Intimate large parties and the duty to protect privacy

I had to take a blog break over the holidays in order to get a hefty book read and to write a review of it.  I’ll post on that when it comes closer to publication.  Meanwhile, my, how the world has changed!  Let me kick off the new year with a look at some related developments in privacy law.

As Marion Oswald of the University of Winchester wrote recently for the journal of Information Communication & Technology Law (open source), to paraphrase, privacy ain’t what it used to be.  Oswald opened with a quote from The Great Gatsby, so it goes without saying that that needs to be reiterated here.  She wrote,

At one of the Great Gatsby’s spectacular parties, the golf champion Jordan Baker remarked to Nick Carraway that she likes large parties: “They’re so intimate. At small parties there isn’t any privacy.”

From that paradox, Oswald builds the case that privacy must be redefined to protect individuals in the digital world.  She observes the inadequacy of the “reasonable expectation of privacy” (REP) test—the U.S. Fourth Amendment standard—given the objective test’s tendency to drive itself to extinction in a world of objectively diminishing privacy.  Kade Crockford with the ACLU of Massachusetts articulates this point brilliantly in her lectures.  Oswald is not the first to reach her conclusion, but she does so compellingly.

Two recent cases, from Pennsylvania and Massachusetts, reached different conclusions on the question of a corporate defendant’s duty to safeguard private data.  The cases show the struggle under way in U.S. courts to do just what Oswald proposed—to redefine privacy in the digital age.  The United States is increasingly at odds with Europe, and for that matter the rest of the world, on this question.  Heralded as a modern human right in Europe, data protection is a burgeoning global legal field—and corporate obligation.

Duty

First, a quick primer on duty in U.S. tort law.

Tort law in the United States usually provides for a “duty” by “default” in negligence—that is, all persons owe to all other a persons a duty to exercise reasonable care (or not to act negligently), to avert harm to all others.  But the default rule of duty is subject to some important limitations.   

One limitation is the economic loss rule, which circumscribes negligence liability.  The rule precludes a plaintiff’s action for nonphysical, economic injury alone.  There are plenty of exceptions to the rule, and some scholars even think it’s not really a rule at all.  For example, negligent misrepresentation, which is like fraud but without intent, can be supported by economic loss within the context and expectations of a business relationship.

Defamation and privacy torts can generate what looks like economic injury, but really are animated by their own, sui generis classes of damages to reputation and personality.  U.S. privacy torts push in the European direction, but generally do not protect data voluntarily disclosed to third parties, such as employers and banks—a relation of the REP problem.  That means no protection in privacy torts for financial data, even though it’s the stuff of identity theft.

The other limitation on duty by default is that U.S. law imposes no affirmative duty to protect, or to render aid.  This rule, too, is subject to many exceptions, such as a parent’s duty to protect a child, contractual and statutory duties to protect, and a duty not to abandon a rescue undertaken.

Here like in privacy law, European legal codes diverge from U.S. common law with a greater willingness to impose affirmative duty.  In the United States, the affirmative-duty limitation also can relieve a corporate entity of a duty to safeguard data when the injury to the plaintiff is caused much more immediately by an intervening bad actor, such as the hacker or identity thief.  (The problem in proximate causation is integrally related.)

So on to the cases.  Remember, "[i]t takes two to make an accident."

Pennsylvania

A January 12 Pennsylvania court decision, Dittman v. UPMC (Leagle) held that an employer had no duty to safeguard employees’ private information on a workplace computer.  (Hat tip to Richard Borden at Robinson + Cole.)  University of Pittsburgh Medical Center (UPMC) employees numbering 62,000 alleged disclosure of personal information in a data breach, resulting in the theft of identities and of tax refunds.

The court applied a five-factor test for duty: 

1. the relationship between the parties;

2. the social utility of the actor's conduct;

3. the nature of the risk imposed and foreseeability of the harm incurred;

4. the consequences of imposing a duty upon the actor; and,

5. the overall public interest in the proposed solution.

UPMC prevailed in common pleas and superior courts, the latter 2-1, arguing that it owed no duty to protect the plaintiff’s interests.  On the affirmative duty question, the court pointed to attenuated causation and professed willingness to defer to the state legislature.  As summarized by Brian J.Willett for the Reed Smith Technology Law Dispatch: 

The Superior Court observed that the social utility of electronic information storage is high, and while harm from data breaches is foreseeable, an intervening third party stealing data is a superseding cause.

Additionally, the Court explained that a judicially created duty of care would be unnecessary to motivate employers to protect employee information, as “there are still statutes and safeguards in place to prevent employers from disclosing confidential information” in addition to business considerations.

Finally, the Court agreed with the trial court’s conclusion that creating a duty in this context would not serve the public interest; rather, it would interrupt the deliberative legislative process and expend judicial resources needlessly.

The court then bolstered its conclusion by pointing to the economic loss rule as well. 

Massachusetts

Just before the holiday break in December, a Massachusetts Appeals Court also decided a case in which the plaintiff alleged an employer’s negligence in safeguarding private data—though the plaintiff was a client of the employer rather than an employee.

The facts recited by the court in Adams v. Congress Auto Insurance Agency, Inc. (Justia), have the makings of a docudrama.  According to the court, Thomas was fleeing police at high speed when he crashed his car into Adams's.  Thomas was driving the car of his girlfriend, Burgos, so Adams claimed against Burgos’s auto insurance.  Meanwhile Burgos was both customer and customer service manager of defendant insurance agency Congress.  She reported her car stolen and filed her own insurance claim. 

Adams could identify Thomas.  So Burgos used her computer access at work to identify Adams and passed his identity to Thomas.  Thomas then phoned Adams, impersonated a state police officer, and threatened Adams: “‘Shut the F up and get your car fixed or you will have issues,’” the court purported to quote.  Though I bet Thomas didn’t say just “F.”

Adams sued Congress on multiple theories, including negligent failure to safeguard private data.  At the trial level, according to the appeals court, “the motion judge . . . rul[ed] that expert testimony was required to establish whether the agency owed a duty to Adams to safeguard his personal information, what that duty entailed, and whether the agency breached that duty.”

It’s odd that the motions judge sought expert testimony, because, as the appeals court aptly observed, duty is unique among the four elements of negligence—duty, breach, proximate cause, and injury—for being purely a question of law, guided by public policy.  Courts do not ordinarily hear expert testimony on what the law is.  The theory goes that figuring that out is the judge’s main job.  (Too bad, or being a law professor would be more lucrative.  I was gently tossed from the witness stand once when a lawyer made a valiant but futile attempt to squeeze me past the rule.)

Unlike the Pennsylvania Superior Court, the Massachusetts Appellate Court found its way to a legal duty.  The court held “that the agency had a legal duty to Adams, a member of a large but clearly defined class of third parties, to prevent its employee’s foreseeable misuse of the information that Adams provided to process his automobile insurance claim.”  Where the Pennsylvania court had pointed to statute to justify judicial restraint, the Massachusetts court pointed to state data breach law to show that the legislature had green-lighted legal duty (albeit "a single green light, minute and far away").

“Just as those with physical keys to the homes of others have a duty of reasonable care to preserve their security,” the Massachusetts court reasoned, “companies whose employees have access to the confidential data of others have a duty to take reasonable measures to protect against the misuse of that data.”  Indeed, the court cited a keys case as applicable precedent.  The court made no fuss over the rule of affirmative duty or the rule of economic loss.  In a discussion of causation, the court seemed content to resort to foreseeability on the facts.

Summary judgment for defendant Congress was vacated, and the case was remanded for trial.

Conclusion

Advocates who wish to block European-style data protection in the United States use the availability of state tort law remedies as one tool in the toolbox to argue that U.S. law already sufficiently safeguards personal data from both sides of the Atlantic.  That’s not true.  Not yet.

Data protection in the United States is confounded by the rules of affirmative duty and economic loss.  And that’s not bad; those rules exist for sound public policy reasons.  They also are excepted for sound reasons.

I’ve written before (e.g., here and here) that popular thinking and expectations with respect to individual privacy are converging in the United States and Europe, even if a legal bridge lags behind.  Common law negligence can be a vital building block of that bridge.  But it’s a work in progress.

“‘Don’t believe everything you hear, Nick.’”

Digital forgetting in America

Yesterday I spoke on a panel at the annual conference of the National Communication Association (NCA) on “the right to be forgotten,” or “right to erasure,” in data protection law. 

RTBF is a way for someone to get unwanted Internet content taken down, or at least de-listed, or de-indexed, from search results, because the content causes the person injury.  RTBF is regarded in Europe as a function of the human right to data protection, an outgrowth of the fundamental right to privacy in European law.  The history of the right is now well documented online for the reader of every interest level, so I won’t belabor it here.  Suffice to say that a landmark moment came in the case of Mario Costeja González in the European Court of Justice in 2014 (Wikipedia; the case in English).  He had complained about the online publication of an archived 1998 newspaper report of a debt.  The court sided with the Spanish Data Protection Authority in ordering Google Spain to de-index the report from search results.

The Costeja case rattled media on the American side of the Atlantic, who raised the alarm about a threat to the freedom of expression.  U.S. law has always been a problematic analog to European privacy law.  The disparity stems from a basic, initial problem, which is that the only place our Constitution plainly recognizes privacy law is in the Fourth Amendment right against unreasonable searches and seizures.  To the dismay of constitutional textualists, the U.S. Supreme Court has sometimes located a right of privacy in various other provisions, as well as in their “penumbras and emanations” (Griswold v. Conn., 381 U.S. 479, 484 (1965) (LII)).  But at the end of the day, our constitutional notion of a privacy right has remained largely constrained by the state action doctrine, meaning the right restrains only governmental power, not the private operators of search engines and newspaper archives. When statutory or common law privacy collides with the free speech rights of online publishers, the constitutional imperative prevails.

Meanwhile RTBF has been recognized explicitly in the General Data Protection Regulation (GDPR) of the European Union.  The doctrine has spawned its own body of administrative and case law in European national courts, some of it tied more to the human right of privacy than to the GDPR.  RTBF court rulings have spawned a labor-intensive takedown request service within Google.  The courts and the Internet giant are sparring now over whether search engines can be compelled to de-index websites worldwide or only in national iterations of the service (e.g., google.fr for France).  Scholars are looking hard at whether there should be a legal difference between a search engine and a primary information provider, such as a newspaper, in the area of Internet intermediary liability.   RTBF was a sore point in the trans-Atlantic negotiation over the data protection Privacy Shield agreement, and still key details remain to be worked out in implementation.  And RTBF and its balance with free expression remains a point of debate around the world as countries such as Brazil look to overhaul and update their data protection and privacy laws.

I made the moral case for RTBF in a Washington Post op-ed two years ago, so I won’t reiterate that here.  I’ve since been looking into the law of RTBF in the United States.  Saturday I reported my belief that the First Amendment hurdles are surmountable.  

To give just the flavor of that presentation, take for example the prior restraint doctrine in U.S. First Amendment law.  The prior restraint doctrine essentially forbids restraints on free expression backed by government power prior to adjudication of the expression as unlawful.  One need look no farther than the vigorous notice and takedown (N&TD) regime of the Digital Millennium Copyright Act (DMCA) to see that the prior restraint doctrine is a manageable problem.  To be clear, I’m on record agreeing with those who think that DMCA N&TD has gotten out of control and needs to be reined in, not to mention that the underlying scope of copyright protection is excessive.  But the analogy holds.  When nude celebrity photos of the likes of Jennifer Lawrence were leaked online, the remedy employed by some—for the rabidly popular Lawrence, it wasn’t possible—to recall their images from circulation was copyright N&TD, rather than tortious invasion of privacy.  It makes no sense to compel the use of intellectual property law to remedy what is plainly a privacy problem.  Tort law is up to the job.  Moreover, I see a clear and constitutional path to injunctive remedies for privacy torts, better than for ill-fitting copyright infringements.

I am also engaging the idea that in this age of information commodification, the provision of information is sometimes more a commercial enterprise than an expressive enterprise.  Certainly that's the case for data brokers, such as Acxiom.  Researchers such as Nikolas Ott and Hugo Zylberberg in the Kennedy School Review have described the commercial value of the wash of data that our appliances will generate in the Internet of Things era.  A Spanish court in an RTBF case against the newspaper El País held that the newspaper's online publication of archives was a commercial act rather than a journalistic one.  Commercial communication is protected by the First Amendment, but to a much lesser extent than is political or artistic expression.

I am grateful to Dr. Kyu Ho Youm, the John Marshall First Amendment chair at the University of Oregon School of Journalism and Communication, who invited me to be a part of the NCA program that he designed and proposed.  I am also indebted for thought-provoking reflection to my co-panelists: Dr. Ed Carter, professor and director of the School of Communication at Brigham Young University; Dr. Stefan Kulk, a researcher at the Centre for Intellectual Property Law of Utrecht University in the Netherlands; and Dr. Ahran Park, a senior researcher for the Korea Press Foundation in South Korea.

Laughing with Lenny Bruce, from schmuck to conscience

 

Kitty Bruce cuts the ribbon on the Lenny Bruce archive at the Brandeis University Goldfarb Library.

There is indecent language in this post.

In the last week of October, Brandeis University hosted a conference, “Comedy and the Constitution,” celebrating the life and work of comedian Lenny Bruce (1925-1966).  The conference marked the accession in the Brandeis University Library of Lenny Bruce’s papers, donated by his daughter Kitty Bruce, who participated in the conference.  The program was organized by Professor Steve Whitfield in American Studies and Sarah Shoemaker in Goldfarb Library Special Collections.  Featured speakers included Christie Hefner, former chairwoman and CEO of Playboy Enterprises, and “outrage” comedian Lewis Black, known to many through his long-running Daily Show segment, “Back in Black.”

My own paper for the academic part of the program concerned free expression and communication regulation.  Specifically, I looked at Bruce's technique of repeating indecent words with the aim of disempowering them.  If one repeats fuck again and again, the tenth repetition doesn’t sting the ear as much as the first.  George Carlin was there at least once when Bruce was arrested for “obscenity” based on the use of discrete words.  There can be little doubt that the experience directly influenced Carlin’s famous “seven dirty words” routine.  This comedic tradition at least tracked a strengthening of free expression in U.S. culture and law—think “Fuck the Draft” on Cohen’s jacket, 403 U.S. 15 (1971)—and might moreover have been a precipitating force.  For better or worse, the power today that attaches to many favorites in the pantheon of bad words is not what it used to be.  Ruth Wajnryb observed in her 2005 book, Language Most Foul, “[N]owadays it takes several fucks to achieve what one lone fuck would have achieved ten years ago.”

The lodging of Bruce’s legacy at Brandeis is a good fit for a couple of reasons.  The university is named for Justice Louis Brandeis, an associate justice of the U.S. Supreme Court from 1916 to 1939.  Brandeis was a key contributor to modern First Amendment law.  In the wake of World War I, he laid the groundwork for a more vigorous model of speech protection than had been known in the prior century.  Even amid the Red Scare, Brandeis recognized that if freedom of speech means anything, then minority perspectives on politics must be protected, however distasteful to the establishment.

Brandeis also was the first Jewish member of the U.S. Supreme Court, an experience that informed his views on social justice and antimajoritarianism.  Judaism played a key role in the founding of (non-sectarian) Brandeis University and remains today an omnipresent part of the university’s social culture.  Bruce was a Jewish comedian, and his cultural experience shaped his comedy.  

A number of academic papers at the conference focused on the role of Yiddish in the comedy of Bruce and also in the wider tradition of Jewish comedy.  I was ignorant on this point.  But presenters made a compelling case that the Yiddish tongue is especially well suited to comedic devices such as double entendre and nuanced word play.  In broad strokes, the particular compatibility of Yiddish with comedy seems a function of the truism that people have always turned to comedy to relieve suffering.

Christie Hefner

In terms of political commentary, Christie Hefner traced a direct legacy from Lenny Bruce to the sharp witted comedy of The Daily Show and Last Week with John Oliver.  I think she’s right.  Jon Stewart and Stephen Colbert routinely scoffed at the notion that they produce news, despite serious research showing their influence on popular thinking about politics.  Stephen Colbert’s SuperPAC bits on The Colbert Report spoke volumes on the very real role of money in politics.  John Oliver eschews the label of journalist, but his work at HBO has at least raised awareness, if not effected reform, on critical social issues such as net neutrality.

Someone at the Brandeis conference pointed out that some of our attribution to Lenny Bruce of a desire to make the world a better place--by cursing of all things--has got to be a posthumous fiction.  I think that’s right too.  Bruce was just a person, not a legend.  He wanted to sustain himself with his flair for the funny, to fill seats at shows, and to take care of his family.  Arrests for obscenity--the more absurd the state's case, the better--were good for business.

I’m not troubled by any dissonance in the legend and the man who was Lenny Bruce.  The Old Testament is replete with the sea changes of unlikely messengers.

Lewis Black

Let's put democracy out of its misery

Democracy ain’t all that. 

That must be what Reince Priebus has been thinking this year.  The possibility has been on the mind also of author and professor Jason Brennan, of Georgetown University.  Brennan is touring New England this week to talk about his new book, Against Democracy.  I knew of Brennan from one of his earlier works touting my faith, Libertarianism: What Everyone Needs to Know.  This week I had the good fortune to meet him in Providence, thanks to the Rhode Island Federalist Society.  On my commute this morning, I heard that he’ll be on WGBH’s excellent Innovation Hub this week. 

Brennan’s thesis in short is that when we talk about how best to select our leaders in human society, democracy might not be the endpoint and high point of human achievement.  He offered a simple thought experiment:  Imagine a professor instructs students that instead of grading exams on the usual A-F merit system, each person in the class will get the same grade, an average of everyone’s performance.  No surprise, students don’t study and perform poorly.  The incentive for each individual to do well is diminished along with the risk that poor preparation will be reflected in any one person’s grade.

Brennan explains that the same dynamic is at work in democracy.  If any one person’s vote is vastly unlikely to have an impact on the general election, then the individual has only weak, and largely symbolic or emotional, incentives to become informed and vote intelligently.  Surveys of how well informed voters are sadly support this thesis, with voters performing only about as well as chance would predict in answering simple multiple choice questions about politics.

What’s better than democracy?  Brennan isn’t shilling for any model, but provided a compelling and fair tour of the possibilities.  He pointed out for one example that simple gambling—imagine betting on the next President of the United States, if the model could be translated into politics—is a rather good predictor of outcome.  The gambler has skin in the game the way a voter does not, so has a proportionate incentive to be well informed.  Other potential models would jettison one person, one vote in ways that would reward better informed voters with greater influence.  I was reminded of my “oligarchy of the intelligentsia” phase when I studied politics at university.

A model I found enchanting, maybe because of its cool name, is “the Simulated Oracle.”  Imagine that along with a person’s vote, we collect also some basic demographic data and even administer a short quiz on political know-how.  With large enough data sets, we could employ the magic of statistics to control variables and correct for self-serving biases.  Factors such as race and gender, the community I live in, and my wealth can be predicted to evidence self-serving biases in my voting behavior, not necessarily the vote that a more altruistic me might cast.  The Simulated Oracle can control variables and correct for irrational or unfair biases, transforming my vote into a hypothetical ideal, the vote my better self would cast.  Weight everyone’s votes accordingly, and we might get a result that compensates for individual rent-seeking.

The mythology of democracy is emotively powerful in our society today, shaping how we define ourselves and our ideals.  But the U.S. Constitution—in, for examples, life tenure in the Article III courts, a republican representation system, and the original method of selecting senators—was designed to temper the risky excesses of pure democracy.  Moreover, the framers intended the Constitution to be amended.  There is no reason to think that progress means evolution toward pure direct democracy.  Remember Ross Perot suggesting instant home voting on contemporary issues?  Today that sounds like a good way to run Dancing with the Stars, and not so good a way to make foreign policy, tax policy, or really to do anything important.

Rather, we are engaged, or should be engaged, in an ongoing process of perfecting the organization of human society.  It’s not so strange to imagine that democracy as we know it now is just one stop on our journey.

Brennan is awash with fascinating data about the American electorate, and I’ll share just one item.  Turns out that people who self-identify with political third parties, such as libertarianism, are among our most informed voters. 

Am I blushing?