'Don't panic,' lawyers say, as Oz High Court clears way for website liability over defamatory user comments

The High Court of Australia last week greenlit defamation claims against website operators for user comments, the latest evidence of crumbling global immunity doctrine represented in the United States by the ever more controversial section 230.

There is plenty news online about the Aussie case, and I did not intend to comment.  For the academically inclined, social media regulation was the spotlight issue of the premiere Journal of Free Speech Law.

Yet I thought it worthwhile to share commentary from Clayton Utz, in which lawyers Douglas Bishop, Ian Bloemendal, and Kym Fraser evinced a mercifully less alarmist tone when they wrote, "don't panic just yet."

The Australian apex court extended the well known and usual rule of common law defamation, when not statutorily suspended: that the tale bearer is as responsible as the tale maker.  In the tech context, in other words, "[b]y 'facilitating, encouraging and thereby assisting the posting of comments' by the public," the defendants, notwithstanding their actual knowledge or lack thereof, "became the publishers," Bishop, Bloemendal, and Fraser wrote.

But it's a touch more complicated than purely strict liability.  "What is relevant is an intentional participation in the process by which a posted comment may become available to be accessed by other Facebook users," Bishop, et al., opined.  "So does that mean you should take down your corporate social media pages? That would be an over-reaction to this decision."

The lawyers emphasized that this appeal was interlocutory.  On remand in New South Wales, the media defendants may assert defenses, including innocent dissemination, justification, and truth.  Bishop, et al., advise:

In the meantime, if your organisation maintains a social media page which allows comments on your posts, you should review your monitoring of third-party comments and the training of your social media team in flagging and (if necessary) escalating problems to ensure you can have respectful, non-defamatory conversation with stakeholders.

Funny they should say so.  Coincidentally, I gave "feedback" to Google Blogger just Friday that a new option should be added for comment moderation, something like "archive," or "decline to publish for now."  The only options Google offers are spam, trash, and publish.

I have two comments posted to this blog in recent years that I hold in "Awaiting Moderation" purgatory, because they fit none of my three options.  Every time I go to comment moderation, I have to see these two at the top.  The comments express possible defamation: allegations of criminality or otherwise ill character about third parties referenced on the blog.  I don't want to republish these comments, because I do not know whether they are true.  But I don't want to trash them, because they are not necessarily valueless.  Moreover, they might later be evidence in someone else's defamation suit.

I moderate comments for this blog, so I don't think it's too much to ask the same of anyone else who publishes comments, whether individual, small business, or the transnational information empires that peer over my shoulder.  

I do worry, though, about how that works out for the democratizing potential of the internet.  I'm trained to recognize potentially defamatory or privacy invasive content; I've done it for a living.  Are we prepared to punish the blogger who contributes valuably to the information sphere, but lacks the professional training to catch a legal nuance?  Or to pay the democratic price of disallowing dialog on that writer's blog?  As a rule, ignorance of the law is no excuse, in defamation law no less than in any other area.  But understanding media torts asks a lot more of the average netizen than knowing not to jaywalk.

I don't profess answers, at least not today.  But I can tell that the sentiment of my law students, especially those a generation or more younger than I, is unreticent willingness to hold corporations strictly liable for injurious speech on their platforms.  So if I were counsel to Google or Facebook, I would be planning for a radically changed legal future.

Disputed allegations in malicious prosecution suits against Apple raise data protection issues

Apple Store Osaka (Sébastien Bertrand CC BY 2.0)

A case of identity theft, now the subject of lawsuits against Apple and a security contractor, SIS, in three jurisdictions, seems to have raised an alarm about data protection.  But the case might be more complicated, as the defendants have accused the plaintiff of false pleadings.

Plaintiff Ousmane Bah was a 17-year-old Bronx honors student and permanent resident alien applying for citizenship at times relevant to the complaints.  An acquaintance of Bah's acquired Bah's temporary New York driving learner's permit (ID); it is disputed what Bah knew about the acquisition.

The ID did not have a photo, and the biographical data did not match the acquaintance's in all particulars, such as height.  Nevertheless, when the acquaintance was, according to the complaints, apprehended trying to shoplift from Apple stores in New York, New Jersey, and Massachusetts, he was misidentified as Bah.  Bah was criminally charged, subject to arrest warrants, and repeatedly compelled to defend himself.  The case does not directly implicate the known risk of race discrimination in facial recognition algorithms.  But in Bah’s version of events, Apple's use of facial recognition technology to identify the perpetrator in subsequent incidents gave police a false confidence that the suspect was Bah.

Apple and SIS have filed for Rule 11 sanctions in New Jersey and characterize the complaint in that jurisdiction as fiction.  They rely on discovered communication between Bah and the acquaintance to allege that Bah knew well that he was being impersonated, and that misidentification resulted from the acquaintance’s deliberate deception, not from error on the part of Apple or SIS. 

Media have been quick to seize on the allegations in the initial complaint, which does resonate with extant privacy issues in public policy.  If the plaintiff’s allegations are complete and accurate, then the case speaks to Americans’ lack of comprehensive data protection law.  A data protection regulation like Europe’s, generally speaking, would shift the burdens of fair and accurate identification to the defendants, rather than a victim of identity theft, time and again.

Moreover, if the plaintiff’s allegations are complete and accurate, the case has unpleasant overtones in race and socioeconomic equality.  A mismatch of data between the false ID and the acquaintance's appearance prompts concern that “black” was all the retailer needed to see, and one must worry whether persons of limited means can afford to defend themselves against false charges and wrongful arrest, not to mention the collateral effects of publication of misidentification to third parties, such as employers and creditors.

Bah claims defamation and malicious prosecution.  The complaints at least allege evidence in support of actual malice, which Apple and SIS deny.  Malicious prosecution is usually a claim made against public officials in tandem with civil rights violations, but the tort is viable against private parties who initiate criminal proceedings on false pretenses.  Whether the plaintiff’s allegations hold up, I do not know.  The counter-allegations of Apple and SIS in seeking sanctions in the New Jersey case are biting.

The cases are:

• Bah v. Apple Inc., No. 1:19-cv-03539-PKC (S.D.N.Y. filed Apr. 22, 2019) (Court Listener);
• Bah v. Apple Inc., No. 2:20-cv-15018-MCA-MAH (D.N.J. filed Oct. 27, 2020) (Court Listener); and
• Bah v. Apple Inc., No. 1:21-cv-10897-RGS (D. Mass. filed May 28, 2021) (Court Listener).

Bah is represented in the New York case by UMass Law alumnus Subhan Tariq, '13.  My thanks to Steven Zoni, '13, for bringing this case to my attention.

First Amendment advocate counsels caution, but doesn't rebuff, American right to be forgotten

Gene Policinski, Freedom Forum Senior Fellow for the First Amendment, published an op-ed last week for the "First Five" blog in which he counseled caution, but did not gainsay, newsroom "fresh start," or "right to be forgotten" (RTBF), programs.

Motivated in part by European notions of personal data protection, or informational privacy, especially RTBF, fresh start programs give persons covered in past news an opportunity to apply for the erasure of their coverage from online archives.  For NPR in February, David Folkenflik and Claire Miller reported on trending fresh start programs at major U.S. news outlets, such as The Boston Globe, "Revisiting the Past for a Better Future."  The NPR stories observed that these programs have come about in part because of European legal norms, even for newspapers beyond the reach of European legal jurisdiction.

In 2013, I wrote in a law review article that Americans' expectations of privacy, including RTBF, are in fact consonant with evolving European norms, but American law has been slow to keep pace.  The twin notions of finite punishment for past wrongs and of a second chance for persons who have paid their dues are quintessentially American, I wrote in a Washington Post op-ed in 2014.  Those values are reflected, for example, in Eighth Amendment jurisprudence and the Ban the Box campaign.

A prohibitive challenge to RTBF norms in the United States has been the First Amendment, which generally prohibits regulation of the republication of lawfully obtained and truthful information.  Sometimes for better and sometimes for worse, the free-speech absolutist bent of the First Amendment contrasts with a more flexible European approach to rights balancing.  Nothing about the First Amendment, however, precludes a private journalistic enterprise, such as the Globe, from erasing content voluntarily.

Like RTBF itself, fresh start programs have been criticized by free speech and mass communication scholars.  They remind us that journalism is the "first rough draft of history."  Tinkering with archives therefore vests private actors with a weighty, not to mention expensive, responsibility on behalf of the public.  Fresh start advocates point out that this work is not dissimilar to the exercise of news judgment in the first instance.  But the perspective problem is not eliminated by time.  There is no way to be sure that our present-day second-guessing of the historical record is more fair and objective than the original judgment, nor sufficiently preservationist for the future.

Old Slave Mart Museum, Charleston, S.C.
(RJ Peltz-Steele CC BY-NC-SA 4.0)

Just last week, I visited the Old Slave Mart Museum and other historical sites in Charleston, S.C.  To my eyes, the casual treatment of persons as property in the content of news media in times of slavery, as well as racism evident in later media during Jim Crow, is evidence of horrific injustice and a powerful reminder not to take for granted that one's present vision is free of bias.  What if that record had been erased, rather than preserved?  Could Henry Louis Gates Jr.'s "Finding Your Roots" have identified Ben Affleck's slave-owning ancestor (NPR) if history were redacted?

At the same time, I am an advocate for RTBF in some form, just as I support Ban the Box.  I am devoted to the First Amendment.  But digital media, that is, an internet that "never forgets," confronts our society with a new and qualitatively different challenge from any we have faced before.  Viktor Mayer-Schönberger well described in his 2011 book, Delete: The Virtue of Forgetting in the Digital Age, how forgetting, in addition to remembering, is an essential and well evolved part of human social culture.  A failure to forget is an existential threat.

Journalist and academic Deborah L. Dwyer has developed a useful and thought-provoking set of fresh start resources for journalists at her website, Unpublishing the News, cited by Policisnki.  I don't pretend to know whether fresh start, or European RTBF, or some other approach is the best solution, nor whether any of these models will stand the test of time.  I do believe that feeling our way forward is fascinating and necessary.

The op-ed is Gene Policinski, Perspective: News Outlets Need Caution in Offering a "Fresh Start," Freedom Forum (May 26, 2021).

Posh Londoners poo poo peekaboo performance art

"Rear Window" by Anthony O'Neil, CC BY-SA 2.0

Residents who live opposite the Tate Modern, an art museum in London on the south bank of the Thames, sued the Tate for private nuisance and will have their appeal heard by the U.K. Supreme Court.  Residents of the swank NEO Bankside apartment building grew discontent two years ago when a new 360-degree viewing platform at the Tate afforded hundreds of thousands of visitors annually a generous vantage point on private quarters as close as 34 meters away.  Some Tate tourists took pictures and shared to social media insights into the private lives of London apartment dwellers.  The problem in legal terms is whether "overlooking" is a private nuisance, and the general rule, at least in an urban environment, is that it is not.  Accordingly, the residents lost in the High Court in 2019 and in the Court of Appeal in 2020.  Not to be deterred, the resident-plaintiffs will press on in the Supreme Court this year.  The case is Fearn v. Tate, [2020] EWCA Civ 104, and Fearn v. Board of Trustees, [2019] EWHC 246 (Ch).  Hat tip to Art Law & More from Boodle Hatfield.

UK court: Long arm of GDPR can't reach California*

Image my composite of Atlantic Ocean by Tentotwo CC BY-SA 3.0

and "hand reach" from Pixabay by ArtsyBee, licensed

*[UPDATE, Jan. 30, 2022:] On December 21, 2021, the Court of Appeal allowed service on U.S. defendants without ultimately resolving the GDPR territorial scope question.  Read more from Paul Kavanaugh, Dylan Balbirnie, and Madeleine White at Dechert LLP.]

A High Court ruling in England limited the long-arm reach of European (now British) privacy law in a suite of tort claims against Forensic News, a California-based web enterprise doing "modern investigative journalism."

The complainant is a security consultant investigated by Forensic News and a witness in the U.S. Senate Intelligence Committee probe into Russian interference in the 2016 U.S. elections.  A British national, he accused Forensic News of "malicious falsehood, libel, harassment and misuse of private information," the latter based on violation of the British enactment of the European General Data Protection Regulation (GDPR).

The extraterritorial reach of the GDPR has been a hot topic lately in privacy law circles, as U.S. companies struggle to comply simultaneously with foreign and burgeoning state privacy laws, such as the California Consumer Privacy Act (CCPA).  

Forensic News has no people or assets in the UK, but the complainant tried to ground GDPR application in the news organization's website, which accepts donations in, and sells merch for, pounds and euros.  No dice, said the court; it's journalism that links Forensic to the plaintiff and to the UK, not the mail-order side show.

The case is Soriano v. Forensic News LLC, [2021] EWHC 56 (QB) (Jan. 15, 2021).  Haim Ravia, Dotan Hammer, and Adi Shoval at Pearl Cohen have commentary.

Birth announcement: Ontario court is reluctant parent of new tort of 'internet harassment'

UNESCO image CC BY-SA 4.0

The tort world is abuzz with a court decision in Ontario that has birthed a new common law cause of action for online harassment.

The facts that gave rise to the case were extreme.  The defendant was the subject of a New York Times story (subscription) on January 30 about the difficulty of remediating online reputational harm.  The perpetrator of the harassment targeted some 150 victims, including children, spat accusations ranging from fraud to pedophilia, and was adjudged a vexatious litigant and jailed for contempt of court.  Floundering in a dearth of effective enforcement mechanisms, the Ontario Superior Court of Justice (para. 171) recognized a "tort of harassment in internet communications" that means to be narrow:

where the defendant maliciously or recklessly engages in communications conduct so outrageous in character, duration, and extreme in degree, so as to go beyond all possible bounds of decency and tolerance, with the intent to cause fear, anxiety, emotional upset or to impugn the dignity of the plaintiff, and the plaintiff suffers such harm.

The case is Caplan v. Atas, 2021 ONSC 670 (Ont. Super. Ct. Jan. 28, 2021).  Jennifer McKenzie and Amanda Branch at Bereskin & Parr have commentary.  Hat tip to Dan Greenberg for bringing the New York Times story to my attention.

Court: UK hospital's mishandling of corpse after suspicious death violated human rights convention

St. James's Hospital is among those managed by the Leeds group

(image by CommsLTHT 2020 CC BY-SA 4.0).

From the eastern shore of the pond comes an unusual spin on the tort of mishandling a corpse.

The usual mishandling case invokes the longstanding common law exception to the rule against recovery in negligence for emotional distress in the absence of physical injury to person or property.  There was more at stake in this case, as The Guardian explained:

The family of a woman whom they suspect was killed has won a lawsuit against a health trust that allowed her body to decompose to the point that experts were unable to rule out third-party involvement in the death ....

The court ruled that the Leeds, England, hospital violated Article 8 of the European Convention of Human Rights, on the right to respect for private and family life.

The case is Brennan v. Leeds Teaching Hospitals NHS Trust, per High Court Judge Andrew Saffman.  I cannot locate the opinion online.  Besides The Guardian, there is more coverage at the Yorkshire Evening Post and Wharfedale Observer.  Hat tip to Professor Steve Hedley's Private Law Theory.  See also Professor Eugene Volokh's compelling 2019 missive on "the tort of loss of sepulcher."

Court: Employer has no free speech right to republish worker healthcare data that state provides conditionally

Confidential (Nick Youngson Alpha Stock Images CC BY-SA 3.0)

An employer has no First Amendment right to republish the identity of workers who relied on publicly subsidized healthcare when the state provides the names conditionally, for restricted use, the Massachusetts Appeals Court held yesterday.

A state program imposed assessments on employers whose employees relied on publicly subsidized healthcare.  The state offered to tell the employer which employees triggered assessment, so that the employer could review, and if appropriate challenge, the assessment. But the names came with strings attached: employers were required to promise that they will use the names in the administrative process only and not republish them.

Emerald Home Care, Inc., challenged the assessment program and conditional disclosures as violative of procedural due process and the First Amendment.

Affirming the Superior Court, the Appeals Court rejected both arguments.  As to due process, the state provided employers ample notice and opportunity to be heard in resisting the assessments.  As to the First Amendment, the state may attach conditions to access to confidential information.

In the First Amendment analysis, the court cited two U.S. Supreme Court oldies but goodies: LAPD v. United Reporting (1999) and Seattle Times v. Rhinehart (1984).  In LAPD, the Court allowed a statute to condition access to criminal histories on non-commercial use.  In Seattle Times, the Court allowed a protective order on discovery disclosures in a defamation-and-privacy case in which a newspaper was the defendant.

Justice Desmond

The Appeals Court applied intermediate scrutiny, drawn from Seattle Times.  The court reasoned that confidentiality in healthcare insurance information is an important state interest, and the restrictions on disclosure were closely tailored to the purpose of maintaining confidentiality while allowing the employer limited access for the purpose of administrative review.

The case is not remarkable for its holding, but it marks an ongoing tension between U.S. and foreign law over free speech, privacy, and data protection.  In the United States, the First Amendment often is a wrench in the works of government efforts to regulate information downstream from its disclosure to a third party.  Legal systems elsewhere in the world are more comfortable with the notion that a person's privacy rights may tag along with information in its downstream transfer from hand to hand, outweighing the free speech right to republish.

I noted some years ago that in some areas of U.S. law, including freedom of information (FOI), or access to information, we can see examples of American privacy expectations that accord with, not diverge from, European norms.  Downstream control by contract has been a key advancement in making some jurisdictions willing to furnish court records to information brokers.  Binding a broker to adjust records later as a condition of receipt helps to solve problems such as expungement, the American judiciary's equivalent to the right to be forgotten.

The case is Emerald Home Care, Inc. v. Department of Unemployment Assistance, No. AC 20-P-188 (Mass. App. Ct. Feb. 2, 2021).  Justice Kenneth V. Desmond Jr. authored the opinion for a unanimous panel that also comprised Chief Justice Green and Justice Lemire.

'Right to repair' of Mass. Question 1 would close loophole, aid consumers; industry opposition misleads

Teen mechanic in Philippines, 2014
(Rojessa Tiamson-Saceda, USAID, via Pixnio CC0)

Massachusetts has a right-to-repair initiative (Question 1) on the ballot this Election Day.

Voter information explains: "Under the proposed law, manufacturers would not be allowed to require authorization before owners or repair facilities could access mechanical data stored in a motor vehicle’s on-board diagnostic system, except through an authorization process standardized across all makes and models and administered by an entity unaffiliated with the manufacturer."

Passing this initiative should be a no-brainer.  The provision is in fact only an update to an existing law that voters approved in 2012.  Extending the right to repair to "telematic" data, the new law would close a right-to-repair loophole, through which carmakers can shield vehicle data against access by transmitting data out from the vehicle to a proprietary server.  The only source of controversy here should be how we let corporations continuously try to exploit law and technology to evade accountability to consumers and line their pockets with monopolistic product strategies.

The initiative is opposed by the "Coalition for Safe and Secure Data."  The organization's tack is that if you vote yes on Question 1, you'll facilitate domestic violence, because vehicle information can be misused by violent ne'er-do-wells.  The threat is a repulsive red herring, especially considering that telematic data about consumers already are being relocated without subject sign-off.  The Coalition for Safe and Secure Data is not the sheep of consumer privacy advocacy it pretends to be, but a wolf of a trade group, funded to the tune of $25m by the motor vehicle industry to shut down Question 1, according to Commonwealth Magazine.

Canadian privacy advocate deploys anti-SLAPP law in suit by electronic exam proctoring company

John Oliver's Big Coal SLAPP nemesis, Bob Murray, retires

Pixabay by Aksa2011

An IT specialist at a Canadian university is defending a lawsuit against a U.S. tech company over its allegations of copyright infringement and his allegations of infringement of student privacy.

Proctorio is an Arizona-based company offering online testing to academic institutions.  It's similar to ExamSoft, which is used by my law school, the Massachusetts Bar, and other academic and licensing organizations.

Needless to say, businesses in the mold of Proctorio and ExamSoft have taken off since the pandemic.  But these businesses are not without their problems, and their widespread use has brought unwanted scrutiny to their terms of service.

For example, the Electronic Frontier Foundation raised a red flag over ExamSoft in anticipation of its adoption to administer the California bar exam.  Examsoft's terms of service afford the company overbroad reach into the computers of users and, worse, collection of biometric data from studying their faces on screen.  My students have raised legitimate concerns about ExamSoft, and I will not be administering a "closed-book" final exam because I share those concerns.

UBC (GoToVan CC BY 2.0)

Related privacy worries motivated University of British Columbia learning technology specialist Ian Linkletter, MLIS, to tweet out the URLs of unlisted Proctorio instructional videos located at YouTube, meaning to make his case that the company is excessively intrusive of student privacy.  In response, the company sued Linkletter in British Columbia for copyright infringement and breach of confidence.

Now Linkletter has filed for dismissal under British Columbia's anti-SLAPP law.  Linkletter told the Vancouver Sun that fighting the lawsuit for just "more than a month has cost him and his wife tens out thousands of dollars."  Read more in Linkletter's public statement of October 16.

B.C.'s anti-SLAPP law was enacted unanimously by lawmakers in March 2019.  Oddly enough, B.C. lawmakers passed one of Canada's first anti-SLAPP laws in 2001, but quickly repealed it over doubts about its efficacy.  I wrote recently about the dark side of anti-SLAPP laws.  Never have I denied that they are sometimes deployed consistently with their laudable aims; rather, my concerns derive from their ready abuse when deployed against meritorious defamation and privacy causes.   

The case is Proctorio, Inc. v. Linkletter, Vancouver Reg. No. S-208730 (filed B.C. Sup. Ct. Sept. 20, 2020) (civil claim).

Bye, bye, Bob

[UPDATE, Oct. 27, 2020. To be clear, I wrote that sub-headline before this happened: "Coal giant Robert Murray passes away just days after announcing retirement" (Stephanie Grindley, WBOY, Oct. 25, 2020).]

In other, if distantly related, anti-SLAPP news, Bob Murray is resigning and retiring as board chairman of American Consolidated Natural Resource Holdings Inc., successor of Big Coal's Murray Energy.  It was a tangle with Murray that turned HBO comedian John Oliver into an anti-SLAPP champion.  And, I admit again, HBO's use of anti-SLAPP law was textbook and laudable after Murray brought a groundless suit against the network.

While I disagree with Oliver over anti-SLAPP, he's one of my favorite comedians and social activists, and definitely was the mic-drop-best live act I've ever seen.  Here are his key Murray Energy treatments from Last Week Tonight.

The first, June 18, 2017, drew Murray's lawsuit.

The second, November 10, 2019, followed up with a paean to anti-SLAPP, wrapping up with a musical tribute to Murray.

U.S. White Paper on 'Schrems II': Emperor still clothed

A new U.S. white paper on data protection means favorably to supplement the record on U.S. surveillance practices that, in part, fueled the European Court of Justice (ECJ) decision in "Schrems II," in July, rejecting the adequacy of the Privacy Shield Framework to secure EU-to-US data transfers.

From the U.S. Department of Commerce, Department of Justice, and Office of the Director of National Intelligence, the white paper suggests that the ECJ ruling was interim in nature, pending investigation of U.S. national security practices to better understand whether they comport with EU General Data Protection Regulation norms, such as data minimization, which means collecting only data necessary to the legitimate purpose at hand.  The paper states:

A wide range of information about privacy protections in current U.S. law and practice relating to government access to data for national security purposes is publicly available.  The United States government has prepared this White Paper to provide a detailed discussion of that information, focusing in particular on the issues that appear to have concerned the ECJ in Schrems II, for consideration by companies transferring personal data from the EU to the United States. The White Paper provides an up-to-date and contextualized discussion of this complex area of U.S. law and practice, as well as citations to source documents providing additional relevant information. It also provides some initial observations concerning the relevance of this area of U.S. law and practice that may bear on many companies’ analyses. The White Paper is not intended to provide companies guidance about EU law or what positions to take before European courts or regulators. 

Armed with this additional information, then, the message to the private sector seems to be, Keep Calm and Carry On, using the very same "standard contractual clauses" (SCCs) that the ECJ invalidated.  Yet if the information featured in the white paper has been publicly available, why assume that the ECJ was ill informed?  (Read more about SCC revisions under way, and their likely shortcomings, at IAPP.)

Unfortunately for the U.S. position, the ECJ opinion was not, to my reading, in any way temporary, or malleable, pending further development of the record.  The white paper comes off as another installment in the now quarter-century-old U.S. policy that the emperor is fully clothed.

I hope this white paper is only a stop-gap.  As I said in a Boston Bar CLE recently, no privacy bill now pending in Congress will bridge the divide between the continents on the subject of U.S. security surveillance.  A political negotiation, which might involve some give from the American side at least in transparency, seems now to be our only way forward.

The white paper is Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (Sept. 2020).

Boston Bar panel surveys landscape of privacy law, data protection policy, class action litigation

Attorneys Melanie Conroy, Marjan Hajibandeh, and Matthew M.K. Stein

We had great fun yesterday, as lawyer fun goes, talking about privacy law in the United States, from the impact of the Privacy Shield collapse to the latest litigation under California's groundbreaking consumer privacy protection law.  I was privileged to appear in a Boston Bar Association program on privacy class action litigation, led by attorney Melanie A. Conroy, CIPP/US, of Pierce Atwood LLP, alongside practicing-attorney panelists Matthew M.K. Stein, of Manatt, Phelps & Phillips, LLP, and Marjan Hajibandeh of CarGurus, Inc. 

Our topical reach was a breathless sprint across a dramatic landscape.  We opened with our respective thoughts on developments in privacy law, Conroy observing that the fast-paced field has undergone seismic shifts again and again in recent years, from the implementation of the California Consumer Privacy Act (CCPA) to the $18m Equifax data breach settlement in Massachusetts.

I spoke to the impact of the European Court of Justice decision ("Schrems II" (ECJ July 16, 2020)) invalidating the U.S.-EU Privacy Shield as a motivator for U.S. reform.  Besides the significance of the case in Europe and our foreign relations, the decision signals that a quarter century after adoption of the first European Data Protection Directive, Europe's patience with American recalcitrance has finally run out.

Julie Brill (MS CC) and William Kovacic

Former Federal Trade Commissioner Julie Brill told the Senate Commerce Committee this week that in two years, 65% of the world will be living under data protection laws, most of them modeled after the EU General Data Protection Regulation (GDPR).  As former Federal Trade Commission (FTC) Chairman William Kovacic put it, if we don't pass legislation in the United States, "we will get a national privacy policy: the GDPR."  As I tweeted this week, hearing testimony drove the usually cool and collected Senator Maria Cantwell (D-Wash.) to exclaim, "My God, this is clear, we need a strong privacy law." And Americans are ready; Brill said that nine out of ten Americans now believe that privacy is a human right.

Sen. Cantwell

Our panel ran down the latest developments in class action privacy litigation, loosely divided on the fronts of biometric data class actions, mostly arising under Illinois's pioneering Biometric Information Privacy Act; CCPA-related class actions in California; and data breach litigation.  I ran down cases in the latter vein and talked some about the present circuit split over Article III standing.  Federal courts have divided over whether "theft alone" can constitute concrete injury for constitutionally minimal standing, or plaintiffs must show some subsequent misuse of their data.  This issue is not limited to the data breach area, but has implications across a wide range of statutory enforcement systems, including the Fair Credit Reporting Act.

For my part, I predict that our dawning, if belated, understanding of the monetary value of personally identifiable information (PII) will lead us to the inevitable conclusion that theft alone suffices.  This is evidenced, for example, in Hogan v. NBCUniversal (D.R.I. filed Aug. 27, 2020), over the sale of Golf Channel subscriber identities, which subsequently were associated with other PII and resold.  Though for the time being, my favored conclusion is arguably not the inclination evidenced in the U.S. Supreme Court in Spokeo, Inc. v. Robins, in 2016.  Senator Dick Blumenthal (D.-Conn.) mentioned this week, apropos of current events, that Justice Ginbsburg, joined by Justice Sotomayor, dissented in Spokeo on just this point.

The late Justice Ginsburg; Sen. Blumenthal

Our next panel focus was developments in the First Circuit and Massachusetts.  In Massachusetts Superior Court in Boston, data breach litigation, filed in May 2019, against Massachusetts General Hospital, Brigham & Women's Hospital, and the Dana-Farber Cancer Institute, over online patient-service communications occurring outside secure portals, raises the very question of concrete harm, which may be resolved differently at the state level than under the federal Constitution.  Meanwhile in federal court, the same issue in data breach litigation, filed in March 2020, in Hartigan v. Macy's, highlights the lack of First Circuit precedent on the question since Spokeo, while citing strong pre-Spokeo indications that the First Circuit would favor the misuse-required position.

In parting observations, I offered that we have a long road ahead.  Of all the bills pending in Congress (see EPIC's excellent April report), only some propose a private cause of action and none attacks the problem of government surveillance, both purported prerequisites to European restoration of authorized trans-Atlantic data flow.  Within the U.S Congress, there appears to be bipartisan support for some kind of nationwide privacy legislation.  But the questions of private or FTC enforcement, and whether preemption would mean a legislative floor or ceiling remain sticking points that could derail the process.