Showing posts with label privacy. Show all posts
Showing posts with label privacy. Show all posts

Monday, March 11, 2024

Book supports legal privilege for undercover reporting

Truth and Transparency, a recent book by Professors Alan K. Chen and Justin Marceau, is a comprehensive and gratifying tour of the history and law of undercover reporting.

Chen and Marceau teach at the Sturm College of Law at Denver University and have especial expertise in constitutional law, and respectively in public interest law and animal law. In their co-authorship, they examine the social phenomenon of undercover reporting that lies at the intersection of journalism, tort law, and the First Amendment—and often animal law, too.

I know Chen best for his work in opposing ag gag laws: statutes designed to stop and punish journalists, activists, and whistleblowers from investigating and revealing wrongful conduct and animal cruelty in the agricultural industry, especially by way of undercover video recording. Chen has worked against ag gag in Idaho, Iowa, Kansas, and Utah. I've been privileged to sign on to some of the amicus briefs he has coordinated.

Chen and Marceau leave no stone unturned. I was intrigued especially to read about the history of undercover reporting in the United States, the evolution of undercover reporting in its treatment in journalism ethics, and the thorough explication of undercover reporting in tort and First Amendment law.

Upton Sinclair's 1905 The Jungle, a novel based on real-life undercover reporting in the meatpacking industry, was my mind's go-to on the early history of the practice. Apropos of the present Women's History Month, however, it was female reporters such as Nellie Bly who carved out a niche for undercover reporting in the popular imagination in the late 19th century and deserve the most credit for pioneering the genre.

Bly, born Elizabeth Jane Cochran, famously had herself committed to a deplorable New York mental institution in 1887 for 10 days before a New York World lawyer secured her release, per prearrangement. Chen and Marceau recount the stories of Bly and other so-called "girl stunt reporters." They trace the history even further, as well, to antebellum abolitionists determined to expose the horrors of slavery.

Chen and Marceau explore a range of treatments of undercover reporting in journalism ethics, including the qualified permissiveness of the 1996 Code of Ethics of the Society of Professional Journalists, preserved in the more recent 2014 iteration. They observe as well the almost complete prohibition on the practice at National Public Radio, where journalists may engage in deception only when necessary to protect themselves in a conflict zone, and secret recordings may be used in only extraordinary circumstances.

A case that naturally arises throughout the book is the ABC News investigation of hygienic practices at Food Lion in the 1990s (at Reporters Committee). This case was contemporary with my university study of journalism, so was front and center in my class on journalism ethics. Whether or when journalists might engage in deception to get the story is a favorite point of discussion in journalism ethics class. The problem stratifies the need for public trust in journalism across the micro layers of people who are the subjects of stories and the macro layers of readers and the public interest. 

A court in Food Lion ultimately held that ABC journalists could be sued for trespass or breach of loyalty, but awarded only nominal damages. The factual problem for the plaintiffs that precluded a more substantial damages award was that notwithstanding the concealment of their motives, the journalists had been given jobs at Food Lion, and they did their jobs. So from a damages perspective, Food Lion got what it paid for. The appellate court, unlike the trial jury, was unwilling to consider the reputational harm flowing from truthful disclosures, if deceptively obtained, as any kind of compensable loss.

The outcome in Food Lion was consistent with the broad propositions of First Amendment law that there is no right to gather the news, which is why the Freedom of Information Act is a statutory rule, not a constitutional one; and that journalists are not exempt from generally applicable expectations of law, such as honoring contracts, obeying police orders—and not trespassing. As Chen and Marceau observe, the outcome exerted a chill in investigative reporting.

However, the Food Lion rule is hardly absolute, Chen and Marceau also aptly observe. The rule of no-right-to-gather-news has never been wholly true. The courts have given media latitude to test the limits, for example disallowing wiretap liability for receiving probably illegally intercepted communications. And technological advances have complicated the picture. A majority of U.S. circuit courts now, in a post-George Floyd world, have held that the First Amendment protects video-recording police in public places. The proposition seems right, but it doesn't square with the news-gathering rule.

The outcome in Food Lion further hints at a deeper problem in tort law that Chen and Marceau explore: the problem of damages in cases of only notional harm. In contemporary doctrine, a trespass with no infliction of physical harm or loss might entitle a plaintiff to an equitable remedy of injunction, but no more than nominal damages in tort law, thus Food Lion. Though with no damages in the offing, there is no deterrence to deceptive trespass, a logic that likely explains the eventual waning of Food Lion's chilling effect. The problem bleeds into the contemporary debate over the nature of damages in personal privacy violations. 

Journalism exceptionalism resonates as well in the problem of trespass and consent. Food Lion suggests that consent to enter property is vitiated by deception as to one's motive. Chen and Marceau explore opposing academic and judicial views on the question.

In a remarkable work of empirical research unto itself, Chen and Marceau's chapter 6 presents compelling data to show overwhelming public support for undercover reporting to expose wrongdoing. Public support seems to transcend political ideology and even whether the perpetrator of deception is a journalist or activist.

Chen and Marceau argue summatively and persuasively for a qualified legal privilege to protect journalistic deception in undercover reporting. Historical, ethical, and legal authorities all point in the same direction. Even the Fourth Circuit in Food Lion hedged its bets, observing that generally applicable employment law as applied in the case had only an "incidental effect" on news-gathering; in other words, news-gathering was outweighed as a consideration, not shut out.

Technological advances and citizen journalism will continue to generate conflict among conventional norms of property and fair dealing, evolving norms of privacy, and public interest in accountability in private and public sectors. Truth and Transparency is an essential manual to navigate in this brave new world.

Thursday, March 7, 2024

UK anti-SLAPP bill takes fire

The United Kingdom has an anti-SLAPP bill on the table, and lawyer Gideon Benaim has cataloged objections.

In broad strokes, the bill follows the usual pattern of anti-SLAPP, looking for free speech and public interests on the part of the defendant, which then burdens the plaintiff with proving probable success on the merits out of the gate.

Benaim published his objections on the INFORRM blog, part 1 and part 2. Some of his objections track those that I articulated in 2021 as to American anti-SLAPP statutes. I lamented the unfairness of expecting a plaintiff to meet an extraordinary proof standard such as actual malice as to falsity without the benefit of discovery. The equivalent UK approach expects a plaintiff to overcome a bare public interest defense without the opportunity to probe the publisher's process or motives.

Benaim also points out, as I have, that anti-SLAPP is as likely to be invoked by the powerful against the weak as vice versa; Goliath media giant against aggrieved individual; or, as happened, President Trump against sexual assault complainant Stormy Daniels.

Benaim is a rarity, a plaintiff's lawyer in media torts. Not that everyday aggrieved individuals will be able to score a place on his client list, which includes JK Rowling, Naomi Campbell, Roman Polanski, and Gordon Ramsay.

At least in the United States, at least, the already daunting odds of prevailing in a media tort case against a publisher with expert defense counsel on retainer causes most would-be plaintiffs not to sue at all, no matter how just their causes. They can't find counsel and certainly can't navigate complex media torts pro se. And that's before anti-SLAPP comes into play, threatening a losing plaintiff with having to pay the attorney fees of the media giant's high-dollar representation.

As I've written before, anti-SLAPP works well when it works well. Statutes just aren't drafted to ensure that that's always the case. It looks like the UK is struggling with the same problem.

Thursday, February 1, 2024

Naming rape suspects may draw criminal charges for journalists under Northern Ireland privacy law

Bernard Goldbach via Flickr CC BY 2.0
In Northern Ireland, it's a crime for a journalist to identify a rape suspect.

The relevant provision of the country's Justice (Sexual Offences and Trafficking Victims) Act 2022. Attorney Fergal McGoldrick of Carson McDowell in Belfast detailed the law for The International Forum for Responsible Media Blog in October 2023, just after the law took effect.

The law applies to a range of sexual offenses including rape. The prohibition expires upon an arrest warrant, criminal charge, or indictment. If prosecution does not expire the prohibition on identification, it remains in force until 25 years after the death of the suspect. The act amended preexisting privacy law to afford comparable anonymity to victims.

I have deep experience with this issue, and it is fraught. Despite my strong preference for transparency in government, especially in policing, the law has merit.

I was a university newspaper editor back in ye olden days of paper and ink. My newspaper reported vigorously on accusations of sexual assault against a student at our university by a student at a nearby university. The accusations and ensuing criminal investigation gripped the campus.

We learned the identity of both suspect and accuser. We reported the former and concealed the latter. Discussing the matter as an editorial board, we were uncomfortable with this disparity. Having the suspect be a member of our own community and the accuser an outsider amplified our sensitivity to a seeming inequity. We did take measures to minimize use of the suspect's name in the reporting.

These were the journalistic norms of our time. Naming the accuser was unthinkable. This was the era of "the blue dot woman," later identified as Patricia Bowman (e.g., Seattle Times). The nation was enthralled by her allegation of rape against American royalty, William Kennedy Smith. In the 1991 televised trial, Bowman, a witness in court, was clumsily concealed by a floating blue dot, the anonymizing technology of the time.

Smith was acquitted. The case was a blockbuster not only for TV news, but for journalism, raising a goldmine of legal and ethical issues around criminal justice reporting and cameras in the courtroom.

There was no anonymity for Smith. I went to a Society of Professional Journalists (SPJ) conference around this time, and the issues were discussed in a huge plenary session in a ballroom. The crowd exuded self-loathing for the trauma journalism itself had piled on Bowman. Objectivity be damned, many speakers beat the drums for the pillorying of the acquitted Smith.

The calculation in journalism ethics with regard to Smith, and thus to my editorial board, was that police accountability, knowing whom is being investigated, charged, or detained, and public security, alerting the public to a possible threat, or eliciting from the public exonerating evidence, all outweighed the risk of reputational harm that reporting might cause to the accused. Moreover, ethicists of the time reasoned, it would be paternalistic to assume that the public doesn't understand the difference between a person accused and a person convicted.

Then, in my campus case, the grand jury refused to indict. Our reporting uncovered evidence that the accusation might have been exaggerated or fabricated.

Our editorial hearts sank. Had we protected the wrong person?

My co-editor and I discussed the case countless times in the years that followed. We agonized. It pains me still today. Thirty years later, I find myself still retracing the problem, second-guessing my choices. It's like a choose-your-own-adventure where you feel like you're making the right choice each time you turn the pages, yet your steps lead you inevitably to doom.

Idealistically committed as we were at that age to freedom-of-information absolutism, we were inclined to the anti-paternalistic argument and reasoned that probably we should have named everyone from the start and let the public sort it out.

In our defense, a prior and more absolutist generation of norms in journalism ethics prevailed at the time. I was there at SPJ in the following years as leading scholars worked out a new set of norms, still around today, that accepts the reality of competing priorities and evinces more flexible guidance, such as, "minimize harm." Absolutism yielded to nuance. Meanwhile, the internet became a part of our lives, and both publication and privacy were revolutionized.

So in our present age, maybe the better rule is the Northern Ireland rule: anonymize both sides from the start. 

I recognize that there is a difference in a free society between an ethical norm, by which persons decide not to publish, and a legal norm, which institutes a prior restraint. I do find the Northern Ireland rule troublesomely draconian. The law would run headlong into the First Amendment in the United States. Certainly, I am not prepared to lend my support to the imprisonment of journalists.

Yet the problem with the leave-it-to-ethics approach is that we no longer live in a world in which mass media equate to responsible journalism. From where we sit in the internet era, immersed in the streaming media of our echo chambers, the SPJ Code of Ethics looks ever more a relic hallowed by a moribund belief system.

In Europe, the sophisticated privacy-protective regime of the General Data Protection Regulation (GDPR) is more supportive than the U.S. First Amendment of the Northern Ireland approach. The UK continues to adhere to the GDPR regime since Brexit. The GDPR reflects the recognition in European law of privacy and data protection as human rights, to be held in balance with the freedoms of speech and press. Precisely this balance was at issue in 2022, in Bloomberg LP v. ZXC, in which the UK Supreme Court concluded that Bloomberg media were obligated to consider a suspect's privacy rights before publishing even an official record naming him in a criminal investigation.

McGoldrick wrote "that since Bloomberg most media organisations have, save in exceptional circumstances, elected not to identify suspects pre-charge, thus affording editors the discretion to identify a suspect, if such identification is in the public interest."

Maybe the world isn't the worse for it.

Monday, January 29, 2024

Consumers turn tables against corporate defense in compelled arbitration of information privacy claims

Image via www.vpnsrus.com by Mike MacKenzie CC BY 2.0
Consumer plaintiffs turned the usual tables on corporate defense in the fall when a federal court in Illinois ordered Samsung Electronics to pay millions of dollars in arbitration fees in a biometric privacy case.

In the underlying arbitration demand, 50,000 users of Samsung mobile devices accuse the company of violating the Illinois Biometric Information Privacy Act (BIPA). BIPA is a tough state privacy law that has made trans-Atlantic waves as it fills the gap of Congress's refusal to regulate the American Wild West of consumer privacy.

Typically of American service providers, Samsung endeavored to protect itself from tort liability through terms and conditions that divert claims from the courts to arbitration. The (private) U.S. Chamber of Commerce champions the strategy. Arbitration is reliably defense-friendly. Rumor has it that arbitrators who don't see cases corporations' way don't have long careers. And companies bask in the secrecy that shields them from public accountability. (Read more.)

Resistance to compelled arbitration has been a rallying cause of consumer advocates and the plaintiff bar. For the most part, resistance has been futile. But consumer plaintiffs appear to have a new strategy. The Chamber is not happy.

In the instant case, consumers alleging BIPA violation were aiming for arbitration. Arbitration rules, endorsed by Samsung's terms, require both sides to pay toward initial filing fees, a sum that adds up when 50,000 claims are in play. The consumers' attorneys fronted their share, but Samsung refused. The company weakly asserted that it was being scammed, because some of the claimants were deceased or not Illinois residents, both BIPA disqualifiers.

Samsung must pay its share of arbitration filing fees for living Illinois residents, the district court answered, at least those living in the court's jurisdiction. Many of those consumer claimants were identified with Samsung's own customer records. A few whom Samsung challenged, the claimants dropped from their number. Even when the court pared the list to consumers in Illinois's federal Northern District, roughly 35,000 were still standing.

"Alas, Samsung was hoist with its own petard," the court wrote, quoting Shakespeare. The court opined:

Samsung was surely thinking about money when it wrote its Terms & Conditions. The company may not have expected so many would seek arbitration against it, but neither should it be allowed to “blanch[] at the cost of the filing fees it agreed to pay in the arbitration clause.” Abernathy v. Doordash, Inc., 438 F.Supp. 3d 1062, 1068 (N.D. Cal. 2020) (describing the company’s refusal to pay fees associated with its own-drafted arbitration clause as “hypocrisy” and “irony upon irony”).

The American Arbitration Association, the entity with which the claimants filed pursuant to Samsung's terms, estimated Samsung's tab at $4.125 million when the number was still 50,000 claims.

Attorneys Gerald L. Maatman, Jr., Rebecca S. Bjork, and Derek Franklin for corporate defense firm DuaneMorris warned:

As corporations who employ large numbers of individuals in their workforces know, agreements to arbitrate claims related to employment-related disputes are common. They serve the important strategic function of minimizing class action litigation risks. But corporate counsel also are aware that increasingly, plaintiffs’ attorneys have come to understand that arbitration agreements can be used to create leverage points for their clients. Mass arbitrations seek to put pressure on respondents to settle claims on behalf of large numbers of people, even though not via the procedural vehicle of filing a class or collective action lawsuit. As a result, corporate counsel should carefully review arbitration agreement language with an eye towards mitigating the risks of mass arbitrations as well as class actions.

Samsung wasted no time appealing to the Seventh Circuit. The case has drawn a spate of amici with dueling briefs from the Chamber and associates, favoring Samsung, and from Public Justice, et al., favoring the consumer claimants.

The district court case is Wallrich v. Samsung Electronics America, Inc. (N.D. Ill. Sept. 12, 2023), opinion by Senior U.S. District Judge Harry D. Leinenweber. The appeal is Wallrich v. Samsung Electronics America, Inc. (7th Cir. filed Sept. 25, 2023).

Wednesday, January 24, 2024

TORTZ volume 2 unpacks duty, causation, damages, introduces nuisance, defamation, privacy

Tortz volume 2 is now available for affordable purchase from Lulu.com and for free PDF download from SSRN.

Tortz volume 2 follows up volume 1 (Lulu, SSRN, The Savory Tort), published in 2023 and pending update this year. I am using Tortz volumes 1 and 2 with students in my American tort law classes in the United States and in Poland this academic year.

The two-volume Tortz textbook represents a survey study of American tort law suitable to American 1L students and foreign law students. In volume 1, the first eight chapters cover the fundamentals of the culpability spectrum from intentional torts to negligence to strict liability.

Volume 2 comprises chapters 9 to 15: (9) damages, (10) res ipsa loquitur, (11) multiple liabilities, (12) attenuated duty and causation, (13) affirmative duty, (14) nuisance and property torts, and (15) communication and media torts. 

Contemporary content in Tortz volume 2 includes exercises in pure several liability; treatment of opioid litigation in public nuisance law; recent criticism of New York Times v. Sullivan in defamation law; and exposure to common law developments in privacy law, such as the extension of fiduciary obligations to protect personal information.

Three final chapters will be added to Tortz volume 2 for a revised edition later in 2024: (16) interference and business torts, (17) government claims and liabilities, “constitutional tort,” and statutory tort, and (18) worker compensation and tort alternatives. Any teacher who would like to have copies of draft materials for these chapters in the spring is welcome to contact me.

Tortz is inspired by the teachings of Professor Marshall Shapo, a mentor to whom I am deeply indebted. Marshall passed away in November 2023.

My thanks to Professor Christopher Robinette, Southwestern Law School, who kindly noted the publication of Tortz volume 2 on TortsProf Blog even before I got to it here.

Tuesday, January 23, 2024

Plaintiff drops privacy suit that stretched to claim against UMass Medical in nationwide data breach

UMass Chan Medical School
Mass. Office of Travel & Tourism via Flickr CC BY-ND 2.0
Until six days ago, the University of Massachusetts Chan Medical School was defending a privacy suit over a data breach, though the plaintiff liability theories looked thin.

There doesn't seem to be any dispute over the fact of the data breach. UMass Chan was just one of hundreds of organizations nationwide implicated in a breach affecting tens of millions. According to electronic security firm Emsisoft (which has a commercial interest in higher numbers), the breach affected more than 2,700 organizations and the data of more than 94 millions persons (last updated Jan. 18, 2024).

The vulnerability for all of these organizations was a file transfer platform called MOVEit, a product of publicly traded, Burlington, Mass.-based Progress Software Corp. UMass Chan used MOVEit to transfer personal information to other state agencies and programs. Hackers obtained and published the data of more than 134,000 persons, including recipients of state supplemental income and elder services.

According to state officials, WBUR reported, the "exposed data varies by person, but in each case includes the person's name and at least one other piece of information like date of birth, mailing address, protected health information like diagnosis and treatment details, Social Security number, and financial account information." The commonwealth notified affected persons and offered free credit monitoring and identity theft protection.

The complaint filed in federal court in September 2023 sought class action certification. The named plaintiff blamed UMass Chan for weak security and delayed notification resulting in a fraudulent attempt to use her debit card. Wednesday last week, the plaintiff voluntarily dismissed without prejudice, meaning the case might not yet be over.

The articulated causes of action, though, were a stretch. That's not to say that the putative plaintiffs suffered no injury. The problem rather is that the law in most states, including Massachusetts, and at the federal level still fails to define data privacy wrongs in a manner on par with the law of Europe and most of the rest of the world.

There was no statutory cause of action in the UMass Chan complaint. The diversity complaint alleged counts of negligence, breach of contract, and unjust enrichment.

Negligence has not been a productive vein for privacy plaintiffs, who lack the usually prerequisite physical injury. Massachusetts cracks open the door more than most other states to negligence actions based on lesser injury claims, such as emotional distress or economic loss. But it's not a wide opening.

Privacy actions in state law meanwhile are problematic because American common law has not yet well established the nature of the plaintiff's loss according to conventional understandings of injury. Indeed, federal courts disagree over when a statutory state privacy action supplies the "injury-in-fact" standing required by the federal Constitution. 

The named plaintiff in the UMass Chan case hastened to emphasize her contractual relationship with UMass Chan as a service provider, in an effort to anchor the negligence claim within a strong relationship of duty to get through the Massachusetts doorway. She described the identity risk of the debit-card incident to establish economic loss at least.

It's not clear that the pleading could have pushed over the hurdles to negligence recovery. I have advocated for the evolution of common law tort to close the gap in recognition of privacy violations in U.S. law, similarly to how UK courts developed the "misuse of private information" tort in common law to complement transposition of EU data protection. The Massachusetts Supreme Judicial Court could do that; certification would be required here in a federal case. But the trend in American data privacy law rather has been for the courts to wait on legislators to move the ball forward.

The other liability theories were a stretch, too. In contract, the plaintiff alleged herself a third-party beneficiary of data sharing agreements between UMass Chan and its state partners. Third parties can claim rights in a contract, but the proof is stringent. Contract law also raises a damages problem. The plaintiff here was not seeking specific performance, and it's not clear that any recovery in contract law would exceed the remediation the commonwealth already offered.

The equitable claim of unjust enrichment theorized essentially that UMass Chan benefited financially by cheaping out on security. That's creative, but a plaintiff in equity usually wants back something she lost to the defendant. A differential in the cost of contract services is speculative, and it's an attenuated causal chain to allege detriment to UMass Chan clients.

Privacy plaintiffs in the United States have seen some success using laws that predate contemporary data breach. But those theories won't work here. Massachusetts once had a leading data regulatory system for its requirements of secure data management. But the law is now well worn and has not kept up with other states, California being the model. Critically, the Massachusetts regs don't provide for private enforcement.

Some plaintiffs have found success with the dated (1986) Computer Fraud and Abuse Act. But a federal CFAA claim would be leveled properly against the hacker. The alleged culpability of UMass Chan is more accident than abuse.

American privacy plaintiffs flailing to state wrongs in litigation unfortunately is common and will continue as long as the United States lacks a comprehensive approach to data protection. I wrote 10 years ago already that American expectations in data privacy had outpaced legal entitlements.

The pivotal factor in whether MOVEit breach victims find any relief is likely to be the state where they and their defendants are located. Perhaps the case will push commonwealth legislators at last to act on a bill such as the proposed Massachusetts Information Privacy and Security Act (see, e.g., Mass. Tech. Leadership Council).

The case is Suarez v. The University of Massachusetts Chan Medical School (D. Mass. filed Sept. 18, 2023).

Wednesday, January 17, 2024

Police reform shines light on disciplinary records

CC0 Pixabay via picryl
A favorable reform to follow the police protest movement of recent years, stemming in particular from the killing of George Floyd, has been transparency around police disciplinary dispositions.

There is room for disagreement over what police reform should look like. I'm of the opinion that it costs society more to have police managing economic and social problems, such as homelessness and mental health, than it would cost to tackle those problems directly with appropriately trained personnel. I wouldn't "defund" police per se, but I would allocate public resources in efficient proportion to the problems they're supposed to remedy. We might not need as much prison infrastructure if we spent smarter on education, job training, and recreation.

Regardless of where one comes down on such questions, there is no down-side to transparency around police discipline. Police unions have cried privacy, a legitimate interest, especially in the early stages of allegation and investigation. But when official disciplinary action results, privacy should yield to accountability. 

Freedom-of-information (FOI) law is well experienced at balancing personnel-record access with personal-privacy exemption. Multistate FOI norms establish the flexible principle that a public official's power and authority presses down on the access side. Because police have state power to deprive persons of liberty and even life, privacy must yield to access more readily than it might for other public employees.

In September 2023, Stateline, citing the National Conference on State Legislatures, reported that "[b]etween May 2020 and April 2023, lawmakers in nearly every state and [D.C.] introduced almost 500 bills addressing police investigations and discipline, including providing access to disciplinary records." Sixty-five enacted bills then included transparency measures in California, Colorado, Delaware, Illinois, Maryland, Massachusetts, and New York.

The Massachusetts effort has come to fruition in online publication of a remarkable data set. Legislation in 2020 created the Massachusetts Peace Officer Standards and Training (POST) Commission. On the POST Commission website, one can download a database of 4,570 law enforcement disciplinary dispositions going back 30 years. There is a form to request correction of errors. The database, at the time of this writing last updated December 22, 2023, can be downloaded in a table by officer last name or by law enforcement agency, or in a CSV file of raw data.

The data are compelling. There are plenty of minor matters that can be taken at face value. For example, one Springfield police officer was ordered to "Retraining" for "Improper firearm usage or storage." I don't see that as impugning the officer, rather as an appropriately modest corrective and a positive for Springfield police. Many dispositions similarly suggest a minor matter and proportional response, for example, "Written Warning or Letter of Counseling" for "conduct unbecoming"/"Neglect of Duty."

Then there are serious matters. The data indicate termination of a police officer after multiple incidents in 2021, including "DRINKING ON DUTY, PRESCRIPTION PILL ABUSE, AND MARIJUANA USE," as well as "POSING IN A HITLER SALUTE." Again, it's a credit to the police department involved that the officer is no longer employed there. Imagine if such disciplinary matters were secreted in the interest of personal privacy, and there were not a terminal disposition.

The future of the POST Commission is to be determined. It's being buffeted by forces in both directions. Apropos of my observation above, transparency is not a cure-all and does not remedy the problem of police being charged with responsibility for social issues beyond the purview of criminal justice.

Lisa Thurau of the Cambridge-based Strategies for Youth told GBH in May 2023 that clarity is still needed around the role and authority of police in interacting with students in schools. Correspondingly, she worried whether the POST Commission, whose membership includes a chaplain and a social worker, is adequately funded to fulfill its broad mandate, which includes police training on deescalation.

Pushing the other way, the POST Commission was sued in 2022, GBH reported, by police unions and associations that alleged, ironically, secret rule-making in violation of state open meetings law. Certainly I agree that the commission should model compliance in rule-making. But I suspect that the union strategy is simply obstruction: strain commission resources and impede accountability however possible. Curious that the political left supports both police unions and police protestors.

WNYC has online a superb 50-state survey of police-disciplinary-record access law, classifying the states as "confidential," "limited," or "public." Massachusetts is among 15 states in the "limited" category. My home state of Rhode Island and my bar jurisdictions of Maryland and D.C. are among the 24 jurisdictions in the "confidential" category.

"Sunshine State" Florida is among 12 states in the "public" category. In a lawsuit by the Tallahassee Police Benevolent Association, the Florida Supreme Court ruled unanimously in November 2023 that Marsy's Law, a privacy law enacted to protect crime victims, does not shield the identity of police officers in misconduct matters. (E.g., Tallahassee Democrat.)

Monday, May 22, 2023

DA cannot shield officer, EMT identities from state FOIA disclosure, court rules in fatal police shooting

A Massachusetts Superior Court in March ordered the district attorney to release investigative records to the family of a man killed by police.

The privacy of public officials in the technology era has strained conventional accountability rationales for transparency. Since the advent of access to public information as a democratic norm, public officials and public figures have decried purported invasions of their privacy. The very notion of privacy in modern tort law, for better and worse, traces its roots to precisely such whinging in the late nineteenth century. Access usually prevailed.

Yet in the technological era, privacy complaints have gained new currency, and some of it is legitimate. Even, or perhaps especially, in the intensely emotional context of high-profile police shootings, interests are amped up on both sides. Of course, victims and families demand understanding and accountability, and they are entitled to it. At the same time, it's harder than ever to be a police officer, and passions that expose public servants and their families to harassment and threats pose a genuine policy problem. 

The two sides collided in Massachusetts over the death of Anthony (Antone) Harden in Fall River in 2021. The 30-year-old was shot twice and killed by police in his bedroom. Police investigators concluded that Harden had used a steak knife to attempt to stab the shooter's partner in the neck and head. A district attorney (DA) investigation in 2022 ruled the homicide justified.

Surveillance video shows officer arriving at Harden's apartment.
With the final report, Bristol County DA Thomas M. Quinn III released hundreds of pages of records, including video, audio, and photographs. But there was much that the DA did not release in response to a freedom-of-information request by Harden's brother, Eric Mack, an attorney. Though the family knew, and the lawsuit revealed publicly, the names of the involved officers by the time of the DA's report, the DA would not disclose their names.

The DA also withheld other records identifying responding personnel, including video interviews with emergency medical technicians. WBUR reported that the EMTs said they did not see the steak knife that police said necessitated lethal force.

Mack sued the DA under the state public records law, and the Superior Court in March granted his request for records on all counts. With regard to the identities of police and EMTs involved, the court wrote:

Upon balancing the rights of the parties, the public's need to access against the privacy rights at issues here, I find that the equities favor disclosure. The public officials here are not acting in the capacity of private citizens but in the course of their duties. Plaintiff has a right to have a full understanding of the facts leading to his brother's death including the identities of the public officials involved to ensure accountability and transparency. The failure to disclose this information would raise questions amongst the public about why this information was being withheld, which would only serve to undermine the integrity of the law enforcement departments involved and those reviewing their conduct. Any right to privacy that a public official might have under these circumstances, which is de minimis under the circumstances presented here, is overwhelmed by the public's right to know.

Before the resolution of the public records case, in January, the Harden family threatened Fall River with a $50m lawsuit for Harden's death, if the records were not released.

The case is Mack v. Office of the District Attorney, No. 2284-CV-00248 (Mass. Super. Ct. Suffolk County Mar. 6, 2023), decided by Justice James Budreau.

Wednesday, May 17, 2023

Mass., EU courts wrestle with requisite harm in defamation, data protection cases

The vexing problem of proof of damages in defamation and privacy has turned up recently in the Massachusetts Court of Appeals and the Court of Justice of the European Union. Meanwhile, the Massachusetts Gaming Commission borrowed European privacy principles for new data security rules.

Tiny turkey. Stéphanie Kilgast via Flickr CC BY-NC-ND 2.0
'Stolen' Turkey Money in Massachusetts

The Appeals Court in April vacated dismissal in a business dispute over turkeys. Nonprofit and business collaborators fell out over spending on variably sized turkeys for a charitable food event. The defendant wrote on social media that the plaintiff "stole" money intended for charitable purposes.

The complaint, which was filed by a Massachusetts lawyer, was messy—narrative in excess, numbering in disarray, and allegations jumbled between liability theories—so it was difficult for the trial court to parse the pleadings. With the aid of oral argument on appeal, the court teased out the defamation count and determined that it had been dismissed for want of pleaded loss.

However, Massachusetts is among jurisdictions that continue to recognize the historical doctrines of libel per se and slander per se. Those doctrines allow some pleadings to proceed without allegation of loss, and for good reason. Reputational harm is exceedingly difficult to prove, even when it seems self-evident. After all, whom should a plaintiff call to testify to prove her damaged reputation, people who now think an awful falsity about her? Witnesses will be less than eager. Even in case of a business plaintiff that suffers economic loss, it can be exceedingly difficult to tie specific losses to specific assertions of falsity.

The historical approach allows a plaintiff to demand presumed damages. That's a messy solution, because the jury is entrusted with broad discretion to assess the damages. On the plaintiff side, perhaps that's OK; we just juries to measure intangible losses all the time, as in the case of general damages for injuries, or pain and suffering. The defense bar and allied tort reformers have rebelled against presumed damages, though, arguing that they afford juries a blank check. That unpredictability makes it difficult for defendants and insurers to assess their liability exposure. Defense-oriented tort reformers have been successful in extinguishing per se defamation actions in many U.S. states.

Massachusetts splits the difference, I think in a healthy way. Per se actions are preserved, but the plaintiff is entitled to nominal damages, plus proved actual losses, but not presumed damages. I mentioned recently that the E. Jean Carroll case has spurred overblown commentary about the potential of defamation law to redress our misinformation problem. The unavailability of per se actions in many states is one reason that defamation is not up to the job. A defamation action for nominal damages helps, though, coming about as close as U.S. jurisdictional doctrine allows to a declaration of truth—which is what defamation plaintiffs usually most want.

Allegation of a crime, such as theft or misappropriation of charitable funds, fits the class of cases that qualify for per se doctrine, whether libel or slander. There is some room debate about whether social media better fits the historical mold of libel or slander, but that's immaterial here. The allegation of "stolen" money fit the bill.

The Appeals Court thus vacated dismissal and remanded the claim for defamation and related statutory tort. The court clerk entered the Memorandum and Order for Judges Mary Thomas Sullivan, Peter Sacks, and Joseph M. Ditkoff in Depena v. Valdez, No. 22-P-659 (Mass. App. Ct. Apr. 28, 2023).

Austrian post box.
High Contrast via Wikimedia Commons CC BY 3.0 DE

Non-Consensual Political Analysis in Austria

The Court of Justice of the European Union (CJEU) also recently tussled with a problem of proof of damages. The court held early in May that a claimant under the EU General Data Protection Regulation (GDPR) must claim harm for a personal data processing violation, but need not meet any threshold of seriousness.

The court's press release summarized the facts in the case:

From 2017, Ă–sterreichische Post collected information on the political affinities of the Austrian population. Using an algorithm, it defined "target group addresses" according to socio-demographic criteria. The data thus collected enabled Ă–sterreichische Post to establish that a given citizen had a high degree of affinity with a certain Austrian political party. However, that data processed were not communicated to third parties.

The citizen in question, who had not consented to the processing of his personal data, claimed that he felt great upset, a loss of confidence and a feeling of exposure due to the fact that a particular affinity had been established between him and the party in question. It is in the context of compensation for the non-material damage which he claims to have suffered that he is seeking before the Austrian courts payment of the sum of €1,000.

The plaintiff endeavored to quantify his emotional upset, but in the absence of communication of the conclusions about the plaintiff to to any third party, the claim of harm was thin. Emotional suffering resulting from the mere processing of personal data in contravention of one's advance permissions seems minimal. Accordingly, the Austrian courts, following the example of neighboring Germany, were inclined to disallow the plaintiff's action for failure to demonstrate harm.

Harm has been a sticking point in privacy law in the United States, too. Privacy torts are a relatively modern development in common law, and they don't import the per se notion of historical defamation doctrine. Tort law balances culpability with harm to patrol the borders of social contract. Thus, intentional battery is actionable upon mere unwanted touching, while merely accidental infliction of harm requires some degree of significance of injury. Defamation law arguably defies that dynamic, especially in per se doctrine, in part for the reasons I explained above, and in part because, for much of human history, personal integrity has been as essential for survival as physical security.

Not having inherited the paradigm-defying dynamic, privacy law has posed a puzzle. Scholars disagree whether damages in privacy should follow the example of business torts, requiring at least economic loss; the example of emotional distress torts, requiring at some threshold of severity; or defamation per se torts, recognizing some sui generis harm in the disruption of personal integrity. As personal data protection has grown into its own human right independent of privacy, the problem has been amplified, because, exactly as in the Austrian case, a right against the non-consensual processing of data that are personal, but not intimately personal, is even more difficult to generalize and quantify.

The problem is not only a European one. In the United States, courts and scholars have disagreed over when claims in the burgeoning wave of state data protection laws, such as the Illinois Biometric Information Privacy Act, can satisfy the "case or controversy" constitutional requirement of jurisdiction. Failure to see a sui generis harm in privacy violations means, arguably, that there is no "case or controversy" over which courts, particularly federal courts, have competence.

The CJEU balked at Austrian courts' unwillingness to see any wrong upon a claim of only intangible loss. But the court agreed that the plaintiff must demonstrate harm. Hewing to the text of the GDPR, the court reasoned that a plaintiff must show a violation of the regulation, a resulting harm, and a causal connection between the two. Thus, harm is required, but there is no requirement that the harm meet some threshold of seriousness or economic measure.

The CJEU decision was touted in headlines as "clarifying" the law of damages under the GDPR, while the stories beneath the headlines tended to do anything but. Some writers said that the court raised the bar for GDPR claims, and others said the court lowered it. Confusion stems from the fact that the court's decision spawns subsequent many questions. Conventionally, the GDPR leaves the quantum of damages to national courts. So how must a claim of de minimis harm be measured on remand? Are nominal damages sufficient compensation, or must the data protection right be quantified?

Moreover, Sara Khalil, an attorney with Schönherr in Vienna, observed that the court left out a component of tort liability that national courts sometimes require: culpability. Is there a minimal fault standard associated with recovery for mere data processing? Because tort law ties together the elements of harm and fault, at least in some jurisdictions, the one question necessarily begets the other.

RW v. Ă–sterreichische Post AG, No. C-154/21 (May 4, 2023), was decided in the First Chamber of the CJEU.

Data Security in Gambling in Massachusetts

Policymakers and courts on both sides of the Atlantic are wrestling with the problems of contemporary personal data protection. And while the gap between the GDPR and patchwork state and federal regulation in the United States has stressed international relations and commerce, it's no wonder that we see convergence in systems trying to solve the same problems.

To wit, the Massachusetts Gaming Commission has employed recognizably European privacy principles in new data security rules. For Israeli law firm Herzog Fox & Neeman, attorneys Ariel Yosefi, Ido Manor, and Kevin David Gampel described the overlap. The commission adopted the regulations for emergency effect in December 2022; final rules were published in April.

The attorneys detailed the requirements of gambling operators:

  • to establish and plainly disclose to players comprehensive data privacy policies, including measures regarding data collection, storage, processing, security, and disclosure, the latter including the specific identities of third-party recipients; 
  • to guarantee player rights including access, correction, objection, withdrawal of consent, portability, and complaint;
  • to eschew purely automated decision-making; and
  • to implement physical, technical, and organization security practices.

The regulations are 205 CMR 138 and 205 CMR 248 (eff. Mar. 9, 2023, publ. Apr. 28, 2023).

Friday, May 12, 2023

German court protects political satire in 'fake interview'

Katrin Göring-Eckardt
Heinrich-Böll-Stiftung CC BY-SA 2.0

In August 2022, a German court rejected a politician's claim that a satiric "fake interview" violated her rights.

Attorney Roman Brtka reported on the case for Bird & Bird Munich, and I rely on his report at Media Writes. The case is compelling because the fact scenario, and usually the same outcome, arises periodically in American law from the likes of an Onion "exclusive interview."

The plaintiff in the German case was Katrin Göring-Eckardt of the German Green Party. The defendant was Tichys Einblick (TE), a wide-ranging opinion magazine sometimes identified with right-wing populism. The content at issue was a wholly fictitious interview that mocked Göring-Eckardt's liberal position on pronouns. TE flagged the piece expressly headlined, "Achtung Satire" ("Attention Satire").

Brtka provided a helpful explanation of pronouns in the German language and how they play out in hot-button gender identity politics. The interview employed "extremely exaggerated ... gender-neutral language" to mock Göring-Eckardt.

The plaintiff invoked the German constitutional "right of personality," an outgrowth of broad European privacy law and close cousin of data protection. In this context, the right comes perhaps closest in American tort law to false light invasion of privacy. A better analogy would be a marriage of the right of personal autonomy, as known to medical decision-making in American constitutional law, to the interest of anti-disparagement, as known to trademark law.

The Hamburg regional court concluded, according to Brtka, "that the unbiased and reasonable audience could ... recognise, from the hyperbolic use of gender forms and the exaggerated demands mentioned in the article, that these were not actual statements made by the plaintiff. The mere fact that individual readers might come to a different understanding did not change this." Without any asserted truth, there could be no misrepresentation of the plaintiff's person, so no infringement of the plaintiff's personality right.

Brtka commented that "[i]t remains to be seen" whether the courts would protect satire that is not so plainly labeled, such that the satiric nature must be inferred from the content itself.

TE also reported the outcome of the case.

Unlike TE, The Onion, "America's Finest News Source," is satire through and through, even as it has been sold between media companies with other properties. The Onion's non-satirical supplement The AV Club was always branded distinctively and spun off in 2012. Taken in context, it's very difficult to mistake Onion content as true, though people sometimes infamously do

Like the German regional court, American courts, heeding the First Amendment, cut a wide berth for satire, likewise employing objective reasonableness to examine both content and context. Without an assertion susceptible of being proved true or false, there can be no winning claim of false light or defamation.

For satirists, closely related legal problems can arise from real interviews under pretenses the interviewee alleges were false: think Rudy Giuliani in Borat Subsequent Moviefilm. The Borat films and media enterprises such as The Daily Show use releases to help protect themselves. Even a well worded release is not ironclad against a claim that acquiescence was procured through fraud. But whether upon the release or lack of falsity, claims are almost invariably dismissed. The practical problem for plaintiffs is that what the camera captures is true, and the judgment that frames it is merely opinion.

Evidencing American courts' deference to hyperbole, Fox News prevailed in a 2020 lawsuit in part upon the theory that reasonable viewers did not regard the recently newsworthy Tucker Carlson as a source of facts. In 2022, the Sixth Circuit denied recovery to a man who satirized the Facebook page of his local police, and then was charged with and acquitted of a crime. Police were entitled to qualified immunity from the man's civil rights claim, the court concluded. The U.S. Supreme Court denied review amid a set of engaging amicus briefs, including one from The Onion.

Since the E. Jean Carroll verdict against former President Donald Trump, there has been a flurry of commentary suggesting that defamation law is the way out of the misinformation quagmire. It's really not, for a bunch of reasons that are beyond the scope of this post. Relevant here, the understandable thirst for accountability in the misinformation age might push against the traditionally wide berth of protection for satire. Let's hope the courts resist that push, because satire itself is a vital accountability mechanism.

Saturday, April 22, 2023

Lissens presents EU data protection, IoT research

Sylvia Lissens, a Ph.D. student and teaching assistant at the KU Leuven Centre for Global Governance Studies in Belgium, presented part of her doctoral research comparing U.S. and EU data protection law at a doctoral seminar in Lyon, France, in December.

In her research, Lissens focuses on the internet of things (IoT) to examine how American and European law protects the personal data that machines increasingly collect. She has a law degree from KU Leuven and a background in criminology, so is especially interested in government access to personal data, which has been a sticking point in trans-Atlantic privacy negotiations.

Looking at the emerging norms in state legislation in the United States, on the one hand, and at developing data protection jurisprudence in the European Union, on the other hand, Lissens hopes to identify points of convergence and divergence that might smooth the way forward for agreement over data flows.

In Lyon, Lissens presented findings from the EU leg of her research at the International Doctoral Seminar in European and International Human Rights Law, hosted by the Université Jean Moulin Lyon 3. She explained how the broad range of data collected by devices in our homes, from phones to refrigerators, will confront national security and international trade regimes with new challenges in the protection of personal privacy.

Comparative law is among Lissens's teaching responsibilities at KU Leuven. She joined my Comparative Law class by Zoom this semester to provide an EU perspective on contemporary European legal issues. Students' experience was greatly enriched by both her experience as a professional and her informed perspectives as a Belgian voter. I'm privileged to serve on Lissens's dissertation committee.

Wednesday, November 23, 2022

Anti-corruption law violates business-owner privacy, EU court holds with myopic appraisal of transparency

A key European Union transparency law that allows watchdogs to trace corporate ownership to combat corruption has been struck down by the EU high court for compromising personal privacy.
EU beneficial owner registry map from Transparency International, 2021. Read more.
CC BY-NC-ND 3.0

I'm not a hard skeptic on the personal privacy prerogative of the EU General Data Protection Regulation. To the contrary, I've written that there's a lot to like about the emerging global privacy norms embodied in the GDPR, and, contrary to conventional wisdom, American social expectations, if not yet federal law, are converging with Europe's.

That said, the EU Court of Justice yesterday announced a profoundly problematic decision at the junction of public access and personal privacy. The blanket disclosure requirements of a key anti-money-laundering law can't stand, the court held, because they don't calibrate the public need for access with the privacy of natural-person business owners with sufficient precision, that is, as a function of necessity and proportionality.

Troublingly, the court characterized transparency norms, which are grounded in treaty and law more firmly in the EU than in the United States, as specially relevant to the public sector and not fully implicated in the private sector, in the context of business regulation.

The potential implication of this proposition is that access to information is limited to a requester learning "what the government is up to," to the exclusion of government oversight of the private sector. That's a cramped and problematic construction of access law that has dogged journalists and NGOs using the U.S. Freedom of Information Act (FOIA) for decades. Read more in Martin Halstuk and Charles Davis's classic 2002 treatment. As I have written in my comparative research on access to information, access to and accountability of the private sector is a problem of our times. We must solve it if we're to save ourselves from the maw of corporatocracy.

In my opinion, the CJEU decision fundamentally misunderstands and overstates the legitimate scope of data protection regulation with the effect of enervating transparency as a vital oversight tool. The impact is ironic, considering that data protection regulation came about as a bulwark to protect the public from private power. The court turned that logic on its head by using personal privacy to shield commercial actors from public scrutiny.

Unfortunately (for this purpose), I have my hands full in Europe (coincidentally) right now, and I lack time to write more. Fortunately, Helen Darbishire and the team at Access Info Europe already have written a superb summary. Their lede:

In a ruling that has sent shockwaves through Europe’s anti-corruption and transparency community, the Court found that the Fifth Anti-Money Laundering Directive (AMLD5, 2018) is too loosely framed and provides for overly-wide public access to the [ownership] registers without a proper justification of the necessity and proportionality of the interference with the rights to privacy and personal data protection of the beneficial owners.

A saving grace, Access Info observed, is that the court did not rule out transparency per se; rather, requesters will have to fight for access case by case on the facts, upon a properly narrowed regulation. In U.S. constitutional terms, it's like saying the one-size-fits-all law was struck for vagueness, but the regulatory objective still can be achieved under a narrower rule that works as applied. All the same, journalists and non-profit watchdogs are not famously well financed to fight for access on a case-by-case basis.

The case is No. C‑37/20 & No. C‑601/20 in the Grand Chamber of the CJEU.

Tuesday, January 25, 2022

Hospital BAC disclosure prompts tort privacy claims

Photo by Marco Verch (CC BY 2.0)
The federal district court in Montana in December refused to dismiss an informational privacy claim against police, highlighting the space for state law to effect personal privacy protection in the United States.

Plaintiff Harrington was hospitalized after police found her unresponsive in her parked car. In the complaint, she alleged that sheriff's deputies "joked about her incapacitated condition and played along when nurses asked them to guess her blood alcohol content" (BAC). A nurse thereby disclosed Harrington's BAC, and, the complaint alleged, deputies then coaxed the record from a doctor. Harrington was charged with driving under the influence.

Subsequently, Harrington sued county officials and Madison Valley Hospital, the latter on theories of state statutory information privacy and common law invasion of privacy, negligence, and negligent infliction of emotional distress. The hospital sought dismissal on grounds that the federal Health Insurance Portability and Accountability Act (HIPAA), cited by the plaintiff in the complaint, affords no private right of action.  The federal district court, per Chief Judge Brian Morris, denied the motion to dismiss, recognizing that while HIPAA does not itself authorize private enforcement, it also does not preclude state law from providing greater privacy protection.

The case caught my attention because its facts point to something for which I've advocated, the use of tort law to fill gaps in informational privacy protection in the United States.  The law has not kept up with Americans' expectations of privacy, much less the norms of the world, but the common law should be sufficiently dynamic to reflect the evolving social contract.  I see drift in this direction in the expansion of medical fiduciary duty in emerging precedents in the states, such as Connecticut's Byrne v. Avery Center for Obstetrics & Gynecology, P.C., in 2018.

A theory as tenuous as negligent infliction of emotional distress, "NIED," can't usually stand on its own.  And tortious invasion of privacy has a poor track record in protecting personal information that is already in limited circulation.  However, paired with a medical provider's fiduciary duty and bolstered by a privacy violation recognized in regulation, either tort theory might be ripe for redefinition.

The case is Harrington v. Madison County, No. 2:21-cv-00015 (D. Mont. Dec. 6, 2021).  Hat tip to Linn Foster Freedman at Robinson+Cole's Data Privacy + Cybersecurity Insider.

Saturday, January 1, 2022

Code might inevitably regulate journalism in digital age

The U.K. Information Commissioner's Office is working on a "journalism code of practice" to legislate against defamation and invasion of privacy by mass media.

Principally and ostensibly, the code is intended to bring media law into conformity with U.K. data protection law, essentially the European General Data Protection Regulation (GDPR), including the stories "right to be forgotten," or right to erasure (RTBF). On the ground, the picture is more complicated. The British phone hacking scandal and following Leveson Inquiry constitute a strong causal thread in public receptiveness to media regulation.

Cambridge legal scholar David Erdos analyzed the draft code for the INFORRM public in part one and part two postings in October.  The code incorporates media torts such as defamation of privacy and misuse of private information (MOPI), the latter a common law innovation of British courts to facilitate enforcement of data protection rights. I have posited in other venues that common law tort similarly might provide a way forward to fill gaps in information privacy law in the United States.

Journalism and data protection rights have been on a collision course for a quarter century, like a slow-motion car wreck, and the draft journalism code is a harbinger of the long anticipated impact.  Back in 1995, when the EU GDPR-predecessor Data Protection Directive was brand new, the renowned media law scholar Jane Kirtley published an article in the Iowa Law Review, "The EU Data Protection Directive and the First Amendment: Why a 'Press Exemption' Won't Work."  Kirtley foresaw data protection and the First Amendment's arguably irreconcilable differences before most U.S. scholars had even heard of data protection.

In those innocent days, journalism ethics was reshaping itself to preserve professionalism in the newly realized and anxiety-inducing 24/7 news cycle.  A key plank in the new-ethics platform was its essentiality to resist regulation.  In 2000, media law attorney Bruce Sanford published the book Don't Shoot the Messenger: How Our Growing Hatred of the Media Threatens Free Speech for All of Us.  Then in 2001, everything changed, and mass media and their consumers became engrossed by new concerns over government accountability.

In a way, the consolidation of media regulation in a generation of code could be a relief for journalism, especially on the European continent.  In an age of ever more complex regulatory mechanisms, codification can offer bright lines and safe harbors to guard against legal jeopardy.  Information service providers from local newspapers to transnationals such as Google are struggling to comply with new legal norms such as the RTBF, and there is as yet little evidence of uniformity of norms, much less convergence. Yet even if industry ultimately embraces the security of code, what's good for business is not necessarily good for wide-ranging freedom of expression. 

Courts, too, are struggling with novel problems.  For example, in late November, the European Court of Human Rights ruled in Biancardi v. Italy that RTBF de-indexing orders extend beyond search engines and bind original news publishers.  Writing for Italian Tech and INFORRM, attorney Andrea Monti fairly fretted that the decision effectively compels journalistic organizations to expend resources in constant review of their archives, else face liability in data protection law.  The result, Monti reasoned, will be to discourage preservation, manifesting a threat to the very existence of historical record.

On the one hand, it's foolish to wring one's hands for fear that journalism is being newly subordinated to legal regulation.  Tort itself is a regulatory mechanism, and defamation has been around for a long time, notwithstanding the seeming absolutism of the First Amendment.  On the other hand, media regulation by law looks nothing like the punctilious supervision of regulated industries, including the practice of law.

In my own education, I found the contrast in approaches to ethics perplexing.  In journalism school, my ethics class had been taught aptly by a religion scholar who led impassioned discussions about handout hypotheticals.  In law school, the textbook in legal profession hit the desk with a thud for what was as much a study of model or uniform code as was crim or sales.

With no "First Amendment" per se, media regulation by code is not the novelty in the U.K. that it would be in the United States.  Still, with privacy and digital rights sweeping the globe, law is poised to regulate journalism in new ways everywhere, whether through the subtlety of common law or the coercive power of civil regulation.  American courts will not be able to escape their role in reshaping fundamental rights for the digital world, as European courts are at work doing now.  Kirtley foresaw the issues in 1995, and the chickens are slowly but surely turning up at the roost.

The present ICO consultation closes on January 10, 2022.

Wednesday, October 27, 2021

In parting meditation on pub gossip, Czech judge peels onion on privacy limits, judicial transparency

Does GDPR pertain to pub buzz?, AG Bobek asks.
Earlier this month, Czech judge and legal scholar Michal Bobek rounded out a six-year term as an Advocate General (AG) of the European Court of Justice with a mind-bending meditation on the ultimate futility of enforcing data protection law as written and a confirmation of the essentiality of transparency in the courts.

The case on which Bobek opined hardly required a deep dive.  He said so: "This case is like an onion," he wrote.  "I believe that it would be possible, and in the context of the present case entirely justified, to remain at that outer layer.   No peeling of onions unless expressly asked for."

But the case provided Bobek an optimal diving board, and, on the penultimate day of his term as AG, he plunged and peeled.

Complainants in the case were litigants before the Dutch Council of State (Raad van State).  They asserted that disclosure to a journalist of summary case information, from which they could be identified and details of their personal lives worked out, violated their right of privacy under the General Data Protection Regulation (GDPR) of the European Union, as transposed into Dutch law.

The disclosures are permissible under a GDPR exemption for judicial activities, Bobek concluded.  But en route to that conclusion, he further opined that the potentially unbridled scope of the GDPR must be tamed to accord with social norms and democratic imperatives.

With remarkably plain reasoning, he framed the problem in a comfortable venue:

If I go to a pub one evening, and I share with four of my friends around the table in a public place (thus unlikely to satisfy the private or household activity exception of ... the GDPR) a rather unflattering remark about my neighbour that contains his personal data, which I just received by email (thus by automated means and/or is part of my filing system), do I become the controller of those data, and do all the (rather heavy) obligations of the GDPR suddenly become applicable to me? Since my neighbour never provided consent to that processing (disclosure by transmission), and since gossip is unlikely ever to feature amongst the legitimate grounds listed in ... the GDPR, I am bound to breach a number of provisions of the GDPR by that disclosure, including most rights of the data subject contained in Chapter III.

The pub might not be the only place where the GDPR runs up against a rule of reason.  Consider the more nuanced problem of footballers considering a challenge against the processing of their performance stats.  Goodness; the pub convo will turn inevitably to football.

Let's step back for a second and take stock of the GDPR from the perspective of the American street.

Americans don't get many wins anymore.  We just retreated from a chaotic Afghanistan, despite our fabulously expensive military.  We resist socialized healthcare, but we make cancer patients finance their treatments on Go Fund Me.  We force families into lifelong debt to pay for education, undermining the social mobility it's supposed to provide.  We afford workers zero vacation days and look the other way from the exploitation of gig labor.  Our men's soccer team failed to qualify for the last World Cup and Olympics, while we're not sure why our women are rock stars; it can't be because we pay them fairly.  When it comes to personal privacy, we tend to want it, but our elected representatives seem eager to cede it to our corporate overlords.

Truth be confessed, then, Americans are willing to engage in a smidge of schadenfreude when Europeans—with their peace, their healthcare, their cheap college, their Ryanair Mediterranean vacations, their world-class football, and their g—d— G—D—P—R—get themselves tied up in regulatory knots over something like the sufficient size of a banana.  Ha.  Ha.

Therein lies the appeal, to me, of Judge Bobek's train of thought.  He finds inevitable the conclusion that posting case information is data processing within the purview of the GDPR.  The parties did not even dispute that.  For today, Bobek found an out through the GDPR exemption for the business of the courts in their "judicial capacity."

The out required a stretch to accommodate posting information for journalists, which is not, most strictly speaking, a judicial capacity.  Bobek reasoned by syllogism:  For the courts to do what they do, to act in the judicial capacity, they require judicial independence.  Judicial independence is maintained by ensuring public confidence in the judiciary.  Public confidence in the judiciary is bolstered by transparency in the courts.  Transparency in the courts is facilitated by the provision of case information to journalists.  Therefore, the judicial capacity requires publication of case information to journalists.

The problem, tomorrow, is that there is no answer in the case of pub gossip.  Bobek meditated on the human condition: "Humans are social creatures.  Most of our interactions involve the sharing of some sort of information, often at times with other humans. Should any and virtually every exchange of such information be subject to the GDPR?"

Bobek
Can't be, he concluded.

[I]n my view, I suspect that either the Court, or for that matter the EU legislature, might be obliged to revisit the scope of the GDPR one day. The current approach is gradually transforming the GDPR into one of the most de facto disregarded legislative frameworks under EU law. That state of affairs is not necessarily intentional. It is rather the natural by-product of the GDPR's application overreach, which in turn leads to a number of individuals being simply in blissful ignorance of the fact that their activities are also subject to the GDPR. While it might certainly be possible that such protection of personal data is still able to "serve mankind," I am quite confident that being ignored as a result of being unreasonable does not in fact serve well or even contribute to the authority or legitimacy of any law, including the GDPR.

While we await reassessment of the bounds of data privacy law in modern society, Bobek opined more and mightily on the importance of judicial transparency as a countervailing norm.  He opened the opinion with philosopher-jurist Jeremy Bentham:

"Publicity is the very soul of justice. It is the keenest spur to exertion, and the surest of all guards against impropriety.… It is through publicity alone that justice becomes the mother of security. By publicity, the temple of justice is converted into a school of the first order, where the most important branches of morality are enforced...."

Bobek later picked up the theme:

Judging means individualised detail brought to the public forum....

On the one hand, the basis for judicial legitimacy in an individual case are its facts and details. The judge settles an individual case. His or her job is not to draft abstract, general, and anonymous rules detached from individual facts and situations. That is the job of a legislature. The more a judicial decision departs from or hides the factual background to a public court case, or if it is later reported with significant limitations, the more often it becomes incomprehensible, and the less legitimate it becomes as a judicial decision.

On the other hand, ever since the Roman age, but presumably already earlier, if a claimant asked for the help of the community or later the State to have his claim upheld and enforced by the State, he was obliged to step into the public forum and let his case be heard there. In classical Roman times, the applicant was even entitled to use violence against the respondent who refused to appear in the public (the North Eastern part of the Roman Forum called comitium), before the magistrate (seated on a rolling chair on a tribune higher than the general public—hence indeed tribunal), when called before a court (in ius vocatione).

It is true that, later on, there were other visions of the proper administration of justice and its publicity. They are perhaps best captured by a quote from a judge in the Parlement de Paris writing in 1336 instructions to his junior colleagues, and explaining why they should never disclose either the facts found or the grounds for their decision: "For it is not good that anyone be able to judge concerning the contents of a decree or say 'it is similar or not'; but garrulous strangers should be left in the dark and their mouths closed, so that prejudice should not be caused to others.... For no one should know the secrets of the highest court, which has no superior except God...."

In the modern age, returning to the opening quote of Jeremy Bentham, it is again believed that even garrulous strangers should be allowed to see and understand justice. Certainly, with the arrival of modern technologies, a number of issues must continuously be re-evaluated so that garrulous strangers cannot cause prejudice to others....

Naturally, the publicity of justice is not absolute. There are well-grounded and necessary exceptions. The simple point to keep in mind here is: what is the rule and what is the exception. Publicity and openness must remain the rule, to which naturally exceptions are possible and sometimes necessary. However, unless the GDPR were to be understood as imposing a revival of the best practices of the Parlement de Paris of the 14th century, or other elements of the Ancien RĂ©gime or the Star Chamber(s) for that matter, it is rather difficult to explain why, in the name of the protection of personal data, that relationship must now be reversed: secrecy and anonymity were to become the rule, to which openness could perhaps occasionally become the welcome exception.

Bobek seems content with judicial exceptionalism in the GDPR framework.  I'm not so sure.  I rather think the problem of the courts points to the broader problem of GDPR scope.  Will there ultimately be a pub exception, too?  Stubborn American insistence on framing data protection as business regulation, as in California data protection law, suddenly exhibits some appeal.

The case is X v. Autoriteit Persoonsgegevens, No. C-245/20, Opinion of Advocate General Bobek (Oct. 6, 2021).  HT @ Edward Machin, writing in London for Ropes & Gray.

This is not Bobek's first high-profile opinion on the GDPR—even this year.  Read in Fortune about his January opinion in a Facebook case.