Making my way back in, one post at a time.
I had ventured back to my dear, neglected blog, pondering what on earth to write about, when I noticed how many pending spam comments were awaiting me. It wasn’t the typical 5-10, or even 25. No, it was 175! 175 spam comments! How much viagra can one 28 year old female really need? Apparently a lot.
Anyways, all this talk of spam got me thinking (no, not about Monty Python you sillys) about my Data Privacy Law class. Tonight we happened to briefly discuss spam and what’s allowed, what’s not allowed, all that good stuff, which I found quite interesting, especially given my hatred of spammers and telemarketers (let’s stick it to ‘em my good chap!). Since I’ve been all out of ideas for what to blog about, I figured I’d go with what has swallowed my entire life – law school. Tonight I’ll begin w/ Data Privacy and later I’ll continue with a snippet from all the other classes I’ve taken so far and a bit of info about the startup I interned with this summer. It should be good fun (please note I’ve been watching a lot of Downton Abbey so my speech may sound rather over the top, even more so than usual), especially if any law students, or prospective law students, happen my way. Please note that Data Privacy is an upper level course – I will go down to first year courses after this.
With data privacy, I feel the best way to approach it is to consider: (1) the contexts in which we may find ourselves questioning our rights; (2) the applicable laws surrounding it; (3) what we hope to gain, or a remedy we hope to achieve, through using the law; and (4) how US perspectives stack up against our European counterparts. I will try to throw in a bit about misconceptions and some on point examples where I can. Please note, this may get a bit long but I’m gonna try super hard to keep it brief(ish). I haven’t really referenced sources because a lot of it comes from class notes and reading material, plus it’s late and I’m lazy. But if you have questions, please let me know and I’ll point you to where I got the info.
Also, mandatory disclaimer: I am only a 2nd year law student so you should not rely on any of this as legit legal advice/information and I will not be held accountable if you do. Okay, no more of that, let’s get to it.
Here are some scenarios where you may encounter a need for data privacy protection:
- When answering government surveys, including the Census
- When your home is searched by government agents – will a police officer disclose personal information to the government? To my neighbors? To the press?
- When you sign up for a web service, like for a web app e-mail service. What if the government suspects I’ve committed a crime? Will the service provider disclose my information? Could it be used against me in court?
- When you happen to be a celebrity and the paparazzi comes after you
- When you use social media (i.e. Twitter, Facebook, etc.)
- When your company plans to open up a European subsidiary
- When you want to tell someone about your boss’ unlawful action and get wrongfully terminated
- When your employer monitors your work and personal e-mail for quality control purposes
One thing to consider is the U.S. Constitution, and maybe your state’s constitution too. One thing that you might not know (at least I didn’t before), is that the Constitution doesn’t actually guarantee any sort of privacy right. The 4th Amendment provides protection for unreasonable searches and seizures from state actors, but doesn’t say that we’re entitled to be safe from all searches and seizures. Please note that some states (including California, I believe) say that this applies to non-state actors as well. The Supreme Court has also interpreted that there is an implied fundamental right to privacy, but it is not absolute. Certain Justices *cough* Scalia *cough* reject this notion of a fundamental right because it doesn’t appear in the text – let’s just ignore him, shall we (thanks Obama!)?
Statutory law is essential to data privacy law. Although it certainly doesn’t cover everything, it does offer specific types of protection in some (albeit narrow) circumstances. The Wire Tap Act and the Stored Communications Act protect against people either intercepting or storing your information. Please note that these acts actually contain pretty broad exceptions that seem to be relatively easy to circumvent. For example, if the FBI suspects that you’re part of some criminal activity, it won’t take much for them to get your Internet Service Provider to disclose not only your personal information, but also the contents of your e-mails and beyond. So, if you think that your e-mail provider of choice would never do something to hurt you or give your info away, please be warned that they are legally required to disclose your information when applicable.
There are statutes to cover various areas, including spam for commercial use, and statutes for health care providers, celebrities, whistle-blowers, and specific ones for financial information, to name a few. If you work in a specific industry, chances are that there’s a statute that pertains to you.
The Common Law is where we can look for all sorts of protection, although it varies by state and may only get us so far (remember that statutes are where most of the action really is). First, we’ve got good old fashioned property law. We think we own this information, right? Chances are that the answer is actually no. No one can own facts. Your e-mail address, physical address, name, phone number? You do not own that information. Therefore, you can’t file a claim against an individual or entity because they “stole” your personal info. In fact, my professor points out in an article, that many social media companies actually have a stronger property claim to the information in our posts than we do. Although you might have some chance of claiming that your 140 character tweet was so eloquently stated as to garner copyright protection, the facts within that same tweet do not belong to you. If you tweet, “I’m headed to the Page tonight. Gotta love me some Bushmills, dudes,” that information is not your own. Instead, Twitter, or whatever other agency, could claim that this information is protected by trade secret law. That is, it is so valuable to their economic performance/business, that no one else can use this information. So, if someone starts a rival to Twitter tomorrow, they can’t start targeting me with local Lower Haight bars and Northern Irish whiskey based on that one tweet. If I wanted to sell that information myself, I could not because it is deemed to be factual (and also I probably signed away that right when I signed up). Another property tort you could try would be trespass, but it probably won’t get you very far.
Tort law provides some assurances. If you’re up against a governmental agency, you might be able to argue a 42 U.S.C. § 1983 claim for a civil rights violation. Generally, government officials may not be held liable for civil claims as long as they are acting in their official capacity. Torts like this were created to grant individuals some relief and to prevent against abuse. This would come in to play if, for example, a police officer searched your home (with a warrant) then disclosed to other nongovernmental officials some of your intimate details that a reasonable person would find offensive. So maybe revealing that you like Michael Bolton might not be that big a deal, but revealing that you have a giant stack of foot fetish porn by your bed might be.
Tort law also includes the torts of privacy, which include (1) intrusion upon seclusion; (2) appropriation of private facts; (3) public disclosure of private facts; and (4) false light. These are all pretty boring but are highly relevant in this area. If someone is using your name or image to sell something without your consent, you’ve probably got yourself an appropriation of private facts claim.
Contract law is another biggie. If you’re able, you can use this to give yourself stronger protection. However, most of the time it’s companies or service providers who set the terms. Unfortunately, a lot of these will encourage you to waive your rights. Pay attention to the Terms of Service of the next service you sign up for. Chances are, you’ll find that the provider is asking you (or forcing as I see it) to give up at least some of your expectation of privacy.
What do we want from all this? It can be hard to say in some instances and really goes to the question of “what is privacy?” In some cases, we don’t want to be fired or misrepresented. In others, we don’t want our company’s secrets, or personal financial information, to be freely given away. Other times, we don’t want certain information to be used against us as evidence in court. However, often it’s hard to say what we really want. If Google monitors my information in order to better target me for advertisement purposes, what harm is really done? Now I know that Google won’t *do* anything with that info. They won’t tell all my contacts where I’m going to lunch with so and so, they won’t tell everyone how many times I call my boyfriend a certain pet name, nor reveal some intimate secret to my parents (don’t worry, there isn’t a secret like that, so shhh). Instead, they’ll use it to “improve my ad experience.” Now I sort of appreciate it because I’d rather get ads about my preferred dog food or favorite L.L.Bean slipper shoes instead of diet supplements or engagement rings *cough*Facebook*cough*. However, at first I found it intrusive. How dare they access my e-mail? Even using non-human algorithms! But what harm was really done? Was my sense of self somehow damaged? My reputation? My right to enjoy everything I “get” from using personal e-mail? It’s hard to say. Generally, laws related to data privacy grant injunctions or money damages, and sometimes criminal penalties. But do those remedies really fix the harm? Not all of the above mentioned laws may be used in data privacy settings because of this seemingly lacking harm.
U.S. vs. Europe
Just to quickly mention it, Europe approaches data privacy very differently from the US. Despite what 1984 would have us believe, Europe is pretty stringent compared to us. Rather than having piecemeal statutes and common law approaches, which target individual areas of data privacy, Europe leans more to broad and over-encompassing regulation. The default rule is that companies, individuals, or the government can’t process data unless there is a specific statutory exception. Europeans may more easily complain that their “right of personality” has been harmed by a privacy invasion, while Americans are told that they didn’t have a reasonable expectation of privacy in the same setting. We can waive our rights while it is much harder for Europeans to do so. As a result, the United States is much more amenable to tech companies that take advantage of our personal information. How would many startups survive if they had to search for legal exceptions to accessing our personal data? This also makes doing transnational business trickier because the European Union has had trouble accepting U.S. standards for protection. Now, American companies are encouraged to adopt certain standards and follow specific guidelines if they hope to engage in transnational transactions or establish foreign subsidiaries that will allow for the transfer of personal data (including employee, not just customer, information). The FTC is to step in and enforce these provisions, although it has gained criticism for often failing to do so.
I could continue on about the differences between German, EU, and US data privacy law, but will stop, for everyone’s sake. The main point is, don’t take your personal data privacy for granted; simply because it seems “safe” does not mean that it is yours for the keeping.
Oh – I realize I didn’t really talk about spam in the end, but maybe I’ll address it another day. If you’re really interested right now, go check out the Can-SPAM act, which sets out the elements for a claim. You’ll find that many spammers, including those fondly mentioned (ahem, *worst*) spammers who left me 175 comments, would not satisfy those elements (meaning they are guilty as the eff for spam violations as long as blog comments are included in the Act). Part of the reason I didn’t include it just yet is because we covered it super quickly and I’d like to be able to address it more fully so if anyone does want to make a claim, you’ll know whether you’ve got what it takes to put something together. You can also look for statutes that target your specific industry (as mentioned above) to see what protection you might have.
Next time in the law school series: Civil Procedure I ( I promise they will be more exciting after that)