by Daniel J. Solove
2013 was a remarkable year in privacy developments. Here are four main trends I saw occurring this year:
1. The heat on the NSA for its broad surveillance programs has been sustained and productive.
The Edward Snowden leaks revealed massive NSA surveillance efforts. What is most interesting in the aftermath of the recent NSA surveillance revelations has been the strong public disapproval of the NSA surveillance and courts finally taking some leadership on the issue, such as one court declaring the surveillance likely unconstitutional. The President’s Review Group on Intelligence and Communications Technologies recommended curbs on the NSA. Congress has yet to show leadership on the issue, which remains disappointing, but we are finally seeing the stirrings of a response and perhaps change. Indeed, 56% of people in a Pew poll “say that federal courts fail to provide adequate limits on the telephone and internet data the government is collecting.”
Moreover, the story regarding NSA surveillance keeps going on. It hasn’t faded. The overall trend is that there is now sustained heat on the NSA and a sustained stirring for changing the law to provide greater oversight and controls on government surveillance.
2. Privacy laws have increased in number and existing laws have been strengthened.
In January 2013, the HITECH Act changes to HIPAA were implemented by a sweeping new regulation issued by the Department of Health and Human Services (HHS). Now, entities that receive protected health information from a HIPAA covered entity are directly subject to HHS enforcement and auditing. This is a powerful expansion of coverage of HIPAA – it means that protected data under HIPAA cannot readily fall outside of HIPAA’s protective bubble just because it is shared with third parties. Penalties for HIPAA violations are much steeper, and the new definition for a data breach moves away from looking at harm. All of these are bold new changes.
The FTC issued strict new Children’s Online Privacy Protection Act (COPPA) rules, with a broader definition of personally identifiable information.
California enacted a number of bold new laws to protect privacy. One statute requires websites to indicate how they respond to Do Not Track indications in Web browsers. Another law allows minors to have personal data removed from sites. California also expanded its data breach notification law to encompass login credential information.
There is a trend here — privacy regulation is increasing and strengthening.
3. Pressure has mounted from the EU for the US to strengthen its approach to privacy.
The EU continues to pursue its new legislation and reform of the Safe Harbor Arrangement which governs the transfer of data about EU citizens to the US. Although that legislation is in flux, the noises coming out of the EU, especially after the NSA surveillance revelations, are quite loud in favor of strengthening the EU’s privacy protections and creating more divergence between the US and EU. Data Protection Authorities (DPAs) in the EU have been coming after US companies with great vigor. For example, a number of DPAs are going after Google for consolidating the privacy policies of its various services. The Dutch DPA recently found Google in violation of Dutch privacy law.
The trend here is that the EU is putting increased pressure on US companies and on the US more generally. The EU will have an impact on the future of US privacy law.
4. The law still struggles to determine what constitutes a privacy harm.
Courts decided several high-profile cases involving what constitutes a privacy harm.
In In re: Google Inc. Gmail Litigation (N.D. Cal., Sept. 26, 2013), plaintiffs sued Google alleging that Google was intercepting Gmail messages while in transit in order to send ads and that this practice violated federal and state wiretapping laws. Judge Koh found that the plaintiffs had standing because violations of these statutes, even without harm, are sufficient to confer standing. Google argued that its privacy policy put people on notice of its email scanning practices and hence people consented to it by using Gmail, but the court found that the policies weren’t sufficiently clear. Moreover, the court concluded that non-Gmail users who sent an email to a Gmail user never consented to their email being intercepted. The court allowed the case to go forward.
In In Re Google, Inc. Cookie Placement Consumer Privacy Litigation (D. Delaware, Oct. 9, 2013), plaintiffs alleged that Google “’tricked’ their Apple Safari and/or Internet Explorer browsers into accepting cookies, which then allowed defendants to display targeted advertising.”
Judge Robinson found that the plaintiffs lacked standing because they couldn’t prove a harm because they couldn’t demonstrate that Google interfered with their ability to “monetize” their personal data. The court dismissed various statutory claims, including wiretap statutory violations, for reasons too involved to explore here.
The court also dismissed the plaintiffs’ claims under the California Constitution, which protects a right to privacy and applies to the private sector. The court noted that the association of multiple instances of plaintiffs’ inputted information with other personal information to provide targeted advertising” was not “a sufficiently serious invasion of privacy.”
In In Re iPhone Application Litigation (Nov. 25, 2013), the plaintiffs alleged that Apple breached promises in its privacy policy to protect their personal data because its operating system readily facilitated the non-consensual collection and use of their data by Apps. Judge Koh found that the plaintiffs had made sufficient allegations of harm because of their claim that “the unauthorized transmission of data from their iPhones taxed the phones’ resources by draining the battery and using up storage space and bandwidth.” But then the court concluded that the plaintiffs failed to prove that they read and relied upon the privacy policy.
Another big case was recently decided, also involving Google. In In re Google, Inc. Privacy Policy Litigation (N.D. Cal. Dec. 3, 2013), plaintiffs sued Google for consolidating information from various Google products and services under a single universal privacy policy. The plaintiffs had shared data with Google under older privacy policies which were different for different Google services. The plaintiffs claimed that Google began using and sharing their data in different ways than had been promised in the original privacy policies.
Judge Gerwal held that the plaintiffs lacked standing because the plaintiffs failed to allege that how Google’s “use of the information deprived the plaintiff of the information’s economic value.”
What explains the divergence in these cases? The Gmail case involved privacy statutes that do not fixate on harm. The cookie and privacy policy cases involved some privacy rights that do require that harm be established. The challenge is that privacy harm is a difficult one to establish. It is often not financial and often doesn’t involve physical pain or injury. The law still struggles with harms created by the collection, use, or disclosure of people’s data. The iPhone case identifies a harm – loss of phone resources – but this really isn’t the real reason why the plaintiffs were upset.
I plan to explore these issues more in another post. The trend here is that courts are continuing to struggle with how to conceptualize privacy harms. We desperately need a coherent approach to privacy harm.
Privacy in 2014
The coming year for privacy will be quite exciting. I expect that the FTC will win in the Wyndham case, in which the scope of its regulatory authority is being challenged. The FTC has a deliberately broad and open-ended mandate – to protect against “unfair” and “deceptive” practices – and I expect that its powers will be affirmed.
I think we will see more pushback on government surveillance. Maybe Congress will do something, although with Congress these days, it is hard to assume it will accomplish anything. The courts will likely push back. The traditional government tricks are wearing thin, such as the argument “You can’t prove you were put under surveillance and we won’t tell you if you were.” With the fact that NSA surveillance is so broad, arguments like these become harder to make.
I hope that 2014 sees some greater action on education privacy. FERPA is woefully outdated and way too weak. Privacy of school data about students is an issue crying out for greater attention and action.
With all the attention on privacy, people will become more informed. The NSA stories have made people think hard about their privacy online as well as their privacy in their communications and activities.
Some might say that with all this news, people might just throw up their hands and concede that protecting privacy is futile. But polls are showing that people care about privacy even if they might feel somewhat helpless about protecting it. In the face of all this is how the law is responding. It’s not giving up. In fact, it is growing and getting stronger.
So despite growing threats to privacy and perhaps a sense of futility by some people over whether protecting privacy is possible, what I see is a growth and maturation of privacy law. Privacy law still has a long way to go, but it has already come a long way. Although I am generally cynical and recognize that the challenges facing privacy are immense and incredibly complicated, I nevertheless look to 2014 with a surprising sense of optimism.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is an “LinkedIn Influencer.” His blog has more than 600,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter
Please join one or more of Professor Solove’s LinkedIn Discussion Groups:
* Privacy and Data Security
* HIPAA Privacy & Security
* Education Privacy and Data Security