
Category: Privacy


Carrie Goldberg: IT’S CLEAR: CREATING AMATEUR PORN WITHOUT A PARTICIPANT’S KNOWLEDGE IS ILLEGAL IN NY

This post is by Carrie Goldberg, the founding attorney at C. A. Goldberg, PLLC in Brooklyn, New York, whose practice focuses on litigation relating to electronic sexual privacy invasions. She is a volunteer attorney at The Cyber Civil Rights Initiative and its End Revenge Porn campaign.

Earlier this year, the New York City tabloids and “Saturday Night Live” poked fun at a story about a handsome former Wall Street financial advisor who, after being indicted for recording himself having sex without the women’s permission, blamed the taping on his hyper-vigilant “doggie cam.”

Last week the story re-emerged with an interview by two of the three 30-something-year-old victims, who complained that they had been wrongly portrayed by the media and by the defendant’s high-profile criminal defense team as jealous stalkers. In reality, their energetic efforts to reach him began only after they discovered the videos and centered on begging him to destroy them. The humiliation sustained during the ongoing criminal process, such as being forced to view the sex videos alongside the jurists, is palpable.

Many New Yorkers may be unaware that recording yourself having sex without the other person’s knowledge constitutes a sex crime in the state (NY Penal § 250.45) and also breaches our federal video voyeurism laws (18 USCA § 1801). With the proliferation of smartphones and tablets that enable people to secretly videotape sexual encounters – including apps that allow for stealth recording – this law is increasingly violated. The harm to victims is palpable and real. It’s deeply humiliating to be turned into an object of pornography without consent.

In 2003, then-Governor George E. Pataki signed New York’s unlawful surveillance statute, known as Stephanie’s Law, making it illegal to use a device to secretly record or broadcast a person undressing or having sex when that person has a reasonable expectation of privacy. The statute is named for Stephanie Fuller, whose landlord taped her using a camera hidden in the smoke detector above her bed.

Facebook’s Hidden Persuaders

Major internet platforms are constantly trying new things out on users in order to refine their interfaces. Perhaps they’re interested in changing their users, too. Consider this account of Facebook’s manipulation of its newsfeed:

If you were feeling glum in January 2012, it might not have been you. Facebook ran an experiment on 689,003 users to see if it could manipulate their emotions. One experimental group had stories with positive words like “love” and “nice” filtered out of their News Feeds; another experimental group had stories with negative words like “hurt” and “nasty” filtered out. And indeed, people who saw fewer positive posts created fewer of their own. Facebook made them sad for a psych experiment.

James Grimmelmann suggests some potential legal and ethical pitfalls. Julie Cohen has dissected the larger political economy of modulation. For now, I’d just like to present a subtle shift in Silicon Valley rhetoric:

c. 2008: “How dare you suggest we’d manipulate our users! What a paranoid view.”
c. 2014: “Of course we manipulate users! That’s how we optimize time-on-machine.”

There are many cards in the denialists’ deck. An earlier Facebook-inspired study warns of “greater spikes in global emotion that could generate increased volatility in everything from political systems to financial markets.” Perhaps social networks will take on the dampening of inconvenient emotions as a public service. For a few glimpses of the road ahead, take a look at Bernard Harcourt (on Zunzuneo), Jonathan Zittrain, Robert Epstein, and N. Katherine Hayles.


The U.S. Supreme Court’s 4th Amendment and Cell Phone Case and Its Implications for the Third Party Doctrine

Today, the U.S. Supreme Court handed down a decision on two cases involving the police searching cell phones incident to arrest. The Court held 9-0 in an opinion written by Chief Justice Roberts that the Fourth Amendment requires a warrant to search a cell phone even after a person is placed under arrest.

The two cases are Riley v. California and United States v. Wurie, and they are decided in the same opinion under the title Riley v. California. The Court must have chosen to name the case after Riley to make things hard for criminal procedure experts, as there is a famous Fourth Amendment case called Florida v. Riley, 488 U.S. 445 (1989), which will now create confusion whenever someone refers to the “Riley case.”

Fourth Amendment Warrants

As a general rule, the government must obtain a warrant before engaging in a search. A warrant is an authorization by an independent judge or magistrate that is given to law enforcement officials after they properly justify their reason for conducting the search. There must be probable cause to search — a reasonable belief that the search will turn up evidence of a crime. The warrant requirement is one of the key protections of privacy because it ensures that the police can’t just search on a whim or a hunch. They must have a justified basis to search, and that basis must be established before an independent decisionmaker (the judge or magistrate).

The Search Incident to Arrest Exception

But there are dozens of exceptions where government officials don’t need a warrant to conduct a search. One of these exceptions is a search incident to arrest. This exception allows police officers to search property on or near a person who has been arrested. In Chimel v. California, 395 U.S. 752 (1969), the Supreme Court held that the police could search the area within an arrestee’s immediate control. The rationale was that waiting to get a warrant might put police officers in danger in the event arrestees had dangerous items hidden on them, or that arrestees would have time to destroy evidence. In United States v. Robinson, 414 U.S. 218 (1973), the Court held that there doesn’t need to be identifiable danger in any specific case in order to justify a search incident to arrest. Police can engage in such a search as a categorical rule.

What About Searching Cell Phones Incident to Arrest?

In today’s Riley case, the Court examined whether the police are allowed to search data on a cell phone incident to arrest without first obtaining a warrant. The Court held that cell phone searches should be treated differently from typical searches incident to arrest because cell phones contain so much data and present a greater invasion of privacy than more limited searches for physical objects: “Cell phones, however, place vast quantities of personal information literally in the hands of individuals. A search of the information on a cell phone bears little resemblance to the type of brief physical search considered in Robinson.”


The data retention judgment, the Irish Facebook case, and the future of EU data transfer regulation

On April 8 the Court of Justice of the European Union (CJEU) announced its judgment in the case C-293/12 and C-594/12 Digital Rights Ireland. Based on EU fundamental rights law, the Court invalidated the EU Data Retention Directive, which obliged telecommunications service providers and Internet service providers in the EU to retain telecommunications metadata and make it available to European law enforcement authorities under certain circumstances. The case illustrates both the key role that the EU Charter of Fundamental Rights plays in EU data protection law, and the CJEU’s seeming disinterest in the impact of its recent data protection rulings on other fundamental rights. In addition, the recent referral to the CJEU by an Irish court of a case involving data transfers by Facebook under the EU-US Safe Harbor holds the potential to further tighten EU rules for data transfers, and to reduce the possibility of EU-wide harmonization in this area.

In considering the implications of Digital Rights Ireland for the regulation of international data transfers, I would like to focus on a passage occurring towards the end of the judgment, where the Court criticizes the Data Retention Directive as follows (paragraph 68):

“[I]t should be added that that directive does not require the data in question to be retained within the European Union, with the result that it cannot be held that the control, explicitly required by Article 8(3) of the Charter, by an independent authority of compliance with the requirements of protection and security, as referred to in the two previous paragraphs, is fully ensured. Such a control, carried out on the basis of EU law, is an essential component of the protection of individuals with regard to the processing of personal data…”

This statement caught many observers by surprise. The CJEU is famous for the concise and self-referential style of its opinions, and the case revolved around the legality of the Directive in general, not around whether data stored under it could be transferred outside the EU. This issue was also not raised in the submission of the case to the Court, and first surfaced in the advisory opinion issued by one of the Court’s advocates-general prior to the judgment (see paragraph 78 of that Opinion).

In US constitutional law, the question “does the constitution follow the flag?” generally arises in the context of whether the Fourth Amendment to the US Constitution applies to government activity overseas (e.g., when US law enforcement abducts a fugitive abroad and brings him back to the US). In the context discussed here, the question is rather whether EU data protection law applies to personal data as they are transferred outside the EU, i.e., “whether the EU flag follows EU data”. As I explained in my book on the regulation of transborder data flows that was published last year by Oxford University Press, in many cases EU data protection law remains applicable to personal data transferred to other regions. For example, in introducing its proposed reform of EU data protection law, the European Commission stated in 2012 that one of its key purposes is to “ensure a level of protection for data transferred out of the EU similar to that within the EU”.

EU data protection law is based on constitutional provisions protecting fundamental rights (e.g., Article 8 of the EU Charter of Fundamental Rights), and the CJEU has emphasized in cases involving the independence of the data protection authorities (DPAs) in Austria, Germany, and Hungary that control of data processing by an independent DPA is an essential element of the fundamental right to data protection (without ever discussing independent supervision in the context of data processing outside the EU). In light of those previous cases, the logical consequence of the Court’s statement in Digital Rights Ireland would seem to be that fundamental rights law requires oversight of data processing by the DPAs also with regard to the data of EU individuals that are transferred to other regions.

This conclusion raises a number of questions. For example, how can it be reconciled with the fact that the enforcement jurisdiction of the DPAs ends at the borders of their respective EU Member States (see Article 28 of the EU Data Protection Directive 95/46)? If supervision by the EU DPAs extends already by operation of law to the storage of EU data in other regions, then why do certain EU legal mechanisms in addition force the parties to data transfers to explicitly accept the extraterritorial regulatory authority of the DPAs (e.g., Clause 5(e) of the EU standard contractual clauses of 2010)? And how does the Court’s statement fit with its 2003 Lindqvist judgment, where it held that EU data protection law should not be interpreted to apply to the entire Internet (see paragraph 69 of that judgment)? The offhand way in which the Court referred to DPA supervision over data processing outside the EU in the Digital Rights Ireland judgment gives the impression that it was unaware of, or disinterested in, such questions.

On June 18 the Irish High Court referred a case to the CJEU that may develop further its line of thought in the Digital Rights Ireland judgment. The High Court’s judgment in Schrems v. Data Protection Commissioner involved a challenge by Austrian student Max Schrems to the transfer of personal data to the US by Facebook under the Safe Harbor. The High Court announced that it would refer to the CJEU the questions of whether the European Commission’s adequacy decision of 2000 creating the Safe Harbor should be re-evaluated in light of the Charter of Fundamental Rights and widespread access to data by US law enforcement, and of whether the individual DPAs should be allowed to determine whether the Safe Harbor provides adequate protection (see paragraphs 71 and 84). The linkage between the two cases is evidenced by the Irish High Court’s frequent citation of Digital Rights Ireland, and by the CJEU’s conclusion that interference with the right to data protection caused by widespread data retention for law enforcement purposes without notice being given to individuals was “particularly serious” (see paragraph 37 of Digital Rights Ireland and paragraph 44 of Schrems v. Data Protection Commissioner). The High Court also criticized the Safe Harbor and the system of oversight of law enforcement data access in the US as failing to provide oversight “carried out on European soil” (paragraph 62), which seems inspired by paragraph 68 of the Digital Rights Ireland judgment.

The Irish referral to the CJEU also holds implications for the possibility of harmonized EU rules regarding international data transfers. If each DPA is allowed to override Commission adequacy decisions based on its individual view of what the Charter of Fundamental Rights requires, then there would be no point to such decisions in the first place (and the current disagreement over the “one stop shop” in the context of the proposed EU General Data Protection Regulation shows the difficulty of reaching agreement on pan-European rules where fundamental rights are at stake). Also, one wonders if other data transfer mechanisms beyond the Safe Harbor could also be at risk (e.g., standard contractual clauses, binding corporate rules, etc.), given that they also allow data to be turned over to non-EU law enforcement authorities. The proposed EU General Data Protection Regulation could eliminate some of these risks, but its passage is still uncertain, and the interpretation by the Court of the role of the Charter of Fundamental Rights would still be relevant under it. Whatever the CJEU eventually decides, it seems inevitable that the case will result in a tightening of EU rules on international data transfers.

The referral by the Irish High Court also raises the question (which the High Court did not address) of how other important fundamental rights, such as freedom of expression and the right to communicate internationally (meaning, in essence, the freedom to communicate on the Internet), should be balanced with the right to data protection. In its recent jurisprudence, the CJEU seems to regard data protection as a “super right” that has preference over other ones; thus, in its recent judgment in the case C-131/12 Google Spain v. AEPD and Mario Costeja Gonzalez involving the “right to be forgotten”, the Court never even refers to Article 11 of the Charter of Fundamental Rights that protects freedom of expression and the right to “receive and impart information and ideas without interference by public authority and regardless of frontiers”. In its zeal to protect personal data transferred outside the EU, it is important that the CJEU not forget that, as it has stated in the past, data protection is not an absolute right, and must be considered in relation to its function in society (see, for example, Joined Cases C-92/09 and C-93/09 Volker und Markus Schecke, paragraph 48), and that there must be some territorial limit to EU data protection law, if it is not to become a system of universal application that applies to the entire world (as the Court held in Lindqvist). Thus, there is an urgent need for an authoritative and dispassionate analysis of the territorial limits to EU data protection law, and of how a balance can be struck between data protection and other fundamental rights, guidance which unfortunately the CJEU seems unwilling to provide.


EU and US data privacy rights: six degrees of separation

The EU and the US have often engaged in a “tit for tat” exchange with regard to their respective systems of privacy protection. For example, EU academics have criticized US law as reflecting a “civil rights” approach that only affords data privacy rights to its own citizens, whereas US commentators have argued that privacy protection in the EU is less effective than its status as a fundamental right would suggest.

I am convinced that neither the EU nor the US properly understands the other’s approach to data privacy. This is not surprising, given that a sophisticated understanding of the two legal systems requires language skills and comparative legal knowledge that few people have on either side of the Atlantic. The close cultural and historical ties between the EU and the US may also make mutual understanding more difficult, since concepts that seem similar on the surface may actually be quite different in reality.

I like to think of the difference between the EU and US concepts of data privacy rights as reflecting the differing epistemological views of the rationalist philosophers (e.g., Descartes) versus those of the empiricists (e.g., Hume and Locke) who influenced development of the legal systems in Europe and the US. EU data protection law derives normative rules based mainly on reason and deduction (as do the rationalists), while US privacy law bases legal rules more on evidence drawn from experience (like the empiricists). It is thus no surprise that the law and economics approach that is so influential in US jurisprudence is largely unknown in EU data protection law, while the more dogmatic, conceptual approach of EU law would seem strange to many US lawyers. An illustration is provided by the recent judgment of the Court of Justice of the European Union dealing with the “right to be forgotten” (C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez), where the Court’s argumentation was largely self-referential and it took little notice of the practical implications of its judgment.

Here is a brief discussion of six important areas of difference between data privacy law in the EU and US, with a particular focus on their systems of constitutional rights:

Omnibus vs sectoral approach: The EU has an overarching legal framework for data privacy that covers all areas of data processing, based on EU constitutional law (e.g. the EU Charter of Fundamental Rights), the European Convention on Human Rights, the EU Data Protection Directive, national law, and other sources. In the US, there is no single legal source protecting data privacy at all levels, and legal regulation operates more at a sectoral level (e.g., focusing on specific areas such as children’s privacy, bank data, etc.).

Constitutional rights as the preferred method of protection: The US Supreme Court has interpreted the US Constitution to create a constitutional right to privacy in certain circumstances. However, from a US viewpoint, constitutional rights are only one vehicle to protect data privacy. Commentators have described the strengths of the US system for privacy protection as comprising a myriad of factors, including “an emergent privacy profession replete with a rapidly expanding body of knowledge, training, certification, conferences, publications, web-tools and professional development; self regulatory initiatives; civil society engagement; academic programs with rich, multidisciplinary research agendas; formidable privacy practices in leading law and accounting firms; privacy seals; peaking interest by the national press; robust enforcement by Federal and State regulators, and individual and class litigation”. In contrast, in the EU the key factor underlying data protection is its status as a fundamental right (see, e.g., Article 1 of the EU General Data Protection Regulation proposed by the European Commission in 2012).

Different conceptions of rights: In the US, a constitutional right must by definition derive from the US Constitution, while in the EU, fundamental rights are considered “general principles of law” that apply to all human beings within EU jurisdiction even if they do not derive from a specific constitutional source. The concept of fundamental rights in the EU is thus broader and more universal than that of constitutional rights in the US.

Positive and negative rights: In the US, privacy is generally protected as a “negative” right that obliges the government to refrain from taking actions that would violate constitutional rights. In the EU the state also has a constitutional obligation to affirmatively protect privacy rights (see the next point below).

Requirement of state action: US law protects constitutional rights only against government action, while in the EU the state also has a duty under certain circumstances to protect the privacy of individuals against violations by nongovernmental actors. An example from outside the area of privacy is provided by the decisions of the European Court of Human Rights (ECHR) in Case of Z and Others v. United Kingdom (2001) and the US Supreme Court in DeShaney v. Winnebago County (1989). Both cases involved the issue of whether the state has a duty under constitutional law to protect a child against abuse by its parents; in essence, the ECHR answered “yes” and the US Supreme Court answered “no”.

Requirement of “harm”: In the EU, the processing of personal data is generally prohibited absent a legal basis, and the CJEU has ruled that a data protection violation does not depend on “whether the information communicated is of a sensitive character or whether the persons concerned have been inconvenienced in any way” (para. 75 of the Rechnungshof case of 2003). In the US data processing is generally allowed unless it causes some harm or is otherwise restricted by law.

The EU and US systems of privacy rights have each developed in a democratic system of government based on the rule of law, and have been shaped by unique cultural and historical factors, so there is little point in debating which one is “better”. However, the fact that the two systems are anchored in their constitutional frameworks does not mean that practical measures cannot be found to bridge some of the differences between them; I am part of a group (the EU-US “Privacy Bridges” project) that is trying to do just that. The two systems may also influence each other and grow closer together over time. For example, the call for enactment of a “consumer privacy bill of rights” in the framework for protection of consumer privacy released by the White House in February 2012 seems to have been inspired in part by the status of data protection as a fundamental right in EU law.

The central role played by constitutional factors in the EU and US systems of data privacy rights means it is essential that more attention be given to the study of privacy law from a comparative constitutional perspective. For example, I wonder why there is so little opportunity in US law schools to study EU data protection law, and vice versa. Efforts must be increased on both sides of the Atlantic to better understand each other’s systems for protecting data privacy rights.


The right to be forgotten and the global reach of EU data protection law

It is a pleasure to be a guest blogger on Concurring Opinions during the month of June. I will be discussing issues and developments relating to European data protection and privacy law, from an international perspective.

Let me begin with a recent case of the Court of Justice of the European Union (CJEU) that has received a great deal of attention. In its judgment of May 13 in the case C-131/12 Google Spain v AEPD and Mario Costeja Gonzalez, the Court recognized a “right to be forgotten” with regard to Internet search engine results based on the EU Data Protection Directive 95/46. This judgment by the highest court in the EU demonstrates that, while it is understandable that data protection law be construed broadly so that individuals are not deprived of protection, it is also necessary to specify some boundaries to define when it does not apply, if EU data protection law is not to become a kind of global law applicable to the entire Internet.

I have already summarized the case elsewhere, and here will only deal with its international jurisdictional aspects. It involved a claim brought by an individual in Spain against both the US parent company Google Inc, and its subsidiary Google Spain. The latter company, which has separate legal personality in Spain, acts as a commercial agent for the Google group in that country, in particular with regard to the sale of online advertising on the search engine web site www.google.com operated by Google Inc. via its servers in California.

The CJEU applied EU data protection law to the Google search engine under Article 4(1)(a) of the Directive, based on its finding that Google Spain was “inextricably linked” to the activities of Google Inc. by virtue of its sale of advertising space on the search engine site provided by Google Inc, even though Google Spain had no direct involvement in running the search engine. In short, the Court found that data processing by the search engine was “carried out in the context of the activities of an establishment of the controller” (i.e., Google Spain).

Since the Court applied EU law based on the activities of Google Spain, it did not discuss the circumstances under which EU data protection law can be applied to processing by data controllers established outside the EU under Article 4(1)(c) of the Directive (see paragraph 61 of the judgment), though the Court did emphasize the broad territorial applicability of EU data protection law (paragraph 54). Since the right to be forgotten has effect on search engines operated from computers located outside the EU, I consider this to be a case of extraterritorial jurisdiction (or extraterritorial application of EU law: I am aware of the distinction between applicable law and jurisdiction, but will use “jurisdiction” here as a shorthand to refer to both).

The Court did not limit its holding to claims brought by EU individuals, or to search engines operated under specific domains. An individual seeking to assert a right under the Directive need not be a citizen of an EU Member State, or have any particular connection with the EU, as long as the act of data processing on which his or her claim is based is subject to EU data protection law under Article 4. The Directive states that EU data protection law applies regardless of an individual’s nationality or residence (see Recital 2), and it is widely recognized that it may apply to entities outside the EU.

Thus, it seems that there would be no impediment under EU law, for example, to a Chinese citizen in China who uses a US-based Internet search engine with a subsidiary in the EU asserting the right to be forgotten against the EU subsidiary with regard to results generated by the search engine (note that Article 3(2) of the proposed EU General Data Protection Regulation would limit the possibility of asserting the right to be forgotten by individuals without any connection to the EU, since the application of EU data protection law would be limited to “data subjects residing in the Union”). Since only the US entity running the search engine would have the power to amend the search results, in effect the Chinese individual would be using EU data protection law as a vehicle to bring a claim against the US entity. The judgment therefore potentially applies EU data protection law to the entire Internet, a situation that was not foreseen when the Directive was enacted (as noted by the Court in paragraphs 69-70 of its 2003 Lindqvist judgment). It could lead to forum shopping and “right to be forgotten tourism” by individuals from around the world (much as UK libel laws have led to criticisms of “libel tourism”).

It is likely that the judgment will be interpreted more restrictively than this. For example, the UK Information Commissioner’s office has announced that it will focus on “concerns linked to clear evidence of damage and distress to individuals” in enforcing the right to be forgotten. However, if one takes the position that Article 16 of the Treaty on the Foundation of the European Union (TFEU) has direct effect, then the ability of individual DPAs to limit the judgment to situations where some “damage or distress” has occurred seems legally doubtful (see paragraph 96, where the Court remarked that the right to be forgotten applies regardless of whether inclusion of an individual’s name in search results “causes prejudice”). Google has also recently announced a procedure for individuals to remove their names from search results under certain circumstances, and the way that online services deal with implementation of the judgment will be crucial in determining its territorial scope in practice.

In any event, the Court’s lack of concern with the territorial application of the judgment demonstrates an inward-looking attitude that fails to take into account the global nature of the Internet. It also increases the need for enactment of the proposed Regulation, in order to provide some territorial limits to the right to be forgotten.


Tribune of the People

Yesterday, the Boston Globe published my piece proposing the creation of a new national office dedicated to the protection of civil and human rights. I wanted to give a little more context to the idea here, beyond what the op-ed format allowed.

The basic idea is that we need a single national figure to instantiate rights and defend them consistently. For a variety of reasons, our existing political-legal structure fails to do this robustly and consistently. Enforcement of civil and human rights is fractured among multiple bodies with narrow mandates (U.S. Department of Justice, U.S. Commission on Civil Rights), all of which are captured by party politics. Those in the trenches know how much a general commitment to rights, along with which rights to promote, can vary wildly depending on which party controls the White House. Amicus briefs offer only an ad hoc solution, because such writings are driven by interest group concerns, which can be quite distorting, and don’t carry the kind of institutional weight that government briefs do (if they are read at all by judges, as opposed to their clerks). All of these factors reinforce the idiosyncratic way in which relevant law, including international and comparative law, is presented to jurists.

Historically, presidential agendas have at times aligned with the goal of promoting civil or human rights. But case study after case study underscores how challenging this can be. The bureaucratic politics, party dynamics, and reputational hurdles can be daunting to navigate for anyone who might want a president to take vigorous action on behalf of individual rights.

The idea I have proposed is adapted from one presented by a group of experts based at the University of Chicago in the immediate post-World War II period. At the time, the group–led by the visionary Robert Maynard Hutchins (Chancellor of the University of Chicago and former Dean of Yale Law School) and the fiery Giuseppe A. Borgese (professor of Italian literature)–hoped to inspire the creation of a world constitution. Many later found the overall project too utopian. But whatever one thinks of such strong internationalist proposals, the project allowed Americans to reflect deeply on what ailed American constitutional self-governance.

Perhaps the most penetrating critique that emerged from the working group’s many meetings involved separation of powers. They believed Americans had become slavish followers of Montesquieu, by insisting that institutional functions had to be strictly distinguished in the name of ensuring political liberty. But strict separation was a disaster: American politics had been consumed by paralyzing party politics and bureaucratic dysfunction, utterly incapable of dealing with urgent problems. Members of the Chicago group turned separation of powers orthodoxy on its head by offering reforms that retained some measure of institutional distinctiveness, but also dramatically increased the overlap of functions. For example, they thought it wise to give a president explicit constitutional authority to initiate legislation and to serve as Chief Justice of the Supreme Court.

These mid-century reformers felt comfortable injecting greater energy into government in part because they had a strong belief in rights. The Tribune of the People idea encapsulates that commitment, as it was intended to be an office charged with defending “the natural and civil rights of individuals and groups against violation or neglect” by government. The Chicago group tried to design an office that would “neither be a duplicate or retainer of the President in office, a Vice-President in disguise, nor his systematic heckler and rival.” A Tribune should be “truly the spokesman for real minorities, not the exponent of a second party.”

In a sense, other countries heeded this call, while Americans have largely forgotten the conversation. Today, there are a number of analogues worth studying. Countries that have a national figure dedicated to the enforcement of rights include Albania, Argentina, Armenia, Azerbaijan, Bulgaria, Colombia, Costa Rica, Estonia, France, Guatemala, Norway, Peru, Poland, Portugal, and Serbia. Each of those countries has a Defender of Rights, Commissioner for Human Rights, or Chancellor of Justice. There exists a U.N. High Commissioner for Human Rights, who recently weighed in on Oklahoma’s bungled execution by lethal injection, but has no real power to influence rights development here.

So it seems it is well past the time to consider whether we are doing all that we can institutionally to protect civil and human rights.

The FTC and the New Common Law of Privacy

I’m pleased to announce that my article with Professor Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014), is now out in print. You can download the final published version at SSRN. Here’s the abstract:

One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its authority to police unfair and deceptive trade practices. Despite over fifteen years of FTC enforcement, there is no meaningful body of judicial decisions to show for it. The cases have nearly all resulted in settlement agreements. Nevertheless, companies look to these agreements to guide their privacy practices. Thus, in practice, FTC privacy jurisprudence has become the broadest and most influential regulating force on information privacy in the United States — more so than nearly any privacy statute or any common law tort.

In this Article, we contend that the FTC’s privacy jurisprudence is functionally equivalent to a body of common law, and we examine it as such. We explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies. A common view of the FTC’s privacy jurisprudence is that it is thin, merely focusing on enforcing privacy promises. In contrast, a deeper look at the principles that emerge from FTC privacy “common law” demonstrates that the FTC’s privacy jurisprudence is quite thick. The FTC has codified certain norms and best practices and has developed some baseline privacy protections. Standards have become so specific they resemble rules. We contend that the foundations exist to develop this “common law” into a robust privacy regulatory regime, one that focuses on consumer expectations of privacy, extends far beyond privacy policies, and involves a full suite of substantive rules that exist independently from a company’s privacy representations.

FTC v. Wyndham

The case has been quite long in the making. The opinion has been eagerly anticipated in privacy and data security circles. Fifteen years of regulatory actions have been hanging in the balance. We have waited and waited for the decision, and it has finally arrived.

The case is FTC v. Wyndham, and it is round one to the Federal Trade Commission (FTC).

Some Quick Background

For the past 15 years, the FTC has been one of the leading regulators of data security. It has brought actions against companies that fail to provide common security safeguards on personal data. The FTC has claimed that inadequate data security violates the FTC Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In many cases, the FTC has alleged that inadequate data security is deceptive because it contradicts promises made in privacy policies that companies will protect people’s data with “good,” “adequate,” or “reasonable” security measures. And in a number of cases, the FTC has charged that inadequate data security is unfair because it creates actual or likely unavoidable harm to consumers which isn’t outweighed by other benefits.

For more background about the FTC’s privacy and data security enforcement, please see my article with Professor Woodrow Hartzog: The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014). The article has just come out in print, and the final published version can be downloaded for free here.

Thus far, when faced with an FTC data security complaint, companies have settled. But finally one company, Wyndham Worldwide Corporation, challenged the FTC. A duel has been waged in court. The battle has been one of gigantic proportions because so much is at stake: Wyndham has raised fundamental challenges to the FTC’s power to regulate data security under the FTC Act.

The Court’s Opinion and Some Thoughts

1. The FTC’s Unfairness Authority

Wyndham argued that because Congress enacted several data security laws to regulate specific industries (FCRA, GLBA, HIPAA, COPPA), Congress did not intend for the FTC to be able to regulate data security more generally under FTC Act unfairness. The court rejected this argument, holding that “subsequent data-security legislation seems to complement—not preclude—the FTC’s authority.”

This holding seems quite reasonable, as the FTC Act was a very broad grant of authority to the FTC to regulate for consumer protection for most industries.

Facebook Privacy Dinosaur

I have yet to see it “in the wild,” but media outlets are reporting that Facebook has created a Privacy Dinosaur—a little helper that checks in on users in real-time to help ensure that they understand who will see their update or post. Whether you think of this as “visceral notice,” a privacy “nudge,” or “obscurity by design,” suffice it to say that this development will be of interest to many a privacy scholar.