privacy
Prosser's 4 torts
- 1. Intrusion upon seclusion
- 2. Public disclosure of embarrassing private facts
- 3. False light publicity "in public eye": looks more like harm to rep than disclosure of info you want to control
- 4. Appropriation, for D's advantage, of P's name/ likeness
Consumer Privacy/ Personally Identifiable Info
PII (Personally Identifiable Info) in GLBA; HIPAA: many regs do not protect info unless it is PII
- Examples: name; SSN; what's not PII: height; city you live in
- Many things can re-ID someone: by using cross-correlation w/ other databases
- Computers/ processing power/ etc.: challenges regulatory focus on PII?
3 ways to define PII:
1- PII= info which IDs a person (VPPA)
2- PII= nonpublic info (GLBA)
3- PII= specific list of data (COPPA, CA credit card act Song-Beverly)
  a. Address; name; SSN: leads to clarity; but, won't provide protections for correlations
  b. Ex ante notice- you know how to conform your behavior
1974 Privacy Act & FIPS
- Addresses govt databases, not privately-held databases or LE
- Only partially addresses LE- requires data quality/ data security- don't let them mess w/ the data eg no fly list
  o Openness/ transparency don't apply; can't really enforce them either
- Permits individual to request records (Openness) [Really an "open government" law]
- Allows individual to correct info (Individual Participation)
- Can prevent records gathered for 1 purpose from being used for 2nd purpose (Use limitation, Purpose Specification)
- Requires agencies to ensure info is current and accurate (Data Quality)
- Requires agencies to have adequate safeguards to prevent misuses (Use limitation, Security Safeguards)
Can bring civil action- must show:
- Agency violated obligations under Act
- Info disclosed must be "record" (identifiable to an ind.) contained w/in a "system of records" (group of records under control of agency)
- Must show adverse impact resulting from violation
- And that violation was "willful & intentional"
^^Extremely difficult to get damages under the Privacy Act- cts struggle w/ privacy damages (priv harm) generally
Doe v. Chao- provided expressly for liability to such victims for actual damages sustained - the "but in no case" looks back to that language
New FISAA
- Allows mass surveillance with "targeting of persons reasonably believed to be located outside the US to acquire foreign intelligence information"
- May not intentionally target US person
- "A significant purpose" of surveillance must be to acquire "foreign intelligence info," broadly defined
- Minimization procedures
Section 702: Is bulk gathering of content for purposes of foreign national security, with minimization procedures, constitutional?
Clapper v. Amnesty Int'l [SCOTUS 2013]: Standing: if you don't know you're being surveilled, no standing in court
- No standing to challenge 702: injury must be certainly impending; their fear is highly speculative
- Consequence of holding that there's no standing to challenge 702:
  o Majority: this "by no means insulates § 1881a from judicial review." FISC certification, targeting, minimization procedures, est. by Congress (checks)
  o Communications provider can challenge it
  o If govt uses info in domestic jud/ admin proceeding: provide advance notice of intent, & person may challenge
HIPAA Security Rule
- Applies only to ePHI (electronic PHI)
  o But note: Privacy Rule does have some security requirements, too
- Requires covered entities to "protect against reasonably anticipated threats or hazards to security and integrity of ePHI"
  o Using "administrative, physical, and technical safeguards"
- Administrative safeguards:
  o risk analysis and management; access authorization; security awareness and training
  o procedures for dealing with security incidents, among other things
- Physical safeguards:
  o facility security plan; access limitations to records; process for safe disposal of records/ data backup & storage
- Technical safeguards:
  o login authentication, encryption, and audit controls
HIPAA Privacy Rule
- Covered entity must:
  o Keep PHI confidential: can't be used/ disclosed w/out patient's authorization (list of exceptions incl. legal requirements, for trtmnt, payment, or health care operations, avert serious threats to health or safety)
  o Provide Notice of Privacy Practices (NPP)
  o Designate privacy official & contact person (can be the same person)
  o Have written procedures & policies that provide appropriate safeguards
- PHI & authorization: PHI cannot be disclosed/ used w/out authorization. Auth. must be:
  o Written and signed
  o Plain language IDing: types of info to be disclosed; types of entities auth. to make disclosure; to whom disclosure will be made; purpose of disclosure
- Individuals' rights: Ind. have the right under the Privacy Rule to:
  o Access any PHI used to make decisions about them, incl. in electronic form
  o Amend: can request for records to be amended; personhood conception of privacy
  o File complaint w/out retaliation
  o Request restrictions on info use, but entity doesn't have to do it
  o Request how providers communicate- must accommodate request unless rsbl
- Accuracy
- Disclosure to 3rd parties: no disclosure w/out auth. [exceptions];
  o Marketing: Auth. requ for 3rd P to peddle goods/ services. Also for covered entity itself. HOWEVER: covered entity's own health-related services & products not included.
  o Law enforcement: Must disclose to LE if there's W, ct order, subpoena "or similar process authorized under law" PLUS info must be relevant & material to legit LE inquiry; AND specific and limited in scope AND de-identified info could not rsbly be used. May also disclose info wrt request to IDing/ locating: suspect, fugitive, material witness, missing person
Northwestern Memorial Hospital v. Ashcroft
- Govt is using subpoena to get medical records for late term abortions as part of that suit [Dist. ct quashed subpoena]
- (1) Should Ill. Evid. priv. apply, or HIPAA reg? Does evid priv have to do with PHI/ is more stringent than HIPAA?
  o HIPAA regs do not impose state evidentiary privileges on suits to enforce federal law
  o And Fed rule of evidence 501 does not recognize hospital-patient privilege
- (2) If state law doesn't apply, how does balance play out between benefit of material sought and burden of compliance?
  o Holding: balance weighs in favor of quashing the subpoena
FTC "Jurisprudence"
- Covers only certain institutions (schools; not non-profits)
- Can obtain injunctions; can't issue fines; but can fine if co. violates consent decree
- No private COA; No real rule-making authority
Misplaced Trust & Communications
- Ex Parte Jackson: have to have a warrant to open a letter even if it's in the hand of the US postal service
- Miller: bank records
  o Assumption of risk: No legit EXP in financial info voluntarily conveyed to banks/ 3rd parties
  o Sensitivity: Numbers aren't sensitive- just transactional documents involving finances
- Similar to Lopez/ White: bank is your false friend- taking on risk that someone will turn on you
Smith v. Maryland: pen registers- no actual EXP in #s dialed b/c phone co. has them & #s not content (AR & sensitivity)
- Pen register records numbers and not content: is this a search?
- No actual EXP in phone #s dialed: phone company uses them for bills; tracking numbers to screen for prank calls
  o AND, phone numbers are not content: assumption of risk & not sensitive [EXP in convo in home, but not #s]
HIPAA Breach Notification Rule
- Requires notification if there's been a data breach
  o Without reasonable delay and no later than 60 days after discovery of breach
  o Applies only to unsecured (unencrypted) PHI
  o Larger breaches (of 500+ people) require notice to media and HHS (wall of shame)
- Creates presumption that violation of Privacy Rule is a data breach unless covered entity/ bus. assoc. demonstrates there is low probability that PHI has been compromised based on a risk assessment.
  o 4 non-exclusive factors to be weighed in determining whether such a "low probability" of compromised info: Type of info & how identifiable; Info about the person who used info or to whom info was given; Whether info was actually acquired or viewed; Extent to which risk has been mitigated
GENETIC INFO: IS DNA SPECIAL OR IS IT LIKE ANY OTHER MEDICAL INFO?
- Future diary v. not that deterministic; Autonomy/ identity/ control/ relationship management
- Is the ability to withhold your genetic info protection of privacy or fraud?
- Do empers, spouses, insurers have a rt to know?; DNA: probability you'll get something
18 states have laws protecting privacy of genetic info; 30 prevent empment discrimination
- NJ has broadest law: prohibits disc. based on genetic info
  o Limits collection, retention, disclosure w/out informed consent
  o Exceptions: LE use for IDing; determine paternity; ID of deceased
  o Declares genetic info to be property of individual
  o Exception for anon research where ID won't be released
Federal protection of genetic info:
- Exec Order 13145 (2000): No disc. in fed empment based on genetic info
  o Protects "protected genetic info"- empers can't collect info, incl. family medical history
- GINA (2008): Prevents insurance cos/ empers from using genetic tests to disc. [floor legislation]
  o Also prevents empers from requesting/ requiring/ purchasing info about empee (exceptions)
FISA
- Interpreted: by FISC judges; by exec branch agencies/ intel orgs themselves
Establishes FISA ct order standards: NOT W, which requires PC of crim activity; INSTEAD: PC that party is a foreign power or an agent of a foreign power: status question: who they are but not what they've done
4th Amendment & National Security
- Katz footnote on natl security: dicta-mess: whether 4th A would apply to natl security is not involved in this case
- Who should handle natl security:
  o White's concurrence: shouldn't require warrant procedure; if the POTUS/ chief legal officer/ AG has considered requirements of natl security & authorized, no need to go to magistrate
  o Douglas/ Brennan: should have a W b/c they're not neutral/ detached & no distinction in 4th A about types of surveillance; they want warrant from the judiciary
Keith [SC 1972]- WTA doesn't confer powers beyond what Pres alrdy has- get a warrant for domestic natl sec. issue [4th A applies]
- Are they foreign persons? No; Does it implicate natl security? Kinda- attack on govt [White Panthers bombed CIA office]
- Does 4th A (and Wiretap Act) apply to domestic actions?
  o Gov't: WTA itself confers power to President: 2511(3) [since modified]: exempted from WTA wire/ oral comm. intercepted by authority of Pres for natl security purposes; nothing in WTA limits constitutional powers of Pres.
  o SC: Nope: not saying that the 4th A doesn't apply; all this is doing is Congress saying that they won't intrude on the President's space; doesn't confer powers beyond what Pres already has
What does 4th A say about situation involving domestic natl security? Left open by Katz
- Tension between exec power/ authority/ capabilities & concern over civil liberties/ checks on the executive
  o EXEC AUTH: Informational capacity: exec better; Pres has duty under Article II
  o CIVIL LIB: afraid of chilling speech! Pres use surv in name of natl security to go after lawful, political dissent; Inherent vagueness; broad & continuing in nature; really, 1st A concerns
- HOLDING: domestic natl security issues: get a warrant- normal 4th A protections apply
  o BUT not necessarily covered by WTA: can't make them get a super warrant: No alternatives; minimization
  o 4th A does cover domestic national security (Keith); But NOT foreign national security/foreign intel.
What's enough for publicity?
- Loaded comments in public restaurant- Publicity: not in print, but expanded beyond # of people to a much larger group
- Nurse who disclosed mastectomy to a few other empees: Publicity, b/c of special relationship & embarrassing nature
  o Despite explicit publicity requirement, sometimes the sensitivity of the info tips the scale
- In Shoe when filled: arguable: like public restaurant; but, crowded/ lots of ppl
- Emailing to 1 friend: no publicity: even though written down, more like a letter than a handbill
- Emailing to closed mailing list of 25 ppl: maybe; Not: selected the ppl
- Emailing to open mailing list of 25 ppl & anyone can join
- Posting on friend's FB wall: If they have 1000 friends: publicity; but you're controlling the distribution
  o 10 friends: publicity: dif. between email & fb: only person you send email to can see it; on FB, you're searchable
More privacy-related controls you exert, the less it seems to matter what the number is
CELL PHONE TRACKING:
- Location tracking & cell site info [W/out a trespass]
- To operate cell phone, need to use cell towers
- Q: can gov't use less than warrant to get this info? Circuit split:
  o 5th Cir: fine if you don't get a warrant- can use the SCA - 3rd Party doctrine: AOR/ Envelope
  o 11th Cir: gots to get a warrant! Jones control, location info; Mosaic theory changes 3PD analysis- if you take enough of that envelope, it becomes the content
- Bright line rule under Smith v. Maryland: no V b/c 3rd party doctrine
Historical vs. real-time data [not well-reasoned distinction]
- Prospectively: cts will use part of Wiretap Act that requires warrant
- Historic data/ where you've already been: SCA approach & doesn't require warrant
Review of 4th Amendment & Location Tracking
- Oliver, Knotts, Karo: No EXP in open fields or public view
  o Despite no trespass sign
  o But, Curtilage
- Jones:
  o 1: trespass-ish: phys. occupation for gathering info
  o 2: Katz
  o Shadow plurality
Guidance from Spokeo
- On 1 hand, "violation of procedural rt granted by statute can be sufficient in some circums to constitute injury in fact"
  o Procedural rts priv stats usually grant: [basically FIPS] notice/ disclosure; ability to amend/ correct false info
- On other hand, cannot always satisfy Article III "by alleging a bare procedural violation... [that] may result in no harm"
  o Example of a procedural violation that results in no harm: dissemination of incorrect zip, w/out more
Privacy & Civil Liberties Oversight Board:
- On Sect. 215: metadata; bulk collection of telephony records
- Whether Congress has statutorily authorized the program
  o If 215 authorizes: If Cong. going along w/ Pres in area where Pres alrdy has stat auth, Pres. has more authority; but if legislation doesn't authorize program, not strong for Exec branch
  o Not a singular investigation; not everything can be relevant to an invest.; nothing in the statute allowing FBI to make tele comp hand over stuff; it named the FBI, not NSA, so NSA bulk collection not authorized by 215
  o Connect it to Pen Register Act: PRA doesn't contemplate 215 as an exception to be used this way
- PCLOB makes recommendations- concern about FISA ct functioning: concerned that dist ct/ fed judges rubberstamping programs w/out understanding exactly what NSA is doing- someone should argue for ind. liberties
After Snowden:
- Pres Obama unilaterally changed:
  o Two hops instead of 3 & required ct approval of specific #s of who they're targeting
- Presidential Policy Directive 28 (PPD-28): Addressing FISA & 12333
  o Gathering signal intel must be authorized by law/ must address civil liberties
  o Non US & US persons to be treated the same (unless... not)
  o Requires a # of reports: accountability
Gramm-Leach Bliley Act 1999
- Pertains to banks; financial regulation
- GLBA enables financial conglomerates to provide a host of dif forms of financial services
  o Authorizes widespread sharing of personal info by financial institution: One set of rules re: between companies that are joined together; Another set of rules for sharing between unaffiliated companies
- GLBA required a variety of agencies (FTC, SEC, etc.) to:
  o Establish appropriate standards to ensure security/ confidentiality of customer records & info
  o And "protect against unauthorized access" to records
- FIPS so far: security safeguards & use limitation
Scope: Applies only to "nonpublic personal info" that consists of "personally identifiable financial info" AKA financial info
After Snowden: Exec Branch:
- Pres's Civil Liberties Review Bd
  o Issued report in 2013: didn't find major abuse in NSA
  o Had recommendations about econ effects of surveillance, encryption attacks
  o 215 shouldn't be in hands of gov't: tele cos collect & gov't must get something to see them
- Priv & Civil Lib Oversight Bd [Ind. agency in exec branch]- Issued report in June 2014
  o End bulk surveillance: 215 not authorized/ effective (and some say unconstitutional)
  o But 702: roughly okay
- ^^215 not that effective & problematic; 702 mostly okay
Pen Register Act
Congress reacts: Pen Register Act: requires LE to get ct order certifying pen register is relevant to ongoing invest. [less than PC]
State constitutions can be 4th A Plus: atl 11 states have recognized priv in phone records
What happens to 3rd party doctrine: what happens to Smith v. Maryland?
- Search of actual person here- not trying to determine whether 3rd party record retention constitutes a search under Katz
- Apps: technically assumed risk by turning over info to 3rd party app providers, but all together sensitive info
- Phone log: identifying info makes call log more sensitive- 3rd party now also has ind data points of sensitive info
Riley: prob need to reevaluate everything we've talked about
Border Searches
- Searching comps at border: US has inherent authority to protect & paramount interest in protecting territorial integrity
- Cotterman, en banc: comp is not the same thing as suitcase/ box: reflects most private thoughts/ activities & constitutes personal papers under 4th A: forensic search of a comp. at the border requires a showing of rsbl suspicion; not PC!
  o Somewhere between nothing & PC; Met in that case under a totality of the circumstances
Riley v. California: Can't search cell phone SILA
- Discussing rsblness of search
- Themes: Is data sensitive? Assumption of risk; Does quantity make things different?
  o Chimel: search whole body; body of person/ places he can reach: SILA: officer safety/ destr of evid.
  o Robinson: Chimel applies to search of arrestee's person- but if it's not weapon can't search it
  o Arizona: Chimel applies to search of passenger compartment of car
- HERE: Officer safety not a concern; Preservation of evidence not a concern [won't make a dif if you wait to get a warrant]
- Analogies: cameras, video players, rolodexes, every mail, every picture, book, article/ libraries/ diaries/ tv/ maps, etc.
- Cites Sotomayor's Jones concurrence: puts normative 1st A values to 4th A concerns
Involuntary Public Figure
- Sipple: yes: what kind of incentives/ disincentives does this provide for civic engagement?
- Shulman: no (helicopter): even if you're involved in newsworthy event, there are still things you can keep private
FTC COPPA Guidelines:
- Six steps of COPPA guidelines for compliance, available on FTC site.
- (1) Determine if your company is a website or online service that collects personal info from kids under 13
  o Directed to kids under 13 and you collect info; Directed to kids under 13 and you let others collect info; Directed to general audience but you have actual knowledge; You run an ad network/plug-in and have actual knowledge
  o To determine if "directed to children under 13": multifactors, including subject matter, content, animated characters, age of models, use of child celebs, ads directed to kids, etc
- (2) Post COPPA compliant priv policy [List operators collecting PII; Describe types of PII collected; Describe parental rts]
- (3) Notify parents before collecting personal info from kids
- (4) Get parents' verified consent before collecting PII from kids [Eg sign & scan form; CC; Toll free #; video conf; gov ID]
- (5) Parents have ongoing rights- honor them: way to review PII; revoke consent; delete PII
- (6) Implement reasonable security- rsbl procedures to protect security
Should COPPA apply to Path?
- For actual knowledge, COPPA says that if you gathered data on kids, that's enough; don't have to show you knew
  o Only takes having kids' profiles to fall under COPPA- doesn't matter if you knew/ saw them
EFF brief in StingRay/ Patrick case:
- StingRay: fake cell towers that police put up so your phone interacts with it/ cell site spoofer
  o Gets info from all phones, not just the suspect's phone
  o Gets location info, but instead of having cell tower be wherever co. put it, can get really specific info; also gets phone's ID number; can potentially get content info off phone using StingRay
- Raises similar questions [to Jones] re: tracking ppl w locations; mosaic theories, etc.
  o Dif from Jones b/c no physical trespass
- In Patrick amicus, EFF argues re: location tracking via embedded GPS/ StingRay:
  o Katz test: we have both subj. & obj. EXP w/r/t location tracking
    Subj EXP: cite Pew surveys: teens turn off location services more than adults
    Obj EXP: cts/ 9-11 state legislatures' progress towards protecting location
Digital Search and Seizure
- US v. Comprehensive Drug Testing, 9th Cir 2010: MLB steroid scandal; warrant: seize everything, but search for 10 ppl
  o Didn't actually seize anything; but found more players
  o En banc panel: no way: 5 requirements for handling seizure/ search of large datasets from comps: Cannot use evid of other crimes; Wall off forensic experts; Gov't must explain actual risks of destruction of info if not allowed to seize comp; Gov't must use a search protocol; Gov't must destroy non-responsive data
  o ^Became suggestions instead of requirements in a later per curiam opinion
Analogies: what is a computer like:
- Container (box/ briefcase) vs series of individual containers
- House: more sensitive info; quantity
- Wallet/ pocket
- Locks: is a pword like a lock? Or like a "no trespass" sign?
US v. Andrus: dad consented to comp. search- police can use forensic software to bypass pword
  o When offr rsbly, even if erroneously, believes 3rd party possesses authority to consent- BUT, may be unrsbl to assume apparent authority w/r/t object typically associated w/ high EXP / person exhibited intent to exclude
- Object typically associated w/ high EXP: Like a suitcase; locked footlocker inside a bedroom; bureau drawers
- Has owner indicated intent to exclude: No notice to LE it was locked- pword doesn't count as lock b/c not imm. visible
1st Amendment & Privacy and Govt
1st A also has been recognized to create privacy beyond anonymity:
Lamont v. Postmaster General (SCOTUS 1965): rt. to receive info also means rt to receive in private
Stanley v. GA: rt to receive info in private protected by 1st A
- Question: can cops search home for obscene material (ie determine possession); gov't can regulate obscene speech
- If 1st A means anything, means that State has no business telling man, alone in home, what books he may read or what films he may watch: can ban obscenity, but can't ban possession of obscenity
- Our whole constitutional heritage rebels at thought of giving gov't power to control men's minds
  o Other holding would force you to self-censor
Osborne v. Ohio: after Stanley, gov't can ban possession of child pornography
- Harm to children, destroy market for something that harms children [gov interest higher than morality]
FIPS- DESIGN PRINCIPLES ARE "BIG DATA"
1- COLLECTION LIMITATION
- Should be limits to collection of personal data and any such data should be obtained by lawful/ fair means and where appropriate, w/ knowledge or consent of the data subject
  o Don't perform surveillance indiscriminately on everyone everywhere
  o Is there anything in FIPS that tells you not to create a database w/ x amt of info
2- DATA QUALITY
- Personal data shld be relevant to purposes for which they are to be used & should be accurate, complete, and up to date
3- PURPOSE SPECIFICATION
- Purpose for which data collected should be specified at time of data collection & subs. use limited to fulfillment of those purposes/ such others as are not incompatible w/ those purposes & as are specified on each occasion of change of purpose
4- USE LIMITATION
- Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified
5- SECURITY SAFEGUARDS
- Protected by rsbl security safeguards against risks like: loss/ unauthorized access, destruction, use, modific. or disclosure
6- OPENNESS
- General policy of openness... person as point person
7- INDIVIDUAL PARTICIPATION
- Ind. has the right to:
  o Obtain confirmation of whether/ not data controller has data relating to him
  o Have communicated to him the data related to him
  o To be given reasons if a request made is denied & challenge denial
  o To challenge data relating to him & if challenge successful, to have data erased, rectified, completed, amended
- If the info is right, can't erase, etc.--> in other contexts, ability to control didn't depend on accuracy of info
8- ACCOUNTABILITY
- Are FIPS about privacy, fairness, or security? How are they connected? Audits
Newsworthiness Tests
1- Leave it to the press
2- Rstmnt: Customs of the community [Virgil: line between info to which public is entitled & morbid/ sensational prying]
3- Nexus test [between complaining individual & matter of legit public interest]
Two Legal ?S
1- What is the privacy harm? [right/ remedy won't exist unless there's a harm; damages must be measurable and standing]
What other values does privacy harm implicate?
  o Freedom; power dynamics; due process; freedom of expression; association; democratic values
4th Amendment
4TH A DECISION-TREE:
1- Is it a search/ seizure?
2- Is it rsbl? [Do you have a warrant/ exception to warrant requirement]
  a. Consent; exigent circum; stop & frisk; special needs exception (high school drug tests- not for LE purposes)
3- Remedies/ enforcement
  a. Exclusionary rule: then evid is not admissible in court
  b. Fruit of the poisonous tree: but, parallel construction
  c. 42 USC 1983 claims: can sue the gov't
National Security and Privacy
4th A protects priv from LE: requires warrant based on PC of crim activity or warrant exception; also Wiretap; SCA; PRA
Does 4th A protect phone numbers you dial? No: Smith v. Maryland- 3rd P Doctrine: assumpt. of risk/ sensitivity of info [But PRA]
4th A protects contents of communication- Katz
Key points about natl security and privacy:
- 4th A only sometimes/ partially applies [exception for foreign intel & natl security]
- Complex statutory system: FISA; FISA Amendments Act; Patriot Act
  o Who is target of surv. vs. who falls under ECPA combined w 4th A for domestic; What behavior is targeted
- Until recently (Snowden), secrecy/ no public interpretations available
Why might 4th A not apply to natl security?
- Pres is tasked w/ natl security issues/ foreign relations
- 4th A guards against unrsbl searches- unrsbl might be dif w/r/t domestic searches v. big natl disasters quick
- Institutional capacity: Posner: in emergencies, premium on exec's capacities for swift, vigorous, secretive action
Anonymity
Anonymous Speech: anon. speech is protected under the 1st Amendment
NAACP: cannot be compelled to reveal membership list: chilling effect on membership & fear of retaliation
Talley v. CA: can't require names/ addresses on handbills: fear of retaliation/ positive egs of anon in history
McIntyre v. OH Elections Commission: Fear of retaliation, social ostracism, or merely desire to conserve privacy; more persuasive
- Standard adopted: Summary Judgement: to obtain discovery of anon def's ID, pl. must submit sufficient evid to est prima facie case for each essential element of defamation claim
  o Except actual malice!
Cable Act of 1984
Applies to cable operators and service providers
Requires:
- Notice: written privacy policy of nature and uses of personal info collected
- Access: to personal data gathered
- Limitations on data collection: none w/out written/ elect consent [exc. for legit bus.; ct order if notified; opp to limit discl.]
- Prevent unauthorized access
- Must destroy personal data if no longer necessary for purpose for which it was collected (similar to VPPA)
- Enforcement via private cause of action: High standard- above probable cause- for government access [no exclus. rule]
STORED COMMUNICATIONS ACT
Applies to intentional access of stored info
Elect. storage means: temporary & incidental storage; backup storage
- Any temporary, intermediate storage
- Storage for purposes of backup
Splits stored comm in two:
- Less than 180 days: Normal warrant needed
- More than 180 days: Notice & admin subpoena; grand jury subpoena; or court order
  o Not warrant, not PC: spec & articulable facts showing rsbl grounds to believe comm. relevant to crim invest.
EXCEPTIONS to warrant/ ct order requirement:
- Consent
- Service provider exc.- broader than Wiretap Act; & Comm. serv. providers must disclose subscriber info under circum.
REMEDIES:
- No exclusionary rule
- Penalties lower than Wiretap Act
INFORMATION PRIVACY & GENETICS
Constitutional Right to Info Privacy
- Series of cases about Constit. privacy, outside 4th A, some linked to substantive due process- in penumbra of other rts
- Usually outcome involves balancing: looking at measures govt takes to keep secure
- Can vindicate this right using 1983 claim (state & local gov) or Bivens action (fed govt)
Whalen v. Roe-
- Ct: you've put in enough boxes/ keys, privacy concern is not implicated here: program does not, on its face, pose a sufficiently serious threat to either interest to establish a constitutional violation
2011: NASA: Background check does not violate constitutional rt to info privacy
SCOTUS continues to not define info priv rt
Children's Online Privacy Protection Act 1998
Applies to websites (or online service) that collect pers info from kids under 13 [not to other kinds of cos, but def. broad- apps incl.]
Most priv laws about the information: this is about vulnerable data subject
Applies to: Only info re children under 13
- Given directly by child themselves (not by parents)
- Only to "operator of website/ online service directed to kids" OR any operator w/ actual know collecting pers. info from kid
- Personal info, incl.: voice, audio, image, geolocation IDing street name + city; online contact info; persistent IDers
Collection broad: Incl gathering PII by any mns: incl. requ info & enabling kid to make pers info publicly available in IDable form
MUST post privacy policies describing what info is collected, how used, disclosure practices. Notice.
Must obtain verifiable parental consent for collection, use or disclosure of personal info from children
Cannot condition child's participation in game or receipt of a prize on disclosure of more PI
If parent requests it, must provide access to types of PII collected
Liability for third parties
- Hosts are strictly liable for third party behaviors if an agent or receive a benefit [website can be liable for serving ads from COPPA violating ad network]
- Third party is liable if has actual knowledge that host site is directed to children [Eg ad network could be liable for collecting info on website if had actual knowledge site was directed to kids]
Enforced by FTC: As a rule defining an unfair or deceptive act or practice; Up to $16,000 per violation
No private cause of action
Preempts state law- States can bring civil actions in interests of citizens to obtain injunctions, damages
Safe harbor: Self-regulatory guidelines issued by industry groups/marketing groups, and approved by FTC
- If follow those, then COPPA requirements will be deemed satisfied
Appropriation
Appropriation & use of P's NAME OR LIKENESS to ADVERTISE D's business or product, or for some SIMILAR COMMERCIAL PURPOSE.
- Not limited to commercial appropriation: applies when D makes use of P's name/ likeness for his own purposes & benefit, even though use is not commercial, and even though benefit sought is not a pecuniary one.
- Statutes in some states have, however, limited the liability to commercial uses of the name or likeness.
Rstmnt: uses for advertising purposes, name/ portrait/ picture w/out consent
Name/ likeness: Goes beyond actual name/ physical likeness:
- Nicknames; depicting profession, nickname, but not face or likeness; voice
W&B: Do public figures have EXP?
- Sipple/ newsworthiness test: for public figure, will be entwined w/ what public can/ should know
Privacy Torts Online
Can privacy torts work in this dig. context? Intrusion upon seclusion; Appropriation; Public disclosure of private fact; False light Dwyer v. American Express- Ill. App. 1995 - Am. Ex took client info & added them to client groups (rude names) & sold that info o Ranked cardholders into 6 tiers based on spending habits- Rodeo Drive Chic/ Value Oriented o Created lists of cardholders who shop in a particular store, or purchase specific types of items (jewelry) - Relevant privacy torts: o Intrusion upon seclusion: No: not unauth. b/c shared info w/ AmEx- not actually priv. fact anymore- like 3PD Elements: *Unauthorized* intrusion into seclusion; That is offensive or objectionable to a reasonable man; The matter upon which the intrusion occurs is private; intrusion causes anguish and suffering o Appropriation: No: fails to satisfy appropr. b/c single name has little/ no value- value created via aggregation- does not deprive ind. of value in their name/ likeness Elements: appropriation; w/out consent; of one's name/ likeness; for another's use or benefit Preventing a market from being created by failing to recognize it Fraley v. Facebook: economic injury b/c not compensated for commercial use of name/ likeness in targeted ad - Facebook was sued for sponsored stories advertising program: x likes y page, & it shows up to someone else o Making this more like x says shop here—more like an endorsement- made the like less obscure - Sued for appropriation of name & likeness - FB: had permission; no injury; not celebs- no existing econ value in name/ likeness - Court: economic injury b/c not compensated for commercial use of name/ likeness in targeted ad o Don't need to show existing commercial value in name
Big Data
Challenges to privacy governance: - Ubiquitous sensors; Data being reused and combined, going beyond initial intent; Anon data and re-ID problems - Data gathered by entities without direct relationship with consumer. - Why do these features of big data challenge the "notice and choice" framework for privacy? FTC Data Brokers Report - FTC in-depth study of nine data brokers: Never interact with consumers so consumers don't know they exist - Three categories of brokers: (1) entities subject to FCRA (credit, employment, insurance) (2) non-FCRA entities maintaining data for marketing purposes (3) non-FCRA covered entities that maintain data to detect fraud or locate people Industry Characteristics: Collect data from numerous sources, without consumer knowledge - Including commercial, gov, other publicly available sources o Bankruptcy info, voting registration, web browsing activities, consumer purchase data Complex: multiple layers of brokers providing data to each other - Most of the nine surveyed obtained most of data from other brokers not original source - Virtually impossible for consumer to figure out where data comes from Benefits: Prevent fraud; Improve product offerings; Deliver tailored ads; Lower search costs; Increase competition from smaller businesses; connect w/ old friends Risks: Denial of transactions, and no redress; No way to mitigate scoring and negative effects; Receiving ads based on health, ethnicity; Bad use: "Biker Enthusiasts" lets motorcycle dealership send coupons- and insurance increase price because of risk; Harassment and stalking; Security risks- if stored indefinitely (which some do) Consumer Choice: Little/ none For marketing products: Congress should enact law to enable transparency for consumers and give reasonable access to info And opt out of sharing for marketing purposes; And disclose sources of data so consumers can eg correct public records Require consumer-facing entities to provide notice of sharing with data brokers, with choices; Protect particular sensitive info (eg health info) with express consent
Church Committee Report 1976
Church Cmte investigated intel gathering: Some of revelations: CIA/ FBI intercepted/ opened 215,000 pieces of US mail; CIA assassination attempts - NSA monitored wire comm. to & from US; FBI Cointelpro: covert action to discredit pol/ rel dissent 96 recommendations, legislative & regulatory, which were followed: - Checks & bals against exec auth haven't been applied; Est. Senate Select Cmte on Intel; AG guidelines on intel activities - FISA enacted!
Data Breaches & Mitigating Injury
Cts generally not receptive to idea of poss future harm & mitigation expenses most reject claims that breach increased risk of future ID theft- Clapper similar; 1st & 11th have exceptions though, so poss. Circuit split - FCRA requires & Spokeo failed to: o Maintain rsbl procedures to limit furnishing of consumer reports for "permissible purposes". o Verify identity of user o Verify user certified uses, and certified info would be used for no other purpose. o Not give reports to persons with no permissible purpose o Maintain maximum possible accuracy of info o Provide User Notice Spokeo (SCOTUS) Standing: Injury in fact must be both particularized and concrete [real & not abstract but can be intangible] Focused on injury in fact (actual/ imminent; concrete/ particularized) - no analysis on concrete o SCOTUS: Injury in fact must be both particularized and concrete - Concrete injury: must be "real" and not "abstract" but can be intangible o Risk can count- Question of degree- consider info at hand Possible that risk of harm can be enough
Mug Shots
Detroit Free Press v. U.S. DOJ • Trying to get mug shots of two police officers who were arrested • On case-by-case basis, privacy exemption may apply Weighing priv in mug shots vs. public's interest in disclosure Google Spain • You can ask a public search engine to take down public information about you o Unless you are a public figure • Default here is for the private user and individual Bartnicki v. Vopper: newsp not liable for speech that discloses content of illegally intercepted comm.: public concern/ better tool - Speech obtained unlawfully but not by the entity publishing it
Intrusion & Seclusion & Newsgathering
Dietemann: quack let reporters into home—tort b/c clandestine photos in own home- didn't implicitly consent to concealed pics Desnick Eye Center: eye center; if person gaining access is doing something completely dif from what you expected & there is a harm
Financial Privacy: FCRA, GLBA
FCRA governs Consumer reporting agencies; Consumer reports Identity theft protections in FCRA/FACTA (2003): - One-call fraud alert; FACTA gives right to require disclosures from creditors on fraudulent transactions. - In writing, with ID; other limitations.; Consumer reporting agency shall block the reporting of info identified by consumer as result of identity theft; notify entity furnishing transaction info that it's identity theft - Need proof of ID, an identity theft report, and statement from consumer that it's not consumer's own transactions - SSN truncation, at consumer's request; Free yrly consumer reports/ credit score (weren't able to get this before FACTA) Which FIPS are included in FCRA? - ACCESS TO RECORDS: Individual Participation/ Openness - PROCEDURES FOR CORRECTING INFO: Individual Participation - LIMITATIONS ON DISCLOSURE: Use Limitation - Purpose Specification? Dif trtmnt for empment/credit-granting. Must certify purpose of use - Data Quality? Burden entirely on consumer to figure out fraud has happened - No collection limitation? FIPS: Purpose specification; use limitation; openness; individual participation HIPAA: personal health info; held by covered entities; processed in certain formats Privacy Act: govt agencies; barely covers LE databases (some data quality/ self-monitoring; no transparency/ ind. participation) FCRA: financial info held by consumer reporting agencies
False Light
Gives publicity to matter concerning another that places other before public in a false light- subject to liability for inv of priv, IF: - The false light is HIGHLY OFFENSIVE TO RSBL PERSON & - Intent: KNOWLEDGE OF/ RECKLESS DISREGARD of falsity of matter/ false light Can get compensated for exclusively emotional distress (Vs. reputational harm (defamation)) - Can thus recover even if reputation is not harmed, but in fact benefits
The FTC & Data Privacy
FTC governs: Consumer protection; Recently, enforces # of sectoral privacy laws (GLBA, COPPA, formerly FCRA) Source of FTC authority: Sect. 5 - FTC can regulate against unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce- declared unlawful o Deceptive: material misrepresentation likely to mislead consumer acting rsbly in the circumstances to the consumer's detriment o Unfair: causing/ likely to cause substantial injury to consumers, which is not rsbly avoidable by consumers themselves, and is not outweighed by countervailing benefits to consumers/ competition Deceptive behavior & privacy re: digital priv.: - Broken promises of privacy; General deception; Insufficient notice; Unrsbl data security practices Unfairness: retroactive changes to privacy policies might be unfair—consumer can't rsbly avoid b/c they alrdy got it - Deceitful data collection; Improper data use; Unfair design/ default settings; Unfair data security practices
Privacy Notice Required
Financial institutions must inform customers of privacy policies, incl: - Disclosure of personal info to affiliates; Categories of info disclosed; Security of personal data
Open Fields
Florida v. Riley: helicopter from 400 ft; society doesn't recog it as rsbl b/c police had rt to be there - Katz: Actual EXP: Yes. Society prepared to recog. as rsbl? No. plain view from place police had rt to be o Commercial/ private flight in commercial airways is routine - Under majority's test, EXP defeated if single member of public could conceivably position herself to see into area in question without doing anything illegal Dow Chemical: Commercial aerial photog. - No such thing as "industrial curtilage" - Photos not dif from naked eye, but satellite tech, not available to public, might be unrsbl Kyllo: using sense enhancing tech to look in home is a search when tech not in gen public use - Police outside home, on street is this a search? - Using sense-enhancing technology to obtain any info re: interior of home that couldn't be obtained w/out phys intrusion into a Constit. protected area constitutes a search — at least where tech in question is not in general public use.
Public Disclosure of Private Fact Examples
Gill v. Hearst: couple kissing @ farmers market; publ. w/out consent- relationship between consent/ sensitivity of info -- Ct: picks side of the journalist: no protection of info in public, unless private Daily Times Democrat v. Graham: up-skirt photo; rep/ emo harm - Ct focuses on: o Consent: She consented to being in public; conduct involuntary (unlike Hearst) -In public, but exposure of body was not voluntary [like Intrusion Rstmnt: underwear in public is priv] Sipple v. Chronicle Publishing: gay man exposed; fam home didn't know; info was newsworthy; journalist protective test 3 elements of tort: - Publicity - Private facts (highly offensive to rsbl person) o Does wide knowledge of fact in one community prevent privacy in another, distinct community? - Not newsworthy o Newspaper: not about private individual, revealing trait of Pres. Ford (homophobe) Ct: this info is newsworthy: Virgil v. Time: Line to be drawn: when publicity ceases to be the giving of info to which the public is entitled, and becomes a morbid & sensational prying into private lives for its own sake, w/ which a rsbl member of the public, w/ decent standards, would say that he had no concern
WIRETAP ACT: known as Title III
Governs intentional interception of communications - Interception: acquiring contents using any "elect, mech, or other device" - Covers wire communications, electronic communication, oral communications Have to get warrant-plus SUPER WARRANT - Judge must find PC that part comm. concerning offense will be obtained through interception - And that alternatives to wiretapping were attempted/ failed or rsbly appear unlikely to succeed/ be too dangerous Super warrant must be: - Tailored to particular individual, if known - Minimization requirement: stop listening when someone not targeted individual on the phone o 2518 Minimization—30 second break - Can last for up to 30 d but judge approves both initial period of time & renewal - Ex parte, but NOTICE to individual being recorded- w/in 90 d of completion [so they can challenge/ defend] - Only certain gov officials can apply (AG, deputy AG, state prosecutor; NOT police) REMEDIES: - Exclusionary rule: for oral communications and wire communications only, NOT elect. comm.! - No exclusionary rule for elect. comm. eavesdropping- judges might still grant as const required rather than stat required EXCEPTIONS: - 1-party consent; some states are 2-party - Comm. service providers "in the normal course of business" & more, eg. Emergencies
HIPAA
HIPAA applies to: 1- Protected health info a. PHI: [any info created/ received by covered entity [health care provider... incl. universities... ] and relates to phys/ mental health or condition of any ind., provision of health care to an ind. or payments for health care] b. Must be info that identifies the ind. [carves out room for medical studies- countervailing interest: public health] 2- Held & processed by covered entities [health plans (insurers/ HMO), health care clearinghouses (processes health info into various forms), health care providers (physician; hospital; pharmacy)] a. And their business associates (BAs) and subcontractors [record-keeping; accountants] b. Hybrid entities: health care provider ++ - also do other things; less stringently regulated than covered entities 3- Performing standard transactions/ standard formats (for electronic processing) a. Only entities doing e-processing in "standard format" as described in statute are subject to HIPAA b. Not Google or WebMD Consists of 3 rules, promulgated by HHS: 1- PRIVACY RULE 2- SECURITY RULE 3- BREACH NOTIFICATION RULE HIPAA preempts state law, unless the state law is more protective (floor, not ceiling) Enforcement: by HHS Office for Civil Rights no private right of action - DOJ enforces criminal violations; State AGs may enforce - Civil fines for each provision violated; often violate multiple provisions at once multi-millions - Criminal penalties if you V w/ malicious motive
Wiretapping Trump Tower
How could gov't have wiretapped Trump Tower/ under what authorities? If content info: what do you have to show under ECPA to get content info? - If ECPA applies: Super W PC of crime; tried to do other things; minimization; Prosecuting atty applies, not pres. - 702/ FISA if person is non-US persons, have to show rsbl belief that the target is non-US person/ outside US o Not strictly speaking, tapping Trump Towers incidental gathering b/c communicating w/ someone overseas o If you're a US person, 702 standard: PC that they're agent of a foreign power/ foreign power If non-content info: - Pen Register Act: ct order - Natl Security Provisions of Stored Comm. Act: low standards for seizure of records - 215: target person & then two hops- doesn't necessarily mean he's the target; could've been a hop person
Consumer Privacy and Standing
INJURY AND STANDING: What is privacy harm? When is it enough to get standing to sue? When do you get damages? Clapper: no standing b/c couldn't show "certainly impending" harm Doe v. Chao: must show actual damages for Privacy Act award (not standing, but still on harm) not standing case- damages - Contrast w/ Sloane, where you could get emo damages accrual of facts that she then can use to show emotional damages know the facts when it's fact-specific (b/c not govt agency) To get Article III standing in fed ct (FTC; data security; data breach), must have: 1- Injury in fact *can be hard in cases inv. data privacy* a. That is: Concrete & particularized, actual & imminent (not conjectural or hypothetical) 2- Fairly traceable to challenged action of the Def. 3- Is likely, as opposed to merely speculative to be redressable What are hurdles for privacy injury? - Solove: courts usually look for visceral and vested harms. Hard for privacy actions to show o Visceral: tactile; can feel it; Vested: something that's already happened In re Google: N.D. Cal. 2013- must show loss of your own money/ value; only standing for direct econ damages - Suit over change in Google's privacy policy in 2012- Old: keep PII separate in separate Google accounts o 2012: walls come down: Consumer profile- they can target ads to you Relationship mngmnt; control mngmnt; secrecy; false light - you're supposed to control who you are/ what you rep- they comm. who you are w/out your permission personhood/ dignitary theory of privacy
Intrusion Upon Seclusion
INTENTIONALLY INTRUDES (phys/ other) upon SOLITUDE OR SECLUSION of another/ his PRIVATE AFFAIRS OR CONCERNS if intrusion would be HIGHLY OFFENSIVE TO A RSBL PERSON - Don't have to have publication/ dissemination; info probably must be sensitive (offensive/ private affairs/ concerns)
Recent Data security enforcement actions/ consent decrees
If FTC comes after you, try to mitigate right away FTC Data Security guidelines: - Start w/ security - Control access to data sensibly - Require secure pwords & authentication - Store sensitive PII securely & protect it during transmission - Segment your network & monitor who gets in/ out - Procedures in place to keep it current - Secure physical comps/ etc. - Don't collect PII you don't need - collection limitation - Hold on to info only so long as you have a business need - Don't use PII when it's not necessary - Restrict access if not needed - Use industry-tested and accepted methods
PARKVIEW RESOLUTION AGREEMENT- CORRECTIVE ACTION PLAN
If you want to be risk-averse, use roadmap for how to avoid/ preempt HHS enforcement by using these guidelines - Must develop policies and procedures; - Sets minimum content of those policies: o Safeguards; Protect priv of non-elect PHI; o Notify HHS in writing w/in 30 d. of violation of policies/ procedures; General training - One year from HHS approval of materials; FTC lasts 20 yrs - FTC only deals w/ commercial entities; more limited ability to issue fines HHS can address govt agencies & nonprofits: FTC focuses only on entities engaged in comm. activity- HHS has greater ability to issue fines; FTC has more limited ability to issue fines; but FTC cases settle for more HHS has "Corrective Action Plans" (CAPs): FTC doesn't call its plans CAPs, but they contain the functional equivalent- - Steps requ. to remedy situation, and auditing by FTC
Location Tracking
Jones: beeper; search: phys trespass, & if none, apply Katz; Sotomayor: REP against longer collection of data [mosaic theory] - Scalia's plurality: Search: b/c phys. trespass for purposes of gathering info o Physical trespass, and if no physical trespass, then apply Katz - Alito: Search: Katz test applied 28 d. unrsbl amt of time to search - Sotomayor [Kaminski's favorite]: REP against longer collection of data o Mosaic theory—if gathering small info in the aggregate, it becomes a search o But she joins Scalia—start w/ inquiry into phys. occupation for purposes of gathering info BUT then, you turn to Katz, and she fully talks about whether there's a REP under Katz In the next case that doesn't turn on physical trespass, she's joining Alito o Concerns about associational/ expressive freedoms: aggregate of sensitive info over long period of time - Implementing 1st A concerns—concerned about constraining police and normative impacts—afraid cost of 4th A violating surveillance is chilling effect on 1st A privileges - 3rd Party Doctrine ill-suited to digital age: Jones doesn't tell us what's going to happen when 3rd party doctrine involved Which test controls after Jones? - 4 person concurrence that looks like it's the minority, but Sotomayor would likely join them if no physical trespass - Sotomayor creates SHADOW PLURALITY—bulk of what she's saying says she'll go the other way in the next case o Preserving bright line rule of Olmstead - trespass + Katz benefit of bright line floor + normative balancing Florida v. Jardines: Dog sniff on porch [w/in curtilage]- officer enters the house- exceeding scope of implied license - Under Jones, Step 1: determine whether police physically occupying a place w/out perm. for purposes of obtaining info o Step 2: Katz test
First Amendment and Public Surveillance
Laird v. Tatum: Chilling effect from gov't surveillance of dissident mtgs- ct. said not ripe - Ct: dismissed as not ripe o No evid of an actual chilling effect- too speculative o All the info gathered happened at mtgs that were open to public/ could've been gained from newspapers - Dissent by Douglas: 1st A designed to allow rebellion to remain as our heritage Background to Raza v. City of New York: - Handschu litigation: Haymarket bombing in Chicago after labor market protest- 1st major red scare - NY: police surveillance started w/ Italian squad - most of surveillance directed at left-wing pol activities & labor leaders - Handschu class action filed against NYPD 1985: Consent Decree in NY o NYPD must conduct investigations of pol activity in accordance w/ guidelines o Can't commence investigation into political/ ideological/ religious activities: Unless you have specific info about conduct that constitutes a crime o Procedural protections: Handschu Authority: 2 PO and person outside PD appointed by mayor Must file investigative stmnt w/ Authority based on specific info that crime was committed/ threatened, w/in 48 h of beginning investigation o Investigation could continue for 30d o After 30 d, written request to Auth for 60 d extensions - After 9/11: modified by request of NYPD in 2003 o No more "specific info that a crime had been/ was about to be committed" More like mass surveillance w/ requirements in place Preliminary inquiry could be initiated where "info... indicates the possibility of criminal activity" o Lowered/ changed procedural requirements Raza: - Filed in 2013 challenging NYPD surveillance of Muslims - Jan. 2016 proposed settlement: o Barring NYPD investigations on basis of race/ religion/ ethnicity o Requiring articulable, factual info before NYPD o Presumptive time limit o Civilian representative
Facial Recognition Policies
Law Enforcement; Civil Liberties community; Community groups Potentially location-tracking issue: if you have enough info, easy to put together record of where someone's been - Alito's concurrence: 28 d too much: cost; sense-enhancing cost-reduction if you have this sort of database - No longer have security through obscurity Database Privacy Requirements- not constitutional issues - Collection: Notice; Consent; Purpose limitations - Use: Transparency; use limitations [rsbl suspicion v. PC v. stated need] - Other: Individual participation; ability to correct info, challenge use; data quality; cybersecurity
Right to be Forgotten
Melvin v. Reid: If a person has tried to rehabilitate himself, should allow rather than throwing them back into their past life • Do you have a right to restart? Former prostitute and alleged murderer tries to make a new name for herself Briscoe: Newsworthy, but no need to ID- he paid debt to society/ remade himself so why let newsp drag him back in public eye
Privacy and Group Memberships
NAACP v. Alabama: Ct didn't let State get list of NAACP members Barenblatt v. US: can force psych prof. to testify re: connections to Communist party - Dif from NAACP case? National security concerns - Congress's interests in investigating Comm > teacher's rights Shelton v. Tucker: Ct struck down law requiring teachers to list orgs they belonged to/ contributed to w/in past 5 years - Comprehensive interference w/ associational freedom goes far beyond what might be justified in the exercise of State's legit inquiring into the fitness/ competency of its teachers- more deference on fed level for natl security issues
Intrusion Upon Seclusion Examples
Nader v. GM: can have action for intrusion only when "info sought is of a confidential nature" and D's conduct unrsbly intrusive (bank) - public usually means no privacy but not always Shulman v. Group W Prod. - Relationship/ type of info matter more than the location- filming accident - Intrusion into private place/ conversation/ matter: Scene of accident not public place
PEN REGISTER ACT
Need COURT ORDER for use of pen register: info likely to be obtained relevant to ongoing invest.; cts "shall" issue What counts as a pen register? Device or process that records/ decodes dialing, routing, addressing, or signaling info... such info shall not include the contents of any comm. [now applies poss. to URL info/ to/ from IP addresses] Smith v. Maryland says no warrant required for phone numbers; Congress says you at least need a court order - Then, Congress edits pen register to include a bunch more things that the ct hasn't ruled on: possible PRA could be found unconstit. b/c ct could find you need a warrant not ct order to get that stuff pursuant to 4th A
Sectoral Privacy
No omnibus federal privacy law in US- regulate federally by sector: different parts of econ/ type of info/ subject-matter
Sharing
Nonpublic "personally identifiable financial info" may be shared o Between financial institutions that are joined together (affiliated) Must tell customers- but can inform in privacy policy No way to block this sharing- enabling rational marketplace actors to shop around; but almost all banks are affiliated FIPS: Openness; NO use limitations o Between non-affiliated institutions: Must tell customers Must have a K in place w/ 3rd party requiring it to maintain confidentiality of info (like BAA in HIPAA) 3rd Ps cannot reuse that info Individuals can opt out of disclosure to nonaffiliated companies FIPS: Use limitation (for 3rd parties) but most ppl won't opt out so not effective; • Openness (tell customers) • Ind. Part: opt-out rather than requiring consent- Don't want to add to transaction/ paper costs o Some states do have opt-in (VT, CA) GLBA: rules on: Security safeguards; Openness (Notice (privacy policies)); Some Individual Participation (Sharing info) - PRIVACY POLICY REQUIRED: Openness - SECURITY SAFEGUARDS REQUIRED: Proportional to type of institution/ Security safeguards - SHARING RESTRICTIONS: Can share with affiliated agencies, with notice o And with unaffiliated, with notice: Consumers can opt out; Openness; Limited Individual Participation
4th Amendment and New Technology
Olmstead: If no phys. trespass, no priv. inv. Wiretapping - 4th A linked to phys trespass so no warrant needed; assume risk Analogies: - Majority: phone lines to highways - Dissent: sealed letter- similar to secure channel; has a sealed envelope; simultaneous reply via phone worse than mail Katz: phone booth: Ct gets rid of trespass doctrine & REP test REP: If you have a REP, it's a search - Harlan's concurrence: o 1- Person must exhibit an actual subjective EXP o 2- Expectation must be one that society is prepared to recognize as rsbl Potential prob. w/ REP: have to have an actual EXP - Smith v. Maryland: if gov't announces it's watching everyone all the time, wouldn't have actual EXP o Turn to a normative determination [if no actual EXP]
Misplaced Trust/ False Friends
On Lee- undercover trade agents can testify Lopez (pre-Katz): no EXP against rec. by govt no rt to rely on flaws in memory lose EXP by talking to false friend/ AR' White: (Lopez after Katz): misplaced trust doctrine survives Katz: no EXP in convo b/c you assumed risk - Don't apply Katz- Lopez was rightly decided—no EXP in convo b/c you voluntarily assumed risk when you handed the info over; if we let undercover agents testify, we should let them record/ broadcast that info Don't end up w/ REP test applied to every case where you disclosed info to someone else huge carve-out that when you give info to someone else, you have risk that it'll be given to someone else
Public Disclosure of Private Fact
One who GIVES PUBLICITY to matter conc. priv life of another subject to liability for inv. of priv. if matter publicized is kind that: - Would be HIGHLY OFFENSIVE to a rsbl person - Is NOT OF LEGITIMATE CONCERN TO THE PUBLIC [accounts for freedom of press/ newsworthiness]
Website Liability
Pre-Internet: secondary liability for defamation: publisher/ distributor CDA 230: No provider/ user of interactive comp service treated as publisher/ speaker of any info provided by another ICP Protect free speech Zeran v. AOL - Actual notice does not turn AOL into distributor then speech; too big of burden on websites; lead to over caution
Carson v. Here's Johnny
Priv. claim denied; rt of publicity: harms econ abilities after you earned the phrase - Sues for both invasion of privacy & rt of publicity; priv. claim denied - Publicity claim: o Toilet company benefitting from his labor/ commercial he earned this o Sully his reputation for other things he might want to do w/ his name - Ct sides w/ Carson: this does harm your economic abilities after you earned this phrase o Phrase isn't his name- if the idea is he worked hard to earn this, Ed should "own" the phrase - Does right of publicity or right of privacy get you more? o Kennedy dissent: by granting rt of publicity, you're taking things out of the public domain Unlike other forms of IP that include notice, in rt of publicity, no notice that someone owns this Rt of publicity doesn't exist for a limited time Can be descendible/ transferable (right of privacy is not transferable) Should celebrity be allowed to win rt of publicity more easily than rt of privacy - Only recognizes things that can be monetized; - If publicity is stronger, bad bc most ppl can't file for rt of publicity claim- usually accessible only to celebrities
First Amendment
Private speech vs. public and newsworthy • Intrusion v. newsgathering • Public disclosure has newsworthiness built into the tort • Appropriation is restricted to commercial use Strict scrutiny : Content-based regulation • Certain content isn't protected [Obscenity, fighting words, libel] Why do we have free speech? • Marketplace of ideas ; Self-governance ; Autonomy Why are the torts potentially problematic? • Intrusion upon seclusion o Marketplace of ideas: Want to use reporters to expose fraud ;Increasing amt of info in market Cox v. Cohn: news report Identified rape victim, ct says this was public interest Florida Star v. BJF: If news lawfully got info re: matter of public sign. then state officials may not constitutionally punish them
USA Freedom Act 2015
Reauthorization of Sect. 215 - Ends bulk collection of telephony metadata by govt- tele com comps have this info now; FBI can request info on individuals/ accounts/ devices - 2 hops only by statute; Minimization procedures required - FISA ct reforms: provides for appointment of amici at FISC; perform declassification review of FISC opinions that include sign. construction or interp of any provision of law & make publicly available don't want FISA broadly interpreting laws to give authorization of programs - Transparency: companies can release how when gov't asking for info - Natl Security Letters: USA Freedom requires "reciprocal notice": FBI goes to ct if recipient asks 702 Reform: coming up for reauthorization this year- content info Concerns: Incidental gathering of US persons—backdoor access to US; reverse targeting of US ppl by aiming at foreign targets - Treatment of EU citizens: ability of them to challenge any of this against backdrop of trade - But, fewer civil liberty concerns about 702 (than 215) by review groups; and this program seems to have been effective PCLOB 22 Recommendations: - Big ones that haven't been implemented/ could be rolled back: o Intel agency transparency procedures (voluntary reporting) o FBI access to 702 for US persons
Safeguards Rule
Requires FTC to est. security safeguards for nonpublic personal info - FTC final reg was in 2002: contextual: comprehensive info security program appropriate to the size/ complexity of the institution, nature and scope of institution's activities, sensitivity of any customer info at issue o Vs. risk approach from HIPAA- looked at how sensitive info was (commonality) and how likely it was there would actually be a breach; if there was breach, how bad looking at risk of harm, not just risk of breach - Here: want to create safeguard based on your size and nature (contextual)--Lower standard for banks than insurance cos - GLBA: less sensitive info, less harm of breach
What Counts as Publicity?
Rstmnt Comment B: Communicating fact conc. private life to single person/ small group of ppl not sufficient to est publicity; - Any publication in newspaper/ mag, even in small circulation, or handbill distributed to large number of ppl, or any broadcast over the radio/ stmnt made in address to large audience, is sufficient to give publicity Distinction between public & priv. comm: matter communicated to "public at large" or "to so many ppl that matter must be regarded as substantially to become one of public knowl."-- Rstmnt attempting to distinguish between communication at large
NATIONAL SECURITY & GAG ORDERS
Sect. 215/ SCA/ FCRA have gag order: when telecomms providers required to hand something over & they can't tell anyone - If you aren't told you're being surveilled, you won't have the harm Natl Security Letter (NSL) litigation - Challenging NSLs as prior restraint- Chilling (by being overly broad) all kinds of legitimate speech - Is a gag order prior restraint? Preventing them from speaking & not narrowly tailored; not an end date for gag order - Series of SDNY & D. Conn cases finding NSL unconstitutional prior restraint - 2nd Circuit in Doe v. Mukasey (2008): Wrote in FBI procedural requirements so that it satisfied 1st A - ND Cal. case: NSL unconstitutional prior restraint- but not a "classic prior restraint" fuzzy area w/ some deference LE - 9th Cir bounced back down 2015 given USA Freedom Act changes to the statute Microsoft ECPA litigation: Microsoft sued to overturn SCA gag orders- 1st A concerns esp. since they go on forever - Dist. Ct: Microsoft has standing to make a 1st A challenge; but no standing to make a 4th A chal. on part of customers "Warrant Canaries": Govt: okay to say NO letters; but if you receive even one, can't say which kind (NSL, 215, etc.)
Snowden
Sect. 702 FISAAA: - Can get content info if show PC you're agent of foreign power; shifted to rsbl belief that person is outside of the country - Amended FISA to address/ authorize TSP bulk warrantless wiretapping - Changes FISA from narrow, targeted (though not warrant) ct orders Sect. 215 (PATRIOT ACT): protection of tangible things- bulk telephone metadata - For invest to protect against int'l terrorism/ clandestine intel activities... solely upon basis of activities protected by 1st A - What counts as a tangible thing: o Snowden revelation: tangible things includes bulk telephony metadata from US persons PRA seems to govern getting phone records- makes us think you need ct order to get that info - Procedure for Sect. 215 order: relevant to authorized investigation o [Pen register act: material not just relevant; ongoing investigation] 702 [FISAA]: PRISM [data from providers] & Upstream [tapping into fiber-optic network]: Surveillance: content-surveillance; - US persons: PC foreign gov/ agent - 2008 FISA Amend. Act: rsbl belief person overseas
Stored Communications Act Continued
Steve Jackson Games: need a warrant: email in issue falls under elect. comm., so falls under SCA - Does seizure of comp on which email stored but not yet read constitute an intercept under Wiretap Act? - Is seizing an unread email like tapping phone line w/ convo happening? - Literal fact of storage even though it's more like a part of a convo that's still happening - Statutory analysis: o Wiretap Act def. of "transfer" explicitly incl. "elect. storage" of oral & wire comms. o BUT for elect. comms., def. of "electronic comm" doesn't include mention of elect. storage of such comm. Negative reasoning/ by omission o AND electronic storage explicitly defined in SCA Ct: email falls into elect. comm. so it falls under SCA; Email in remote storage, unopened, stored for 180 d or less: warrant; SCA Proposed ECPA reforms: almost everyone agrees there should be reform - Can't get it enacted; Email Privacy Act passed House but waiting to see what happens in Senate - Would get rid of 180 d distinction—need a warrant for all emails Warshak: Seized emails that were more than 180 d old- don't need warrant under SCA, just need ct order - Is that part of SCA constitutional- do you need a warrant to access email, even stored email? - 4th A: does taking these 6+ month old emails invoke a search? Katz - K1: Does Warshak have a subjective EXP in those stored emails? o YES: sensitive info revealed in emails - K2: Is society prepared to recognize that EXP as rsbl? o Concern is that ISP is the 3rd party o YES: there is an EXP in email despite fact that you've handed it over to 3rd party, and society sees it as rsbl B/C info passing through communications network, not a bank more akin to post office
Dragnet Govt Surveillance
Surveillance of Intellectual & Associative Activities: - Solove: searching/ seizing a comp can reveal personal & political writings- info about correspondence and associations - Richards: this surveillance can cause ppl not to experiment w/ new, controversial or deviant ideas o Chilling effect; If you're always watched, you're powerless exacerbates imbalances in power dynamic between the watcher & watched: can lead to discrimination, coercion, blackmail Zurcher v. The Stanford Daily- 1978: no more spec. warrant requ. for this type of search - Police go into college newspaper- violent protest; police want to see all of Stanford's pics from the protest - 1st A activities implicated by the speech: o Freedom of the press; Power dynamics: inverts power of the press v. power of the gov't - Cts apply warrant requirement w/ particular exactitude—no more spec. warrant is required for this type of search Congress reaction: Privacy Protection Act: bans govt from searching/ seizing work product/ materials/ documents possessed by person rsbly believed to have purpose to disseminate to public a newspaper, book, broadcast, similar forms of communication More recent lower cases: added procedural protections for 1st A materials on top of what's required by 4th A - Amazon Echo case: Amazon wants Warrant +++: Compelling interest in info sought; sufficient nexus to underlying inquiry of investigation; other means aren't adequate
Sect. 215 Patriot Act & Metadata
Tangible things- included collection of bulk telephony metadata - Purportedly didn't include location info- would implicate Jones/ location tracking - Lawsuits after Snowden challenging 215, 702 Two major hurdles to overcome to win a 4th A challenge of S. 215 surveillance: - Standing, after Clapper - 3rd party doctrine- they're getting the info from the providers & we're giving it to them: o Assumption of Risk & sensitivity metadata covered in Smith v. Maryland- not content info Easier to overcome standing in S.215 v. 702 - 215: class of guaranteed ppl who have standing - 702: we know the program exists, but we don't know who was targeted/ etc. Klayman (dist. ct.): standing to chal. bulk collection of phone metadata under 4th A; REP against bulk metadata collection Does bulk collection of US persons' phone metadata under S 215 violate the 4th A? Yes Is there a REP against bulk metadata collection, despite Smith v. Maryland? Yes
False Light & 1st Amendment
Time v. Hill: false light okay w/ 1st A must have knowledge/ reckless disregard of falsity Alvarez (SCOTUS): Constitutionally protected to lie about having the Medal of Honor (Stolen Valor Act); no concrete harm False light may not survive b/c Alvarez said 1st A rights trump
Third Party Doctrine Cases
US v. Hambrick: LE posing on chat room; Katz test Prong 2: is EXP obj. rsbl? No obj. EXP in ID held by ISP—3rd P Doct. - ISP gives name/ address/ CC/ SSN; also that account connected to internet at IP address when convos taking place - Katz test: subjective EXP; societal rsbl this case about 2nd prong: is the EXP "objectively rsbl"? - No objective REP in ID info held by your ISP: 3rd Party doctrine; ISP is false friend! o Data must not be knowingly exposed to others third party doctrine o Assumption of risk: turned over info to ISP knowingly & knew it would be used in normal course of ISP business Third party doctrine cases: - Smith v. Maryland [pen register] - Miller [bank] - Assumption of risk & sensitive vs. not sensitive - Is Katz still good law after Smith v. Maryland? [Katz had to turn that info over for phone convo] o Why is Katz dif. from Smith v. Maryland? Katz not about assumption of risk; Katz is about sensitivity/ content U.S. v. Forrester: IP addresses/ to/ from email addresses not a search - Info at issue: to/ from addresses of emails; IP addresses of websites visited; total volume of info sent to/from account - Is this a search? No: to/ from of emails/ IP addresses [similar as info revealed by PR] not a search - Sharing w/ 3rd party & content/ envelope distinction - Ct distinguishes between URLs & IP of websites
Entertainment Records Statutes
VPPA (VIDEO PRIVACY PROTECTION ACT) Prohibits video tape service provider (and provider of "similar audio visual materials") from - Knowingly disclosing personal info such as titles rented - Without written consent [ie, opt-in disclosure] Which FIP(s)? Use limitation; Why not regulate collection? EXCEPTIONS TO CONSENT REQUIREMENT: - Incident to ordinary course of business - For marketing goods and services directly to consumer - Or if consumer was given right to opt out and disclosure doesn't identify videos - To law enforcement pursuant to warrant or subpoena - For civil discovery, if notice and opportunity to object - Records must be destroyed as soon as practicable ^^^Whether disclosure under VPPA: Very fact specific! VPPA Pl. must prove that the video-service provider actually knew that it was disclosing - (1) a user's identity; (2) the identity of the video material and (3) the connection between the two
Appropriation and Speech
• Some states make exemptions for newsworthiness, satire, fiction, artistic expression • Real relationship test: Does use of name/ likeness have no real relation to the article except as advertising? o As long as it does not look like a guise for an advertisement, you get your article • Transformativity test (California) o Was the work "primarily the Δ's own expression rather than the celebrity's likeness" [goes to author's effort] o Did "marketability and economic value of the work derive primarily" Zacchini v. Scripps-Howard Broadcasting : Human cannonball - Can sneaky reporter broadcast the show without permission? • State's interest in protecting performance • 1st A : Doesn't immunize press when they broadcast a performer's entire act w/out consent