fleeing police at high speed when he crashed his car into Adams's. Thomas was driving the car of his
girlfriend, Burgos, so Adams claimed against Burgos’s auto insurance. Meanwhile Burgos was both customer and customer
service manager of defendant insurance agency Congress. She reported her car stolen and filed her own
insurance claim.
Adams could identify Thomas. So Burgos used her computer access at work to identify Adams and passed his identity to Thomas. Thomas then phoned Adams, impersonated a state police officer, and threatened Adams: “‘Shut the F up and get your car fixed or you will have issues,’” the court purported to quote. Though I bet Thomas didn’t say just “F.”
Adams sued Congress on multiple theories, including
negligent failure to safeguard private data. At the trial level, according to the appeals court, “the motion
judge . . . rul[ed] that expert testimony was required to establish
whether the agency owed a duty to Adams to safeguard his personal information,
what that duty entailed, and whether the agency breached that duty.”
It’s odd that the motions judge sought expert
testimony, because, as the appeals court aptly observed, duty is unique among the
four elements of negligence—duty, breach, proximate cause, and injury—for being
purely a question of law, guided by public policy. Courts do not ordinarily hear expert
testimony on what the law is. The theory
goes that figuring that out is the judge’s main job. (Too bad, or being a law professor would be more
lucrative. I was gently tossed from the
witness stand once when a lawyer made a valiant but futile attempt to squeeze
me past the rule.)
Unlike the Pennsylvania Superior Court, the Massachusetts
Appellate Court found its way to a legal duty.
The court held “that the agency had a legal duty to Adams, a member of a
large but clearly defined class of third parties, to prevent its employee’s
foreseeable misuse of the information that Adams provided to process his
automobile insurance claim.” Where the
Pennsylvania court had pointed to statute to justify judicial restraint, the
Massachusetts court pointed to state data breach law to show that the legislature
had green-lighted legal duty (albeit "a single green light, minute and far away").
“Just as those with physical keys to the homes of others
have a duty of reasonable care to preserve their security,” the Massachusetts
court reasoned, “companies whose employees have access to the confidential data
of others have a duty to take reasonable measures to protect against the misuse
of that data.” Indeed, the court cited a
keys case as applicable precedent. The
court made no fuss over the rule of affirmative duty or the rule of economic
loss. In a discussion of causation, the
court seemed content to resort to foreseeability on the facts.
Summary judgment for defendant Congress was vacated, and the
case was remanded for trial.
Conclusion
Advocates who wish to block European-style data protection in the United States use the availability of state tort law remedies as one tool in the toolbox to argue that U.S. law already sufficiently safeguards personal data from both sides of the Atlantic. That’s not true. Not yet.
Data protection in the United States is confounded by the
rules of affirmative duty and economic loss.
And that’s not bad; those rules exist for sound public policy reasons. They also are excepted for sound reasons.
I’ve written before (e.g., here and here) that popular thinking and expectations
with respect to individual privacy are converging in the United States and
Europe, even if a legal bridge lags behind.
Common law negligence can be a vital building block of that bridge. But it’s a work in progress.
“‘Don’t believe everything you hear, Nick.’”