LITIGATION SUPPORT TIP OF THE NIGHT

The Sedona Conference's Primer on Data Privacy has just been made available for public comment. Here's a summary of the contents of the primer.

I. INTRODUCTION

The primer focuses on civil law issues.

II. BACKGROUND AND OVERVIEW

A. Common Law of Privacy

1. Brandeis / Warren article The Right to Privacy (1890) in Harvard Law Review in response to instantaneous photography - origin of right to privacy

2. Paresich v. New England Life Ins. Co. (Ga. 1905) recognizes tort for invasion of privacy.

3. Restatement of Torts (2nd)

a. intrusion upon seclusion - most often used for data privacy

i. violate reasonable expectation of privacy

ii. intrusion must be offensive to a reasonable person.

b. appropriation of name or likeness.

c. public disclosure of private facts.

d. false light

B. Fair Information Practice Principles and Similar Privacy-Protecting Frameworks

1. Privacy Act of 1974 (HHS)

2. White House Fair Information Practice Principles (FIPP) 2011

a. Transparency - notify use of PII

b. Individual participation / access - seek individual consent

c. Purpose Specification -

d. Data Minimization

e. Use Limitation

f. Data Quality and Integrity

g. Security

h. Accountability and Auditing - audit the actual use of PII.

C. Personal Information

1. EU definition broader

2. Personal information may become re-identified.

3. PII under federal government requirements for federal agencies is defined broadly to include “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”

D. Industry Standards

1. FTC has brought actions based on failure to implement policies consistent with industry standards.

E. Contract Based Privacy Rights

1. Generally not enforceable through use of contract law principles.

III. FEDERAL AND STATE GOVERNMENTS

A. Federal Government

1. Privacy Act of 1974 (5 U.S.C. 552)

a. Can't disclose PII unless written consent or disclosure under 12 exceptions:

i. need to know. ii. FOIA iii. routine use iv. Census Bureau v. statistical research

vi. NARA vii. law enforcement viii. health/safety circumstances ix. official use by Congress

x. official use by GAO xi. court order xii. report bad debt information.

b. Individuals can request an Accounting

c. Right to Civil Action

d. If SSNs collected must issue disclosure

e. Privacy Act limits computer matching of records between agencies

f. Judicial Redress Act - EU citizens right to legal redress for privacy violations

2. E-Government Act of 2002

a. Title III Federal Information Security Management Act of 2002 (FISMA)

b. Title II privacy protections

i. Privacy Impact Assessment required by fed agencies before implementing information system.

ii. Privacy policy must be posed on agency web site describing what information is being collected.

iii. Confidential Collection of Statistical Information - Title V of the E-Gov Act, enacted as the Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), protects individuals and organizations who provide information to federal agencies for statistical purposes under a pledge of confidentiality.

3. Freedom of Information Act

a. Nine 5 U.S.C. 552(b) exemptions. Exemption 6 - personal and medical files; Exemption 7 records compiled for law enforcement purposes - if unwarranted invasion of personal privacy.

4. Fourth Amendment

a. Led to shutdown of NSA telephone metadata bulk collection practices.

b. Unreasonably seized information can lead to 42 U.S.C. 1983 civil rights claim.

5. Federal Criminal Law Enforcement

a. FBI, DHS, and Secret Service have dedicated cyber crime units.

B. State Governments

1. State Constitutional Privacy Protections

a. California Constitution, for example, makes “pursuing and obtaining” privacy an inalienable right, on par with “enjoying and defending life and liberty.”

2. Public Record Statutes

a. All states have public records law that allow individuals to access documents from government agencies.

3. Surveillance and Other Data Collection

a. Motor Vehicle Records

Drivers Privacy Protection Act (DPPA) requires states to provide a minimum baseline of protection to drivers’ motor vehicle records

b. License Plate Readers

Automated License Plate Readers (ALPRs) in California can only be stored for 60 days.

c. Event Data Recorders

17 states have laws preventing collection from EDRs without owner consent.

d. 911 Call Recordings

- may or may not require court order to disclose.

4. Privacy Policies

One-third of states have passed laws requiring government agencies to maintain and publicize a privacy policy. California, for example, requires state agencies to adopt a privacy policy and to appoint an employee to be responsible for the policy.

5. State Criminal Statutes

a. Computer Crimes - unauthorized access is usually a misdemeanor, but aggravating circumstances can make it a felony. Only 12 states make it a crime to introduce a virus into a computer.

b. Identity Theft - e.g. RFID skimming

c. Threats and Harassment

i. Cyber Stalking - all states have laws criminalizing stalking and most have amended them to include cyber stalking.

ii. Revenge Porn - Outlawed in 16 states. Illinois statute is not limited to nude photos.

IV. GENERAL CONSUMER PROTECTION

A. Federal Privacy Statutes of General Applicability

1. Federal Trade Commission Act

Section 5 actions against entities that fail to protect consumer privacy and fail to properly secure personal information. E.g., August 2015, the FTC announced settlements with 13 companies that claimed to be current participants in the now defunct EU-US Safe Harbor Framework but whose certifications had either lapsed or never been submitted.

2. Children’s Online Privacy Protection Act (COPPA)

protects PII of children under 13 - websites can't collect.

3. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)

- prohibits deceptive header information in spam.

- requires method to opt out of further messages.

- For email messages containing sexually oriented material, the first 19 characters on the subject line must be, in all caps and as depicted “SEXUALLY-EXPLICIT:” and that same phrase must also appear when the email is opened.

4. Telemarketing Act

a. prohibits abusive or coercive calls.

b. restricts the hours of the day unsolicited calls may be made.

c. promptly disclose the purpose of the call.

d. Telemarketing Sales Rule - FTC can address at its discretion deceptive telemarketing practices. Setup Do Not Call Registry.

This evening I attended a discussion hosted by the Sedona Conference at the offices of BakerHostetler at Rockefeller Center in Manhattan. The topic of the discussion was, "Practical Solutions to the Challenges and UncertaintyAssociated with the EU-U.S. Privacy Shield". The panel was composed of Magistrate Judge Andrew Peck of the United States District Court for the Southern District of New York; Emily Fedeles, an associate with BakerHostetler; and Stacey Blaustein, a Senior Attorney and Global E-Discovery Lead at IBM.

The panel briefly discussed the Schrems decision of a year ago. They laughed about how ironic it was that a law student had found the time to bring the case, and joked that someone could have prevented all the trouble caused by the overturning of the U.S./E.U. safe harbor scheme by giving him a job with an American law firm. The group focused on the new privacy shield adopted in response to the Schrems decision and the General Data Protection Regulation which will be fully implemented in May 2018 in the European Union after a two year transition period.

Stacey Blaustein noted that business can certify online at https://www.privacyshield.gov. The site leads companies through the process step by step. She discussed how the new framework has avenues of redress built in. The FTC has jurisdiction under section 5 of the FTC Act for adjudicating violations of the Privacy Shield Principles. Blaustein mentioned the September 30, 2016 deadline for companies to self-certify and gain a nine month grace period to update contracts made with data processors.

Ms. Fedeles said that under the new framework companies would have a 45 day deadline to address specific concerns raised by complainants. She also noted the many companies have already certified. See the list here.

Ms. Blaustein talked about the onward transfer or downward stream exchange of data, and mentioned that vendors may not have to certify but need to comply with the same standards as the companies who engage them.

The panel noted the the FTC's jurisdiction only extends to the industries that it regulates. Ms. Blaustein noted that is precluded from exercising jurisdiction over transportation.

Judge Peck talked about the anonymization of data as a potential solution to the problem of producing documents covered by European data privacy laws. He speculated that under the new GDPR review will still take place in the European Union, with anonymization taking place before ESI was transferred to the United States.

Ms. Fedeles noted that certification can be rescinded, which would lead to a company having to delete the data it had collected. Audits are conducted under the new privacy shield regime.

Judge Peck discussed cross border discovery in the context of the 1987 United State Supreme Court decision, Societe Nationale Industrielle Aerospatiale v. U.S. District Court for the Southern District of Iowa,482 US 522 (1987) . Five factors were given to judge whether or not international discovery could be conducted despite a foreign blocking statute:

"(1) the importance to the . . . litigation of the documents or other information requested;

"(2) the degree of specificity of the request;

"(3) whether the information originated in the United States;

"(4) the availability of alternative means of securing the information; and

"(5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located."

Judge Peck noted that over the years two additional factors were added in effect to this Societe Nationale test - the hardship imposed on the producing party and whether or not the request was made in good faith. He blamed bad lawyering for over relying on the fifth factor to justify cross border discovery.

He mentioned the 2007 'Christopher X' case in which a French court only imposed a €10000 fine for the violation of a blocking statute, has been used in American courts to encourage the practice of violating such statutes.

Judge Peck warned that under the new GDPR companies could face fines potentially high as 4% of global gross revenue - not just profit. He said if foreign data currently located in the United States no longer fell under provisions allowing for its exchange, there was a good argument for it being protected under cross border discovery rules, but he felt that this was something other judges would have to be educated about.

Judge Peck noted that a party won't necessarily be sanctioned for the disclosure of private data it moves 'downstream', if it uses proper contracts. He did not know if a negligence standard or something else would be used to evaluate whether or not a party had used proper methods for transferring data.

Ms. Blaustein noted that if possible recipients should only get data for a specific purpose. The panel reminded the audience that the United Kingdom after Brexit, and Switzerland would not be bound by European data privacy laws.

Judge Peck observed that Britain was one country in which discovery could be obtained quickly through the Hague Convention - in part because the British disclosure process is similar to American discovery.

Under the EU's Data Protection Directive, an individual has a 'right to be forgotten'. Google Spain SL v. Agencia Española de Protección de Datos , a 2014 decision of the Court of Justice of the European Union, found EU citizens can request that data controllers remove URLs with personal information. If you want to request that the world's number one search engine perform this task, you do so by completing this form:

https://support.google.com/legal/contact/lr_eudpa?product=websearch

Google says that it weighs the public's interest in the information against privacy rights in deciding whether or not to honor a request. Google's decisions can be appealed to an European data protection agency.