Fourth Amendment's Interplay with Privacy in Today's Digital World Generates Debate

This week’s post concerns a panel discussion at the 2012 Western District of Washington Annual CLE and District Meeting for Judges and Lawyers, held at the U.S. Courthouse in Seattle, Washington.  The panel discussed the Fourth Amendment and privacy issues in the digital age. 

The title of Professor Dorothy Glancy’s segment was Keeping Up with the Jones Decisions and What May Lie Beyond.  Professor Glancy teaches at Santa Clara University School of Law.  The U.S. Supreme Court recently issued its decision in U.S. v. Jones.  The justices agreed that the warrantless GPS tracking of vehicles is unconstitutional, but disagreed on why it’s unconstitutional. 


Sweden Eyes Outlawing Using Smartphones to Take "Insulting" Pictures

“Modern-day Peeping Toms snapping photographs of women in various states of undress in department store fitting rooms, public toilets, or showers” are creating trouble in Sweden.  Wendy Zeldin reports on this problem in Sweden:  Proposal to Outlaw Use of Smartphones to Take Compromising Pictures.  What we think of as voyeurism in the U.S. is apparently not unlawful in Sweden.

The Swedish government has been working to address the problem of privacy violations caused by secret picture taking since 2008.  The current proposal is an attempt to protect privacy interests, while also protecting the freedom of expression and legitimate photography, such as for news reporting.  What exactly is legitimate photography for news reporting in the Peeping Tom context?  The draft law focuses on “insulting picture-taking,” making that a crime, but does not ban taking “unauthorized” pictures.  The draft law leaves it to the courts to determine what an “insulting” photograph is.  Although the widespread use of smartphones makes secret picture taking easier, it appears that the concern involves all “insulting picture-taking,” not just pictures taken with smart phones.


VPPA Damages Remedy Not Available in Class Action Suit Over Personally Identifiable Information

The question before the 7th Circuit in this case was whether the Video Privacy Protection Act (VPPA), 18 U.S.C. §2710, provides a civil damages remedy for violating subsection (e) of the Act, which requires the destruction of personally identifiable information as soon as practicable.  Plaintiffs are consumers who brought a class action suit against Redbox for failure to comply with subsection (e) of the VPPA.  Redbox rents DVDs, Blu-ray discs and video games to consumers from automated retail kiosks. 

The VPPA is codified in the U.S. Code under Title 18, Crimes and Criminal Procedure, Chapter 121, Stored Wire and Electronic Communications and Transactional Record Access.  Subsection (d) provides for the exclusion of personally identifiable information that is not obtained according to the statute as “evidence in any trial, hearing, arbitration, or other proceeding before any court, grand jury, department, officer, agency, regulatory body, legislative committee, or other authority of the United States, a State, or a political subdivision of a State.”  Accordingly, the VPPA does not provide for criminal fines or incarceration for violators.  However, subsection (c) does provide for damages and attorneys’ fees in a civil action.  The court’s discussion focused on whether the civil remedy provided in subsection (c) applies only to violations of subsection (b) and not to violations of subsection (e), since subsection (e) comes after subsection (c) and the subsection (c) civil remedy does not come after all of the Act’s prohibitions.


Freedom of Information Act Ruling by Ninth Circuit Holds VA Wrong to Withhold Documents

In Yonemoto v. Department of Veterans Affairs (pdf), the Ninth Circuit addressed two questions about the Freedom of Information Act (FOIA):  (1) Was a Veterans Health Administration (VHA) employee’s FOIA request made moot when the Department of Veterans Affairs (VA) offered to allow the VHA employee to obtain copies of the documents in his capacity as a VHA employee; and (2) Could the VA withhold redacted portions of 9 other documents under FOIA Exemption 6, which allows an agency to withhold personnel, medical and similar files that would constitute a clearly unwarranted invasion of personal privacy?

The FOIA, 5 U.S.C. §552, allows citizens to find out what their federal government is up to, consequently providing a check against corruption and holding government actors accountable.  FOIA

permit[s] access to official information long shielded unnecessarily from public view and attempt[s] to create a judicially enforceable public right to secure such information from possibly unwilling official hands.

(Opinion pdf page 7).


No Reasonable Expectation of Privacy in IP Address Information Rules Twitter-Wikileaks Court

The decision in this case arose out of the U.S. government’s grand jury investigation of several individuals associated with Wikileaks:  Jacob Appelbaum, Rop Gonggrijp and Birgitta Jonsdottir.  The government obtained an order under the Stored Communications Act for Twitter to provide the non-content Twitter account records of these individuals.

The Twitter account holders moved to quash the order and to unseal court records, raising arguments under the Stored Communications Act (SCA), the Fourth Amendment, the Due Process Clause and the First Amendment.  This blog post discusses the court’s SCA and Fourth Amendment analyses in denying the motion to quash the order.


Privacy Bill Aimed at Protecting Personally Identifiable Information?

Senators Kerry and McCain recently introduced a bill entitled “Commercial Privacy Bill of Rights Act of 2011.”  The purpose of the bill is

To establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission, and for other purposes.

How comprehensive is the privacy protection for individuals when the bill only covers entities collecting, using, transferring or storing personally identifiable information on more than 5,000 individuals in a 12 month period?  What about the personally identifiable information collected by your independent insurance agent or the dealership you take your car to for servicing?  Those businesses probably don’t collect and use personally identifiable information on more than 5,000 individuals in a 12 month period, but they have your personally identifiable information.

The bill makes a number of findings, including

  • Personal privacy should be protected through appropriate legislation.
  • The success of businesses depends on trust in the treatment of personally identifiable information.
  • People have a significant interest in their personal information, especially when interacting with those engaged in interstate commerce, and have a right to control how the information is collected, used, stored or transferred.
  • People engaged in interstate commerce and who collect personally identifiable information are responsible for treating that information with respect and according to a common standard.
  • State regulation of personally identifiable information could lead to inconsistent standards and protections.
  • Federal, state and local governments fail to adequately protect the privacy of individuals interacting with persons engaged in interstate commerce.
  • Industry self-regulation leads to some self-policing schemes that do not adequately protect individuals’ privacy.
  • Many collectors of personally identifiable information do not provide baseline fair information practice protections.
  • Due to advances in technology, information gatherers can effortlessly compile highly detailed personal histories of individuals.
  • Personal information about individuals is collected, combined, sold or transferred to third parties for purposes unknown to the subject individual.
  • Congress has enacted statutes to protect privacy in specific areas, but the Federal Government has an interest in creating protection that covers all collectors of personally identifiable information.
  • The Federal Trade Commission considers current private self-regulation efforts inadequate.  The Commission also thinks first-party data collection practices are distinguishable from third party practices with respect to behavioral advertising.  Consumers may expect to receive recommendations from companies they deal directly with over the Internet.
  • Commerce will be stimulated by the greater consumer confidence created by clear and consistent rules enhancing privacy protection.

Personally identifiable information includes only an individual’s first and last name, the address of her physical place of residence, her email address, her telephone number, her social security number, her credit card account number, unique identifier information that alone can be used to identify her specifically, and her biometric data.  If used, transferred or stored in connection with one or more of the above pieces of information, the following items are also personally identifiable information:  date of birth, the number on a certificate of birth or adoption, place of birth, unique identifier information that cannot alone be used to identify a specific individual, precise geographical location equivalent to a global positioning system, detailed information about the uses of voice services, and any other information that may reasonably be used by a collecting, using or storing party to identify an individual.  There is a difference between covered information under the Act and personally identifiable information.  In this summary I refer to personally identifiable information to keep things from becoming overly complicated.

The bill is divided into 7 titles:

  • Right to Security and Accountability
  • Right to Notice and Individual Participation
  • Rights Relating to Data Minimization, Constraints on Distribution, and Data Integrity
  • Enforcement
  • Co-Regulatory Safe Harbor Programs
  • Application with Other Federal Laws
  • Development of Commercial Data Privacy Policy in the Department of Commerce

Right to Security and Accountability.  The Commission is charged with making rules for security measures applicable to covered entities (described under Enforcement) to protect the personally identifiable information they collect and maintain.  Every covered entity must have managerial accountability for implementing the Act and have a process for responding to non-frivolous inquiries from individuals regarding the collection, use, transfer or storage of their personally identifiable information.  Covered entities must design their products to protect personally identifiable information and implement managerial processes and practices designed to comply with the Act. 

Right to Notice and Individual Participation.  Each covered entity must provide clear, concise and timely notice to individuals of the entity’s practices regarding the collection, use, transfer, and storage of personally identifiable information and the specific purposes of those practices.  Covered entities must also provide notice of material changes and make notices easily accessible to individuals. 

Covered entities must offer a clear and conspicuous mechanism for opting out of consent for any use of their personally identifiable information that would otherwise be a use not specifically authorized and for use of their personally identifiable information by third parties.  Covered entities must offer a clear and conspicuous mechanism for opting in for the collection, use or transfer of personally identifiable information other than for processing the transaction, fraud enforcement or providing a secure environment.  Covered entities must also offer an opt-in mechanism for previously collected data when there is a material change in the covered entity’s stated practices and such a change creates a risk of harm to an individual. 

Covered entities must provide individuals with access to their information and a way to correct errors.  Covered entities must provide a mechanism for individuals to request that their information be rendered not personally identifiable in the event of the covered entity’s bankruptcy or the termination of the relationship.

Third parties can use personally identifiable information only to the extent of the opt-in consent.

Rights Relating to Data Minimization, Constraints on Distribution, and Data Integrity.  Covered entities may collect personally identifiable information only to the extent necessary to process the transaction, prevent fraud, investigate a possible crime, comply with the law, for the covered entity to market to an individual if the information used was directly collected by the covered entity, for research and development for product improvement or for internal operations, such as customer satisfaction surveys and improving website navigation.

Covered entities can retain personally identifiable information only for the duration necessary to provide the service, necessary for research and development or required by law.

Covered entities must provide in contracts with third parties to whom the information is transferred that the third parties may use the information consistent with the Act, as specified by contract, and may not combine information that is not personally identifiable with other information to determine the identity of an individual unless opt-in consent is obtained.

Covered entities may not transfer information to unreliable third parties.

Third parties receiving information from covered entities are subject to the Act’s provisions to the same extent as covered entities.

Covered entities must attempt to establish and maintain reasonable procedures to ensure that personally identifiable information is accurate when the information could be used to deny consumers benefits and cause significant harm.

Enforcement.  A covered entity is any person who collects, uses, transfers or stores personally identifiable information on more than 5,000 individuals during a 12 month period and is someone the FTC has authority over under 15 USC 45(a)(2) regarding unfair methods of competition or deceptive acts or practices affecting commerce, a common carrier or a non-profit organization.  Knowing or repetitive violations of the Act will be treated as unfair or deceptive acts or practices in violation of the Federal Trade Commission Act, 15 USC 57a(a)(1)(B).

State Attorneys General may enforce the Act in U.S. District Court.

Civil penalties range from $16,500 for each day of noncompliance to $16,500 for each individual whose consent was not obtained.  The maximum total civil penalty is $3,000,000.

Co-Regulatory Safe Harbor Programs.  The Commission shall establish requirements for safe harbor programs.  The safe harbor programs cover uses that offer consumers an opt-out for the transfer of information to a third party for behavior advertising purposes, location-based advertising purposes or for uses not authorized by the individual.  Safe harbor programs must protect the privacy of individuals at least to the same extent as the requirements of the provision from which the covered entity seeks a safe harbor.

Application with Other Federal Laws.  Other federal privacy laws continue to apply and the Act does not modify, limit or supersede them.

Development of Commercial Data Privacy Policy in the Department of Commerce.  The Secretary of Commerce has the responsibility of developing commercial data privacy policy by convening forums of stakeholders to develop codes of conduct, expanding interoperability of the U.S. commercial data privacy framework with other national and regional privacy frameworks, conducting research to improve privacy protection under the Act and conducting research on improving data sharing practices.

The bill only covers entities collecting, using, transferring or storing personally identifiable information on more than 5,000 individuals in a 12 month period.  Quite a bit of personally identifiable information is not covered by the bill.  While it is a step in the right direction to recognize the problems articulated in the bill’s findings, the bill falls short of the goal of creating protection that covers all collectors of personally identifiable information.

Patient Privacy Not Protected in Facebook Placenta Photo Case

A Kansas federal district court judge recently enjoined a community college nursing program from expelling a student for posting a photo of herself examining a placenta on Facebook.  Three other nursing students likewise posted photos of themselves examining the placenta on Facebook.  All were expelled from the nursing program.  The woman from whom the placenta came was not shown in the photos.  An instructor allowed the photos to be taken, but denied that she was informed that the photos would be posted on Facebook.  One of the nursing students challenged her expulsion in federal court.  The judge found that there were no patient privacy rights involved.  Debra Cassens Weiss describes the facts in greater detail in “In Facebook Age, Do Photos Carry Expectation of Privacy?  Placenta Opinion Raises the Issue.”  “Nursing Student wins Facebook placenta photo case” by Matt Campbell is another detailed article and includes a picture of the Facebook photo posted by the challenging student.

I will depart from much of the other discussion about the case and make these two arguments:

  • The woman the placenta came from is personally identifiable to a point where her privacy should be protected.
  • The supervisor had no authority to consent to the students taking the photos.

First off, what is a placenta?  I have been involved in whelping a few litters of puppies over the past 20 years.  When I first read about this case, I had a hard time believing that anyone would want a photo of the human equivalent of the little sack you tear off of the puppy when it is born, but that’s what they took a photo of.  “The placenta is an organ that connects the developing fetus to the uterine wall to allow nutrient uptake, waste elimination, and gas exchange via the mother’s blood supply.”  Unlike dogs, where the puppy is usually born while still in the placenta, in humans the placenta is usually expelled 15 to 30 minutes after the baby is born.

The court specifically found that “no patient privacy rights were implicated in this photo,” due to the fact that the supervisor “ensured that all patient identifying marks which might be captured by a photograph be removed before the photo was taken.”  The court indicated that whether it was a “fresh” placenta is irrelevant, as the freshness could not be determined from the photo.  Perhaps you can’t tell from the photo whether it is fresh, but the students and supervisor probably knew how fresh it was and that certainly is another identifier that can be used to narrow the identity of the woman it came from.  The court also stated that one of the defendants “testified to some attenuated theory involving the number of births that day at Olathe Medical Center (allegedly only one), which would enable the patient to be identified.  The theory is too remote and speculative.”

In Northwest Memorial Hospital v. Ashcroft, the hospital sought to quash a federal government subpoena of medical records of 45 women on whom a particular doctor performed late term abortions using a controversial method.  The 7th Circuit Court of Appeals upheld the district court’s order quashing the subpoena.  It found that the government failed to adequately account for the privacy interests of the women whose records it sought.  The court of appeals indicated that even if the medical records were redacted to remove personal identifying information, if the women’s medical records were made part of the trial record, some of the women would be fearful that others would have enough information to be able to determine their identity and “expose them to threats, humiliation and obloquy.”  The court of appeals thought that the medical histories and accumulation of information “can make the possibility of recognition very high.”  The court of appeals also stated that:

Even if there were no possibility that a patient’s identity might be learned from a redacted medical record, there would be an invasion of privacy.

That is because the woman who is the subject of the records knows those are her records, even if others do not, and would still feel that her privacy was invaded.

The court’s ruling in the placenta case is just the opposite.  I think the 7th Circuit has the better argument, as it would be a small matter for someone searching publicly available records to narrow down where the placenta came from to a few women.  More importantly, the women who gave birth at that facility on or shortly before the day the photos were taken know who they are and know that some part of a very private moment was made public without patient consent.

My second argument, that the supervisor did not have the authority to consent to the students taking the photos, is an argument about confidentiality.  The court in the placenta case used the word “confidentiality” only once:  “While this Court recognizes and understands the significance of not only patient confidentiality, ...”  Despite this comment, patient confidentiality was not recognized by the court at all. 

Under Kansas law, a patient of a treatment facility has a privilege to prevent treatment personnel from disclosing that the patient has received treatment or from disclosing confidential communications made for treatment purposes.  Moreover, “the treatment personnel shall claim the privilege on behalf of the patient unless the patient has made a written waiver of the privilege.”  It seems to me that the supervisor should have refused the students’ request to photograph the placenta and claimed the privilege on behalf of the patient.  In any event, this decision failed to adequately consider the important rights of a person not named in the lawsuit, the patient.

Aside from the above arguments, are we willing to tolerate this type of insensitivity from our health care providers?  When I begin to feel like I am being treated in an impersonal manner or sense a lack of respect, I find another health care provider.  How many women across the country are going to refuse to allow nursing students to attend their deliveries as a result of this case?