Tuesday, January 31, 2017

Please Stand Behind the White Line: Harassment and free speech on the byway



A decision yesterday from the Massachusetts Appeals Court, V.J. v. N.J., 2017 Mass. App. LEXIS 6 (Mass. App. Ct. Jan. 30, 2017) (Mass.gov (temporary); Lexis with registration) pitted civil harassment against free speech in the case of a transit-service bus driver who felt threatened by a passenger’s unwanted advances and irate reaction to being rebuffed.  The court, per Justice William Meade, affirmed extension of a civil protection order.  Justice James Milkey dissented.  Meade is a former ADA and AAG.  Milkey is a former environmental lawyer who litigated on behalf of the Commonwealth to compel the U.S. Environmental Protection Agency to regulate greenhouse gases.

The facts engender sympathy for the position of the plaintiff, a bus driver for the Massachusetts Bay Transportation Authority (MBTA).  The defendant passenger came on to her a number of times, and she rebuffed his advances.  She ultimately complained to her supervisor upon an incident when the defendant “approached her from behind and grabbed her across her chest in a ‘bear hug,’” while the plaintiff was in full MBTA uniform.  When plaintiff thereafter spurned a tendered apology and eschewed further communication, defendant became verbally abusive, hurling derogatory epithets, “‘fat bitch’” and “‘ghetto bitch.’”  He was removed by police. 

Plaintiff thereafter for a time denied defendant access to the bus.  In a subsequent encounter, defendant did board the bus and was again removed by police after he “went on a rant about the impropriety of his being denied access,” told plaintiff “he would be there every day to inconvenience her,” and refused to leave the bus unless plaintiff called police.

Civil harassment has a curious history in U.S. law and an unsettled relationship with the freedom of speech.  Statutes of various kinds are commonplace in the states.  They accord with popular wisdom about what’s acceptable and what’s not in ordinary social interaction.  

Considering that the United States is a common law jurisdiction, though, harassment stands out as an example of the common law’s sometimes failure to change with the times.  Statutory harassment as an intentional tort might incorporate separate instances of common law assault, battery, intentional infliction of emotional distress (IIED), or invasion of privacy, but does not have to.  In some models, harassment can occur without the imminence of contact that assault requires and without the physical contact that battery requires.  Harassment might be accomplished through invasion of privacy—disclosure, intrusion, even misappropriation—but might not be. 

Instead, harassment statutes usually articulate a unique theory of intentional tort, invariably characterized by repetition.  The common law’s notorious insensitivity to gender inequality, both historic and extant, probably has a lot to do with its failure to evolve a response to harassment as a social problem, considering that women are disproportionately victimized.

Especially when harassment is not also assault or battery, it usually is accomplished by expression, written or verbal, so the freedom of speech is implicated.  The facial constitutionality of criminal and civil prohibitions on harassment is usually taken for granted.  But why that should be so is not so plain.

Harassment didn’t make the U.S. Supreme Court’s historic list of “non-speech” or unprotected speech categories in First Amendment law, alongside the likes of obscenity, “fighting words,” threats, and incitements to violence.  A free speech absolutist might well argue that harassment prohibitions, however fashionable, are, or should be, unconstitutional.  The opposite position is to be permissive of new-category recognition and carve out a harassment exception, invoking the muse of “I know it when I see it.”  

A typical and nuanced approach tries to jam harassment into existing non-speech categories, especially fighting words or “true threat” doctrine.  The fighting-words fit requires a touch of re-engineering, as the category usually requires the same imminence that assault does.  True threat has some more flexibility to it, owing to its relatively modest accretion of definitive case law to date.  But the notion of “threat” still seems to say something about urgency that the no-less-offensive, persistent grating of harassment might not quite equal.

By statute, a Massachusetts civil protection order requires harassment to be expressed in three instances.  Indeed, repetition is usually the linchpin that eases a court’s conscience in letting harassment slide under the First Amendment radar.  Massachusetts courts look for three malicious acts, “‘characterized by cruelty, hostility or revenge,’” and producing in sum, “‘fear, intimidation, abuse or damage to property.’”  This approach is thought to thread the “true threat” needle to the First Amendment’s satisfaction.

Manifesting the court’s sensitivity to the wakefulness of the free speech watchdog, repetition became precisely the sticking point between majority and dissent in V.J. v. N.J.  Justice Milkey disputed the viability of the third encounter between plaintiff and defendant as sufficient to support the three encounters required to extend the protection order.  Recall that the defendant said he would not leave the bus unless plaintiff summoned police.  Acknowledging a close question, the majority reasoned its way from intransigence to physical threat:


Although he did not directly threaten the plaintiff with physical violence, he nonetheless threatened that he would continue confronting her in this same manner, i.e., ranting about being denied access, and that she would need continuous police intervention to remove him from the bus. It was his stated goal that on a daily basis he would inconvenience her as she had him. This suffices to demonstrate the defendant’s malicious intent, characterized by cruelty, hostility, or revenge, to intimidate the plaintiff and to place her in fear of physical harm.


Justice Milkey disagreed.  A police summons might have threatened a physical encounter with police, he reasoned, but not with plaintiff.  The pledge to return daily was a threat of annoyance, not violence.  Quoting the U.S. Supreme Court in Virginia v. Black (2003), Milkey defined a “true threat” as “a serious expression of an intent to commit an act of unlawful violence to a particular individual.”  Milkey found no physicality in the defendant’s expression vis-à-vis the plaintiff.  Moreover, Milkey indulged the defendant’s theory that his expression constituted protest of his exclusion from the bus by a public official, in essence, a form of political expression, not “motivated by ‘cruelty, hostility, or revenge.’”

At first blush, the dissent seems hyper-technical and cringeworthily insensitive to what this bus driver had to endure—doubtless amid the myriad daily struggles of the job.  But one must appreciate that Milkey was motivated by a defense of free speech.  He did not condone the defendant’s conduct, and he expressly disavowed opinion on the propriety of the defendant’s exclusion from the bus.  Myself, I am inclined to succumb to the overwhelming social appeal of the plaintiff’s position in this case.  But I think it fair to say that dissenting required a measure of intellectual courage.

Tuesday, January 24, 2017

Intimate large parties and the duty to protect privacy



I had to take a blog break over the holidays in order to get a hefty book read and to write a review of it.  I’ll post on that when it comes closer to publication.  Meanwhile, my, how the world has changed!  Let me kick off the new year with a look at some related developments in privacy law.

As Marion Oswald of the University of Winchester wrote recently for the journal of Information Communication & Technology Law (open source), to paraphrase, privacy ain’t what it used to be.  Oswald opened with a quote from The Great Gatsby, so it goes without saying that that needs to be reiterated here.  She wrote,

At one of the Great Gatsby’s spectacular parties, the golf champion Jordan Baker remarked to Nick Carraway that she likes large parties: “They’re so intimate. At small parties there isn’t any privacy.”

From that paradox, Oswald builds the case that privacy must be redefined to protect individuals in the digital world.  She observes the inadequacy of the “reasonable expectation of privacy” (REP) test—the U.S. Fourth Amendment standard—given the objective test’s tendency to drive itself to extinction in a world of objectively diminishing privacy.  Kade Crockford with the ACLU of Massachusetts articulates this point brilliantly in her lectures.  Oswald is not the first to reach her conclusion, but she does so compellingly.

Two recent cases, from Pennsylvania and Massachusetts, reached different conclusions on the question of a corporate defendant’s duty to safeguard private data.  The cases show the struggle under way in U.S. courts to do just what Oswald proposed—to redefine privacy in the digital age.  The United States is increasingly at odds with Europe, and for that matter the rest of the world, on this question.  Heralded as a modern human right in Europe, data protection is a burgeoning global legal field—and corporate obligation.

Duty

First, a quick primer on duty in U.S. tort law.

Tort law in the United States usually provides for a “duty” by “default” in negligence—that is, all persons owe to all other a persons a duty to exercise reasonable care (or not to act negligently), to avert harm to all others.  But the default rule of duty is subject to some important limitations.   

One limitation is the economic loss rule, which circumscribes negligence liability.  The rule precludes a plaintiff’s action for nonphysical, economic injury alone.  There are plenty of exceptions to the rule, and some scholars even think it’s not really a rule at all.  For example, negligent misrepresentation, which is like fraud but without intent, can be supported by economic loss within the context and expectations of a business relationship.

Defamation and privacy torts can generate what looks like economic injury, but really are animated by their own, sui generis classes of damages to reputation and personality.  U.S. privacy torts push in the European direction, but generally do not protect data voluntarily disclosed to third parties, such as employers and banks—a relation of the REP problem.  That means no protection in privacy torts for financial data, even though it’s the stuff of identity theft.

The other limitation on duty by default is that U.S. law imposes no affirmative duty to protect, or to render aid.  This rule, too, is subject to many exceptions, such as a parent’s duty to protect a child, contractual and statutory duties to protect, and a duty not to abandon a rescue undertaken.

Here like in privacy law, European legal codes diverge from U.S. common law with a greater willingness to impose affirmative duty.  In the United States, the affirmative-duty limitation also can relieve a corporate entity of a duty to safeguard data when the injury to the plaintiff is caused much more immediately by an intervening bad actor, such as the hacker or identity thief.  (The problem in proximate causation is integrally related.)

So on to the cases.  Remember, "[i]t takes two to make an accident."

Pennsylvania

A January 12 Pennsylvania court decision, Dittman v. UPMC (Leagle) held that an employer had no duty to safeguard employees’ private information on a workplace computer.  (Hat tip to Richard Borden at Robinson + Cole.)  University of Pittsburgh Medical Center (UPMC) employees numbering 62,000 alleged disclosure of personal information in a data breach, resulting in the theft of identities and of tax refunds.

The court applied a five-factor test for duty: 

1. the relationship between the parties;
2. the social utility of the actor's conduct;
3. the nature of the risk imposed and foreseeability of the harm incurred;
4. the consequences of imposing a duty upon the actor; and,
5. the overall public interest in the proposed solution.

UPMC prevailed in common pleas and superior courts, the latter 2-1, arguing that it owed no duty to protect the plaintiff’s interests.  On the affirmative duty question, the court pointed to attenuated causation and professed willingness to defer to the state legislature.  As summarized by Brian J.Willett for the Reed Smith Technology Law Dispatch

The Superior Court observed that the social utility of electronic information storage is high, and while harm from data breaches is foreseeable, an intervening third party stealing data is a superseding cause.

Additionally, the Court explained that a judicially created duty of care would be unnecessary to motivate employers to protect employee information, as “there are still statutes and safeguards in place to prevent employers from disclosing confidential information” in addition to business considerations.

Finally, the Court agreed with the trial court’s conclusion that creating a duty in this context would not serve the public interest; rather, it would interrupt the deliberative legislative process and expend judicial resources needlessly.

The court then bolstered its conclusion by pointing to the economic loss rule as well. 

Massachusetts

Just before the holiday break in December, a Massachusetts Appeals Court also decided a case in which the plaintiff alleged an employer’s negligence in safeguarding private data—though the plaintiff was a client of the employer rather than an employee.

The facts recited by the court in Adams v. Congress Auto Insurance Agency, Inc. (Justia), have the makings of a docudrama.  According to the court, Thomas was fleeing police at high speed when he crashed his car into Adams's.  Thomas was driving the car of his girlfriend, Burgos, so Adams claimed against Burgos’s auto insurance.  Meanwhile Burgos was both customer and customer service manager of defendant insurance agency Congress.  She reported her car stolen and filed her own insurance claim. 

Adams could identify Thomas.  So Burgos used her computer access at work to identify Adams and passed his identity to Thomas.  Thomas then phoned Adams, impersonated a state police officer, and threatened Adams: “‘Shut the F up and get your car fixed or you will have issues,’” the court purported to quote.  Though I bet Thomas didn’t say just “F.”

Adams sued Congress on multiple theories, including negligent failure to safeguard private data.  At the trial level, according to the appeals court, “the motion judge . . . rul[ed] that expert testimony was required to establish whether the agency owed a duty to Adams to safeguard his personal information, what that duty entailed, and whether the agency breached that duty.”

It’s odd that the motions judge sought expert testimony, because, as the appeals court aptly observed, duty is unique among the four elements of negligence—duty, breach, proximate cause, and injury—for being purely a question of law, guided by public policy.  Courts do not ordinarily hear expert testimony on what the law is.  The theory goes that figuring that out is the judge’s main job.  (Too bad, or being a law professor would be more lucrative.  I was gently tossed from the witness stand once when a lawyer made a valiant but futile attempt to squeeze me past the rule.)

Unlike the Pennsylvania Superior Court, the Massachusetts Appellate Court found its way to a legal duty.  The court held “that the agency had a legal duty to Adams, a member of a large but clearly defined class of third parties, to prevent its employee’s foreseeable misuse of the information that Adams provided to process his automobile insurance claim.”  Where the Pennsylvania court had pointed to statute to justify judicial restraint, the Massachusetts court pointed to state data breach law to show that the legislature had green-lighted legal duty (albeit "a single green light, minute and far away").

“Just as those with physical keys to the homes of others have a duty of reasonable care to preserve their security,” the Massachusetts court reasoned, “companies whose employees have access to the confidential data of others have a duty to take reasonable measures to protect against the misuse of that data.”  Indeed, the court cited a keys case as applicable precedent.  The court made no fuss over the rule of affirmative duty or the rule of economic loss.  In a discussion of causation, the court seemed content to resort to foreseeability on the facts.

Summary judgment for defendant Congress was vacated, and the case was remanded for trial.

Conclusion

Advocates who wish to block European-style data protection in the United States use the availability of state tort law remedies as one tool in the toolbox to argue that U.S. law already sufficiently safeguards personal data from both sides of the Atlantic.  That’s not true.  Not yet.

Data protection in the United States is confounded by the rules of affirmative duty and economic loss.  And that’s not bad; those rules exist for sound public policy reasons.  They also are excepted for sound reasons.

I’ve written before (e.g., here and here) that popular thinking and expectations with respect to individual privacy are converging in the United States and Europe, even if a legal bridge lags behind.  Common law negligence can be a vital building block of that bridge.  But it’s a work in progress.

“‘Don’t believe everything you hear, Nick.’”

Sunday, November 13, 2016

Digital forgetting in America




Yesterday I spoke on a panel at the annual conference of the National Communication Association (NCA) on “the right to be forgotten,” or “right to erasure,” in data protection law. 

RTBF is a way for someone to get unwanted Internet content taken down, or at least de-listed, or de-indexed, from search results, because the content causes the person injury.  RTBF is regarded in Europe as a function of the human right to data protection, an outgrowth of the fundamental right to privacy in European law.  The history of the right is now well documented online for the reader of every interest level, so I won’t belabor it here.  Suffice to say that a landmark moment came in the case of Mario Costeja González in the European Court of Justice in 2014 (Wikipedia; the case in English).  He had complained about the online publication of an archived 1998 newspaper report of a debt.  The court sided with the Spanish Data Protection Authority in ordering Google Spain to de-index the report from search results.

The Costeja case rattled media on the American side of the Atlantic, who raised the alarm about a threat to the freedom of expression.  U.S. law has always been a problematic analog to European privacy law.  The disparity stems from a basic, initial problem, which is that the only place our Constitution plainly recognizes privacy law is in the Fourth Amendment right against unreasonable searches and seizures.  To the dismay of constitutional textualists, the U.S. Supreme Court has sometimes located a right of privacy in various other provisions, as well as in their “penumbras and emanations” (Griswold v. Conn., 381 U.S. 479, 484 (1965) (LII)).  But at the end of the day, our constitutional notion of a privacy right has remained largely constrained by the state action doctrine, meaning the right restrains only governmental power, not the private operators of search engines and newspaper archives. When statutory or common law privacy collides with the free speech rights of online publishers, the constitutional imperative prevails.

Meanwhile RTBF has been recognized explicitly in the General Data Protection Regulation (GDPR) of the European Union.  The doctrine has spawned its own body of administrative and case law in European national courts, some of it tied more to the human right of privacy than to the GDPR.  RTBF court rulings have spawned a labor-intensive takedown request service within Google.  The courts and the Internet giant are sparring now over whether search engines can be compelled to de-index websites worldwide or only in national iterations of the service (e.g., google.fr for France).  Scholars are looking hard at whether there should be a legal difference between a search engine and a primary information provider, such as a newspaper, in the area of Internet intermediary liability.   RTBF was a sore point in the trans-Atlantic negotiation over the data protection Privacy Shield agreement, and still key details remain to be worked out in implementation.  And RTBF and its balance with free expression remains a point of debate around the world as countries such as Brazil look to overhaul and update their data protection and privacy laws.

I made the moral case for RTBF in a Washington Post op-ed two years ago, so I won’t reiterate that here.  I’ve since been looking into the law of RTBF in the United States.  Saturday I reported my belief that the First Amendment hurdles are surmountable.  

To give just the flavor of that presentation, take for example the prior restraint doctrine in U.S. First Amendment law.  The prior restraint doctrine essentially forbids restraints on free expression backed by government power prior to adjudication of the expression as unlawful.  One need look no farther than the vigorous notice and takedown (N&TD) regime of the Digital Millennium Copyright Act (DMCA) to see that the prior restraint doctrine is a manageable problem.  To be clear, I’m on record agreeing with those who think that DMCA N&TD has gotten out of control and needs to be reined in, not to mention that the underlying scope of copyright protection is excessive.  But the analogy holds.  When nude celebrity photos of the likes of Jennifer Lawrence were leaked online, the remedy employed by some—for the rabidly popular Lawrence, it wasn’t possible—to recall their images from circulation was copyright N&TD, rather than tortious invasion of privacy.  It makes no sense to compel the use of intellectual property law to remedy what is plainly a privacy problem.  Tort law is up to the job.  Moreover, I see a clear and constitutional path to injunctive remedies for privacy torts, better than for ill-fitting copyright infringements.

I am also engaging the idea that in this age of information commodification, the provision of information is sometimes more a commercial enterprise than an expressive enterprise.  Certainly that's the case for data brokers, such as Acxiom.  Researchers such as Nikolas Ott and Hugo Zylberberg in the Kennedy School Review have described the commercial value of the wash of data that our appliances will generate in the Internet of Things era.  A Spanish court in an RTBF case against the newspaper El País held that the newspaper's online publication of archives was a commercial act rather than a journalistic one.  Commercial communication is protected by the First Amendment, but to a much lesser extent than is political or artistic expression.

I am grateful to Dr. Kyu Ho Youm, the John Marshall First Amendment chair at the University of Oregon School of Journalism and Communication, who invited me to be a part of the NCA program that he designed and proposed.  I am also indebted for thought-provoking reflection to my co-panelists: Dr. Ed Carter, professor and director of the School of Communication at Brigham Young University; Dr. Stefan Kulk, a researcher at the Centre for Intellectual Property Law of Utrecht University in the Netherlands; and Dr. Ahran Park, a senior researcher for the Korea Press Foundation in South Korea.