First Amendment advocate counsels caution, but doesn't rebuff, American right to be forgotten

Gene Policinski, Freedom Forum Senior Fellow for the First Amendment, published an op-ed last week for the "First Five" blog in which he counseled caution, but did not gainsay, newsroom "fresh start," or "right to be forgotten" (RTBF), programs.

Motivated in part by European notions of personal data protection, or informational privacy, especially RTBF, fresh start programs give persons covered in past news an opportunity to apply for the erasure of their coverage from online archives.  For NPR in February, David Folkenflik and Claire Miller reported on trending fresh start programs at major U.S. news outlets, such as The Boston Globe, "Revisiting the Past for a Better Future."  The NPR stories observed that these programs have come about in part because of European legal norms, even for newspapers beyond the reach of European legal jurisdiction.

In 2013, I wrote in a law review article that Americans' expectations of privacy, including RTBF, are in fact consonant with evolving European norms, but American law has been slow to keep pace.  The twin notions of finite punishment for past wrongs and of a second chance for persons who have paid their dues are quintessentially American, I wrote in a Washington Post op-ed in 2014.  Those values are reflected, for example, in Eighth Amendment jurisprudence and the Ban the Box campaign.

A prohibitive challenge to RTBF norms in the United States has been the First Amendment, which generally prohibits regulation of the republication of lawfully obtained and truthful information.  Sometimes for better and sometimes for worse, the free-speech absolutist bent of the First Amendment contrasts with a more flexible European approach to rights balancing.  Nothing about the First Amendment, however, precludes a private journalistic enterprise, such as the Globe, from erasing content voluntarily.

Like RTBF itself, fresh start programs have been criticized by free speech and mass communication scholars.  They remind us that journalism is the "first rough draft of history."  Tinkering with archives therefore vests private actors with a weighty, not to mention expensive, responsibility on behalf of the public.  Fresh start advocates point out that this work is not dissimilar to the exercise of news judgment in the first instance.  But the perspective problem is not eliminated by time.  There is no way to be sure that our present-day second-guessing of the historical record is more fair and objective than the original judgment, nor sufficiently preservationist for the future.

Old Slave Mart Museum, Charleston, S.C.
(RJ Peltz-Steele CC BY-NC-SA 4.0)

Just last week, I visited the Old Slave Mart Museum and other historical sites in Charleston, S.C.  To my eyes, the casual treatment of persons as property in the content of news media in times of slavery, as well as racism evident in later media during Jim Crow, is evidence of horrific injustice and a powerful reminder not to take for granted that one's present vision is free of bias.  What if that record had been erased, rather than preserved?  Could Henry Louis Gates Jr.'s "Finding Your Roots" have identified Ben Affleck's slave-owning ancestor (NPR) if history were redacted?

At the same time, I am an advocate for RTBF in some form, just as I support Ban the Box.  I am devoted to the First Amendment.  But digital media, that is, an internet that "never forgets," confronts our society with a new and qualitatively different challenge from any we have faced before.  Viktor Mayer-Schönberger well described in his 2011 book, Delete: The Virtue of Forgetting in the Digital Age, how forgetting, in addition to remembering, is an essential and well evolved part of human social culture.  A failure to forget is an existential threat.

Journalist and academic Deborah L. Dwyer has developed a useful and thought-provoking set of fresh start resources for journalists at her website, Unpublishing the News, cited by Policisnki.  I don't pretend to know whether fresh start, or European RTBF, or some other approach is the best solution, nor whether any of these models will stand the test of time.  I do believe that feeling our way forward is fascinating and necessary.

The op-ed is Gene Policinski, Perspective: News Outlets Need Caution in Offering a "Fresh Start," Freedom Forum (May 26, 2021).

Facebook shields records from Mass. AG inquiry

The Massachusetts Supreme Judicial Court today ruled on efforts by Facebook to resist disclosures arising from an internal investigation into application development.  The disclosures are sought by the commonwealth attorney general, which is investigating allegations of consumer data misuse.

AG Healey
(Zgreenblatt CC BY-SA 3.0)

The court's ruling is mixed, but, overall, Facebook gained ground.  The court allowed Facebook more latitude than it won in the lower court to resist disclosure on grounds of attorney work product.  On remand, the lower court will have to scrutinize the records to separate attorney opinion, which is protected, from mere facts, which are not.  The SJC agreed with the lower court that one set of records was within attorney-client privilege, and Facebook will have to produce a privilege log.

Facebook seems to be taking seriously the investigation by the office of Attorney General Maura Healey, and it should.  The company hired fixer-firm Gibson Dunn to handle its internal investigation and is represented by Wilmer Hale in the Massachusetts investigation.  Massachusetts data protection regulation is antiquated relative to the latest generation of regulations in Europe and California, but the law has been on the books for more than a decade.  The AG was represented in the SJC by attorney Sara Cable, whose appointment last year as the office's first chief of data privacy and security signaled an intent to ramp up data protection.  Massachusetts consumer protection law, "93A," the basis of the AG investigation here, is famously expansive, often displacing common law tort in private enforcement and affording generous damages.

Justice Scott Kafker wrote the lengthy opinion for the court in Attorney General v. Facebook, No. SJC-12946 (Mass. Mar. 24, 2021).  Justice Kafker is on a tear of late, having written the court's opinion in a sea change in tort law in late February and the court's unanimous ruling against Gordon College in a First Amendment religious freedom case on March 5.

UK court: Long arm of GDPR can't reach California*

Image my composite of Atlantic Ocean by Tentotwo CC BY-SA 3.0

and "hand reach" from Pixabay by ArtsyBee, licensed

*[UPDATE, Jan. 30, 2022:] On December 21, 2021, the Court of Appeal allowed service on U.S. defendants without ultimately resolving the GDPR territorial scope question.  Read more from Paul Kavanaugh, Dylan Balbirnie, and Madeleine White at Dechert LLP.]

A High Court ruling in England limited the long-arm reach of European (now British) privacy law in a suite of tort claims against Forensic News, a California-based web enterprise doing "modern investigative journalism."

The complainant is a security consultant investigated by Forensic News and a witness in the U.S. Senate Intelligence Committee probe into Russian interference in the 2016 U.S. elections.  A British national, he accused Forensic News of "malicious falsehood, libel, harassment and misuse of private information," the latter based on violation of the British enactment of the European General Data Protection Regulation (GDPR).

The extraterritorial reach of the GDPR has been a hot topic lately in privacy law circles, as U.S. companies struggle to comply simultaneously with foreign and burgeoning state privacy laws, such as the California Consumer Privacy Act (CCPA).  

Forensic News has no people or assets in the UK, but the complainant tried to ground GDPR application in the news organization's website, which accepts donations in, and sells merch for, pounds and euros.  No dice, said the court; it's journalism that links Forensic to the plaintiff and to the UK, not the mail-order side show.

The case is Soriano v. Forensic News LLC, [2021] EWHC 56 (QB) (Jan. 15, 2021).  Haim Ravia, Dotan Hammer, and Adi Shoval at Pearl Cohen have commentary.

Court: Employer has no free speech right to republish worker healthcare data that state provides conditionally

Confidential (Nick Youngson Alpha Stock Images CC BY-SA 3.0)

An employer has no First Amendment right to republish the identity of workers who relied on publicly subsidized healthcare when the state provides the names conditionally, for restricted use, the Massachusetts Appeals Court held yesterday.

A state program imposed assessments on employers whose employees relied on publicly subsidized healthcare.  The state offered to tell the employer which employees triggered assessment, so that the employer could review, and if appropriate challenge, the assessment. But the names came with strings attached: employers were required to promise that they will use the names in the administrative process only and not republish them.

Emerald Home Care, Inc., challenged the assessment program and conditional disclosures as violative of procedural due process and the First Amendment.

Affirming the Superior Court, the Appeals Court rejected both arguments.  As to due process, the state provided employers ample notice and opportunity to be heard in resisting the assessments.  As to the First Amendment, the state may attach conditions to access to confidential information.

In the First Amendment analysis, the court cited two U.S. Supreme Court oldies but goodies: LAPD v. United Reporting (1999) and Seattle Times v. Rhinehart (1984).  In LAPD, the Court allowed a statute to condition access to criminal histories on non-commercial use.  In Seattle Times, the Court allowed a protective order on discovery disclosures in a defamation-and-privacy case in which a newspaper was the defendant.

Justice Desmond

The Appeals Court applied intermediate scrutiny, drawn from Seattle Times.  The court reasoned that confidentiality in healthcare insurance information is an important state interest, and the restrictions on disclosure were closely tailored to the purpose of maintaining confidentiality while allowing the employer limited access for the purpose of administrative review.

The case is not remarkable for its holding, but it marks an ongoing tension between U.S. and foreign law over free speech, privacy, and data protection.  In the United States, the First Amendment often is a wrench in the works of government efforts to regulate information downstream from its disclosure to a third party.  Legal systems elsewhere in the world are more comfortable with the notion that a person's privacy rights may tag along with information in its downstream transfer from hand to hand, outweighing the free speech right to republish.

I noted some years ago that in some areas of U.S. law, including freedom of information (FOI), or access to information, we can see examples of American privacy expectations that accord with, not diverge from, European norms.  Downstream control by contract has been a key advancement in making some jurisdictions willing to furnish court records to information brokers.  Binding a broker to adjust records later as a condition of receipt helps to solve problems such as expungement, the American judiciary's equivalent to the right to be forgotten.

The case is Emerald Home Care, Inc. v. Department of Unemployment Assistance, No. AC 20-P-188 (Mass. App. Ct. Feb. 2, 2021).  Justice Kenneth V. Desmond Jr. authored the opinion for a unanimous panel that also comprised Chief Justice Green and Justice Lemire.

'Right to repair' of Mass. Question 1 would close loophole, aid consumers; industry opposition misleads

Teen mechanic in Philippines, 2014
(Rojessa Tiamson-Saceda, USAID, via Pixnio CC0)

Massachusetts has a right-to-repair initiative (Question 1) on the ballot this Election Day.

Voter information explains: "Under the proposed law, manufacturers would not be allowed to require authorization before owners or repair facilities could access mechanical data stored in a motor vehicle’s on-board diagnostic system, except through an authorization process standardized across all makes and models and administered by an entity unaffiliated with the manufacturer."

Passing this initiative should be a no-brainer.  The provision is in fact only an update to an existing law that voters approved in 2012.  Extending the right to repair to "telematic" data, the new law would close a right-to-repair loophole, through which carmakers can shield vehicle data against access by transmitting data out from the vehicle to a proprietary server.  The only source of controversy here should be how we let corporations continuously try to exploit law and technology to evade accountability to consumers and line their pockets with monopolistic product strategies.

The initiative is opposed by the "Coalition for Safe and Secure Data."  The organization's tack is that if you vote yes on Question 1, you'll facilitate domestic violence, because vehicle information can be misused by violent ne'er-do-wells.  The threat is a repulsive red herring, especially considering that telematic data about consumers already are being relocated without subject sign-off.  The Coalition for Safe and Secure Data is not the sheep of consumer privacy advocacy it pretends to be, but a wolf of a trade group, funded to the tune of $25m by the motor vehicle industry to shut down Question 1, according to Commonwealth Magazine.

Canadian privacy advocate deploys anti-SLAPP law in suit by electronic exam proctoring company

John Oliver's Big Coal SLAPP nemesis, Bob Murray, retires

Pixabay by Aksa2011

An IT specialist at a Canadian university is defending a lawsuit against a U.S. tech company over its allegations of copyright infringement and his allegations of infringement of student privacy.

Proctorio is an Arizona-based company offering online testing to academic institutions.  It's similar to ExamSoft, which is used by my law school, the Massachusetts Bar, and other academic and licensing organizations.

Needless to say, businesses in the mold of Proctorio and ExamSoft have taken off since the pandemic.  But these businesses are not without their problems, and their widespread use has brought unwanted scrutiny to their terms of service.

For example, the Electronic Frontier Foundation raised a red flag over ExamSoft in anticipation of its adoption to administer the California bar exam.  Examsoft's terms of service afford the company overbroad reach into the computers of users and, worse, collection of biometric data from studying their faces on screen.  My students have raised legitimate concerns about ExamSoft, and I will not be administering a "closed-book" final exam because I share those concerns.

UBC (GoToVan CC BY 2.0)

Related privacy worries motivated University of British Columbia learning technology specialist Ian Linkletter, MLIS, to tweet out the URLs of unlisted Proctorio instructional videos located at YouTube, meaning to make his case that the company is excessively intrusive of student privacy.  In response, the company sued Linkletter in British Columbia for copyright infringement and breach of confidence.

Now Linkletter has filed for dismissal under British Columbia's anti-SLAPP law.  Linkletter told the Vancouver Sun that fighting the lawsuit for just "more than a month has cost him and his wife tens out thousands of dollars."  Read more in Linkletter's public statement of October 16.

B.C.'s anti-SLAPP law was enacted unanimously by lawmakers in March 2019.  Oddly enough, B.C. lawmakers passed one of Canada's first anti-SLAPP laws in 2001, but quickly repealed it over doubts about its efficacy.  I wrote recently about the dark side of anti-SLAPP laws.  Never have I denied that they are sometimes deployed consistently with their laudable aims; rather, my concerns derive from their ready abuse when deployed against meritorious defamation and privacy causes.   

The case is Proctorio, Inc. v. Linkletter, Vancouver Reg. No. S-208730 (filed B.C. Sup. Ct. Sept. 20, 2020) (civil claim).

Bye, bye, Bob

[UPDATE, Oct. 27, 2020. To be clear, I wrote that sub-headline before this happened: "Coal giant Robert Murray passes away just days after announcing retirement" (Stephanie Grindley, WBOY, Oct. 25, 2020).]

In other, if distantly related, anti-SLAPP news, Bob Murray is resigning and retiring as board chairman of American Consolidated Natural Resource Holdings Inc., successor of Big Coal's Murray Energy.  It was a tangle with Murray that turned HBO comedian John Oliver into an anti-SLAPP champion.  And, I admit again, HBO's use of anti-SLAPP law was textbook and laudable after Murray brought a groundless suit against the network.

While I disagree with Oliver over anti-SLAPP, he's one of my favorite comedians and social activists, and definitely was the mic-drop-best live act I've ever seen.  Here are his key Murray Energy treatments from Last Week Tonight.

The first, June 18, 2017, drew Murray's lawsuit.

The second, November 10, 2019, followed up with a paean to anti-SLAPP, wrapping up with a musical tribute to Murray.

Jarosiński to talk cloud law, from Europe to Zoom, in free transnational legal webinar series

Jarosiński

Wojciech Jarosiński, a friend and colleague, will speak in November on "The Cloud: A New Legal Frontier."  The talk is part of a free webinar series of the American Law Program (ALP) of the Columbus School of Law at The Catholic University of America (CUA) in Washington, D.C., and the law school, foreign program office, and American law student society at Jagiellonian University (UJ) in Kraków, Poland.

In just under a decade, armed with master's-in-law-degrees from UJ and CUA, attorney Jarosiński has risen to prominence as an accomplished attorney in transnational business.  Now a partner at the Maruta Wachta law firm in Warsaw, he heads the dispute resolution practice group, leading or supervising a portfolio of more than 200 technology cases valued at more than US$2bn.  At the same time, I know Wojtek to be a gifted and globally minded person.  In his spare time, he is a co-founder, expedition planner, and skipper for Vertical Shot Expeditions, a wilderness adventure company offering photography expeditions in remote locations from pole to pole.

Here is the description of the talk, which will be in English.

Until recently, the cloud was mainly storage for surplus holiday photos. Today, the cloud plays a vital role in commerce: allowing businesses to thrive in geographically distant markets, limiting operational costs, and enabling workplace flexibility for employees. These applications, though, bring sleepless nights for judges who try to apply existing law to a new reality.

This webinar will begin with a brief introduction to the cloud’s basics: where the cloud is located, what is stored there, and whether it is even possible to avoid the cloud in today’s business world. Then, the session will move to opportunities for lawyers to guide their clients through cloud regulations—highlighting the importance of legal education in cross-border legal concepts. Finally, the webinar will consider dispute resolution regarding cloud-based services. The webinar will consider Zoom, Apple Mail, Amazon Web Services, Oracle, and many other popular services, as well as the Court of Justice of the European Union Schrems II decision and the U.S. Cloud Act. 

The talk is scheduled for Tuesday, November 24, at 1 p.m. U.S. EST (6 p.m. GMT, 7 p.m. CET).  All of the talks in the series are free, but advance registration is required.  

Here is the full schedule.  [UPDATED, Oct. 22: All fall dates are now open for registration.]

• OCTOBER 21 – Marc Liebscher, "Wirecard, Europe’s Enron? – Auditor Liability to Investors in Corporate Fraud"
• OCTOBER 28 – Sarah H. Duggin, "Why Compliance Matters – The Increasing Significance of the Compliance and Ethics Function in Global Corporations"
• NOVEMBER 19 – Roger Colinvaux, "Nonprofits in Crisis: Changes to Giving Rules and Politicization"
• NOVEMBER 24 – Wojciech Jarosiński, "The Cloud – A New Legal Frontier"
• DECEMBER 2 – Justyna Regan, "Data Privacy in the US: Where We Stand Today and Predictions for the Future"
• DECEMBER 9 – Megan M. La Belle, "Artificial Intelligence and Intellectual Property"

I'm proud to claim Wojtek as an alum of one of my classes in 15 years' teaching in the CUA-UJ ALP, though I doubtless have naught to do with his success.  Regrettably, the ALP is not running live this year, because of the pandemic.  Lemonade from lemons, though, is the fascinating work being produced by the Law Against Pandemic project (CFP, CFP en español).  I was privileged meanwhile, in May, to offer an item on American tort law to the pilot iteration of the ALP webinar series.

View this post on Instagram

Our fearless leader @wjarosinski relaxing on a Pripyat rooftop with all his essential gear. #verticalshotexpeditions #chernobyl #pripyat #adventureawaits #exploretocreate #pelicase #peliproducts #gearpatrol #thenorthface #neverstopexploring #peakdesign #mypakage #adventureisoutthere #photographyadventures

A post shared by Vertical Shot Expeditions (@verticalshotexp) on Aug 9, 2017 at 6:36am PDT

U.S. White Paper on 'Schrems II': Emperor still clothed

A new U.S. white paper on data protection means favorably to supplement the record on U.S. surveillance practices that, in part, fueled the European Court of Justice (ECJ) decision in "Schrems II," in July, rejecting the adequacy of the Privacy Shield Framework to secure EU-to-US data transfers.

From the U.S. Department of Commerce, Department of Justice, and Office of the Director of National Intelligence, the white paper suggests that the ECJ ruling was interim in nature, pending investigation of U.S. national security practices to better understand whether they comport with EU General Data Protection Regulation norms, such as data minimization, which means collecting only data necessary to the legitimate purpose at hand.  The paper states:

A wide range of information about privacy protections in current U.S. law and practice relating to government access to data for national security purposes is publicly available.  The United States government has prepared this White Paper to provide a detailed discussion of that information, focusing in particular on the issues that appear to have concerned the ECJ in Schrems II, for consideration by companies transferring personal data from the EU to the United States. The White Paper provides an up-to-date and contextualized discussion of this complex area of U.S. law and practice, as well as citations to source documents providing additional relevant information. It also provides some initial observations concerning the relevance of this area of U.S. law and practice that may bear on many companies’ analyses. The White Paper is not intended to provide companies guidance about EU law or what positions to take before European courts or regulators. 

Armed with this additional information, then, the message to the private sector seems to be, Keep Calm and Carry On, using the very same "standard contractual clauses" (SCCs) that the ECJ invalidated.  Yet if the information featured in the white paper has been publicly available, why assume that the ECJ was ill informed?  (Read more about SCC revisions under way, and their likely shortcomings, at IAPP.)

Unfortunately for the U.S. position, the ECJ opinion was not, to my reading, in any way temporary, or malleable, pending further development of the record.  The white paper comes off as another installment in the now quarter-century-old U.S. policy that the emperor is fully clothed.

I hope this white paper is only a stop-gap.  As I said in a Boston Bar CLE recently, no privacy bill now pending in Congress will bridge the divide between the continents on the subject of U.S. security surveillance.  A political negotiation, which might involve some give from the American side at least in transparency, seems now to be our only way forward.

The white paper is Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (Sept. 2020).

Boston Bar panel surveys landscape of privacy law, data protection policy, class action litigation

Attorneys Melanie Conroy, Marjan Hajibandeh, and Matthew M.K. Stein

We had great fun yesterday, as lawyer fun goes, talking about privacy law in the United States, from the impact of the Privacy Shield collapse to the latest litigation under California's groundbreaking consumer privacy protection law.  I was privileged to appear in a Boston Bar Association program on privacy class action litigation, led by attorney Melanie A. Conroy, CIPP/US, of Pierce Atwood LLP, alongside practicing-attorney panelists Matthew M.K. Stein, of Manatt, Phelps & Phillips, LLP, and Marjan Hajibandeh of CarGurus, Inc. 

Our topical reach was a breathless sprint across a dramatic landscape.  We opened with our respective thoughts on developments in privacy law, Conroy observing that the fast-paced field has undergone seismic shifts again and again in recent years, from the implementation of the California Consumer Privacy Act (CCPA) to the $18m Equifax data breach settlement in Massachusetts.

I spoke to the impact of the European Court of Justice decision ("Schrems II" (ECJ July 16, 2020)) invalidating the U.S.-EU Privacy Shield as a motivator for U.S. reform.  Besides the significance of the case in Europe and our foreign relations, the decision signals that a quarter century after adoption of the first European Data Protection Directive, Europe's patience with American recalcitrance has finally run out.

Julie Brill (MS CC) and William Kovacic

Former Federal Trade Commissioner Julie Brill told the Senate Commerce Committee this week that in two years, 65% of the world will be living under data protection laws, most of them modeled after the EU General Data Protection Regulation (GDPR).  As former Federal Trade Commission (FTC) Chairman William Kovacic put it, if we don't pass legislation in the United States, "we will get a national privacy policy: the GDPR."  As I tweeted this week, hearing testimony drove the usually cool and collected Senator Maria Cantwell (D-Wash.) to exclaim, "My God, this is clear, we need a strong privacy law." And Americans are ready; Brill said that nine out of ten Americans now believe that privacy is a human right.

Sen. Cantwell

Our panel ran down the latest developments in class action privacy litigation, loosely divided on the fronts of biometric data class actions, mostly arising under Illinois's pioneering Biometric Information Privacy Act; CCPA-related class actions in California; and data breach litigation.  I ran down cases in the latter vein and talked some about the present circuit split over Article III standing.  Federal courts have divided over whether "theft alone" can constitute concrete injury for constitutionally minimal standing, or plaintiffs must show some subsequent misuse of their data.  This issue is not limited to the data breach area, but has implications across a wide range of statutory enforcement systems, including the Fair Credit Reporting Act.

For my part, I predict that our dawning, if belated, understanding of the monetary value of personally identifiable information (PII) will lead us to the inevitable conclusion that theft alone suffices.  This is evidenced, for example, in Hogan v. NBCUniversal (D.R.I. filed Aug. 27, 2020), over the sale of Golf Channel subscriber identities, which subsequently were associated with other PII and resold.  Though for the time being, my favored conclusion is arguably not the inclination evidenced in the U.S. Supreme Court in Spokeo, Inc. v. Robins, in 2016.  Senator Dick Blumenthal (D.-Conn.) mentioned this week, apropos of current events, that Justice Ginbsburg, joined by Justice Sotomayor, dissented in Spokeo on just this point.

The late Justice Ginsburg; Sen. Blumenthal

Our next panel focus was developments in the First Circuit and Massachusetts.  In Massachusetts Superior Court in Boston, data breach litigation, filed in May 2019, against Massachusetts General Hospital, Brigham & Women's Hospital, and the Dana-Farber Cancer Institute, over online patient-service communications occurring outside secure portals, raises the very question of concrete harm, which may be resolved differently at the state level than under the federal Constitution.  Meanwhile in federal court, the same issue in data breach litigation, filed in March 2020, in Hartigan v. Macy's, highlights the lack of First Circuit precedent on the question since Spokeo, while citing strong pre-Spokeo indications that the First Circuit would favor the misuse-required position.

In parting observations, I offered that we have a long road ahead.  Of all the bills pending in Congress (see EPIC's excellent April report), only some propose a private cause of action and none attacks the problem of government surveillance, both purported prerequisites to European restoration of authorized trans-Atlantic data flow.  Within the U.S Congress, there appears to be bipartisan support for some kind of nationwide privacy legislation.  But the questions of private or FTC enforcement, and whether preemption would mean a legislative floor or ceiling remain sticking points that could derail the process.

First Circuit dismisses Mount Ida student class action, incidentally limits emerging data protection theory

Holbrook Hall, Mount Ida College, Newton, Mass. John Phelan CC BY 3.0

An angle in a recent First Circuit decision deserves a mention in U.S. data protection circles.  I hadn't been aware of this angle of the case, so hat tip to attorney Melanie A. Conroy at Pierce Atwood in Boston for analyzing the case carefully in the The National Law Review.

The First Circuit affirmed dismissal in the ugly and unfortunate matter of Mount Ida College students' class action against the school after its abrupt closure and sale to the University of Massachusetts system.  Conroy's rundown on the case is thorough.  I want only to highlight one important point: the court refused to recognize, in Massachusetts law, a fiduciary duty owed by university to student.

The decision comports with multistate norms, but is nonetheless important in limiting an emerging doctrine of data protection in U.S. common law tort.  State courts that have recognized something like a data protection right in civil cases have used fiduciary duty to bootstrap their way there.

American common law invasion of privacy is too stringent to get the job done, that is, to articulate a data protection right, for various reasons.  One reason is its incorporation of what Professor Daniel Solove termed "the secrecy paradigm": information must be kept secret to remain secret.  Thus, I cannot complain when my bank tells someone about my financial transactions, because I already let my bank know about them.  My resort must be to banking privacy law, by statute.  And there arises the second problem for privacy plaintiffs: statutes are too stringent to get the job done.  I might be unhappy if my employer divulges information about my psychiatric condition to my insurer, but neither one of them is a healthcare provider covered by the federal patient privacy law ("HIPAA"), which does not (directly) provide for a cause of action anyway.

In 2018, the Connecticut Supreme Court bridged the common law gap from statutory insufficiency to actionable privacy claim by relying on the physician-patient duty of confidentiality.  In short, the court held, HIPAA + duty of confidentiality = protectible common law interest.  The court thereby allowed a woman to sue her ObGyn provider upon an allegation of breached confidentiality.  That duty of confidentiality is a form of fiduciary duty.  So a theory emerged of how U.S. common law might stumble its way to recognition of what the rest of the world, especially Europe, calls "data protection."

There are a lot of ways for us to start catching up with the rest of the world in recognizing people's right to personal data integrity; this is just one.  And it remains.  But it is limited by the scope of duties that might stand in for that second piece of the equation.  The Mount Ida case shows correctly that it will be harder for a plaintiff to get there against a business defendant that is not a professional, and the data held are financial information tangential to the nature of the relationship, here, educational.

The First Circuit aptly instructed Mount Ida students that if they wanted better protection for their personal information in state law, their remedy was with the state legislature.  The same can be said for Americans, data protection, and our torpid Congress.

The case is Squeri v. Mount Ida College, No. 19-1624 (1st Cir. Mar. 25, 2020).  U.S. Circuit Judge Lynch wrote for the panel, which also included Stahl and Kayatta, JJ.

Radiolab ponders journalists who would undo what they wrought

Radiolab tackled the "right to be forgotten," U.S. style, back in August, and I missed it.  Hat tip at On the Media, which just revived the excellent segment.  Here is the summary and audio.

In an online world, that story about you lives forever. The tipsy photograph of you at the college football game? It’s up there. That news article about the political rally you were marching at? It’s up there. A DUI? That’s there, too. But what if ... it wasn’t.

In Cleveland, Ohio, a group of journalists are trying out an experiment that has the potential to turn things upside down: they are unpublishing content they’ve already published. Photographs, names, entire articles. Every month or so, they get together to decide what content stays, and what content goes. On today’s episode, reporter Molly Webster goes inside the room where the decisions are being made, listening case-by-case as editors decide who, or what, gets to be deleted. It’s a story about time and memory; mistakes and second chances; and society as we know it.

This episode was reported by Molly Webster, and produced by Molly Webster and Bethel Habte.

EU court rules for Google, narrows French 'right to be forgotten' order to Europe

In the latest battle of the feud between Google and the French data protection authority (CNIL), the Court of Justice of the European Union ruled that the CNIL's "right to be forgotten" order should be limited to internet users in Europe.  However, the court did not rule out the possibility of a worldwide order if the facts warrant.

The court wrote:

[T]he right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality....  Furthermore, the balance between the right to privacy and the protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world. 

While the EU legislature has, in Article 17(3)(a) of Regulation 2016/679 [GDPR], struck a balance between that right and that freedom so far as the Union is concerned ... it must be found that, by contrast, it has not, to date, struck such a balance as regards the scope of a de-referencing outside the Union.

"Proportionality" is a core principle of EU human rights law when regulation collides with individual rights, or, as here, state power is implicated to favor one individual's rights over those of others.  The same principle also constrains supra-national authority over member states.

The case arose from a CNIL fine of Google.  The French authority had ordered Google to de-list search results to protect certain individuals' privacy under the "right to be forgotten," or "right to erasure," when those individuals were searched by name.  "De-listing" or "de-referencing" search results is the front line of right-to-erasure court challenges today, though the specter of erasure orders that reach content providers directly looms on the horizon.

Google complied with the CNIL order only for European domains, such as "google.fr" for France, and not across Google domains worldwide.  Google employs geo-blocking to prevent European users from subverting de-listing simply by searching at "google.com" (United States) or "google.com.br" (Brazil).  Determined users still can beat geo-blocking with sly technocraft, so CNIL was dissatisfied with the efficacy of Google's solution.  Undoubtedly, a dispute will arise yet in which the CNIL or another European data protection authority tests its might with a more persuasive case for global de-listing.

The case is Google, LLC v. Commission Nationale de L’informatique et des Libertés (CNIL), No. C-507/17 (E.C.J.), Sept. 24, 2019.  Several free speech and digital rights NGOs intervened on behalf of Google, including Article 19, the Internet Freedom Foundation, the Reporters Committee for Freedom of the Press, and the Wikimedia Foundation, as well as Microsoft Corp.  The case arose initially under the 1995 EU Data Protection Directive, but carries over to the new regime of the General Data Protection Regulation (GDPR).

EU frets over Privacy Shield adequacy, and NGO insists, emperor still naked

The Commission of the European Union is reviewing the U.S.-EU Privacy Shield framework for conformity with the General Data Protection Regulation (GDPR), and NGO AccessNow is again demanding an inadequacy finding.

A lot is at stake.  For the uninitiated, European regulators have a dramatically different take on the protection of personal information than the free-wheeling free marketeers of the United States.  I've written some about the problem here and elsewhere (e.g., here and here), arguing that the American people are not so far from European privacy norms, but it's our law that lags behind the democratic will.  For my money, the definitive macro analysis of why American and European approaches to privacy have differed is James Q. Whitman's.  Anyway, the GDPR does not allow the export from Europe of information to countries that do not comport with its privacy protections, and that creates a monumental problem for the trans-Atlantic flow of not only information, but commerce.

The problem is not new and existed under the GDPR's predecessor law, the 1995 Data Protection Directive (DPD).  A number of mechanisms were devised to work around the problem, and they were approved by European regulators under the umbrella of "the Safe Harbor agreement."  But it's widely understood, at least on the European side, that Safe Harbor was something of a sham: No one with a straight face could argue that U.S. law was comparable to the DPD.  Safe Harbor in practice comprised mostly industry standards, voluntarily adopted and barely enforced by U.S. regulators.  There's also an important piece of this problem in the vein of national security, government spying, and personal information; I'm not even getting into that.

Privacy Shield is stronger than Safe Harbor, but the GDPR is a lot stronger than the DPD.  There have been remarkable advancements in privacy law in some states, notably California, in the EU direction.  And quite a number of court challenges have followed, winding their way through the process, some derived from objections in the commercial sphere, some the civil rights sphere: you've probably heard of "the right to be forgotten."  But our patchwork state laboratories hardly sum reassurance to Europe.  So in the absence of a comprehensive peace offering at the federal level, the debate over the EU's adequacy determination regarding Privacy Shield pretty much boils down to whether or not we're going to admit that the emperor is naked.

AccessNow, a global NGO and sponsor of RightsCon, has consistently called for honesty about the emperor's sorry state.  A recent memo calls on the Commission to rule Privacy Shield inadequate, and AccessNow has invited republication of a new infographic in support of its position.  I hereby oblige. It's past time we get serious about protecting personal information in the United States and stop commercial exploitation of human identity upon industry's abusive invocations of civil rights such as the freedom of speech and freedom to contract.

[UPDATE, 23 Oct. 2019, at 13:53 U.S. EDT: Privacy Shield still good, per EC report issued today.]

UMass Law Review hosts vibrant media law symposium

Today, as advertised, the UMass Law Review hosted a symposium on media law. The program videos are all on Facebook Live.  Check my Twitter feed for hot links to speakers' handles.  Three panels were organized by media "platform," from politics to digital to entertainment, raising issues from the investigative journalism to data breach law to streaming music copyright.  The program concluded with a keynote address by Richard P. Flaggert, a DLA Piper media attorney.  Here are some highlights:

After a thoughtful welcome by UMass Law Dean Eric Mitnick, UMass Law Professor Jeremiah Ho started the program with a discussion of why media matter.  The problem of law and policy, he said, is the gulf between "what matters" and "what excites us," with the media business model tending to cater to the latter.  Professor Ho is a co-adviser of the UMass Law Review.

  

Kicking off the first panel of the day, Rep. Christopher Markey, New Bedford, Mass., attorney, Commonwealth legislator, and UMass Law alumnus, gave the political perspective.  Money has distorted news from being an educational tool to being entertainment, he explained.  People must be media literate to elicit truth from what they see, hear, and read.  Recalling his years as a district attorney, Markey said that attorneys and judges were "better" when a beat reporter was sitting in the courtroom, that journalism "makes government better."  But those beat reporters are no longer there.

Jillian Fennimore provided her perspective from inside the busy office of Massachusetts Attorney General Maura Healey.  A journalism graduate of the University of New Hampshire with many years experience in media, Fennimore explained the challenge of making the work of the state's law office intelligible and meaningful to citizens, whether the subject matter is investigation of the opioid crisis, antitrust enforcement, or protection of a consumer whose vacuum cleaner broke.  AG Healey cares about all of these things because she understands that these are things people care about, Fennimore said.  My Torts II class has been looking at the impact of the Healey opioid investigation on the crisis and litigation nationwide.

Peter Ubertaccio, a dean and political scientist at Stonehill College, gave an academic perspective on news and media law.  Those of us of a certain age remember the local TV news anchors of our youth, he observed.  That is not true for our children.  Journalism today is "atomized," lacking the "rhythm" of television before the information age, even if the internet is "democratiz[ing]."  There is more content available through more conduits than ever before, Ubertaccio explained, yet there is less availability of accurate information.  We are entering a golden age of television entertainment while at the same time entering a dark age of information, he said.  Incidentally, yes, I remember my anchors.  And I was privileged to have worked with Baltimore's great Al Sanders for a short time before he passed away.

A star of the first panel was Dee DeQuattro, UMass Law alumna, staff attorney for Operation Stand Down Rhode Island, and creator of the Boots on the Ground Heroes Memorial.  DeQuattro talked about her experiences in radio and television, most recently as an assignment manager for ABC6 News in Providence, Rhode Island, then her transition to a public relations and later legal capacity for the veterans organization, Operation Stand Down.  DeQuattro went to journalism school to hold power accountable in the tradition of Woodward and Bernstein, she said.  But "news doesn't work that way anymore," as bottom-line focused detracted from serious political reporting.  After covering the Boston Marathon bombing, she went to law school.  She still uses her familiarity with news media, driven by money savings and visual imagery, to manage public affairs in her nonprofit work.

Law Review co-adviser Professor Dwight Duncan moderated the second panel, on digital media.  Professor Andrew Beckerman-Rodau of Suffolk Law School and the Intellectual Property Center opened with a comprehensive overview of data protection, including data breach and Big Data analytics, in American law today.

Attorney Hollie Lussier of Bristol County Savings Bank told the audience about the large role data protection and privacy play in legal practice today, especially in the financial sector.  She warned attorneys to consider insurance liability limits, as $100,000, she said, won't cut it.  She cited a recent case of a "small" data breach that nevertheless generated a $140 million loss.  The breach could have been prevented, she said, with a $10,000 "penetration test."  Making matters more hazardous, she explained, many insurance policies will not cover consequential damages, which make up most of that mega-million loss.

Rhode Island attorney and legislator Stephen Ucci concurred on the importance of data protection to contemporary practice.  He referenced a recent in case in which only 300 records were exposed.  Despite seemingly straightforward facts, the exposure of data has different implications for each data subject, he explained; moreover, breach across state borders implicates the laws of 50 states as well as federal laws, such as the Gramm–Leach–Bliley Act.  The complexity of even a small case is thus multiplied.  Ucci discussed the data breach legislation adopted by Rhode Island in 2015 and plans to beef up education and implementation in the near future.

UMass Law Professor Dustin Marlan moderated the third panel, on the subject of entertainment law.  Attorney and educator Richard Kent Berger started off the afternoon program talking about music copyright.  He explained the significance of the Music Modernization Act of 2018 and related legislation and pending proposals.  Royalties are now owed for digital streaming, and some pre-1972 musical works that had lost copyright protection have had their authors' royalty rights restored.  The law also revamped the approach to orphan works and afford them greater protection against loss of copyright.  Previously large content providers such as Google's YouTube were able to use a notice process on a massive scale to shake potentially orphaned works free of their copyright protection.

Seattle University Law Professor Bryan Adamson, a mass media scholar, talked about the importance of framing in media, especially in news reporting, and especially in coverage of protest movements. Media frames tend to perpetuate social stability, he explained, and as a result, tend to perpetuate racial hegemony.  The portrayals viewers see might not fairly represent the facts, and, as a result, he said, rather than contributing to the public dialog, media narratives might "derail" meaningful discussion of sensitive topics such as race and social and economic equality.

Rhode Island attorney Richard E. Kühn talked about the importance of social media to attorneys.  Social media are part of contemporary legal practice across the board, he explained, touching on areas including lawyer advertising, client counseling, evidentiary investigation and spoliation, and trial practice and voir dire.  He recited recent case rulings demonstrating that failure to take social media into account, for example in evidentiary investigation, may result in a finding of legal malpractice.

DLA Piper attorney Richard P. Flaggert (not speaking on behalf of clients or the firm) gave the keynote address of the symposium, discussing contemporary media law practice.  Flaggert, who is licensed in California, Massachusetts, and England and Wales, started off by reminding that Shakespeare's "kill all the lawyers" lines was an admonition against unethical or incompetent practice, not actually an indictment of the professional.

He then spoke about two key doctrinal developments in media law practice.  First, he discussed the potential impact on free speech and commerce of the newly adopted EU Copyright Directive, in particular the article 11 "link tax" and the article 13 "upload filter measure."  Both threaten a chilling effect, he explained.  The former purports to give copyright protection to even a "snippet"—the actual word, undefined in the law—of content, putting at risk a range of content from Google news aggregation to "your blog."  Meanwhile article 13 imposes the burden of protecting against copyright infringement on ISPs, abandoning reliance on the notice-and-takedown approach of the U.S. Digital Millennium Copyright Act.  As a result, even "your blog" content might be tied up for weeks or longer as ISPs mull over whether you have violated copyright, likely prompting prophylactic censorship.  I note: not unlike Europe's approach to the right to be forgotten, now miring Google in a new administrative bureaucracy, not to mention the risk of Goliath gate-keeping under non-transparent private-sector control.  

Second, Flaggert talked about the problem of copyright and live fan captures of sporting events and the like.  As technology improves and recording devices become harder to detect and control, event providers such as sporting authorities will have a more difficult time policing the difference between the odd fan photo and the HD-streaming pirate.  The French solution has been to regulate, Flaggert explained, giving near absolute control to providers, a strategy of obviously problematic dimension.  Meanwhile in the United States, no body of intellectual property law, such as federal copyright or state common law, seems up to addressing the problem.  Event providers are confounded at the choice between loss of control of their intellectual property and alienation of their fan base with its abiding affection for social media.  Meanwhile the problem poses a threat to our fine-line precedents and the delicate balance between INS v. AP IP rights and the "hot news" doctrine, which has kept the peace for decades.

The village idiot moderated the first panel. Here
he is about to laugh at one of his own bad jokes.

Once a lawyer who represented ESPN before it ceded its design to bring Premier League coverage to America, I asked Flaggert 1:1 whether NBC, with its unsatisfying and impossibly expensive array of cannibalized Premiere League coverage for U.S. viewers, intends to be destroying soccer in America, or is just doing so indifferently.  He shared his frustration with access to Liverpool matches.  I'm not sure why one would necessarily want to see Liverpool, unless they were playing directly against ManC.  But I appreciate his empathy.

A big congratulations to the UMass Law Review, especially editor Casey Shannon, for executing a superb symposium, with my sincere thanks for bringing these talents to our campus.