Anti-corruption law violates business-owner privacy, EU court holds with myopic appraisal of transparency

A key European Union transparency law that allows watchdogs to trace corporate ownership to combat corruption has been struck down by the EU high court for compromising personal privacy.

EU beneficial owner registry map from Transparency International, 2021. Read more.
CC BY-NC-ND 3.0

I'm not a hard skeptic on the personal privacy prerogative of the EU General Data Protection Regulation. To the contrary, I've written that there's a lot to like about the emerging global privacy norms embodied in the GDPR, and, contrary to conventional wisdom, American social expectations, if not yet federal law, are converging with Europe's.

That said, the EU Court of Justice yesterday announced a profoundly problematic decision at the junction of public access and personal privacy. The blanket disclosure requirements of a key anti-money-laundering law can't stand, the court held, because they don't calibrate the public need for access with the privacy of natural-person business owners with sufficient precision, that is, as a function of necessity and proportionality.

Troublingly, the court characterized transparency norms, which are grounded in treaty and law more firmly in the EU than in the United States, as specially relevant to the public sector and not fully implicated in the private sector, in the context of business regulation.

The potential implication of this proposition is that access to information is limited to a requester learning "what the government is up to," to the exclusion of government oversight of the private sector. That's a cramped and problematic construction of access law that has dogged journalists and NGOs using the U.S. Freedom of Information Act (FOIA) for decades. Read more in Martin Halstuk and Charles Davis's classic 2002 treatment. As I have written in my comparative research on access to information, access to and accountability of the private sector is a problem of our times. We must solve it if we're to save ourselves from the maw of corporatocracy.

In my opinion, the CJEU decision fundamentally misunderstands and overstates the legitimate scope of data protection regulation with the effect of enervating transparency as a vital oversight tool. The impact is ironic, considering that data protection regulation came about as a bulwark to protect the public from private power. The court turned that logic on its head by using personal privacy to shield commercial actors from public scrutiny.

Unfortunately (for this purpose), I have my hands full in Europe (coincidentally) right now, and I lack time to write more. Fortunately, Helen Darbishire and the team at Access Info Europe already have written a superb summary. Their lede:

In a ruling that has sent shockwaves through Europe’s anti-corruption and transparency community, the Court found that the Fifth Anti-Money Laundering Directive (AMLD5, 2018) is too loosely framed and provides for overly-wide public access to the [ownership] registers without a proper justification of the necessity and proportionality of the interference with the rights to privacy and personal data protection of the beneficial owners.

A saving grace, Access Info observed, is that the court did not rule out transparency per se; rather, requesters will have to fight for access case by case on the facts, upon a properly narrowed regulation. In U.S. constitutional terms, it's like saying the one-size-fits-all law was struck for vagueness, but the regulatory objective still can be achieved under a narrower rule that works as applied. All the same, journalists and non-profit watchdogs are not famously well financed to fight for access on a case-by-case basis.

The case is No. C‑37/20 & No. C‑601/20 in the Grand Chamber of the CJEU.

Hospital BAC disclosure prompts tort privacy claims

Photo by Marco Verch (CC BY 2.0)

The federal district court in Montana in December refused to dismiss an informational privacy claim against police, highlighting the space for state law to effect personal privacy protection in the United States.

Plaintiff Harrington was hospitalized after police found her unresponsive in her parked car. In the complaint, she alleged that sheriff's deputies "joked about her incapacitated condition and played along when nurses asked them to guess her blood alcohol content" (BAC). A nurse thereby disclosed Harrington's BAC, and, the complaint alleged, deputies then coaxed the record from a doctor. Harrington was charged with driving under the influence.

Subsequently, Harrington sued county officials and Madison Valley Hospital, the latter on theories of state statutory information privacy and common law invasion of privacy, negligence, and negligent infliction of emotional distress. The hospital sought dismissal on grounds that the federal Health Insurance Portability and Accountability Act (HIPAA), cited by the plaintiff in the complaint, affords no private right of action.  The federal district court, per Chief Judge Brian Morris, denied the motion to dismiss, recognizing that while HIPAA does not itself authorize private enforcement, it also does not preclude state law from providing greater privacy protection.

The case caught my attention because its facts point to something for which I've advocated, the use of tort law to fill gaps in informational privacy protection in the United States.  The law has not kept up with Americans' expectations of privacy, much less the norms of the world, but the common law should be sufficiently dynamic to reflect the evolving social contract.  I see drift in this direction in the expansion of medical fiduciary duty in emerging precedents in the states, such as Connecticut's Byrne v. Avery Center for Obstetrics & Gynecology, P.C., in 2018.

A theory as tenuous as negligent infliction of emotional distress, "NIED," can't usually stand on its own.  And tortious invasion of privacy has a poor track record in protecting personal information that is already in limited circulation.  However, paired with a medical provider's fiduciary duty and bolstered by a privacy violation recognized in regulation, either tort theory might be ripe for redefinition.

The case is Harrington v. Madison County, No. 2:21-cv-00015 (D. Mont. Dec. 6, 2021).  Hat tip to Linn Foster Freedman at Robinson+Cole's Data Privacy + Cybersecurity Insider.

Code might inevitably regulate journalism in digital age

The U.K. Information Commissioner's Office is working on a "journalism code of practice" to legislate against defamation and invasion of privacy by mass media.

Principally and ostensibly, the code is intended to bring media law into conformity with U.K. data protection law, essentially the European General Data Protection Regulation (GDPR), including the stories "right to be forgotten," or right to erasure (RTBF). On the ground, the picture is more complicated. The British phone hacking scandal and following Leveson Inquiry constitute a strong causal thread in public receptiveness to media regulation.

Cambridge legal scholar David Erdos analyzed the draft code for the INFORRM public in part one and part two postings in October.  The code incorporates media torts such as defamation of privacy and misuse of private information (MOPI), the latter a common law innovation of British courts to facilitate enforcement of data protection rights. I have posited in other venues that common law tort similarly might provide a way forward to fill gaps in information privacy law in the United States.

Journalism and data protection rights have been on a collision course for a quarter century, like a slow-motion car wreck, and the draft journalism code is a harbinger of the long anticipated impact.  Back in 1995, when the EU GDPR-predecessor Data Protection Directive was brand new, the renowned media law scholar Jane Kirtley published an article in the Iowa Law Review, "The EU Data Protection Directive and the First Amendment: Why a 'Press Exemption' Won't Work."  Kirtley foresaw data protection and the First Amendment's arguably irreconcilable differences before most U.S. scholars had even heard of data protection.

In those innocent days, journalism ethics was reshaping itself to preserve professionalism in the newly realized and anxiety-inducing 24/7 news cycle.  A key plank in the new-ethics platform was its essentiality to resist regulation.  In 2000, media law attorney Bruce Sanford published the book Don't Shoot the Messenger: How Our Growing Hatred of the Media Threatens Free Speech for All of Us.  Then in 2001, everything changed, and mass media and their consumers became engrossed by new concerns over government accountability.

In a way, the consolidation of media regulation in a generation of code could be a relief for journalism, especially on the European continent.  In an age of ever more complex regulatory mechanisms, codification can offer bright lines and safe harbors to guard against legal jeopardy.  Information service providers from local newspapers to transnationals such as Google are struggling to comply with new legal norms such as the RTBF, and there is as yet little evidence of uniformity of norms, much less convergence. Yet even if industry ultimately embraces the security of code, what's good for business is not necessarily good for wide-ranging freedom of expression. 

Courts, too, are struggling with novel problems.  For example, in late November, the European Court of Human Rights ruled in Biancardi v. Italy that RTBF de-indexing orders extend beyond search engines and bind original news publishers.  Writing for Italian Tech and INFORRM, attorney Andrea Monti fairly fretted that the decision effectively compels journalistic organizations to expend resources in constant review of their archives, else face liability in data protection law.  The result, Monti reasoned, will be to discourage preservation, manifesting a threat to the very existence of historical record.

On the one hand, it's foolish to wring one's hands for fear that journalism is being newly subordinated to legal regulation.  Tort itself is a regulatory mechanism, and defamation has been around for a long time, notwithstanding the seeming absolutism of the First Amendment.  On the other hand, media regulation by law looks nothing like the punctilious supervision of regulated industries, including the practice of law.

In my own education, I found the contrast in approaches to ethics perplexing.  In journalism school, my ethics class had been taught aptly by a religion scholar who led impassioned discussions about handout hypotheticals.  In law school, the textbook in legal profession hit the desk with a thud for what was as much a study of model or uniform code as was crim or sales.

With no "First Amendment" per se, media regulation by code is not the novelty in the U.K. that it would be in the United States.  Still, with privacy and digital rights sweeping the globe, law is poised to regulate journalism in new ways everywhere, whether through the subtlety of common law or the coercive power of civil regulation.  American courts will not be able to escape their role in reshaping fundamental rights for the digital world, as European courts are at work doing now.  Kirtley foresaw the issues in 1995, and the chickens are slowly but surely turning up at the roost.

The present ICO consultation closes on January 10, 2022.

In parting meditation on pub gossip, Czech judge peels onion on privacy limits, judicial transparency

Does GDPR pertain to pub buzz?, AG Bobek asks.

(Skeptics in the Pub Oslo (2015) by Dizzi90 CC BY-SA 4.0)

Earlier this month, Czech judge and legal scholar Michal Bobek rounded out a six-year term as an Advocate General (AG) of the European Court of Justice with a mind-bending meditation on the ultimate futility of enforcing data protection law as written and a confirmation of the essentiality of transparency in the courts.

The case on which Bobek opined hardly required a deep dive.  He said so: "This case is like an onion," he wrote.  "I believe that it would be possible, and in the context of the present case entirely justified, to remain at that outer layer.   No peeling of onions unless expressly asked for."

But the case provided Bobek an optimal diving board, and, on the penultimate day of his term as AG, he plunged and peeled.

Complainants in the case were litigants before the Dutch Council of State (Raad van State).  They asserted that disclosure to a journalist of summary case information, from which they could be identified and details of their personal lives worked out, violated their right of privacy under the General Data Protection Regulation (GDPR) of the European Union, as transposed into Dutch law.

The disclosures are permissible under a GDPR exemption for judicial activities, Bobek concluded.  But en route to that conclusion, he further opined that the potentially unbridled scope of the GDPR must be tamed to accord with social norms and democratic imperatives.

With remarkably plain reasoning, he framed the problem in a comfortable venue:

If I go to a pub one evening, and I share with four of my friends around the table in a public place (thus unlikely to satisfy the private or household activity exception of ... the GDPR) a rather unflattering remark about my neighbour that contains his personal data, which I just received by email (thus by automated means and/or is part of my filing system), do I become the controller of those data, and do all the (rather heavy) obligations of the GDPR suddenly become applicable to me? Since my neighbour never provided consent to that processing (disclosure by transmission), and since gossip is unlikely ever to feature amongst the legitimate grounds listed in ... the GDPR, I am bound to breach a number of provisions of the GDPR by that disclosure, including most rights of the data subject contained in Chapter III.

The pub might not be the only place where the GDPR runs up against a rule of reason.  Consider the more nuanced problem of footballers considering a challenge against the processing of their performance stats.  Goodness; the pub convo will turn inevitably to football.

Let's step back for a second and take stock of the GDPR from the perspective of the American street.

Americans don't get many wins anymore.  We just retreated from a chaotic Afghanistan, despite our fabulously expensive military.  We resist socialized healthcare, but we make cancer patients finance their treatments on Go Fund Me.  We force families into lifelong debt to pay for education, undermining the social mobility it's supposed to provide.  We afford workers zero vacation days and look the other way from the exploitation of gig labor.  Our men's soccer team failed to qualify for the last World Cup and Olympics, while we're not sure why our women are rock stars; it can't be because we pay them fairly.  When it comes to personal privacy, we tend to want it, but our elected representatives seem eager to cede it to our corporate overlords.

Truth be confessed, then, Americans are willing to engage in a smidge of schadenfreude when Europeans—with their peace, their healthcare, their cheap college, their Ryanair Mediterranean vacations, their world-class football, and their g—d— G—D—P—R—get themselves tied up in regulatory knots over something like the sufficient size of a banana.  Ha.  Ha.

Therein lies the appeal, to me, of Judge Bobek's train of thought.  He finds inevitable the conclusion that posting case information is data processing within the purview of the GDPR.  The parties did not even dispute that.  For today, Bobek found an out through the GDPR exemption for the business of the courts in their "judicial capacity."

The out required a stretch to accommodate posting information for journalists, which is not, most strictly speaking, a judicial capacity.  Bobek reasoned by syllogism:  For the courts to do what they do, to act in the judicial capacity, they require judicial independence.  Judicial independence is maintained by ensuring public confidence in the judiciary.  Public confidence in the judiciary is bolstered by transparency in the courts.  Transparency in the courts is facilitated by the provision of case information to journalists.  Therefore, the judicial capacity requires publication of case information to journalists.

The problem, tomorrow, is that there is no answer in the case of pub gossip.  Bobek meditated on the human condition: "Humans are social creatures.  Most of our interactions involve the sharing of some sort of information, often at times with other humans. Should any and virtually every exchange of such information be subject to the GDPR?"

Bobek

Can't be, he concluded.

[I]n my view, I suspect that either the Court, or for that matter the EU legislature, might be obliged to revisit the scope of the GDPR one day. The current approach is gradually transforming the GDPR into one of the most de facto disregarded legislative frameworks under EU law. That state of affairs is not necessarily intentional. It is rather the natural by-product of the GDPR's application overreach, which in turn leads to a number of individuals being simply in blissful ignorance of the fact that their activities are also subject to the GDPR. While it might certainly be possible that such protection of personal data is still able to "serve mankind," I am quite confident that being ignored as a result of being unreasonable does not in fact serve well or even contribute to the authority or legitimacy of any law, including the GDPR.

While we await reassessment of the bounds of data privacy law in modern society, Bobek opined more and mightily on the importance of judicial transparency as a countervailing norm.  He opened the opinion with philosopher-jurist Jeremy Bentham:

"Publicity is the very soul of justice. It is the keenest spur to exertion, and the surest of all guards against impropriety.… It is through publicity alone that justice becomes the mother of security. By publicity, the temple of justice is converted into a school of the first order, where the most important branches of morality are enforced...."

Bobek later picked up the theme:

Judging means individualised detail brought to the public forum....

On the one hand, the basis for judicial legitimacy in an individual case are its facts and details. The judge settles an individual case. His or her job is not to draft abstract, general, and anonymous rules detached from individual facts and situations. That is the job of a legislature. The more a judicial decision departs from or hides the factual background to a public court case, or if it is later reported with significant limitations, the more often it becomes incomprehensible, and the less legitimate it becomes as a judicial decision.

On the other hand, ever since the Roman age, but presumably already earlier, if a claimant asked for the help of the community or later the State to have his claim upheld and enforced by the State, he was obliged to step into the public forum and let his case be heard there. In classical Roman times, the applicant was even entitled to use violence against the respondent who refused to appear in the public (the North Eastern part of the Roman Forum called comitium), before the magistrate (seated on a rolling chair on a tribune higher than the general public—hence indeed tribunal), when called before a court (in ius vocatione).

It is true that, later on, there were other visions of the proper administration of justice and its publicity. They are perhaps best captured by a quote from a judge in the Parlement de Paris writing in 1336 instructions to his junior colleagues, and explaining why they should never disclose either the facts found or the grounds for their decision: "For it is not good that anyone be able to judge concerning the contents of a decree or say 'it is similar or not'; but garrulous strangers should be left in the dark and their mouths closed, so that prejudice should not be caused to others.... For no one should know the secrets of the highest court, which has no superior except God...."

In the modern age, returning to the opening quote of Jeremy Bentham, it is again believed that even garrulous strangers should be allowed to see and understand justice. Certainly, with the arrival of modern technologies, a number of issues must continuously be re-evaluated so that garrulous strangers cannot cause prejudice to others....

Naturally, the publicity of justice is not absolute. There are well-grounded and necessary exceptions. The simple point to keep in mind here is: what is the rule and what is the exception. Publicity and openness must remain the rule, to which naturally exceptions are possible and sometimes necessary. However, unless the GDPR were to be understood as imposing a revival of the best practices of the Parlement de Paris of the 14th century, or other elements of the Ancien Régime or the Star Chamber(s) for that matter, it is rather difficult to explain why, in the name of the protection of personal data, that relationship must now be reversed: secrecy and anonymity were to become the rule, to which openness could perhaps occasionally become the welcome exception.

Bobek seems content with judicial exceptionalism in the GDPR framework.  I'm not so sure.  I rather think the problem of the courts points to the broader problem of GDPR scope.  Will there ultimately be a pub exception, too?  Stubborn American insistence on framing data protection as business regulation, as in California data protection law, suddenly exhibits some appeal.

The case is X v. Autoriteit Persoonsgegevens, No. C-245/20, Opinion of Advocate General Bobek (Oct. 6, 2021).  HT @ Edward Machin, writing in London for Ropes & Gray.

This is not Bobek's first high-profile opinion on the GDPR—even this year.  Read in Fortune about his January opinion in a Facebook case.

'Don't panic,' lawyers say, as Oz High Court clears way for website liability over defamatory user comments

The High Court of Australia last week greenlit defamation claims against website operators for user comments, the latest evidence of crumbling global immunity doctrine represented in the United States by the ever more controversial section 230.

There is plenty news online about the Aussie case, and I did not intend to comment.  For the academically inclined, social media regulation was the spotlight issue of the premiere Journal of Free Speech Law.

Yet I thought it worthwhile to share commentary from Clayton Utz, in which lawyers Douglas Bishop, Ian Bloemendal, and Kym Fraser evinced a mercifully less alarmist tone when they wrote, "don't panic just yet."

The Australian apex court extended the well known and usual rule of common law defamation, when not statutorily suspended: that the tale bearer is as responsible as the tale maker.  In the tech context, in other words, "[b]y 'facilitating, encouraging and thereby assisting the posting of comments' by the public," the defendants, notwithstanding their actual knowledge or lack thereof, "became the publishers," Bishop, Bloemendal, and Fraser wrote.

But it's a touch more complicated than purely strict liability.  "What is relevant is an intentional participation in the process by which a posted comment may become available to be accessed by other Facebook users," Bishop, et al., opined.  "So does that mean you should take down your corporate social media pages? That would be an over-reaction to this decision."

The lawyers emphasized that this appeal was interlocutory.  On remand in New South Wales, the media defendants may assert defenses, including innocent dissemination, justification, and truth.  Bishop, et al., advise:

In the meantime, if your organisation maintains a social media page which allows comments on your posts, you should review your monitoring of third-party comments and the training of your social media team in flagging and (if necessary) escalating problems to ensure you can have respectful, non-defamatory conversation with stakeholders.

Funny they should say so.  Coincidentally, I gave "feedback" to Google Blogger just Friday that a new option should be added for comment moderation, something like "archive," or "decline to publish for now."  The only options Google offers are spam, trash, and publish.

I have two comments posted to this blog in recent years that I hold in "Awaiting Moderation" purgatory, because they fit none of my three options.  Every time I go to comment moderation, I have to see these two at the top.  The comments express possible defamation: allegations of criminality or otherwise ill character about third parties referenced on the blog.  I don't want to republish these comments, because I do not know whether they are true.  But I don't want to trash them, because they are not necessarily valueless.  Moreover, they might later be evidence in someone else's defamation suit.

I moderate comments for this blog, so I don't think it's too much to ask the same of anyone else who publishes comments, whether individual, small business, or the transnational information empires that peer over my shoulder.  

I do worry, though, about how that works out for the democratizing potential of the internet.  I'm trained to recognize potentially defamatory or privacy invasive content; I've done it for a living.  Are we prepared to punish the blogger who contributes valuably to the information sphere, but lacks the professional training to catch a legal nuance?  Or to pay the democratic price of disallowing dialog on that writer's blog?  As a rule, ignorance of the law is no excuse, in defamation law no less than in any other area.  But understanding media torts asks a lot more of the average netizen than knowing not to jaywalk.

I don't profess answers, at least not today.  But I can tell that the sentiment of my law students, especially those a generation or more younger than I, is unreticent willingness to hold corporations strictly liable for injurious speech on their platforms.  So if I were counsel to Google or Facebook, I would be planning for a radically changed legal future.

Disputed allegations in malicious prosecution suits against Apple raise data protection issues

Apple Store Osaka (Sébastien Bertrand CC BY 2.0)

A case of identity theft, now the subject of lawsuits against Apple and a security contractor, SIS, in three jurisdictions, seems to have raised an alarm about data protection.  But the case might be more complicated, as the defendants have accused the plaintiff of false pleadings.

Plaintiff Ousmane Bah was a 17-year-old Bronx honors student and permanent resident alien applying for citizenship at times relevant to the complaints.  An acquaintance of Bah's acquired Bah's temporary New York driving learner's permit (ID); it is disputed what Bah knew about the acquisition.

The ID did not have a photo, and the biographical data did not match the acquaintance's in all particulars, such as height.  Nevertheless, when the acquaintance was, according to the complaints, apprehended trying to shoplift from Apple stores in New York, New Jersey, and Massachusetts, he was misidentified as Bah.  Bah was criminally charged, subject to arrest warrants, and repeatedly compelled to defend himself.  The case does not directly implicate the known risk of race discrimination in facial recognition algorithms.  But in Bah’s version of events, Apple's use of facial recognition technology to identify the perpetrator in subsequent incidents gave police a false confidence that the suspect was Bah.

Apple and SIS have filed for Rule 11 sanctions in New Jersey and characterize the complaint in that jurisdiction as fiction.  They rely on discovered communication between Bah and the acquaintance to allege that Bah knew well that he was being impersonated, and that misidentification resulted from the acquaintance’s deliberate deception, not from error on the part of Apple or SIS. 

Media have been quick to seize on the allegations in the initial complaint, which does resonate with extant privacy issues in public policy.  If the plaintiff’s allegations are complete and accurate, then the case speaks to Americans’ lack of comprehensive data protection law.  A data protection regulation like Europe’s, generally speaking, would shift the burdens of fair and accurate identification to the defendants, rather than a victim of identity theft, time and again.

Moreover, if the plaintiff’s allegations are complete and accurate, the case has unpleasant overtones in race and socioeconomic equality.  A mismatch of data between the false ID and the acquaintance's appearance prompts concern that “black” was all the retailer needed to see, and one must worry whether persons of limited means can afford to defend themselves against false charges and wrongful arrest, not to mention the collateral effects of publication of misidentification to third parties, such as employers and creditors.

Bah claims defamation and malicious prosecution.  The complaints at least allege evidence in support of actual malice, which Apple and SIS deny.  Malicious prosecution is usually a claim made against public officials in tandem with civil rights violations, but the tort is viable against private parties who initiate criminal proceedings on false pretenses.  Whether the plaintiff’s allegations hold up, I do not know.  The counter-allegations of Apple and SIS in seeking sanctions in the New Jersey case are biting.

The cases are:

• Bah v. Apple Inc., No. 1:19-cv-03539-PKC (S.D.N.Y. filed Apr. 22, 2019) (Court Listener);
• Bah v. Apple Inc., No. 2:20-cv-15018-MCA-MAH (D.N.J. filed Oct. 27, 2020) (Court Listener); and
• Bah v. Apple Inc., No. 1:21-cv-10897-RGS (D. Mass. filed May 28, 2021) (Court Listener).

Bah is represented in the New York case by UMass Law alumnus Subhan Tariq, '13.  My thanks to Steven Zoni, '13, for bringing this case to my attention.

First Amendment advocate counsels caution, but doesn't rebuff, American right to be forgotten

Gene Policinski, Freedom Forum Senior Fellow for the First Amendment, published an op-ed last week for the "First Five" blog in which he counseled caution, but did not gainsay, newsroom "fresh start," or "right to be forgotten" (RTBF), programs.

Motivated in part by European notions of personal data protection, or informational privacy, especially RTBF, fresh start programs give persons covered in past news an opportunity to apply for the erasure of their coverage from online archives.  For NPR in February, David Folkenflik and Claire Miller reported on trending fresh start programs at major U.S. news outlets, such as The Boston Globe, "Revisiting the Past for a Better Future."  The NPR stories observed that these programs have come about in part because of European legal norms, even for newspapers beyond the reach of European legal jurisdiction.

In 2013, I wrote in a law review article that Americans' expectations of privacy, including RTBF, are in fact consonant with evolving European norms, but American law has been slow to keep pace.  The twin notions of finite punishment for past wrongs and of a second chance for persons who have paid their dues are quintessentially American, I wrote in a Washington Post op-ed in 2014.  Those values are reflected, for example, in Eighth Amendment jurisprudence and the Ban the Box campaign.

A prohibitive challenge to RTBF norms in the United States has been the First Amendment, which generally prohibits regulation of the republication of lawfully obtained and truthful information.  Sometimes for better and sometimes for worse, the free-speech absolutist bent of the First Amendment contrasts with a more flexible European approach to rights balancing.  Nothing about the First Amendment, however, precludes a private journalistic enterprise, such as the Globe, from erasing content voluntarily.

Like RTBF itself, fresh start programs have been criticized by free speech and mass communication scholars.  They remind us that journalism is the "first rough draft of history."  Tinkering with archives therefore vests private actors with a weighty, not to mention expensive, responsibility on behalf of the public.  Fresh start advocates point out that this work is not dissimilar to the exercise of news judgment in the first instance.  But the perspective problem is not eliminated by time.  There is no way to be sure that our present-day second-guessing of the historical record is more fair and objective than the original judgment, nor sufficiently preservationist for the future.

Old Slave Mart Museum, Charleston, S.C.
(RJ Peltz-Steele CC BY-NC-SA 4.0)

Just last week, I visited the Old Slave Mart Museum and other historical sites in Charleston, S.C.  To my eyes, the casual treatment of persons as property in the content of news media in times of slavery, as well as racism evident in later media during Jim Crow, is evidence of horrific injustice and a powerful reminder not to take for granted that one's present vision is free of bias.  What if that record had been erased, rather than preserved?  Could Henry Louis Gates Jr.'s "Finding Your Roots" have identified Ben Affleck's slave-owning ancestor (NPR) if history were redacted?

At the same time, I am an advocate for RTBF in some form, just as I support Ban the Box.  I am devoted to the First Amendment.  But digital media, that is, an internet that "never forgets," confronts our society with a new and qualitatively different challenge from any we have faced before.  Viktor Mayer-Schönberger well described in his 2011 book, Delete: The Virtue of Forgetting in the Digital Age, how forgetting, in addition to remembering, is an essential and well evolved part of human social culture.  A failure to forget is an existential threat.

Journalist and academic Deborah L. Dwyer has developed a useful and thought-provoking set of fresh start resources for journalists at her website, Unpublishing the News, cited by Policisnki.  I don't pretend to know whether fresh start, or European RTBF, or some other approach is the best solution, nor whether any of these models will stand the test of time.  I do believe that feeling our way forward is fascinating and necessary.

The op-ed is Gene Policinski, Perspective: News Outlets Need Caution in Offering a "Fresh Start," Freedom Forum (May 26, 2021).

Posh Londoners poo poo peekaboo performance art

"Rear Window" by Anthony O'Neil, CC BY-SA 2.0

Residents who live opposite the Tate Modern, an art museum in London on the south bank of the Thames, sued the Tate for private nuisance and will have their appeal heard by the U.K. Supreme Court.  Residents of the swank NEO Bankside apartment building grew discontent two years ago when a new 360-degree viewing platform at the Tate afforded hundreds of thousands of visitors annually a generous vantage point on private quarters as close as 34 meters away.  Some Tate tourists took pictures and shared to social media insights into the private lives of London apartment dwellers.  The problem in legal terms is whether "overlooking" is a private nuisance, and the general rule, at least in an urban environment, is that it is not.  Accordingly, the residents lost in the High Court in 2019 and in the Court of Appeal in 2020.  Not to be deterred, the resident-plaintiffs will press on in the Supreme Court this year.  The case is Fearn v. Tate, [2020] EWCA Civ 104, and Fearn v. Board of Trustees, [2019] EWHC 246 (Ch).  Hat tip to Art Law & More from Boodle Hatfield.

UK court: Long arm of GDPR can't reach California*

Image my composite of Atlantic Ocean by Tentotwo CC BY-SA 3.0

and "hand reach" from Pixabay by ArtsyBee, licensed

*[UPDATE, Jan. 30, 2022:] On December 21, 2021, the Court of Appeal allowed service on U.S. defendants without ultimately resolving the GDPR territorial scope question.  Read more from Paul Kavanaugh, Dylan Balbirnie, and Madeleine White at Dechert LLP.]

A High Court ruling in England limited the long-arm reach of European (now British) privacy law in a suite of tort claims against Forensic News, a California-based web enterprise doing "modern investigative journalism."

The complainant is a security consultant investigated by Forensic News and a witness in the U.S. Senate Intelligence Committee probe into Russian interference in the 2016 U.S. elections.  A British national, he accused Forensic News of "malicious falsehood, libel, harassment and misuse of private information," the latter based on violation of the British enactment of the European General Data Protection Regulation (GDPR).

The extraterritorial reach of the GDPR has been a hot topic lately in privacy law circles, as U.S. companies struggle to comply simultaneously with foreign and burgeoning state privacy laws, such as the California Consumer Privacy Act (CCPA).  

Forensic News has no people or assets in the UK, but the complainant tried to ground GDPR application in the news organization's website, which accepts donations in, and sells merch for, pounds and euros.  No dice, said the court; it's journalism that links Forensic to the plaintiff and to the UK, not the mail-order side show.

The case is Soriano v. Forensic News LLC, [2021] EWHC 56 (QB) (Jan. 15, 2021).  Haim Ravia, Dotan Hammer, and Adi Shoval at Pearl Cohen have commentary.

Birth announcement: Ontario court is reluctant parent of new tort of 'internet harassment'

UNESCO image CC BY-SA 4.0

The tort world is abuzz with a court decision in Ontario that has birthed a new common law cause of action for online harassment.

The facts that gave rise to the case were extreme.  The defendant was the subject of a New York Times story (subscription) on January 30 about the difficulty of remediating online reputational harm.  The perpetrator of the harassment targeted some 150 victims, including children, spat accusations ranging from fraud to pedophilia, and was adjudged a vexatious litigant and jailed for contempt of court.  Floundering in a dearth of effective enforcement mechanisms, the Ontario Superior Court of Justice (para. 171) recognized a "tort of harassment in internet communications" that means to be narrow:

where the defendant maliciously or recklessly engages in communications conduct so outrageous in character, duration, and extreme in degree, so as to go beyond all possible bounds of decency and tolerance, with the intent to cause fear, anxiety, emotional upset or to impugn the dignity of the plaintiff, and the plaintiff suffers such harm.

The case is Caplan v. Atas, 2021 ONSC 670 (Ont. Super. Ct. Jan. 28, 2021).  Jennifer McKenzie and Amanda Branch at Bereskin & Parr have commentary.  Hat tip to Dan Greenberg for bringing the New York Times story to my attention.