Privacy Project Phase IV

Home , Jaiku, Sevenload, Susan Wagner

International Association of Defense Counsel The Joan Fullam Irick Privacy Project Phase IV

Social Media Surveillance

Warrantless Searches Using GPS Surveillance

Sealing your Settlement Agreement from the Public Eye

New Developments in PRC Privacy Laws

Privacy in the Face of New Forms of Electronic Communication

Biometrics and Privacy in Iraq

Signing Your Privacy Away?

Launching Australia’s Privacy Law into the 21st Century

Voyeurism in the Computer Age

The Privacy Implications of Arizona’s Immigration Law

Privacy and the MMSEA

Privacy Breach Notification under Canadian Privacy Law

Caution: What You Post Can Hurt You!

Massachusetts Strengthens Protection Requirements for Consumer Information

Confidentiality Concerns Surrounding Outsourcing

The Judgment of Google

How Companies Should Navigate Foreign Privacy Laws

Revisiting the Apex Doctrine The Foundation of the International Association International Association of Defense Counsel of Defense Counsel

303 West Madison, Suite 925 Chicago, IL 60606 USA p 312.368.1494 f 312.368.1854 e-mail [email protected] www.iadclaw.org The Joan Fullam Irick Privacy Project, Phase IV

Dedication

We dedicate Phase IV of The Privacy Project to the legacy and memory of Joan Fullam Irick, the beloved former Presi- dent of the IADC.

For those of you who did not have the privilege of knowing Joan and her passion for the IADC Privacy Project, we offer this brief history as so aptly described in the Dedication in Phase II just months after Joan’s untimely passing.

This Volume and its earlier companion (published in Janu- ary 2003) originated from Joan Fullam Irick’s deeply held belief that the very concept of privacy faced challenges on many fronts, in the legislature, in the workplace, and in the courts.

Joan’s passion for privacy-related issues led her to devote much of her term as President of the IADC to scrutinizing the many ways that our privacy is being invaded. At her urging, The Foundation of the IADC undertook preparations of scholarly papers analyzing the current state of privacy and anticipating future issues in the area.

Throughout the process that produced these volumes, Joan’s commitment to the issues imbued all of us with the desire to create a body of high-level, intellectually rigorous white papers that could be used in many disciplines to continue explora- tion of privacy issues on both the national and international scene, and the foreseeable future of privacy in the individual and corporate worlds.

As 2010-2011 IADC President, Joe Ryan considers Phase IV of The Privacy Proj- ect one of his primary initiatives and one that will allow us to share Joan’s wonder- ful legacy with this great organization. In recognition of her commitment to the IADC and the privacy interests of all, we dedicate this undertaking to the memory of Joan Fullam Irick.

Editors

Joseph E. O’Neil, Robert A. Curley, Deborah G. Cole, Tom Finarelli, and Ste- phen F. McKinney

The Joan Fullam Irick Privacy Project, Phase IV

“The fantastic advances in the field of electronic communication constitute a greater danger to the privacy of the individual.”

- Earl Warren, Chief Justice of the United States Supreme Court, 1963

In 2001, Joan Irick proposed a new project for the Institute of the IADC Foun- dation. Joan’s idea was to create a body of high-level, intellectually rigorous articles exploring national and international privacy issues. The IADC Executive Committee heartily endorsed Joan’s proposal to explore this vital area of law. The Foundation Board agreed and The Privacy Project was born, a reflection of Joan’s deeply held belief that the very concept of privacy faces ongoing challenges on many fronts, in the legislature, in the workplace, and in the courts. At Joan’s urging, a number of authors prepared scholarly papers analyzing the state of privacy and the future of this cherished right.

In January 2003, Phase I of The Privacy Project was published as a dedicated issue of the IADC Defense Counsel Journal. It received immediate and positive commentary and critique from many IADC members. With the support of then IADC President Irick, Phase II went to print in January 2004 – several months after Joan’s untimely passing. Phase II explored evolving areas of concern in the world of privacy while revisiting and updating earlier issues. Three years later, in 2007, Phase III of The Privacy Project was published to once again address ever emerging and significant privacy issues.

Chief Justice Warren’s words are now almost 50 years old, and we can only wonder what he might think today. Phase IV of The Joan Fullam Irick Privacy Project offers a truly global look at emerging and significant privacy issues, from The Peoples Republic of China to Australia, from Italy to Canada and to the United States. This publication explores a wide range of privacy issues including social media, GPS surveillance, biometrics, protection of consumer information, and outsourcing of legal services abroad to name just a few. For the first time, the project includes two articles authored by long-time IADC members and their children who were recently admitted to the practice of law.

The Privacy Project editorial team thanks the authors for their commitment and dedication to this endeavor. The talent and dedication of these individuals form the cornerstone of this publication. The editorial team also wishes to thank Bob Greenlee, Elizabeth Okoro, and Mary Beth Kurzak of the IADC staff, whose efforts made this project possible, and the IADC Foundation for its support.

Table of Contents

Social Media Surveillance: Now the Boss Knows What You Did Last Summer . . . and She Has Some Questions By Lana Varney and Kimberley King ...... 7

Warrantless Searches Using GPS Surveillance and the Role of the Fourth Amendment By George S. Hodges and Kelly A. Hodges...... 28

Sealing your Settlement Agreement from the Public Eye By Christopher R. Christensen and Evan M. Kwarta...... 40

New Developments in PRC Privacy Laws following the First “Cyber Manhunt” Cases By Ariel Ye and David Gu...... 50

Crispin v. Christian Audigier, Inc.: The Struggle to Maintain Privacy in the Face of New Forms of Electronic Communication By Nichole Cohen, M. King Hill and Craig A. Thompson...... 61

United States National Security: Biometrics and Privacy in Iraq By Leta Gorman and John Spomer...... 70

Signing Your Privacy Away? Privacy in the Petition Process By Lauren A. Shurman, Monica S. Call and John A. Anderson...... 82

The Ambiguous “Right To Privacy”: Launching Australia’s Privacy Law into the 21st Century By Caroline Bush, S. Stuart Clark and Amanda Graham...... 103

Voyeurism in the Computer Age: A School District’s Experience By Basil A. DiSipio, John J. Bateman and Lorraine B. McGlynn...... 114

The Privacy Implications and Legal Footing of Arizona’s Immigration Law: S.B. 1070 By Steven J. Strawbridge and Bryan S. Strawbridge...... 119

Privacy Implications Associated with Medicare Secondary Payer Act and the 2007 Medicare, Medicaid and S-CHIP Extension Act Reporting Requirements (Privacy and the MMSEA) By Tamela J. White and Allison N. Carroll...... 128 Privacy Breach Notification under Canadian Privacy Law – Case Studies for Understanding an Emerging Regime By John P. Beardwood and Gabriel M. A. Stern...... 140

Caution: What You Post Can Hurt You! By Robert E. Baugh...... 153

A Sign of the Times: Massachusetts Strengthens Protection Requirements for Consumer Information By Edward A. Kendall and Robert A. Curley...... 164

Outsourcing Privacy: Confidentiality Concerns Surrounding Sending Legal Services Overseas By Amy Sherry Fischer and Lindsey Parke...... 171

The Judgment of Google By Valerio Vallefuoco...... 180

Privacy Please: How Companies Should Navigate Strict Foreign Privacy Laws in Today’s Global Economy By Kyle Dreyer, Wendy May and Joy Tull...... 188

Revisiting the Apex Doctrine By Christopher R. Christensen and Justin M. Schmidt...... 200

Privacy Project Editors Joseph E. O’Neil The Foundation Robert A. Curley of the International Association Deborah G. Cole International Association of Defense Counsel Tom Finarelli of Defense Counsel Stephen F. McKinney

Copyright ©2011 by the International Association of Defense Counsel (IADC) and The Foundation of the International Association of Defense Counsel (Foundation). The Privacy Project is a forum for the publication of topical and scholarly writings on the law, its development and reform, and on the practice of law, particularly from the viewpoint of the practitioner and litigator in the civil defense and insurance fields. The opinions and positions stated in signed material are those of the author and not by the fact of publication necessarily those of the IADC and the Foundation. Material accepted for publication becomes property of the IADC and Founda- tion, and will be copyrighted as work for hire. Contributing authors are requested and expected to disclose any financial, economic or professional interests or affiliations that may have influenced positions taken or advocated in the efforts. Social Media Surveillance: Now the Boss Knows What You Did Last Summer…and She Has Some Questions

By Lana Varney and Lana Varney is a partner with Kimberly King Fulbright & Jaworski L.L.P. in Austin, Texas. Her practice involves handling complex litigation in both federal and OCIAL media may be the antithesis state courts throughout the United States, S of privacy. After all, it’s called emphasizing pharmaceuticals and “social” media because its users intend medical device litigation, including for their postings to be viewed by people defending multi--district federal in their social screen world. While social litigation, class actions, product liability media arguably diminishes the user’s claims, mass tort claims and personal expectation of privacy, some ancient and injury matters. Lana frequently lectures persistent vestiges of privacy concepts on Social Media, Electronic Discovery linger over social media postings. and Litigation Avoidance Practices. For the workplace, social media has Kimberly King is an associate with become a window for employers to see Fulbright & Jaworski L.L.P. in Austin, inside their employees’ personal, and not Texas. Kimberly practices labor and so personal, lives. Employers who want employment law and handles matters at to track employees’ (or potential the administrative, trial and appellate employees’) use of social media, and act level. on what they see, are challenging whether the traditional legal concepts for information in an unlawfully protecting privacy should attach to users discriminatory, retaliatory, or other of social media. prohibited manner. Technology continues to outpace the law that governs it. As a result, case law I. What is Social Media? in the United States is sparse as to the rights and limitations of an employer who A. Current Tools and seeks to monitor its employees’ social Technologies media activities. Generally, employers may monitor an employee’s social media “Social media” has been defined as use and make employment decisions “an umbrella term for social interaction based upon the content of the employee’s using technology (such as the Internet or online website or profile. But employers cell phones) with any combination of must be cautious with social media words, pictures, video, or audio.”1 In the monitoring, especially in two main areas: beginning, the Internet, or Web 1.0, was (1) that the employer obtained the social “read only.” Now, Web 2.0 sites are media information properly and (2) that “interactive and visitors can the employer does not use the obtained communicate, collaborate, and socialize with the web host and each other. Users Page 8 THE PRIVACY PROJECT IV – 2011 can share pictures, video, music, articles, the significant impact social media can or other user-generated content.”2 have on the marketplace. Social media is appealing to big and small businesses alike. Indeed, credible B. Most Commonly Used Social companies are increasingly turning to Media Sites social media both to develop a customer base and to build or maintain brand As social media continues to grow 3 reputation. Many statistics now available and evolve, the ability to reach more allow companies to track social media consumers globally continues to increase. usage and effectiveness worldwide. Here Twitter, for example, now reaches Japan, are some recent examples: Indonesia, and Mexico, among other markets. This helps companies advertise • 11% of all time spent online in in multiple languages and reach a broader the U.S. is spent on social range of consumers. 4 networking sites. One of the ways social media is able • Up from 13.8% in 2008, over to grow and evolve is through its variety. 25% of U.S. Internet page views Social media takes on a myriad of forms, occurred at one of the top social including these, which every international networking sites in December company, their CEOs and consumers are 2009.5 using, or are about to use: • In the U.S., 234 million people age 13 and older used mobile 1. Blogs (e.g., Blogger, LiveJournal, devices in December 2009 Open Diary, WordPress, Type alone.6 Pad, Vox, Xanga): Blogs are • Linkedln has over 75 million regularly updated websites (i.e., users.7 Twitter now has more the entries are in reverse than 190 million users, processes chronological order with the approximately 65 million Tweets newest entry at the top) that per day, and registers over typically combine text, graphics 330,000 new users per day.8 or video, and links to other • As of April 2010, an estimated sites.11 Blogs are often informal, 41.6% of the U.S. population taking on the tone of a diary or had a Facebook account.9 journal entry. There are blogs of • With a population of over 550 all sorts, ranging from very million users, roughly one personal to providing twelfth of the world’s mainstream news updates. Blogs population, Facebook would also encourage interactive rank as the world’s third largest dialogue with followers by country, behind only China and allowing readers to leave 12 India.10 comments. 2. Microblogging / Presence Given these statistics, more and more applications (e.g., Twitter, companies are compelled to take notice of Yammer, Jaiku, Plurk, Tumblr, Social Media Surveillance Page 9

Posterous): Microblogs are 5. Online video share (e.g., comprised of extremely short YouTube, Blip.tv, Vimeo, written blog posts, similar to text Viddler, sevenload, Zideo): messages. Twitter is an example Video sharing allows individuals of a microblog service that lets to upload video clips to an users broadcast short messages, Internet website. The website’s up to 140 characters long video host will then store the (“Tweets”), using computers or video on its server and show the mobile phones.13 individual different types of 3. Podcasts (e.g., audio sharing): codes to allow other users on the Podcasts (from a blend of “iPod” site to view or comment on the and “broadcast”) are audio or posted video.17 video files that users can listen 6. Widgets: Allegedly short for to or watch on their computers “window gadget,” a widget is a or portable media devices. graphic control on a website that Podcasts are usually short and allows the user to interact with it often free, and users can in some way. Widgets can be subscribe via their computers or easily posted on multiple portable media devices to websites, often have the added receive new podcasts benefit of hosting “live” content, automatically.14 and typically take the form of 4. Social networks and online on-screen tools (e.g., daily communities (e.g., Facebook, weather updates, clocks, event MySpace, LinkedIn, Friendster, countdowns, stock market Sermo, Ning, Orkut, Skyrock, tickers, flight arrival and Ozone, Xing, Bebo): Social departure information, etc.).18 networks are online communities 7. Wikis (e.g., Wikipedia, that allow users to connect and Medpedia, Wetpaint, PBworks): exchange information with Wikis, derived from the clients, colleagues, family and Hawaiian word for “fast,” friends who share common feature technology that creates interests.15 In many social access to webpages where users networks, users create profiles are encouraged to contribute to and then invite people to join as and modify the existing “friends.” There are many content.19 A wiki site can be different types of social either open or closed, depending networks and online on the preferences of its communities, many of which are community of users. An open free. The sites typically range wiki site allows all site users to from general use to those make changes and view content, targeted for a specific while a closed wiki only allows demographic or area of community members to edit and interest.16 view content.20 Page 10 THE PRIVACY PROJECT IV – 2011

via their corporate networks.29 These C. Current Trends in Corporate technologies, however, are difficult to Use of Social Media Sites control and can be easily accessed outside of corporate networks. Consequently, Just a few years ago, commentators companies and executives face difficult pondered if corporations would adopt and issues regarding how to handle the use of use social media tools. Today, the only social media, both in and outside of question is how much do they use them. company time. According to Fulbright & Jaworski L.L.P.’s 2010 Litigation Trends Survey, IV. The Use of Surveillance Software approximately one fourth of surveyed by U.S. Employers companies reported using LinkedIn in pursuit of a business purpose.21 Others A. Increased Use Due to reported use of Twitter and/or Increased Awareness of Social Facebook.22 Another recent survey found Responsibility, Corporate that 91% of “Inc. 500” companies are Governance, and Compliance reporting use, both internally and for Guidelines business purposes, of at least one social 23 media site. Surveyed companies There is a burgeoning “cottage” overwhelmingly responded that social industry of surveillance software media has been successful for their providers. The technology, while 24 businesses. For example, every social originally primitive and limited in media tool studied enjoys at least an 82% availability, has advanced in its 25 success level with business users. sophistication dramatically in the past Measuring success was determined as five years. Moreover, the multiple uses improving their communications for the collected data have inspired the approach, building internal knowledge, development of software with more improving marketing and sales, and precise findings. This in turn has brought guaranteeing long-term sustainability and the price-point for such software into the 26 growth. reach of many more companies. In August 2009, a research study Social media monitoring software is found that 81% of senior management, perhaps the fastest growing category of marketing, and human resources surveillance tools. Many companies executives of companies view social embrace the technology to gain, media as a valuable tool to build their competitive business intelligence and company’s brand and to enhance attempt reputation management. Vendors 27 relationships with customers. However, of social media surveillance software the study also found that an equal represent, for example, that the software number, 81%, view social media as a can identify online postings to determine 28 corporate security risk. For that reason such things as where conversations about many organizations do not allow their products occur most often, or how applications like Facebook, Twitter, much their products are being discussed Linkedln, etc., to be used by employees versus those of a competitor. Many of Social Media Surveillance Page 11 these monitoring tools are available as applications “deployed discretely on PCs Software as a Service (SaaS) over the in an organization” with monitoring internet, making it easy for companies to managed from a centralized location. The access and deploy them. difference is where the employer has Some corporations are now turning “access” to the employees’ activities – at their surveillance software to monitoring the network level or at the end point –and internal company activity. Companies are the ability to control their seeking employee monitoring software communications, computer applications applications designed to prevent and online activities (not just the employee theft and data leakage, and to information that flows over the network). eliminate inappropriate online activities. Some of the surveillance software Many software surveillance companies purveyors represent they can monitor pitch their surveillance software to employees’ social media activities even corporations offering “the ability to from devices like mobile phones, not monitor the social networking necessarily provided by the company to communications of their employees” on the employee.33 all major social networks such as Facebook and Twitter.30 Customers are C. Basic and Inexpensive told, for example, the software “provides Methods granular and real-time tracking to eliminate significant corporate risks” Employers can monitor social media related to: compliance issues, leakage of use by employees at little or no cost, sensitive information, HR issues, legal except for the personnel and work time exposure, brand damage and financial necessary to operate the on-line search impact.31 tools. Here are some examples:

B. Available Tools are More • Google Alerts – a content Sophisticated than Last Year’s monitoring service, offered by tools and the Innovation of the search engine company New Tools is Increasing Google, that automatically Exponentially notifies users when new content from news, web, blogs, video Like everything in the computer and/or discussion groups world, today’s technology will be matches a set of search terms outdated by the time you finish reading selected by the user. Alerts can this article. Surveillance software is no be created for each employee’s exception. Basic and inexpensive name. techniques have always been available. • Facebook Search – Facebook’s Automating the process via sophisticated own search features allows software that is installed at the network searches by specific names. level will make monitoring more Searches can be limited to only commonplace, say commentators.32 Some publicly posted status updates. surveillance software purveyors offer Page 12 THE PRIVACY PROJECT IV – 2011

The same application can search D. Mechanistic Methods Twitter conversations. • TweetDeck – an Adobe AIR Many vendors offer desktop application for Twitter, corporations the ability to Facebook, LinkedIn, Google monitor various aspects of their Buzz, Foursquare and MySpace. businesses via surveillance It allows real-time keyword software. These companies offer searches, and users can send and software which can monitor a receive tweets and view profiles. company’s business and • Yahoo Pipes – a web application competitive intelligence via from Yahoo! that provides a network and server monitoring, graphical user interface for website monitoring, and spy building data mashups software.34 (combinations of data from more than one Web data source into a Many vendors also offer corporations single integrated Web the ability to monitor the social application) that aggregates web networking communications of their feeds, web pages, and other employees. Some vendors promise services. The application works desktop-level visibility into employees’ by enabling users to “pipe” activities, and most currently available information from different software can: capture all keystrokes sources and then set up rules for typed, take screenshots of any computer how that content should be activity, monitor and read all employee modified (by an employee’s communications such as email and instant name, for example). message conversations, monitor and • Desk Tube – a desktop block software application use on a application that allows users to scheduled basis, monitor and filter browse and search YouTube Internet use on and off the company videos, and to access Twitter and network, monitor PCs that never connect Facebook accounts all from the to a network, screen all email attachments same location. for sensitive data, track documents to • Spokeo.com – a search engine follow all file use (deletions, renaming, and self-described “online USA moving, etc.), monitor removable media, phone book” that aggregates destroy data remotely, and locate and 35 people-related information from recover stolen computers. purportedly public sources, including phone directories, social networks, marketing surveys, mailing lists, government censuses, real estate listings, and business websites.

Social Media Surveillance Page 13

V. Legal Considerations for reasonable extent, a secluded and private Monitoring Employee’s Social life, free from the prying eyes, ears and Media Activities publications of others.”41 This broad right can give rise to four, separate claims: (1) A. General Privacy Law unreasonable intrusion upon the seclusion Considerations When of another; (2) appropriation of the Monitoring Social Media Use other’s name or likeness; (3) unreasonable publicity given to the No United States statutes or other’s private life; or (4) publicity that unreasonably places the other in a false regulations specifically govern the 42 monitoring of employees’ social media light before the public. use. The Electronic Communications Electronic monitoring could most Privacy Act of 1986 (“ECPA”), which is conceivably give rise to the first of those, intended to provide individuals with some a claim of unreasonable intrusion upon privacy protection in their electronic seclusion. Such a claim could result in communications, has several exceptions liability if the defendant “intentionally that limit its ability to provide protection intrudes, physically or otherwise, upon in the workplace.36 Consequently, courts the solitude or seclusion of another or his seeking to address electronic monitoring private affairs or concerns” and such intrusion would be “highly offensive to a of employees must look to the awkwardly 43 fitting laws that more generally govern reasonable person.” For sure, “there is privacy rights and employment. no liability for the examination of a Although U.S. courts have long public record concerning the plaintiff. . . . recognized the right to privacy, the Nor is there liability for observing him or protections afforded by the U.S. even taking his photograph while he is Constitution address only government walking on the public highway, since he action, and so apply only to governmental is not then in seclusion, and his 37 appearance is public and open to the employees. Many states, however, 44 have extended certain privacy protections public eye.” In other words, the to non-governmental employees through defendant must have intruded into a state constitutions and statutes.38 private place. The same principle appears Moreover, a common law right of privacy to apply to one’s online activities. is recognized in the majority of the Intrusion into a private place is the American jurisdictions.39 In fact, the tort focus of the Stored Communications Act action for invasion of the right of privacy, (“SCA”) which has, perhaps, become the primary federal law used to regulate in one form or another, is currently 45 recognized in thirty-six states.40 Thus, social media monitoring. The SCA is designed to protect private, electronic while a legal analysis of the privacy rights 46 of public and private employees differs, communications. Specifically, the SCA the basic principles are very similar. makes it an offense to “intentionally In sum, the right of privacy protects access[ ] without authorization a facility against “interference with the interest of through which an electronic the individual in leading, to some communication service is provided . . . Page 14 THE PRIVACY PROJECT IV – 2011 and thereby obtain[ ] . . . access to a wire more I realize how much I despise or electronic communication while it is in Coalinga,” and then made several electronic storage in such system.”47 negative comments about the town and its Exceptions to SCA prohibitions include inhabitants. Someone forwarded the ode “conduct authorized . . . by a user of that to the editor of the local newspaper who, service with respect to a communication in turn, published it in the newspaper’s of or intended for that user.”48 But the letters section. The community reacted SCA was written before the advent of the violently to the ode, including death Internet and, as a result, “the existing threats and a shot at the home of statutory framework is ill-suited to Moreno’s family. As a result, Moreno and address modern forms of communication” her family filed suit against the like social media.49 newspaper, claiming public disclosure of Applying the applicable laws, a private facts. critical issue is whether an employee has Affirming the district court’s a reasonable expectation of privacy, and decision, the court of appeals held that the that is determined on a case-by-case plaintiffs could not state a cause of action basis. When evaluating a particular case, for invasion of privacy because the ode some primary considerations may was not private.51The court found include: whether the employee’s social Moreno’s publication of the ode on media profile or website is public or MySpace was an “affirmative act that private in nature, the employer’s social made her article available to any person media policy, and the terms and with a computer” and “no reasonable conditions of the social medium itself. person would have had an expectation of privacy regarding the published B. Privacy Expectations Will to material.”52 Moreno thus shows that a Some Extent Depend on the person who openly shares information on Whether the Employee’s a public social media site will likely have Profile or Website is Public or little ground to complain when the Private information is re-published. In contrast, when an employee When an individual maintains a maintains a private social media website, social media website that is accessible to he or she will likely receive some the general public, he or she cannot have protection. To that end, when an online a reasonable expectation of privacy with website or profile is truly private, an respect to the content of that site. In employer who uses improper means to Moreno v. Hanford Sentinel, Inc.,50 a gain access to such information may be California district court rejected an held liable. invasion of privacy claim based on A New Jersey jury, for example, information posted on a MySpace page. awarded two plaintiffs lost wages and The named plaintiff, Cynthia Moreno, punitive damages against an employer had posted her opinion about her found to have accessed a MySpace chat 53 hometown in an “Ode to Coalinga.” The group without authorization. The ode began by saying “the older I get, the plaintiffs, employees of a restaurant, had Social Media Surveillance Page 15 set up an invitation-only MySpace chat pilot’s website to be private.58 The pilot group. In the initial posting, one of the controlled access to his website by plaintiffs stated that the purpose of the requiring visitors to log in with a user group would be to “vent about any BS we name and password. He created a list of deal with [at work] without any outside fellow employees who were eligible to eyes spying in on us. This group is access the website. And he programmed entirely private, and can only be joined by the website to allow access only when a invitation.”54 After being shown the person clicked the “SUBMIT” button on website by another employee, a manager the screen, indicating acceptance of the requested the employee’s password to log terms and conditions that prohibited any onto the site. Based on the content member of management from viewing the viewed, the manager fired the employees website and prohibited users from who created the site. They responded by disclosing the website’s contents.59 bringing an action against the employer, Despite the pilot’s precautions, a asserting claims of wrongful termination, Hawaiian Airlines vice president was able invasion of privacy, and violations of to view the website. He did so by wiretapping statutes. obtaining permission from two employees Following the verdict, the court to use their names to gain access to the denied the employer’s motion for site. One or both of the employees had judgment as a matter of law and motion never logged onto the website to create an for a new tria1.55 The employer argued account. that there was no evidence an invited The court of appeals’ analysis of the member of the chat group did not pilot’s SCA claim is significant. authorize the manager to use her Hawaiian argued that it was exempt from password. The court rejected the liability under the SCA because Section argument, ruling the jury could 2701(c)(2) of the act allows a person to reasonably have inferred that the authorize a third party’s access to an employee’s purported authorization was electronic communication if the person is “coerced or provided under pressure.”56 (1) a “user” of the “service” and (2) the Such coercion would make her consent communication is “of or intended for that not voluntary. user.”60 The district court granted Similarly, in Konop v. Hawaiian summary judgment for Hawaiian, but the Airlines, Inc.,57 an airline pilot, who court of appeals reversed, finding that the created and maintained a website where plain language of Section 2701(c)(2) he posted bulletins criticizing his indicates that only a “user” of the service employer, was able to survive a motion can authorize a third party’s access to the for summary judgment. Alleging that communication.61 The statute defines Hawaiian Airlines, Inc. had viewed his “user” as one who (1) uses the electronic website without authorization, the pilot communications service and (2) is duly asserted state tort claims, as well as authorized by the provider of such service violations of the federal Wiretap Act, the to engage in such use.62 Finding no Stored Communications Act, and the evidence that the consenting employees Railway Labor Act. The court found the actually used the website, as opposed to Page 16 THE PRIVACY PROJECT IV – 2011 merely being eligible to use it, the court extend their analysis of employee privacy held that the Section 2701(c)(2) exception expectations for emails to employee did not apply.63 This decision shows not privacy expectations for social media. only that a court may recognize one’s Conversely, the argument can be made privacy when the person takes great steps that there are inherent differences to protect it, but also that employers between social media and email, and that cannot use unauthorized means to those differences substantially diminish monitor their employees. any privacy expectations for social media. It can be argued, for example, that social C. Privacy Expectations May media (unlike email) is specifically Depend on an Employer’s designed to reach a large number of Policies and Practices. people. Posting information on a social media site is not just like sending an The employer’s written policies and email. It is like sending a mass email. practices may also become important in In addition, it appears only two determining an employee’s privacy rights. states—Delaware and Connecticut— Courts are focusing on any evidence that require employers who engage in employers affirmatively took steps to electronic monitoring to give written 66 inform employees of policies or notice to their employees. The regulations that govern their social media Connecticut statute sets forth noteworthy use. Although courts are just starting to exceptions; it allows an employer to grapple with the impact of employer monitor without prior notice when “an policies on social media use, courts firmly employer has reasonable grounds to embrace using employer policies to believe that employees are engaged in determine the privacy expectations for conduct which (i) violates the law, (ii) employee emails.64 To measure privacy violates the legal rights of the employer expectations for employee emails, the or the employer’s employees, or (iii) court in In re Asia Global formed, and creates a hostile workplace environment, other courts have adopted, the following and (B) electronic monitoring may 67 test: (1) is there a corporate policy; (2) produce evidence of this misconduct.” does the company monitor employee Employers in the remaining 48 states can email use; (3) do third parties have a right argue that the absence of a statutory duty of access; and (4) did the company notify to provide notice of electronic monitoring the employee or did the employee know suggests an absence of privacy rights. about the use and monitoring policies?65 In any event, the analyses for While it can be anticipated courts determining an employee’s privacy rights reviewing privacy expectations related to will likely be fact specific, thus an social media will make similar analyses, employer’s policy and practice regarding the full value of any guidance by the social media will likely be analyzed to above factors is uncertain. A potentially evaluate whether an employee’s persuasive argument can be made that expectation to privacy is reasonable. social media is simply the next generation Consequently, prudent companies of electronic mail, and that courts should have come to adopt written social media Social Media Surveillance Page 17 polices to regulate their employees’ social of the individual and not the media activity.68 The following points, employer;69 and where appropriate, should be considered • A prohibition on “Friending” for inclusion in social media policies: members of management by non-management personnel, and • A clear statement that misuse of vice versa. social media can be grounds for discipline, up to and including D. Privacy Expectations May termination; Depend on the Terms and • A prohibition on disclosure of Conditions of the Social the employer’s confidential, Medium. trade secret or proprietary information; Social media sites do not “guarantee • A request that employees keep complete privacy,” so a court may company logos or trademarks off conclude that the employee or applicant their blogs and profiles and not cannot have a reasonable expectation of mention the company in privacy.70 In fact, Facebook’s privacy commentary; policy expressly states: • An instruction that employees not blog or post during business Risks inherent in sharing hours, unless for business information. Although we allow you purposes; to set privacy options that limit • A request that employees bring access to your information, please be work-related complaints to aware that no security measures are human resources before perfect or impenetrable. We cannot blogging or posting about such control the actions of other users complaints; with whom you share your • A prohibition on using company information. We cannot guarantee e-mail addresses to register for that only authorized persons will social media sites; view your information. We cannot • A prohibition on posting false ensure that information you share on information about the company Facebook will not become publicly or its employees; available. We are not responsible for • A general instruction that third party circumvention of any employees use good judgment privacy settings or security measures 71 and take personal and on Facebook . . . . professional responsibility for what they publish online; A New York Supreme Court recently • A demand that all employees relied upon the terms and conditions of with personal blogs that identify Facebook and MySpace to reject a personal injury plaintiff’s objection to the employer include a 72 disclaimer that the views production of material on those sites. expressed on the blog are those The defendant moved for an order Page 18 THE PRIVACY PROJECT IV – 2011 granting it access to the plaintiff’s current media profile or website when making and historical Facebook and MySpace employment decisions. This general rule, pages on the grounds that the plaintiff had however, is rife with limitations based in placed information on the sites that was general employment laws. inconsistent with her claims concerning the extent and nature of her injuries, A. Hiring especially her claims for loss of 73 enjoyment of life. Employers certainly use social media Ordering the plaintiff to grant the sites to vet job candidates. Perhaps the defendant access to her Facebook and most notable example of such vetting MySpace pages, the court relied, in part, occurred in March 2009 when an upon the policies of those sites. The court applicant offered a job by Cisco tweeted, noted that Facebook policy states “Cisco just offered me a job! Now I have “`Facebook is about sharing information to weigh the utility of a fatty paycheck with others” and that MySpace “is self- against the daily commute to San Jose described as an `online community’ and and hating the work.”77 Soon thereafter, a as a ‘global lifestyle portal that reaches Cisco employee posted this reply: “Who 74 millions of people around the world.’” is the hiring manager. I’m sure they As the court also pointed out, “MySpace would love to know that you will hate the warns users not to forget that their work. We here at Cisco are versed in the profiles and MySpace forums are public web.”78 spaces and Facebook’s privacy policy But use of social media information set[s] forth, inter alia, that: ‘You post during the hiring process may create User Content . . . on the Site at your own liability risks for employers. For instance, 75 risk . . . .’” Because neither Facebook an employer is still obligated to adhere to nor MySpace guarantees “complete civil rights laws. Title VII of the Civil privacy,” and because the plaintiff when Rights Act of 1964 (Title VII), as creating her accounts consented to the amended, prohibits employment sharing of her personal information, the discrimination based on race, color, court held that the plaintiff had no religion, gender and national origin.79 In legitimate reasonable expectation to addition, the Americans with Disabilities privacy. Finally, the court concluded that Act of 1990, as amended, prohibits “given the millions of users, . . . privacy discrimination on the basis of disability.80 is no longer grounded in reasonable Social media profiles often reflect expectations, but rather in . . . wishful personal attributes that qualify a person as 76 thinking.’” part of a protected group under these statutes. A profile may reveal an VI. Adverse Employment Actions applicant’s gender, race, national origin, Based on Social Media Activities religious beliefs, age, health problems, political affiliations, sexual orientation As a general rule, an employer is and even whether the person plans to allowed to consider information on an have children. Because an adverse applicant’s or current employee’s social employment action based on a person’s Social Media Surveillance Page 19 protected status is strictly prohibited FCRA. The FCRA provides the following whatever the source of the information, definitions: an employer monitoring social media should target only information relevant to • “The term ‘consumer report’ the applicant’s abilities and qualifications means any written, oral, or other for the particular job position. communication of any In addition to civil rights laws, social information by a consumer media inquiries may be subject to reporting agency bearing on a limitations by the Fair Credit Reporting consumer’s credit worthiness, Act (“FCRA”).81 The FCRA is designed credit standing, credit capacity, to protect the privacy of consumers’ character, general reputation, credit report information and to guarantee personal characteristics, or that the information supplied by credit mode of living which is used or reporting agencies is as accurate as expected to be used or collected possible.82 Sections 604, 606, and 615 of in whole or in part for the the FCRA help ensure that applicants or purpose of serving as a factor in current employees are not denied establishing the consumer’s employment opportunities due to eligibility for . . .employment inaccurate or incomplete consumer credit purposes;”84 and reports. Those sections thus set forth • “The term ‘investigative certain responsibilities of employers consumer report’ means a when using consumer credit reports to consumer report or portion hire new employees or evaluate current thereof in which information on employees for promotion, reassignment, a consumer’s character, general or retention. reputation, personal Under the FCRA, if an employer characteristics, or mode of living uses a third party service to conduct is obtained through personal certain types of background checks, the interviews with neighbors, employer must give prior notice of the friends, or associates of the check to the individual being consumer reported on or with investigated. Some states have enacted others with whom he is more restrictive “FCRA plus” laws, acquainted or who may have which require prior notice and consent knowledge concerning any such from the applicant even if the employer items of information.”85 does not use a third party to do the search.83 Because prior notice affords an So while the legislature and courts applicant time to remove offensive have not definitively found that social material before the search begins, it media monitoring triggers FCRA potentially defeats the purpose of a social protections, the above definitions media inquiry. certainly appear broad enough to include It is still unclear whether social reports of a consumer’s social media use. media profiles are covered under the

Page 20 THE PRIVACY PROJECT IV – 2011

B. Discipline and Discharge lawful, leisure-time activity, for which the employee receives no compensation and As with hiring, many employers have which is generally engaged in for disciplined or even discharged employees recreational purposes, including but not for inappropriate messages on social limited to sports, games, hobbies, media.86 Just recently, a math and science exercise, reading and the viewing of teacher was asked to resign after she television, movies and similar 91 complained on Facebook about her job, material.” Exceptions to these statutes describing students as “germ bags” and may apply, such as when the employer’s school parents as “snobby” and restrictions are related to a bona fide “arrogant.”87 Notably, the teacher occupational qualification, or are claimed that she had arranged her privacy necessary to avoid a conflict of interest 92 settings to limit her profile to selected with the employees’ responsibilities. friends, but Facebook later defaulted her These “off-duty activity” statutes settings to allow viewing by the wider may be implicated by social media in Facebook community.88 numerous ways. For example, the statutes While many employers have may certainly limit an employer’s ability similarly disciplined or discharged to terminate an employee who posts employees for comments or other photographs of himself smoking tobacco. postings on social media sites, such The broader statutes generally protecting employment actions could run afoul of “lawful conduct” or “recreational employment laws. For sure, the same activities” could also limit an employer’s civil rights laws and FCRA ability to hire, terminate, or make other considerations described above regarding employment decisions based on the hiring process also apply to current information gleaned from an employee’s employees. social media page. Indeed, in states In addition to those considerations, embracing broad off-duty activity several states prohibit employers from statutes, one could argue that taking adverse action against a current participating in social media sites, such as employee for engaging in lawful, conduct posting photographs on Facebook, while the employee is not at work. Such blogging, or even “tweeting” rants about statutes vary in scope. On one end of the a supervisor, is a “recreational activity” spectrum, several states protect a single, itself and that adverse employment specific activity—such as lawful tobacco actions based on such participation is use.89 On the other end, a few states— unlawfully discriminatory. But, if such such as California, New York, and participation creates a conflict of interest Colorado—protect all “lawful conduct with the employees’ responsibilities (e.g., occurring during nonworking hours away negatively impacts an employer’s from the employer’s premises.”90 In business interest, customer relations, particular, New York restricts employers product image, or coworkers’ rights), an from taking any adverse employment adverse action may be justified. action against employees engaged in Also, the National Labor Relations “recreational activities,” meaning “any Act (“NLRA”) makes it an unfair labor Social Media Surveillance Page 21 practice “to interfere with, restrain, or unlimited discretion to publicly criticize coerce employees in the exercise of the their employers under the protections of rights guaranteed in [Section 7 of the the NLRA. NLRA].”93 Section 7 sets forth several For example, in Endicott rights, including the right “to engage in . . Interconnect Technologies, Inc. v. NLRB, . concerted activities for the purpose of the court found that an employee’s online collective bargaining or other mutual aid communications were not protected under or protection.”94 The National Labor Section 7 as they were disloyal to his Relations Board (“NLRB”) has held that employer.97 As background, after an employer’s actions violate Section 7 if Endicott Interconnect Technologies those actions would “reasonably tend to (“EIT”) permanently laid off 200 chill employees” in the exercise of their employees, an employee (who kept his rights under the NLRA.95 job) was cited in a newspaper article, Recently, the NLRB announced its commenting on his disagreement with the plans to prosecute a complaint under layoff.98 In response, an EIT owner Section 7 against American Medical reprimanded the employee for his Response of Connecticut, regarding the comments. Thereafter, the employee termination of an employee who posted posted on a public website a message that negative remarks about her supervisor on included: “This business is being tanked her Facebook page.96 The matter began by a group of people that have no good when an employee was asked to prepare a ability to manage it. They will put it into report related to a customer’s complaint the dirt just like the companies of the about the employee’s work. The past. . . .”99 As a result, EIT discharged employee asked for union representation the employee.100 regarding the complaint, and the company The Endicott court found that the denied her request. The employee then employee’s communications were not posted a negative comment about her protected by Section 7 of the NLRA. The supervisor on her Facebook page, which court explained that an employee’s elicited responses from coworkers and led communication to a third party is deemed to further negative comments by the protected under Section 7 only if: (1) “it employee. As a result, the company fired is related to an ongoing labor dispute” the employee, citing violations of the and (2) “it is ‘not so disloyal, reckless or company’s internet policies, which maliciously untrue as to lose the Act’s prohibited employees from making protection.’”101 The court found the disparaging remarks about their employer employees’ communications were or supervisors. The NLRB determined “unquestionably detrimentally that the Facebook postings constituted disloyal.”102 Thus, the court concluded “protected concerted activity” under that EIT did not violate the Act when it Section 7 of the NLRA and that the discharged the employee. company’s internet policy was overly Similarly, in Sears Holdings, the broad. While the outcome of this matter is NLRB’s Office of General Counsel pending, previous guidance has made issued an opinion memorandum clear that employees do not have concluding an employer’s social media Page 22 THE PRIVACY PROJECT IV – 2011 policy did not violate Section 8(a)(1).103 employers should be mindful of them. In The employer had issued a social-media short, social media monitoring can policy regarding its employees’ use of provide an employer too much blogs, social networks, and other social information. A few issues social media media. The policy listed several subjects monitoring may raise include: employee that employees were not permitted to records retention; unlawful collection of discuss online. The union filed an unfair- health records; discrimination and labor-practice charge, alleging that the retaliation claims based on the failure to policy violated the NLRA. apply employment policies fairly; and In short, the Office of General expensive litigation discovery. Counsel concluded that the employer’s One of the main drawbacks to social policy did not violate the NLRA because media monitoring is that an employer it could not reasonably be interpreted in a may become more susceptible to claims way that would chill activity under where liability is based on the employer’s Section 7 of the NLRA.104 The knowledge of an employee’s memorandum explained that a review of a inappropriate conduct. For example, if an complained-of social media policy employee posts a discriminatory remark requires an evaluation of the policy as a about a co-worker on the employee’s whole, as “a rule’s context provides the Facebook page, an employer monitoring key to ‘reasonableness’ of a particular that page may be unable to successfully construction.”105 The general counsel claim lack of knowledge of the concluded that Sears’ policy against posting.107 Similarly, an employer can be “[d]isparagement of company’s . . . held vicariously liable for its employee’s executive leadership, employees, [or] defamatory statements. Again, if an strategy . . . “provided sufficient context employer acquires knowledge of the to preclude a reasonable employee from defamatory remark (by way of monitoring construing the rule as a limit on Section 7 or otherwise), it may be easier to impose conduct.”106 liability on the employer.108 To be clear, Given the decisions in Endicott and employers have no affirmative duty to Sears Holdings, an employee cannot use scrupulously police employees’ social Section 7 of the NLRA as a complete media activities. If, however, the shield from discipline or discharge. These employer in fact becomes aware of decisions also highlight the value of a inappropriate social media activity that clear social media policy. impacts the workplace, the employer must take appropriate action. Otherwise, C. Unintended Consequences of the employer may be perceived as Social Media Monitoring condoning the inappropriate activity.

An employer who chooses to monitor VII. Conclusion its employees’ social media activity may be subject to some unintended As employee use of social media consequences. While these consequences continues to increase, employers have a are beyond the scope of this article, lot of windows through which to see their Social Media Surveillance Page 23 employees. The technical ability to monitor social media is rapidly of-us-internet-users-on-facebook-27-on- improving. Not only are monitoring tools myspace/ (last visited Apr. 12, 2010). more sophisticated and accurate now than 5 Id. 6 they were a year ago, the innovation of Id. 7 new tools continues to increase About Us: Latest Linkedln Facts, exponentially. Linkedln.com, http://press.linkedin.com/about (last visited Dec. 15, 2010). Employers must, however, take care 8 “A Conversation with Dick Costolo, COO, to avoid the legal pitfalls in monitoring Twitter,” CM Summit, June 7-8, 2010, employee social media activities. Thus, available at http://cmsummit.com/Gallery. employers should consider all the 9 Roy Wells, 41.6% of the US Population Has circumstances of its social media a Facebook Account, Social Media Today, monitoring, including whether the means http://socialmediatoday.com/roywells1/15802 of obtaining information are proper and 0/416-us-population-has-facebook-account (last visited Jan. 15, 2011). authorized, whether the information is 10 public or private in nature, the type of Lev Grossman, Person of the Year 2010: Mark Zuckerberg, TIME, Dec. 15, 2010, information they choose to monitor and available at http://www.time.com/time/ whether the information is related to a specials/packages/article/0,28804,2036683_20 protected status under civil rights laws, 37183_2037185,00.html. Interestingly, and how the employee uses such Facebook is banned in China. April Rabkin, information to make employment The Facebooks of China, FAST COMPANY, Jan. decisions. 12, 2011, available at http://www.fast company.com/magazine/152/the-socialist- 1 networks.html. Debra L. Bruce, “Social Media 101 for 11 HHS Center for New Media, “Social Media Lawyers,” TEX. BAR J., Vol. 73, No. 3 186 101 Overview: The WHAT and the WHY,” (2010) 2 available at http://newmedia.hhs.gov/Social Id.; see also Alan J. Bojorquez & Damien Media101Overview06-29-09.pdf. Shores, Article: Open Government and the 12 Id. Net: Bringing Social Media Into the Light, 11 13 “Micro-Blogs,” Social Media Training, TEX. TECH. ADMIN. L.J. 45, 47 (2009) http://socialtraining. (explaining that social media is “‘the Wetpaint.com/page/Micro-Blogs (last visited democratization of information, transforming Jan 5, 2011). people from content readers into content 14 HHS Center for New Media, supra note 11. publishers.’”) (citation omitted). 15 3 Id. See Anthony L. Hall & Deanna C. 16 Id. Brinkerhoff, “Implementing an effective social 17 Id. media policy,” NEVADA EMPLOYMENT LAW 18 Id. LETTER Vol. 15, Issue 6, Mar. 2010 (noting 19 Id. that social media is “becoming an increasingly 20 Wikis, ”“Webcontent.gov, http://www.usa. common method of communication for gov/webcontent/technology/wikis.shtml (last companies and their employees”). 4 visited Apr. 12, 2010). Lee Ann Prescott, “54% of US Internet users 21 FULBRIGHT & JAWORSKI L.L.P., on Facebook, 27% on MySpace,” FULBRIGHT’S 7TH ANNUAL VENTUREBEAT, Feb. 10, 2010, LITIGATION TRENDS SURVEY REPORT http://digital.venturebeat.com/2010/02/10/54- 55 (2010), available at http://www.fulbright Page 24 THE PRIVACY PROJECT IV – 2011

.com/index.cfm?fuseaction=publications.Prem 30 E.g., Teneros Social Sentry, http:// iumDownloadDetailNew&pub_id=4665&site www.teneros.com/socialsentry/ (last visited _id =391&detail=yes. Jan. 5, 2011). 22 Id. 31 Id. 23 Tamara Schweitzer, “Study: Inc. 500 CEOs 32 See e.g., Joshua Brustein, Keeping a Closer Aggressively Use Social Media for Business,” Eye on Employees’ Social Networking, N.Y. INC., Nov. 25, 2009, http://www.inc.com TIMES (Mar. 26, 2010). /news/articles/2009/11/inc500-social-media- 33 See id. usage.html# (last visited Apr. 12, 2010), citing 34 See http://www.activitymonitoringsoft Nora Ganim Barnes, Ph.D. & Eric Mattson, ware.com/ (last visited Jan. 15, 2011) (listing Center for Marketing Research, “Social Media common vendors including but not limited to: in the 2009 Inc. 500: New Tools & New Spiceworks, FuseStats, WebCam Corp., Trends,” 2009, available at Advanced Spy, CompetitiveVision, Capturix, http://www.umassd.edu/cmr/studiesresearch/s Compete, F1exiSPY, Logaholic, SAP ocialmedia2009.pdf. Business Objects, and PhoneStealth). 24 Nora Ganim Barnes, Ph.D. & Eric Mattson, 35 See, e.g., http://www.interguardsoft Center for Marketing Research, “Social Media software.com/websense.asp (last visited Jan. in the 2009 Inc. 500: New Tools & New 15, 2011). Trends,” 2009, available at http://www. 36 For example, the act does not prevent access umassd.edu/cmr/studiesresearch/socialmedia2 to electronic communications by system 009.pdf. providers, which could include employers who 25 Id. provide the necessary electronic equipment or 26 “Social Media Research and Trends: Do network to their employees. See, e.g., U.S. v. Top Brands Adopt and Use Social Media McLaren, 957 F. Supp. 215 (M.D. Fla. 1997). Tools?” http://webcache.googleusecontent. 37 See e.g., City of Ontario, Cal. v. Quon, 130 com/search?q=cache:ruq3p- S.Ct. 2619, 2627-28 (2010) (“The Fourth 1Ku_oJ:www.mastemewmedia.org/social- Amendment applies as well when the media-research-and-trends-do-top-brands- Government acts in its capacity as an adopt-and-use-social- employer.”) (internal citation omitted); 15 mediai+Measuring+success+was+determined Causes of Action 2d 139 §§ 1-2 (Sept. 2010) +as+improving+their+communications+appro (“A § 1983 claim may also lie for violation of ach,+building+intemal+ the public employee’s implied constitutional knowledge,+improving+marketing+and+sales rights to privacy which have been interpreted +as+well+as+guaranteeing+longterm+sustaina by the United States Supreme Court as falling bility+and+grovvth.&cd=l&h1=en&ct=clnk& within the ‘penumbra’ of several gl=us (last visited Apr. 13, 2010). constitutional amendments (and as applied to 27 See Russell Herder & Ethos Business Law, the states through the Fourteenth “Social Media: Embracing the Opportunities, Amendment). A Section 1983 claim for Averting the Risks,” Aug. 2009, available at violation of the employee’s constitutional http://www.russell rights to privacy will not lie as against a herder.com/SocialMediaResearch/. private employer.”) 28 38 Id. E.g., CAL. CONST., ART. I, §1; ARIZ. CONST. 29 FULBRIGHT & JAWORSKI L.L.P., ART. II, §8, MONT. CONST. ART. II, §10, WASH. FULBRIGHT’S 6TH ANNUAL CONST. ART. I, §7. LITIGATION TRENDS SURVEY REPORT 39 82 Am. Jur. 2d Wrongful Discharge § 165 (2009), available at http://www.fulbright.com/ (July 2010); Restatement (Second) of Torts § litigationtrends06 652A, cmt. a (1977). Social Media Surveillance Page 25

40 Restatement (Second) of Torts § 652A, 51 Id. at 862-63. reporter’s n. (1977) (identifying a right to 52 Id. privacy in following states: Alabama, Alaska, 53 See Pietrylo v. Hillstone Rest. Group., No. Arizona, Arkansas, California, Connecticut, 06-5754, 2009 WL 3128420, *1 (D.N.J. Sept. Delaware, District of Columbia, Florida, 25, 2009) (not for publication). Georgia, Hawaii, Idaho, Illinois, Indiana, 54 Pietrylo v. Hillstone Rest. Group., No. 06- Iowa, Kansas, Kentucky, Louisiana, 5754, Order and Opinion denying Defendant’s Maryland, Michigan, Mississippi, Missouri, Motion for Reconsideration of this Court’s Montana, Nevada, New Hampshire, New July 24, 2008 Opinion and Order, which Mexico, New Jersey, North Carolina, Ohio, granted in part and denied in part Defendant’s Oregon, Pennsylvania, South Carolina, South Motion for Summary Judgment (Feb. 25, Dakota, Tennessee, Texas, and West 2008) (Doc. 31) (not for publication). Virginia). 55 Pietiylo, 2009 WL 3128420, at * 6. 41 Id. at cmt. b. 56 Id. at *3. 42 Restatement (Second) of Torts § 652A. 57 302 F.3d 868 (9th Cir. 2001). 43 Restatement (Second) of Torts § 652B. 58 Id. at 875, 876, n. 3. 44 Id. at cmt. c. 59 Id. at 876, n. 3. 45 18 U.S.C. §§ 2701-2711 (2000). In 1986, 60 18 U.S.C. § 2701(c)(2); See also Konop, Congress passed the Electronic 302 F.3d at 879. Communications Privacy Act (“ECPA”), Pub. 61 Konop, 302 F.3d at 880. L. No. 99-508, 100 Stat. 1848, to afford 62 18 U.S.C. § 2510(13). privacy protection to electronic 63 Konop, 302 F.3d at 880. communications. Title I of the ECPA 64 In re Asia Global Crossing, Ltd., 322 B.R. amended the federal Wiretap Act, 18 U.S.C. 247, 257 (Bankr. S.D.N.Y. 2005); Brown- §§ 2510-2522 (2000), which previously Criscuolo v. Wolfe, 601 F. Supp.2d 441, 449 addressed only wire and oral communications, (D. Conn. 2009); Gates v. Wheeler, No. A09- to also include electronic communications. S. 2355, 2010 WL 4721331, *6 (Minn. App. Rep. No. 99-541, at 3 (1986), reprinted in Nov. 23, 2010). 1986 U.S.C.C.A.N. 3555, 3557. Title II of the 65 In re Asia Global Crossing, Ltd., 322 B.R. ECPA created the Stored Communications at 257; see also Brown-Criscuolo, 601 F. Act (“SCA”), which was designed to Supp.2d at 449; Gates, 2010 WL 4721331, *6. 66 “address[ ] access to stored wire and electronic See CONN. GEN. STAT. ANN. § 31-48D(B)(1) communications and transactional records.” (2011); DEL. CODE. ANN. TIT. 19, § 705 (2011). 67 Id. CONN. GEN. STAT. ANN. § 31-48D(B)(1) 46 See S. Rep. No. 99-541, at 35-36, 1986 (2011). U.S.C.C.A.N. at 3599 (“This provision [the 68 See Matt Leonard, Lawsuits and PR SCA] addresses the growing problem of Nightmares: Why You Need a Social Media unauthorized persons deliberately gaining Policy, SOCIAL ENGINE J., Aug. 18, 2009 access to ... electronic or wire communications http://www.searchenginejournal.com/why- that are not intended to be available to the employees-need-social-media- public.”). guidelines/12588// (listing, among others, 47 18 U.S.C. § 2701(a)(1). social media policies of Dell, Intel, IBM, 48 18 U.S.C. § 2701(c)(2). Wells Fargo, Greteman Group, and Cisco); see 49 Konop v. Hawaiian Airlines, Inc., 302 F.3d also http://walmartstores.com/9179.aspx and 868 (9th Cir 2002), cert. denied 537 U.S. 1193 http://www.ibm.com/blogs/zz/en/guidelines.ht (2003) (mem). ml. 50 91 Cal. Rptr.3d 858 (Cal. Ct. App. 2009). Page 26 THE PRIVACY PROJECT IV – 2011

69 Renee M. Jackson, Social Media Permeate fairness, impartiality, and a respect for the the Employment Life Cycle, NAT’L L. J. (Jan. consumer’s right to privacy.” 83 11, 2010). E.g., CAL. CIV. CODE § 1785.20.5. 70 C.f. Romano v. Steelcase, Inc., 907 84 15 U.S.C. § 1681a(d) (Emphasis added). N.Y.S.2d 650 (N.Y. Sup. 2010) (holding 85 15 U.S.C. § 1681a(e) (Emphasis added). personal injury plaintiff had no reasonable 86 See Catharine Smith & Bianca Bosker, expectation of privacy for information shared Fired Over Twitter: 13 Tweets That Got through social media). People CANNED, HUFFINGTON POST (Sept. 71 Facebook’s Privacy Policy, Facebook.com, 14, 2010), http://www.facebook.com/policy.php (last http://www.huffingtonpost.com/2010/07/15/fir revised Dec. 22, 2010). ed-over-twittertweetsn_645884.html#s112801. 72 Romano, 907 N.Y.S.2d at 656-54. 87 Facebook Faux Pas Leads to Teacher 73 Id. at 651. Losing Job, CBSNews.com (Aug. 20, 2010) 74 Id. at 653-54 & nn. 1-3 (quoting Facebook available at http://www.cbsnews.com/ Principles, http://www.facebook.com/policy. stories/2010/08/20/earlyshow/main6789897.sh piph (last visited April 3, 2009); About Us, tml (last visited Jan. 15, 2011). Myspace.com/index.dfm?fuseaction=misc.abo 88 Id. 89 utus (last visited June 16, 2009); MySpace E.g., ARIZ. REV. STAT. ANN. § 36-601.01(f) Safety Highlights, (2011); CONN. GEN. STAT. ANN. § 31-40S http://www.myspace.com/index.cfm?frseactio (West 2011); LA REV. STAT. ANN. § 23:966 n=cms.veiwpageplacement=saftety (last (2011); MO. ANN. REV. STAT. § 290.145 (West visited June 18, 2009). 2011); NJ STAT. ANN. § 34:6B-1 (West 2011); 75 Id. at 656 & nn. 7-8 (quoting MySpace TENN. CODE ANN. § 50-1-304 (West 2011). 90 General Tips, http://www.myspace.com/ E.g., CAL. LAB. CODE §§ 96(k), 98.6 (West index.cfm?frseaction=cms.veiwpage&placeme 2011); Accord N.Y. LAB. LAW § 201-d nt=safety-pagetips (last visited June 18, 2009; (McKinney 2011); COLO. REV. STAT. §24-34- Facebook Principles-Effective as November 402.5 (2007). 91 26, 2008, http:www.facebook.com/policy.php N.Y. LAB LAW § 201-d (McKinney 2011). (last visited June 18, 2009). Colorado’s statute is slightly narrower than 76 Id. at 657& n. 9 (quoting Dana L. Flemming New York’s and California’s statutes; it only and Joseph M. Herlihy, Department: Heads protects employees from termination. Colo. Up: What Happens When the College Rumor Rev. Stat. §24-34-402.5 (2007). 92 Mill Goes OnLine? Privacy, Defamation and See N.Y. LAB. LAW § 201-d (McKinney Online Social Networking Sites, 53 B.B.J. 16 2011). (Jan./Feb. 2009)). 93 29 U.S.C. § 158(a)(1). 77 Samantha Rose Hunt, How to use 94 29 U.S.C. § 157. 95 technology wrong, TG DAILY (Mar. 18, 2009), Martin Luther Mem. Home, Inc, 326 NLRB http://www.tgdaily.com/trendwatch- 826 (1998). opinion/41777-how-to-use-technology-wrong. 96 Steven Greenhouse, Company Accused of 78 Id. Firing Over Facebook Post, N.Y. TIMES, 79 42 U.S.C. §§ 2000e-2000e-17 (2008). (November 8, 2010) http://www.nytimes.com 80 42 U.S.C. §§ 12101-12181 (2010). /2010/11/09/business/09facebook.html?_r=3& 81 15 U.S.C. §§ 1681-1681(v) (2000). adxnn1=1&adxnnlx=1289358911- 82 15 U.S.C. §§ 1681 (“There is a need to EgmLbp7Ie0cXnExZ5bY4yw. insure that consumer reporting agencies 97 453 F.3d. 532, 537-38 (D.C. Cir. 2006). exercise their grave responsibilities with 98 Id. at 533-34. 99 Id. at 534-35. Social Media Surveillance Page 27

100 Id. at 535. 101 Id. at 536-37 (citing NLRB v. Electrical Workers Local 1229, 346 U.S. 464 (1953) (other citations omitted). 102 Id. at 537. 103 Op. Gen. Counsel, N.L.R.B., No.18-CA- 19801, 2009 WL 5593880, *1 (Dec. 4, 2009). 104 Id. 105 Id. at *3. 106 Id. at *3-4. 107 See Blakey v. Cont’l Airlines, Inc., 751 A.2d 538, 542-43 (N.J. 2000) (The plaintiff sued her employer, alleging workplace discrimination in violation of Title VII of the 1964 Civil Rights Act, 42 U.S.C.A. § 2000e et seq. Several male employees, in response to the lawsuit, published messages about the plaintiff on an on-line electronic bulletin board used by employees. The plaintiff considered the messages as harassing, false and defamatory. The court held that the electronic bulletin board could be so closely related to workplace environment and beneficial to the employer that continuation of harassment on the bulletin board should be regarded as part of the workplace. The court also held that if the employer had notice that the co-employees were engaged in a pattern of retaliatory harassment towards plaintiff, the employer would have a duty to remedy that harassment). 108 See id. Warrantless Searches Using GPS Surveillance and the Role of the Fourth Amendment

By George S. Hodges and George Hodges is a partner with Kelly A. Hodges Hodges Walsh & Slater in White Plains, N.Y. He served as IADC “The right of the people to be secure in President (2004-2005). He their persons, houses, papers, and effects, concentrates his practice in the areas against unreasonable searches and of product liability, toxic tort, drug seizures, shall not be violated….”1 and medical devices and business litigation. “A person traveling in an automobile on Kelly Hodges is a 2010 graduate public thoroughfares has no reasonable of Virginia School of Law. She is expectation of privacy in his movements awaiting admission to the New York from one place to another.”2 State Bar and is associated with a New York City law firm. “The needs of law enforcement…are quickly making personal privacy a distant memory. 1984 may have come a bit later driveway without a warrant violated his than predicted, but it’s here at last.”3 Fourth Amendment rights. The lower court denied his motion to suppress. On th United States v. Pineda-Moreno4 appeal, the Court of Appeals for the 9 Circuit affirmed the lower court’s N THE spring of 2007 Juan Pineda- determination, holding that the Pineda- I Moreno, an Oregon resident, was Moreno did not have a “reasonable arrested by agents of the Federal Drug expectation of privacy” in and about his Enforcement Administration (“DEA”) driveway and that there had been no and subsequently indicted for several Fourth Amendment violation possible drug-related activities. Utilizing 5 a number of mobile tracking devices United States v. Maynard attached to his Jeep at various locations, DEA agents had continuously monitored In March 2007, Lawrence Maynard the activities of Pineda-Moreno and and Antoine Jones were indicted on a several companions over the course of the series of drug related charges. At trial, almost four months, eventually leading both individuals were convicted of the agents to a marijuana “grow site.” A distributing quantities of cocaine. Jones subsequent search of Pineda-Moreno’s appealed his conviction, arguing in part trailer located a large quantity of against evidence that had been gathered marijuana. At trial, Pineda-Moreno by a joint police task force that had sought to exclude any evidence obtained monitored his activities on a twenty- through use of the tracking device, four/seven basis for four weeks, utilizing claiming that attachment of the system to a GPS device that had been installed on his automobile while it was in his his car without a warrant. In considering, and ultimately rejecting, the findings of Warrantless Searches Using GPS Surveillance Page 29 the Ninth Circuit in Pineda-Moreno, the the surveillance of actual and/or District of Columbia Circuit Court of perceived criminals, the Supreme Appeals reversed the rulings of the trial Court has not reviewed the issue of court and the conviction of Jones, holding Fourth Amendment rights and that under United States v. Katz6 the use unreasonable searches and seizures for of the GPS device twenty-four hours a more than 25 years. When the issue of day over the course of a month police surveillance and subsequent arrest constituted a search because it defeated comes before the courts today, judges Jones’ reasonable expectation of privacy. turn for guidance to opinions on Thereby, such surveillance required a technology issued in an era when Pong warrant. was the computer game of choice, 8- tracks provided our musical entertainment I. Introduction and “beepers” were the newest and most modern tool of surveillance. Back then, Just as with virtually every other following the activities of individuals facet of our lives, continuing through devices was limited by the advancements in technology have created technology of the time to a battery a new set of rules in the centuries old operated radio transmitter sending out game of Cops v. (alleged) Bad Guys. Just periodic signals to a radio transmitter as the planning and carrying out of which required personal monitoring; complex criminal schemes has been today the use of global positioning significantly modernized in recent years systems “yields … a highly detailed through the use of internet sources, data profile, not simply of where we go, but by bases, etc., so too have police easy inference, of our associations – investigative procedures in the continuing political, religious, amicable and amorous effort to stay one step ahead of the to name only a few – and of the pattern of “perpetrators.” This article will explore our professional and vocational the now frequent use of Global pursuits.”7 Or, as Wikipedia so Positioning System devices (“GPS”) in succinctly defines the GPS system and its surveillance of the day-to-day (and often uses: “a space- based global navigation week-to-week or even month-to-month) satellite system … that provides reliable activities of individuals and whether location and time information in all privacy rights afforded by the Fourth weather and at all times and anywhere on Amendment to the U.S. Constitution are or near the Earth ….”8 Certainly today’s violated by such surveillance. The issue surveillance methods are a far cry from has been a major focal point in multiple the “beepers” considered and ruled upon federal and state court actions in recent by the Supreme Court in U.S. v. Knotts9 years, resulting in a significant division of and seemingly such systems are worthy opinions and approaches, particularly of modern review and reconsideration of among the judges of the Circuit Courts. Fourth Amendment issues. Despite the rash of decisions, articles, blogs and other discussions, the topic of the use of modern technology in Page 30 THE PRIVACY PROJECT IV – 2011

II. History As the Court's opinion states, "the Fourth Amendment protects people, The core foundation for the majority not places." The question, however, is of rulings on search and seizure issues in what protection it affords to those the past 40 years was the decision of the people. Generally, as here, the answer Supreme Court in Katz v. United States.10 to that question requires reference to Katz was charged with transmitting a "place." My understanding of the wagering information between states by rule that has emerged from prior telephone in violation of federal wire decisions is that there is a twofold communication statutes. Katz was requirement, first that a person has convicted primarily due to the admission exhibited an actual (subjective) into evidence “of telephonic expectation of privacy and, second, conversations, overheard by FBI agents that the expectation be one that who had attached an electronic listening society is prepared to recognize as and recording device to the outside of the "reasonable."13 public telephone booth from where he had placed his calls.”11 The Court of Justice Harlan further explained the Appeals for the Ninth Circuit had rejected expectations of privacy to which an the argument that use of electronic individual is entitled: listening and recording devices had violated the defendant’s Fourth “[T]hat one who occupies [a Amendment Rights. In finding that Katz telephone booth] shuts the door had been subjected to an unreasonable behind him, and pays the toll that search and seizure and reversing his permits him to place a call is surely conviction, the Supreme Court entitled to assume that his emphasized: conversation is not being intercepted.” Ante, at 352. The [T]he Fourth Amendment protects point is not that the booth is people, not places. What a person “accessible to the public” at other knowingly exposes to the public, times, ante, at 352, but that it is a even in his own home or office, is temporarily private place whose not a subject of Fourth Amendment momentary occupants’ expectation protection. But what he seeks to of freedom from intrusion are preserve as private, even in an area recognized as reasonable. Cf. Rios accessible to the public, may be v. United States, 364 U.S. 253.14 constitutionally protected.12 Some sixteen years after delivering Since the issuance of the decision in its opinion in Katz, the Supreme Court Katz, the most cited and relied upon considered an issue of more “discrete” portion of the opinion has been the “two surveillance and evidence gathering in prong test” set forth in Justice Harlan’s United States v. Knotts.15 The facts in concurring opinion: Knotts were relatively simple. Drug enforcement agents in Minnesota Warrantless Searches Using GPS Surveillance Page 31 believed that the defendants had in Smith v. Maryland17 and reaffirmed in manufactured a variety of controlled Knotts, substances and that, as part of this operation, large amounts of chemicals “Consistently with Katz, this Court used in manufacturing “illicit drugs” had uniformly has held that the been stolen and/or purchased from application of the Fourth various facilities. The agents installed a Amendment depends on whether the radio transmitting beeper into a five person invoking its protection can gallon container of chloroform, which claim a ‘justifiable,’ a `reasonable,' was then purchased by one of the or a `legitimate expectation of suspected drug manufacturers. Police privacy' that has been invaded by followed the individual with both visual government action. This inquiry, as surveillance and monitoring of the beeper Mr. Justice Harlan aptly noted in resulting eventually in the obtaining of a his Katz concurrence, normally warrant to search the premises where the embraces two discrete questions. surveillance beeper led them and the The first is whether the individual, eventual conviction of the individuals by his conduct, has `exhibited an involved. As the Supreme Court noted, actual (subjective) expectation of “[t]he Eighth Circuit reversed the privacy,' — whether, in the words of conviction, finding that the monitoring of the Katz majority, the individual has the beeper was prohibited by the Fourth shown that `he seeks to preserve Amendment because its use had violated [something] as private.' The second respondent’s reasonable expectation of question is whether the individual's privacy, and that all information arrived subjective expectation of privacy is after the location of the cabin was fruit of `one that society is prepared to the illegal beeper monitoring.”16 recognize as ‘reasonable,’ id., at 361 Upon review, the Supreme Court — whether, in the words of reversed the Eighth Circuit’s decision and the Katz majority, the individual's reinstated the conviction. Although the expectation, viewed objectively, is Court was unanimous in its holding, there `justifiable' under the were several separate opinions included circumstances.”18 within the decision, each of which would provide ample support and reasoning for The Court in Knotts reiterated the future diverse approaches to and opinions longstanding rule that “a person traveling on the use of surveillance equipment and in an automobile on public thoroughfares applicability of the Fourth Amendment. has no reasonable expectation of privacy Initially, in delivering the majority in his movements from one place to opinion, Justice Rehnquist reaffirmed the another,”19 emphasizing that visual court’s holding in Katz and, more surveillance in and of itself along the particularly the two “discreet questions” route of travel would have revealed the referred to in Justice Harlan’s concurring same facts to the police and that “nothing opinion. These principles were discussed in the Fourth Amendment prohibited the police from augmenting the sensory Page 32 THE PRIVACY PROJECT IV – 2011 faculties bestowed upon them at birth poster child of the “dragnet-type law with such enhancement as science and enforcement practices” envisioned by technology afforded them in this case.”20 Justice Rehnquist had become a reality. This is equally true as to the exterior In fact, the GPS has become a focal point or the undercarriage of a vehicle since for many, if not most, police surveillance “the undercarriage is part of the car’s efforts and, not surprisingly has resulted exterior, and as such, is not afforded a in a multitude of Fourth Amendment reasonable expectation of privacy.”21 related decisions in recent years in both Either intentionally or federal and state courts. unintentionally, Justice Rehnquist left open the possibility that the Court might A. United States v. Pineda- have to re-visit its finding in Knotts Moreno should technology improve so that “twenty-four hour surveillance of any As discussed in the introduction, citizen of this country will be possible, drug enforcement agents suspected without judicial knowledge or Pineda-Moreno and several of his supervision.”22 The court seemingly left companions to be marijuana growers the door open for future reconsideration, based on the observations of grocery stating, “[i]f such dragnet-type law purchases common to the manufacturing enforcement practices as respondent of illegal substances. On separate envisions should eventually occur, there occasions, DEA agents attached tracking will be time enough then to determine devices to the underside of Pineda- whether different constitutional principles Moreno’s vehicle. Four of the devices may be applicable.”23 were attached while the vehicle was However, the Court summarily parked on a public street in front of the rejected the inference by the respondent Pineda-Moreno home. One of the of impropriety on the part of the police in installations took place in a public making use of advances in technology as parking lot. The other two devices were a means of detecting crime stating that: installed while Pineda-Moreno’s car was “we have never equated police efficiency parked in his driveway, a few feet from with unconstitutionality, and we decline the side of his trailer. The information to do so now.”24 gathered from the mobile tracking devices over the course of more than four months III. Division Among the Courts in resulted in DEA agents pulling over the Recent Years car and the subsequent arrest of three individuals in the Jeep premised upon As the “beeper at the core of the “violations of immigration laws.”25 A Knotts was replaced by the GPS system grand jury later added counts of and other modern surveillance devices conspiracy to manufacture marijuana and and the methods and means of keeping manufacturing marijuana. Pineda- track of the daily, weekly and monthly Moreno eventually entered a conditional activities of suspects became more guilty plea but reserved the right to appeal sophisticated, it might be argued that the the denial of his motion to suppress use of Warrantless Searches Using GPS Surveillance Page 33 any evidence related to or emanating of the issue before the entire court. As from the use of the GPS devices. the petition “failed to receive a majority The crux of Pineda-Moreno’s of the votes of the non-recused active argument was directed to the installation Judges” it was denied in a simple three of the devices while his car was parked in paragraph decision.28 However, Chief the driveway adjacent to his home. The Judge Kozinski, along with four other court summarily rejected this argument, Judges, dissented from the denial of holding that: rehearing. In a strongly worded, often sarcastic and belittling dissenting opinion, In sum, Pineda-Moreno cannot show Chief Judge Kozinski criticized and that the agents invaded an area in rejected the original opinion of his which he possessed a reasonable colleagues finding that: expectation of privacy when they walked up his driveway and attached The needs of law enforcement, to the tracking device to his vehicle. which my colleagues seem inclined to Because the agents did not invade refuse nothing, are quickly making such an area, they conducted no personal privacy a distant memory. search, and Pineda-Moreno can 1984 may have come a bit later than assert no Fourth Amendment predicted, but it’s here at last.29 violation.26 The dissent relied quite heavily on In other words, since the defendant Justice Rehnquist reference to “twenty- had not supplemented his driveway with four hour surveillance” in Knotts and “special features” such as enclosures, “dragnet-type law enforcement barriers on the gates, “‘no trespassing” practices,”30 warning that: signs and “did not take steps to exclude passersby from his driveway,”27 he could I don’t think that most people in the not claim a reasonable expectation of United States would agree with the privacy in it, regardless of whether a panel that someone who leaves his portion of the driveway was located car parked in his driveway outside within the curtilage of his home. The the door of his home invites people logic that the nature and number of to crawl under it and attach a device embellishments and security devices to that will track the vehicle’s every the driveway somehow should determine movement and transmit that the applicability of the Fourth information to total strangers. There Amendment, became a focal point in an is something creepy and un- unsuccessful petition for rehearing en American about such clandestine banc several months later. and underhanded behavior.31 The three member Ninth Circuit panel that originally heard the appeal was Judge Kozinski seemed equally unanimous in its decision to deny Pineda- concerned with what the future might Moreno’s motion to suppress. The bring, warning that “[i]n determining defendant then petitioned for a rehearing whether the tracking devices used in Page 34 THE PRIVACY PROJECT IV – 2011

Pineda-Moreno’s case violate the Fourth warrant would be required in a case Amendment’s guarantee of personal involving “twenty-four hour surveillance” privacy, we may not shut our eyes to the and “dragnet-type law enforcement fact that they are just advance ripples to a practice.36 More specifically, Circuit tidal wave of technological assaults on Judge Ginsburg, writing the opinion for our privacy.”32 the unanimous panel, found: A petition for certiorari was filed in November 2010, asking the Supreme In short, Knotts held only that "[a] Court of the United States to review the person traveling in an automobile on Ninth Circuit’s decision.33 As of public thoroughfares has no publication the Supreme Court has not reasonable expectation of privacy in indicated whether it will grant certiorari. his movements from one place to another," not that such a person has B. United States v. Maynard no reasonable expectation of privacy in his movements whatsoever, world The applicable portions of the without end, as the Government decision in this matter actually apply to would have it.37 and resulted in reversal of a conviction of Antoine Jones, a co-defendant with The court specifically distinguished Lawrence Maynard. As with many of the the decision of the Ninth Circuit in decisions relating to searches and Pineda-Moreno pointing out that the other seizures, this case involved alleged matter the defendant had not argued - that narcotic violations and surveillance the prolonged surveillance by means of a methods utilized by the authorities. Jones monitoring device - constituted a search. argued that the police had violated the The court found a significant difference Fourth Amendment through between the use of the GPS device on a “unreasonable searches,” which involved twenty-four hour per day basis over an tracking his movement twenty-four hours extended period of time and “normal surveillance,” since no argument could be a day for four weeks with a GPS device made that each and every act or they had installed without a valid 34 movement of an individual could be warrant. More specifically, Jones recorded over the course of an entire argued that under the decision in Katz the month using routine surveillance: GPS device violated his “reasonable expectation of privacy” and that it Here the police used the GPS device constituted a search subject to the not to track Jones's "movements from reasonableness required by the Fourth one place to another," Knotts, 460 35 Amendment. U.S. at 281, but rather to track In agreeing with the substance of the Jones's movements twenty-four hours contentions raised on behalf of Jones, the a day for twenty-eight days as he circuit court found that the decision in moved among scores of places, Knotts was not controlling and pointed thereby discovering the totality and out the reservation by the Supreme Court pattern of his movements from place in Knotts of the question whether a to place to place.38

Warrantless Searches Using GPS Surveillance Page 35

Utilizing the two-prong test Finally, the Court in Maynard had discussed in Katz39 the court held that some “words of wisdom” for its brethren “[w]hether an expectation of privacy is in the other Circuit that disagreed with its reasonable depends in large part upon holding, stating, “[t]he federal circuits whether that expectation relates to that have held use of a GPS device is not information that has been ‘expose[d] to 40 a search were not alert to the distinction the public.’" The court thereafter held drawn in Knotts between short-term and that “the information the police prolonged surveillance ….”44 discovered in this case—the totality of As with the decision of the Ninth Jones's movements over the course of a Circuit in Pineda-Moreno, a request was month—was not exposed to the public.”41 filed (this time by the Justice Department) The court noted that “[i]n considering for a full Appeals Court to review the whether something is "exposed" to the issues in Maynard, but the Judges public as that term was used in Katz we 45 ask not what another person can declined to do so by a five to four vote. physically and may lawfully do but rather A petition for certiorari to the United States Supreme Court was filed, but what a reasonable person expects another 46 might actually do.”42 summarily denied. After an extensive discussion of the expectations of privacy to which an C. Other Recent Federal decisions individual is entitled, Justice Ginsburg found: The findings of the D.C. Circuit in Maynard certainly appear to be an Applying the foregoing analysis to exception to the holdings of the Federal the present facts, we hold the whole District Courts in recent years, most of of a person's movements over the which echo the holding in Pineda- course of a month is not actually Moreno that Knotts is applicable today exposed to the public because the and that modern tracking devices utilized likelihood a stranger would observe over extended periods do not constitute all those movements is not just fourth Amendment violations. remote, it is essentially nil. It is one thing for a passerby to observe or 47 • United States v. Jesus-Nunez even to follow someone during a

single journey as he goes to the market or returns home from work. It The defendant was a suspected drug is another thing entirely for that supplier. GPS systems were attached stranger to pick up the scent again the to his cars while parked on a public next day and the day after that, week street on two separate occasions. One in and week out, dogging his prey GPS was in place for approximately until he has identified all the places, eleven months, the other for people, amusements, and chores that approximately ten months. The make up that person's hitherto private systems tracked the date, time and routine.43 precise locations of each stop of the car. The court denied the motion to suppress the evidence obtained Page 36 THE PRIVACY PROJECT IV – 2011

through the GPS systems citing the the arrest of accused burglar driving decision in Knotts as being directly plaintiff’s vehicle. The court found on point. The opinion openly that the use of the GPS device was expressed concern for the duration of not an unreasonable search or seizure the GPS tracking and referenced in violation of the Fourth commentary of Justice Rehnquist’s in Amendment, relying heavily on the Knotts concerning twenty-four hour Supreme Court’s decision in Knotts. surveillance without knowledge or supervision. In seemingly calling for the Supreme Court to revisit this issue, District Judge Sylvia Rambo • United States v. Sparks51 stated that “the court does not believe that it is in the position to rewrite This decision constitutes perhaps the constitutional principles long most thorough and up-to-date established by the Supreme Court consideration of the issues arising because of the changing landscape of from the use of modern technology, technology. This is the province including GPS devices, and the either of Congress or the higher applicability of Katz and Knotts courts; it is this court’s duty to apply several decades later. Sparks precedent to the facts.”48 involved the attaching of a GPS device to Sparks’ vehicle, based on • United States v. Burton49 the FBI’s suspicion that Sparks had committed several bank robberies In accepting that Knotts was and planned to commit even further controlling, the court rejected the robberies. The device was affixed in contention of an accused drug dealer the early morning hours of the day that evidence obtained through the prior to a robbery while the car was use of GPS devices over an extended parked in an open air lot used by period of time should be precluded tenants of several multi-unit holding that there was no reasonable residential buildings. The court expectation of privacy so long as a utilized the two-prong test motor vehicle was being used on established in from Katz in public streets. determining whether the installation of the GPS device on the car and the • Morton v. Nassau County Police monitoring of the location of the car Department50 infringed upon reasonable expectations of privacy. After A civil action was brought pursuant finding that the FBI agents had not to 42 U.S.C. §1983. Morton claimed invaded any constitutionally damages from the placement of a protected area within Sparks’ GPS transmitter on her automobile dwelling or curtilage and restating and the subsequent tracking of the earlier decisions that motor vehicles vehicle, which ultimately resulted in are entitled to a significantly Warrantless Searches Using GPS Surveillance Page 37

diminished expectation of privacy, placed under electronic surveillance,” the court determined that “[b]ecause he was charged with burglary related Sparks had no reasonable expectation crimes and was eventually convicted of privacy either in the shared premised in part upon use of the data parking lot or in the exterior of his obtained from the GPS surveillance. vehicle, the placement of the GPS The Court of Appeals of New York device on the vehicle cannot be held that the search obtained through considered a search or seizure.”52 the GPS was illegal and reversed the The Court also rejected Sparks conviction. While emphasizing that argument “that the aggregate of his its findings were premised on state travels are entitled to more law rather than federal, the majority constitutional protection than his in the four-to-three decision individual trips,” stating that it was distinguished modern technology “unwilling, and unable, to extend the from that which the Supreme Court reach of the Fourth Amendment that discussed in Knotts: far.”53 Here, we are not presented with D. Recent State Court Decisions the use of a mere beeper to facilitate visual surveillance The use of modern tracking devices during any single trip. GPS is a has not been limited to federal vastly different and exponentially jurisdictions, but has also come up at more sophisticated and powerful discussion in multiple criminal cases technology that is easily and passing through the state courts. As a cheaply deployed and has general rule, the state courts have been virtually unlimited and more willing to limit and/or suppress the remarkably precise tracking use of GPS data obtained without a capability. Constant, relentless warrant. In many instances, those courts tracking of anything is now not have relied on the applicable state merely possible but entirely constitution, rather than the U.S. practicable, indeed much more Constitution, as the basis for the practicable than the surveillance protection against warrantless searches. conducted in Knotts.55

• People v. Weaver54 • Foltz v. Commonwealth56

A GPS tracking device had been David Foltz was a registered sex placed underneath a street-parked offender on probation who was van and remained in place for 65 suspected by the police in a series of days constantly monitoring the sexual assaults. Based on the position of the van. No warrant had location of a series of sexual assaults been obtained for use of the GPS in the vicinity of where Foltz was surveillance while “it is not clear employed, the police attached a GPS from the record why defendant was system to one of his work vehicles Page 38 THE PRIVACY PROJECT IV – 2011

without a warrant and without of governmental intrusion that occurs permission from the employer. After when a GPS device is attached to a another sexual assault took place, the citizen’s vehicle regardless of police checked the GPS log and reduced privacy expectations due to found that Foltz’s vehicle had been advances in technology” and that a parked a short distance from the warrant is required for installation of scene of the attack at the time it GPS devices.59 Unfortunately, this occurred. The police then began a was the extent of the good news for visual observation of Foltz and Jackson, as the court also found that caught him in the act of assaulting the police had obtained valid another victim. At trial, Foltz moved warrants premised upon appropriate to suppress all evidence collected affidavits and that the evidence after the police began to track him obtained from the GPS systems was via the GPS system. In denying the appropriate. Although it created a motion to suppress, the court great deal of positive language to be recognized the warnings in Knotts used by others, Jackson’s conviction about “dragnets” and “mass and sentence were affirmed. surveillance” but found them 1 inapplicable to the facts in this case. U.S. CONST. amend. IV. The court did apply a two-prong Katz 2 United States v. Knotts, 460 U.S. 276, 281 test but found that defendant failed (1983). 3 both parts since there was no U.S. v. Pineda-Moreno, 591 F.3d 1212 (9th subjective expectation of privacy in Cir. 2010), rehearing en banc denied, 617 driving a work van down the street F.3d 1120, 1121(9th Cir. 2010) (Kozinski, J, dissenting). and no reasonable expectation of 4 591 F.3d 1212 (9th Cir. 2010). privacy for vehicles on public streets. 5 615 F.3d 544 (D.C. Cir. 2010). The Court of Appeals of Virginia 6 389 U.S. 347 (1967). soon after ruled that it would rehear 7 People v. Weaver, 909 N.E.2d 1194, 1199 the case en banc and the mandate (N.Y. 2009). entered by the panel of judges was 8 Global Positioning System, Wikipedia, stayed pending the full court’s http://en.wikipedia. org/wiki/Gps (last visited ruling.57 Dec. 20, 2010). 9 460 U.S. 276 (1983). 10 58 389 U.S. 347 (1967). • State v. Jackson 11 Id. at 348. 12 Id. at 352 (citations omitted). The court discussed at length why the 13 Id. at 361 (Harlan, J., concurring). use of a GPS device to monitor 14 Id. Jackson’s activities did not equate to 15 460 U.S. 276 (1983). merely following him on the road 16 Id. at 279-80. 17 442 U.S. 735 (1979). and how the GPS device constituted 18 a significant intrusion into private 460 U.S. at 280-81 (quoting Smith v. affairs. Since “citizens of this State Maryland, 442 U.S. 735, 740-41 (1979)) (citations omitted). have a right to be free from the type 19 Id. at 281. Warrantless Searches Using GPS Surveillance Page 39

20 Id. at 282. 50 No.05-CV-4000 (SJF) (AKT), 2007 WL 21 United States v. Rascon-Ortiz, 994 F.2d 4264569 (E.D.N.Y. Nov. 27, 2007). 749, 754 (10th Cir. 1993). 51 No. 10-10067-WGY, 2010 WL 4595522 22 460 U.S. at 283 (citing brief for the (D. Mass. Nov. 10. 2010). respondent). 52 Id. at *6. 23 Id. at 284. 53 Id. at *8. 24 Id. 54 909 N.E.2d 1194 (N.Y. 2009). 25 591 F.3d 1212, 1214 (9th Cir. 2010). 55 Id. at 1199. 26 Id. at 1215 (citations omitted). 56 698 S.E.2d 281 (Va. Ct. App. 2010). 27 Id. 57 699 S.E.2d 522 (Va. Ct. App. 2010). 28 United States v. Pineda-Moreno, 617 F.3d 58 76 P.3d 217 (Wash. 2003). 1120, 1120-21 (9th Cir. 2010). 59 Id. at 24. 29 Id. at 1121 (Kozinski, J., dissenting). 30 460 US at 284. 31 Id. at 1126. 32 Id. at 1125. 33 United States v. Pineda-Moreno, 591 F.3d 1212, petition for cert. filed sub nom., No. 10- 7515 (U.S. Nov. 10, 2010). 34 United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010). 35 Id. at 555. 36 Id. at 556 (quoting United States v. Knotts, 460 U.S. 276, 284 (1983)). 37 Id. at 557 (citations omitted). 38 Id. at 558. 39 289 U.S. 351, 361 (1967) (Harlan, J., concurring). 40 615 F.3d at 558 (quoting Katz, 289 U.S. at 351). 41 615 F.3d at 558. 42 Id. at 559. 43 Id. at 560. 44 Id. at 564. 45 United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), rehearing en banc denied sub nom., United States v. Jones, 625 F.3d 766 (D.C. Cir. 2010). 46 United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), cert. denied sub nom., Maynard v. United States, No. 10-7102, 2010 WL 4156203 (Nov. 29, 2010). 47 No. 1:10-CR-00017-01, 2010 WL 2991229 (M.D. Pa. July 27, 2010). 48 Id. at *4. 49 698 F. Supp.2d 1303 (N.D. Fla. 2010). Sealing Your Settlement Agreement from the Public Eye

By Christopher R. Christensen Christopher R. Christensen is a and Evan M. Kwarta partner with Condon & Forsyth LLP in New York City. He concentrates his N TWO previous editions of the practice in the areas of complex aviation, IADC Privacy Project, William B. product liability and commercial CrowI examined how and when settlement litigation. agreements that require court approval Evan M. Kwarta is an associate who can be kept under seal. In 2004, Mr. works in the same practice group. Crow examined the arguments in favor of, and in opposition to, sealing agreements has become even stronger. settlement agreements, as well as specific This article focuses on forums that efforts by certain jurisdictions to prevent embrace the movement against settlement agreements from being filed confidentiality, and examines recent under seal (hereinafter “Crow I”). In exemplary cases, including the success of 2007, Mr. Crow examined a variety of arguments commonly made in support of hypotheticals involving sealed settlement motions to seal settlement agreements. agreements, and the legal and ethical considerations attorneys must confront I. Additional Forums that Disfavor when attempting to shield settlement Sealed Settlement Agreements agreements from the public eye (hereinafter “Crow II”). Both articles In 2004, Mr. Crow carefully cautioned that parties, particularly reviewed certain forums that employ defendants, should not expect that judges “Sunshine Acts” or similar rules that will accept settlement agreements for prohibit or restrict the sealing of any court filing under seal, and advised that to the records, including settlement agreements, when those records contain information extent litigants hope to shield those 1 agreements from the public, they must related to a so-called “public hazard.” make every effort to refrain from entering Crow I noted that when defending cases into settlement agreements that require in any of those forums, parties must be judicial approval. That advice remains prepared for the probability that their the same today – even where the parties settlement agreement, even if intended to be kept confidential, could be revealed to to a settlement agreement agree to keep 2 that settlement confidential, they should the public. That advice is applicable to not expect it to remain so where the several additional forums identified settlement agreement requires judicial below. approval. State courts in South Carolina, much Since Mr. Crow’s articles were like their federal counterparts, are published, the movement among certain specifically prohibited from approving state legislatures, judges and plaintiffs’ settlements that are conditioned upon 3 attorneys to prevent sealed settlement being filed under seal. State courts in Louisiana and Arkansas prohibit Sealing Your Settlement Agreement from the Public Eye Page 41 confidentiality provisions in any a settlement agreement that precludes the contracts, including settlement parties from revealing the fact or terms of agreements, where those contracts relate a settlement (other than the amount of to public4 or environmental5 hazards, money paid), or precludes the respectively. dissemination of evidence from that case Like Texas, the state of Washington if the case involved matters relating to the has made a specific legislative finding public health or safety. that the public health is promoted by a “Sunshine” amendments to the prohibition of confidentiality provisions Federal Rules of Civil Procedure have that conceal matters that relate to public been proposed and rejected before.9 health.6 And under Virginia law, Moreover, because these particular bills protective orders entered in personal were opposed both by the ABA and the injury and wrongful death cases cannot Judicial Conference of the United States prohibit attorneys from conferring with they are not likely to become law. other attorneys, who are not involved in However, the continued proposal of the case in which the protective order was “Sunshine” acts in the U.S. Congress10 entered, but who are involved in similar and the increasing number of jurisdictions or related matters.7 Counsel defending with “Sunshine” acts,11 coupled with a cases in any of these jurisdictions should growing preference among judges for be aware that each of these rules reflects a open settlement agreements, should give policy preference in favor of transparency pause to attorneys who either believe that and against sealed settlement agreements. their client’s settlement agreement is Accordingly, in those jurisdictions, if a certain to remain confidential or who settlement agreement requires judicial factor the need for confidentiality into approval, it is unlikely to be accepted for their settlement negotiations. That filing under seal. growing preference among judges is This policy preference has made it to encapsulated in the recent case law the halls of the U.S. Congress where three detailed below. “Sunshine in Litigation” bills8 are pending that would modify the Federal II. The Judicial Movement Against Rules of Civil Procedure to (1) prohibit Sealed Settlement Agreements federal courts from entering Rule 26(c) protective orders and orders sealing a Before examining recent case law settlement agreement, where such orders concerning judicially approved sealed would restrict the disclosure of settlement agreements, it is worth information relevant to the public health examining the landscape in which the or safety; (2) dissolve all protective need for judicial approval of settlement orders (except those that sealed a agreements arises and how that need settlement agreement) upon the entry of factors into a judge’s decision as to final judgment, unless the court makes a whether to accept a settlement agreement separate finding that the protective order for filing under seal. This article will should remain in effect; and (3) prohibit primarily address cases decided federal courts from enforcing the terms of subsequent to Crow II because Mr. Page 42 THE PRIVACY PROJECT IV – 2011

Crow’s articles deftly addressed cases a public function.18 Judicial construction decided in 2007 and before. of plaintiffs’ FLSA rights has similarly Very few settlement agreements recognized a public-private interest require judicial approval. A Federal because, courts state, the FLSA was Judicial Center study12 of federal cases intended not simply to compensate with sealed settlement agreements employees for lost wages, but also to revealed that sealed settlement publicly punish employers for violating agreements are filed in approximately the FLSA, and to put other employees on four-tenths of one percent of all federal notice that they may have a claim against cases.13 The Federal Judicial Center also their employer.19 Accordingly, courts concluded that less than two-tenths of one have found that sealing FLSA settlement percent of all cases both had sealed agreements thwarts the public-private settlement agreements14 and arguably objective of the FLSA by permitting were related to the public health or employers to hide their violations from safety.15 Ultimately, the Federal Judicial the public and their employees.20 Judicial Center concluded that the number of analysis of the balance between the public cases with sealed settlement agreements and private interests that arise in FLSA was too small to necessitate a change in cases, therefore offers an effective the Federal Rules of Civil Procedure.16 window into the challenges judges Of that four-tenths of a percent of confront with sealed settlement cases that had sealed settlement agreements, as well as how attorneys can agreements, a plurality of those cases expect motions to seal settlement were ones that typically require judicial agreements to be resolved. approval, such as those involving a In recent cases analyzing motions to minor, or actions filed pursuant to the seal FLSA settlement agreements, courts Fair Labor Standards Act (hereinafter the have considered and rejected most of the “FLSA”), where, particularly among common arguments defendants make in FLSA cases, courts have found that the favor of sealing settlement agreements. public interest in open access to judicial For instance, defendants frequently argue records can outweigh the parties’ need for that confidentiality plays a vital role in privacy.17 The growing reluctance settlement negotiations and that among judges to seal FLSA cases is settlement agreements often cannot be discussed below. reached without the assurance that the settlement terms will not be disclosed.21 III. The Refusal to Seal FLSA Cases While courts are mindful that they must balance the harm that disclosure could A primary concern among those wreak on the settlement process against opposed to sealed settlement agreements the presumption of access to judicial is that confidentiality will conceal from records,22 courts typically have been the public certain vital information in persuaded that the public interest in which the public has an interest. In other access to FLSA records, and judicial words, certain settlement agreements records generally, is superior to serve not just a private function, but also defendants’ amorphous arguments Sealing Your Settlement Agreement from the Public Eye Page 43 regarding the nature of settlements.23 possibility of a trial, few parties withdraw This should be particularly alarming their settlement. because almost all motions to seal FLSA In short, courts considering motions settlement agreements are unopposed; to seal FLSA settlement agreements are courts are denying these motions for likely to reject the common and non- reasons that they come up with on their specific arguments that parties ordinarily own. make in support of these motions. While Courts analyzing motions to seal courts have not given any particularly FLSA settlement agreements also have helpful examples of what sorts of rejected other common, but non-specific interests might tip the balance in the favor arguments made by defendants, such as of parties seeking to file a settlement the fact that the parties privately agreed to agreement under seal (apart from the a confidentiality provision and they potential harm that could result from the should be entitled to the benefit of their release of trade secrets or other bargain;24 that unsealing a settlement proprietary information31), it appears that agreement may have a chilling effect on in order to prevail on these motions, the future, similar settlement negotiations;25 parties must present the court with that businesses are entitled to keep their specific and significant harms that would legal proceedings private;26 and that result from unsealing.32 disclosure of settlement agreements would prompt additional litigation and IV. Public Hazards and High-Profile make the defendant a target for similar Cases but frivolous lawsuits.27 Plaintiffs often favor sealing FLSA The classic case involving so-called settlement agreements as well, in the hope “public hazards” is a product liability that their personal and private case, and the movement against sealed information, and the settlement amount, settlement agreements in those cases is will not become public.28 Yet courts strong. For instance, in Perreault v. The deciding recent FLSA cases have found Free Lance-Star,33 a defendant that the plaintiff’s personal privacy pharmaceutical company settled four interests are ultimately subordinate to wrongful death claims arising from an both the public-private nature of FLSA allegedly contaminated liquid solution claims, as well as the need for judicial that was used in the decedents’ open heart transparency.29 surgeries. Pursuant to Virginia law Courts often reject these common requiring judicial approval of wrongful arguments while offering the parties the death settlement agreements,34 the parties opportunity to withdraw their settlement jointly moved the trial court for an in agreement,30 essentially challenging the camera inspection, and approval, of the parties to prove how important settlement agreements.35 Several news- confidentiality really is. Having already papers intervened, objecting to the in expended substantial resources in order to camera review, and the parties moved to reach a settlement, and faced with the file the settlement agreements under seal.36 The case ultimately made its way Page 44 THE PRIVACY PROJECT IV – 2011 to the Virginia Supreme Court, which Giants Stadium.40 The trial court granted concluded that where parties are required a motion to seal the Aramark settlement to obtain court approval of their agreement, but Public Citizen, a self- settlement agreements, a public interest in described public interest group focused seeing that the judiciary is fairly and on protecting public health and safety,41 honestly administering justice attaches, intervened and moved to unseal it.42 The and outweighs the parties’ interests in parties opposed the motion, the plaintiff keeping settlement agreements sealed.37 on the grounds that the seal protected the The court then went a step further and information of a minor, and Aramark on placed the burden in motions to seal the grounds that the seal furthered the settlement agreements squarely on parties public interest in settlements.43 The trial seeking to seal records, requiring them to court denied Public Citizen’s motion. put forth facts upon which a court could The appellate court reversed, finding make specific factual findings that that the public interest in whether alcohol support sealing court records, rather than could be safely dispensed at a football placing the burden on intervenors to game outweighed the plaintiff’s desire for demonstrate how they would be harmed if privacy.44 The court applied the analysis the records were maintained under seal.38 from Hammock v. Hoffman-La-Roche, High profile cases arguably involving Inc.,45 a case where Public Citizen also the public interest, or so-called “public intervened. In Hammock, the New hazards,” can also attract judicial scrutiny Jersey Supreme Court spelled out of sealed settlement agreements even in guidelines for when court records that jurisdictions without a clearly stated potentially affect the public health and legislative or judicial preference for open safety should remain under seal and settlements. In these jurisdictions, the applied those guidelines to discovery that common law regarding protective orders was attached to summary judgment governing discovery can be instructive in motions.46 In doing so, the New Jersey predicting whether a court would allow Supreme Court did not specifically refer parties to file a settlement agreement to settlement agreements, but did analyze under seal, because the same motivation “Sunshine” acts such as those in Florida, applies to both the prohibition of Texas, Virginia and New York, that are protective orders in cases relating to discussed above. The Verni court’s public hazards and the prohibition of application of the principles announced in sealed settlement agreements. Hammock highlights the interplay For instance, in Verni v. Lanzaro,39 a between the rules governing protective mother brought suit on her own behalf orders and those concerning sealed and her infant daughter’s behalf after they settlement agreements, and suggests that were injured by a drunk driver who the courts’ analysis of protective orders in became intoxicated at a New York Giants cases where the public health is arguably football game. After settling with some at issue can be instructive in forming defendants, the plaintiff entered into a arguments in support of motions to seal separate settlement agreement with settlement agreements.47 Aramark, the concession operator at Sealing Your Settlement Agreement from the Public Eye Page 45

Even high-profile cases that do not The litigation arose out of a claim by concern matters of public health can draw certain multi-national property insurers judicial scrutiny. In Schoeps v. Museum and property owners that a group of of Modern Art,48 plaintiffs claimed that airlines, airport security companies, an two world-famous New York art aircraft manufacturer, and the municipal museums owned Picassos taken from owner of the departure airport were plaintiffs’ ancestors by the Nazis, and that responsible for the property destruction the museums had turned a blind eye to the that occurred as a result of the 9/11 theft.49 The museums vigorously denied terrorist attacks. Most of the plaintiffs the accusations, and the case received a settled with some of the defendants, and great deal of media attention.50 On the the settling parties jointly moved the morning that trial was scheduled to start, court to approve their settlement, and the parties reached an agreement allowing maintain under seal information relating the museums to keep the paintings, but to (1) the total settlement amount; (2) the the parties refused to disclose the term of amount that each defendant was paying; the settlement to the public.51 The court and (3) the amount that each plaintiff was urged the parties to submit the agreement receiving (collectively, the “settlement under seal for the court’s review – which agreement information”).56 The parties they did – and convinced the museums to even secured a recommendation from the drop their objection to public disclosure former federal judge who mediated their of the settlement agreement, but the settlement, who advised the court that he plaintiffs refused to relent.52 In a believed the settlement agreement published opinion, the court strongly information should remain under seal.57 criticized the parties for agreeing to a The motion to seal was initially confidential settlement in such a high- unopposed and was granted.58 However, profile case.53 But constrained by rule the court noted its reluctance in and precedent, the court concluded it maintaining the settlement agreement could not disclose the terms of the information under seal, stressed the settlement.54 Although the agreement public importance of the case, and remains under seal, the fact that the court reserved its right to revisit its ruling felt it necessary to publish an opinion that should a motion for reconsideration be did nothing but urge the parties to presented.59 disclose the terms of their settlement Nearly three months later, the New speaks volumes about the trend among York Times (hereinafter “the Times”) some judges toward greater transparency. intervened, moved to unseal the In perhaps the most highly publicized settlement agreement information.60 The settlement since the last edition of the defendants argued that they had Privacy Project, the trial court In re Sept. reasonably relied on the sealing order, 11th Litigation, decided not only to and that the Times needed to show some remove the seal, but also to disclose the compelling need justifying disclosure in settlement’s terms, eviscerating the order to unseal the settlement agreement parties’ ability to successfully pursue the information.61 The court found that the issue on appeal.55 defendants could not have reasonably Page 46 THE PRIVACY PROJECT IV – 2011 relied on the sealing order because the ones in a jurisdiction that has a court had reserved its right to reconsider “Sunshine” act or similar rule disfavoring its decision, and therefore rejected that or prohibiting sealed settlement argument.62 The defendants also argued agreements. Parties also can look to that unsealing the settlement agreement cases involving public hazards and information would have a chilling effect protective orders over discovery to help on the defendants’ attempt to settle predict whether their settlement unresolved property damage cases, and agreement is likely to be accepted for that it would cast them in a false light by filing under seal in their jurisdiction. To suggesting that the amounts they were the extent that defendants are able to paying to settle the cases meant that they convince courts to maintain settlement were responsible for the 9/11 attacks.63 agreements under seal, they probably will The court was unsympathetic to these have to do so by referring the court to arguments because, as in most cases, the specific prejudice that one or both parties parties intended to go forward with their will incur absent confidentiality. settlement agreement regardless of how Arguments relying on vague assertions as the court resolved the motion to unseal.64 to the parties’ expectation of However, the court left under seal the confidentiality, the importance of amount each settling plaintiff was to maintaining private information, the receive,65 a peculiar result considering chilling effect unsealed settlement that the plaintiffs, most of which were agreements will have on future settlement multi-national insurance companies or negotiations, or the potential that a sizable domestic businesses, arguably had defendant could become a target for a lesser interest in maintaining the future frivolous lawsuits, are increasingly amount of their settlement proceeds under likely to be rejected without a showing of seal than did the defendants with respect a more specific harm. Ultimately, to the amounts that they paid. Moreover, whenever attorneys negotiate a settlement the court took the unusual step of not agreement, they need to be mindful that simply vacating its prior order although it does not appear that sealed maintaining the confidentiality of the settlement agreements will be outlawed settlement agreement, but of publicizing completely any time soon, judges the details in an order issued that same increasingly are taking matters day approving the settlement.66 concerning sealed settlement agreements into their own hands. V. Conclusion 1 Crow I identified Florida’s “Sunshine in The bottom line when it comes to Litigation Act,” FLA. STAT. § 69.801, which keeping settlement agreements under seal prohibits a court from sealing any record or is that if the settlement requires judicial information that has the effect of concealing a approval, it is unlikely to remain “public hazard.” “Public hazards” are confidential. This is particularly true of typically defined as products, persons or procedures that have caused, or are likely to high-profile cases, ones that arguably cause, injury. See id. The article also involve a so-called “public hazard,” or identified (1) Texas Rule of Civil Procedure Sealing Your Settlement Agreement from the Public Eye Page 47

76a, which creates a presumption that court 9 See Sunshine in Litigation Act of 2009: records are open to the public that can be Hearing Before the H. Subcomm. on overcome only by a showing of a specific, Commercial and Admin. Law, 111th Cong. 60 serious, and substantial interest that outweighs (2009) (statement of Judge Mark R. Kravitz both the presumption and any probable on behalf of the Rules Committees of the adverse effect that sealing the record will have Judicial Conference of the United States) on the public health and safety; (2) Uniform (hereinafter “Kravitz Statement”). Rules for New York State Trial Courts § 216.1 10 A “Sunshine in Litigation” bill was first that prohibits the sealing of any court record introduced to Congress 1991. See id. at 60. without a court first issuing a written finding 11 But see Crow I at 112 (noting that twelve of good cause that outweighs the presumption states have considered but rejected similar of public access to court records; and (3) legislation). Local Civil Rule 5.03 of the United States 12 See Sealed Settlement Agreements in District Court, District of South Carolina that Federal District Court, Federal Judicial specifically prohibits any settlement Center, 3 (2004) (hereinafter the “FJC agreement from being filed under seal. Report”). The FJC Report examined cases 2 See Crow I at 112. decided in 2001 and 2002. 3 13 S.C. R. CIV. P. 41.1. South Carolina also In approximately one quarter of those cases, requires that all settlement agreements to the settlement agreement was not initially filed which a minor is a party and that are in excess with the court and was only filed under seal of $25,000 be approved by a court. See S.C. later because it was attached as an exhibit to a CODE § 62-5-433. The combination of these motion to enforce the settlement agreement, or two rules means that any settlement with a as an exhibit to an otherwise sealed minor in excess of $25,000 cannot be filed proceeding or transcript. See id. at 6. Those under seal. cases are not addressed here. 4 14 LA. CODE CIV. PROC. § 1426. Kravitz Statement, supra note 9, at 65. 5 15 ARK. CODE § 16-55-122. FJC Report, supra note 12, at 8. The FJC 6 WASH. REV. CODE § 4.24.601. Despite this Report considered the following types of cases legislative finding, this provision of as related to public health or safety: (1) Washington code has not been applied in any environmental; (2) product liability; (3) cases. professional malpractice; (4) public-party 7 VA. CODE § 8.01-420.01. defendant; (5) death or serious injury; and (6) 8 Two of the bills are pending in the House sexual abuse. (H.R. 5419, 111th Cong. (2010), and H.R. 16 Kravitz Statement, supra note 9, at 65-67. 1508, 111th Cong. (2009)), and one bill is The FJC also noted that a rule prohibiting pending in the Senate (S. 537, 111th Cong. sealed settlement agreements was unnecessary (2009)). S. 537 and H.R. 1508 are identical. because in 97% of the cases identified in the H.R. 5419 is nearly identical to S. 537 and FJC Report, supra note 12, the complaint or H.R. 1508, except that it contains additional some other document detailing the nature of clauses relating to civil actions, wherein the any potential public hazard was not sealed. pleadings state facts relevant to public health See id.; FJC Report, supra note 12, at 6-7. or safety. The difference is semantic, This finding is critical because a common however, as the other two bills contain fewer, argument in opposition to permitting the filing but similar, clauses and the judicial of sealed settlement agreements is that they interpretation of H.R. 5419 would not likely conceal the nature of potential public hazards. be affected by its additional clauses. See, e.g., Crow I, at 107; Sunshine in Litigation Act of 2009: Hearing Before the H. Page 48 THE PRIVACY PROJECT IV – 2011

Subcomm. on Commercial and Admin. Law, WL 2079750, at *3; Poulin, 2010 WL 111th Cong. 24-37 (2009) (statement of Leslie 1257751, at *3; In re Sepracor Inc. FLSA A. Bailey of Public Justice) (hereinafter Litig., 2009 WL 3253947, at *3. “Bailey Statement”). 31 See, e.g., Poulin, 2010 WL 1257751, at *3; 17 FJC Report, at 5. Prater, 2008 WL 5140045, at *9; Arthur 18 See e.g., Crow I at 107; Richard A. Zitrin, Miller, Private Lives or Public Access?, 77 The Laudable South Carolina Rules Must Be A.B.A.J. 65, 68 (1991). Broadened, 55 S.C. L. Rev. 883, 887-890 32 See, e.g., Hens, 2010 WL 4340919, at *3-4; (2004); Bailey Statement, at 25-28. McCaffrey, 2010 WL 4024065, at *2; Taylor, 19 See Brooklyn Savings Bank v. O’Neil, 324 2010 WL 2079750, at *3; Poulin, 2010 WL U.S. 697, 704-08 (1945); Stalnaker v. Novar 1257751, at *3; In re Sepracor Inc. FLSA Corp., 293 F. Supp.2d 1260, 1263 (M.D. Ala. Litig., 2009 WL 3253947, at *2; Prater, 2008 2003). WL 5140045, at *9-10. 20 See e.g., Dees v. Hydrady, Inc., 706 F. 33 276 Va. 375 (2008). 34 Supp.2d 1227, 1242 (M.D. Fla. 2010). VA. CODE § 8.01-55. 21 Crow I, at 107. 35 Perreault, 276 Va. at 381. 22 See Hens v. Clientlogic Operating Corp., 36 Id. at 381-83. No. 05-CV-381S, 2010 WL 4340919, at *3 37 Id. at 389-90. (W.D.N.Y. Nov. 2, 2010). 38 Id. at 390. The court also rejected the 23 See, e.g., Taylor v. AFS Tech., Inc., No. parties’ arguments (1) that if the settlements CV-09-2567, 2010 WL 2079750, at * 2-3; were unsealed they would not obtain the Poulin v. General Dynamics Shared Res. Inc., benefit of their bargain; (2) that their privacy No. 3:09-cv-00058, 2010 WL 1257751, at *2- interests were superior to the public’s interest 3 (W.D. Vir. Mar. 26, 2010). in accessing court records; and (3) that the 24 See, e.g., Dees, 706 F. Supp.2d at 1242, defendant could become a target of nuisance 1246; White v. Bonner, No. 4:10-CV-105-F, suits. Id. at 390-91. 2010 WL 4625770, at *2 (E.D.N.C. Nov. 4, 39 960 A.2d 405, 407 (N.J. Super. Ct. App. 2010); Taylor, 2010 WL 2079750, at *2. Div. 2008). 25 See, e.g., Tabor v. Fox, No. 5:09-CV-338, 40 Id. 2010 WL 2509907, at * 2 (E.D.N.C. June 17, 41 See Public Citizen Homepage, 2010); In re Sepracor Inc. FLSA Litig., MDL http://www.citizen.org (2010). No. 2039, 2009 WL 3253947, at *1 (D. Ariz. 42 Verni, 960 A.2d at 408. Oct. 8, 2009). 43 Id. 26 See, e.g., Poulin, 2010 WL 1257751, at *3; 44 Id. at 409-11. Prater v. Commerce Equities Mgmt. Co., No. 45 142 N.J. 356 (1995). H-07-2349, 2008 WL 5140045, at *9-10, 46 Id. at 371-83. (S.D. Tex. Dec. 8, 2008). 47 See also Gleba v. Daimler Chrysler Corp., 27 See, e.g., id. at *3-4. 13 Mass. L. Rptr. 576, 2001 WL 1029678 28 See, e.g., McCaffrey v. Mortgage Sources (Super. Ct. Mass. 2001) (rejecting a motion to Corp., No. 08-2660, 2010 WL 4024065, at *1- seal a settlement agreement and applying 2 (D. Kan. Oct. 13, 2010); In re Sepracor Inc. Massachusetts law regarding sealed discovery FLSA Litig., 2009 WL 3253947, at *9-10. to a sealed settlement agreement). 29 See, e.g., McCaffrey, 2010 WL 4035065, at 48 603 F. Supp.2d 673 (S.D.N.Y. 2009). *2; In re Sepracor Inc. FLSA Litig., 2009 WL 49 Id. at 674. 3253947, at *1-2. 50 Id. 30 See, e.g., Hens, 2010 WL 4340919, at *4; 51 Id. Tabor, 2010 WL 2509907, at *2; Taylor, 2010 52 Id. Sealing Your Settlement Agreement from the Public Eye Page 49

53 Id. at 675-76. 54 Id. at 676. 55 Compare In re Sept. 11th Litig., 723 F. Supp.2d 526 (S.D.N.Y. 2010) with Perreault, 276 Va. at 383-84 (where the Virginia Supreme Court noted that the court below kept settlement agreements under seal pending appeal). 56 No. 21 MC 101, 2010 WL 637789, at *1 (S.D.N.Y. Feb. 19, 2010). 57 Id. 58 Id. 59 Id. at *2. 60 In re Sept. 11th Litig., 723 F. Supp.2d 526 (S.D.N.Y. July 1, 2010). 61 Id. at 531. 62 Id. at 531-32. 63 Id. at 532. 64 Id. 65 Id. at 533. 66 See In re Sept. 11th Litig., 723 F. Supp.2d 534 (S.D.N.Y. 2010). New Developments in PRC Privacy Laws following the First “Cyber Manhunt” Cases

By Ariel Ye and David Gu Ariel Ye and David Gu are lawyers at the Beijing office of King HE “Cyber Manhunt” engine is an & Wood. T Internet engine which utilizes participation by Internet users to filter asked all Internet users to find the search results and assists users in woman. In order to catch the woman, clarifying their search requests. Different many Internet users voluntarily donated from the automated search results from MPs or even cash in exchange for useful Google and Chinese Baidu engines, the information about her. The reward was cyber manhunt engine mobilizes Internet increased from 1,000 to 5,000 MPs. In users to search for and reveal specific March 2006, an Internet user “I am not an useful information about individuals on angel in sands” commented on Mao Pu the Web. Despite its efficiency in that “this woman is from a small town in identifying useful information, many Hei Long Jiang Province….” which people find this kind of searching turned out to be an important clue to other unacceptable because it violates Internet users. About six days after the individuals’ privacy. video clips were published, the identities Since 2006, the cyber manhunt has of three potential “suspects” were made become a popular method for Internet known on the Mao Pu website. users to “hunt down” those whose actions or comments go against social norms or The South China Tiger Incident moral and ethical standards in the PRC. The following three examples may shed In October 2007, Mr. Zhou some light on how the “cyber manhunt” Zhenglong, a peasant in Shan Xi engine works. Province, announced that he had taken some pictures of a South China tiger The Abused Cat Incident which had been believed for a long time to be an extinct species. In December In February 2006, an Internet user 2007, the Forestry Department of Shan Xi with the cyber name of “stepping upon Province held a news conference to show broken glass” published some video files the pictures to the public and gave Mr. on the Internet showing a woman Zhou a reward of around RMB 20,000 for crushing a cat under her high-heel shoes. the discovery. Several hours later, some Soon after, an Internet user named posts were logged on the Internet which “12ookie-hz” published a link to the questioned the authenticity of the tiger videos on the webpage “Mao Pu.”1 photos. Afterwards, Internet users cast Another Internet user “dark consul” further doubt upon the photos from the uploaded the woman’s image to the perspective of light, shooting angle and webpage “Tian Ya”2, and made a their similarity to some drawings in universal “order for arrest” which openly general circulation. On 15 November 2007, an Internet user asserted that the so- New Developments in PRC Privacy Laws Page 51 called “tiger photos” looked very similar incidents, help the authorities to collect to some drawings he had in his house. useful information and evidence against Another Internet user who played an offenders, and indeed play a role in important role in the “abused cat monitoring social behavior as well as incident” discovered that a traditional deterring misbehavior. Chinese character of “dragon” appeared On the other side, sometimes when at the bottom of the photos. As these self-righteous Internet users expose a photos were identified as fakes, Mr. person’s name, profession, home address Zhou, the photographer, was arrested, and other personal information to the charged and convicted under Article 266 public in the name of “justice,” that of the PRC Criminal Law of obtaining person becomes a victim as his or her public money by fraud and sentenced to privacy rights are inevitably damaged, two years in jail. either temporarily or permanently. It is well-known to the world that the The Corrupt Official Incident Internet has been a fast growing phenomenon in China. It is one of the In December 2008, Mr. Zhou most popular media - Chinese Internet Jiugeng, the head of Nanjing Jiang Ning users already exceed 400 million. At the District Real Estate Department was same time, PRC privacy laws have tracked by Internet users using the “cyber developed. This paper will touch upon an manhunt” engine. Some photos of Mr. interesting topic: how the developing Zhou were published on the Internet, privacy laws in China can adapt and which showed that he wore a very respond to the new cyberspace expensive wrist watch, smoked high- phenomenon, the “cyber manhunt.” In the priced cigarettes and owned a famous following chapters, this topic will be marque of car. Later, Internet users addressed from the judicial, legislative reported that Mr. Zhou’s brother was a and academic perspectives. local real estate developer and that the two were entangled in some corrupt The First Case of the “Cyber Manhunt” activities together. Since this incident and its Implications drew significant public attention, the local government was forced to conduct an The first published case of the investigation, which culminated in the “cyber manhunt” is actually three. In arrest of Mr. Zhou on 9 February, 2009. December 2008, the Beijing Chao Yang There are two sides to the “cyber District Court3 rendered three separate manhunt” coin. On one side, hundreds of first-instance judgments in respect of this thousands of Internet users deem landmark case. Some excerpts of the themselves as “Robin Hood on the judgments are presented as follows: Internet”, acting for justice. As the above examples indicate, through effective Wang Fei v. Zhang Le Yi4 interaction on the Internet, they deploy the power of each individual to identify The Court finds that Wang Fei is morally uncomfortable and/or illegal Jiang Yan’s (the deceased) husband, as Page 52 THE PRIVACY PROJECT IV – 2011 their marital relationship was registered apartments. As one example, on the wall and recorded on 22 February 2006. In the of their houses were painted words such evening of 29 December 2007, Jiang Yan as “immoral household,” “the good wife committed suicide by jumping from her was forced to die,” and “blood for blood” house of the 24th floor. etc. Even until the time of this trial, there During her life, Jiang Yan registered are still many articles on the Internet a personal blog titled as “A Migrant Bird providing comments about the incident. Flying towards the North,” and wrote In addition, Zhang Le Yi, the college articles in it. About two months prior to classmate of Jiang Yan, registered a non- her suicide, she blocked public access to profit website on 11 January 2008, titled her blog but did not stop writing. In her “A Migrant Bird Flying towards the blog, Jiang Yan wrote diaries that North,”5 (the “Website”) the same name recorded her emotional struggles with her as Jiang Yan’s blog. On the main failed marriage and published some webpage, Zhang Le Yi introduced this photos of her husband and Ms. Dong, website as “a place to make tributes and who were believed to be having an affair seek justice for Jiang Yan.” Zhang Le Yi together. In these diaries, her husband’s and Jiang Yan’s relatives published a name, working address and other personal number of articles dedicated to Jiang Yan information was exposed. Before Jiang there. Additionally, Zhang Le Yi set up Yan’s first attempt at suicide, she told an website links to “Tian Ya,” “Sina” and so Internet user the pin number for access to on. her blog and asked him to open her blog In particular, Wang Fei believed that after 12 hours. After Jiang Yan several articles published on the Website committed suicide, this Internet user let disclosed some details of his affair, his Jiang Yan’s sister know the pin number, name, working address and home address and the latter opened the blog. etc, included defamatory remarks, and Jiang Yan’s diaries in her blog were therefore violated his privacy right and read by an unnamed Internet user and reputation right. forwarded to the discussion forum of the The legal issue in this case lies in “Tian Ya” website. Consequently, these whether Zhang Le Yi’s conduct, such as diaries were published by Internet users disclosing Wang Fei’s real name, on different websites and triggered working address, home address and his extensive discussions among different affair on the website he created people, many of whom expressed the constitutes an infringement of Wang Fei’s view that Wang Fei’s affair was one of privacy right and reputation right. the main factors which cause[d] Jiang Yan’s suicide. Some Internet users A. Zhang Le Yi’s conduct has initiated a “cyber manhunt” on the “Tian infringed Wang Fei’s privacy Ya” seeking to disclose Wang Fei’s right and reputation right name, working address and home address etc. Some abused and humiliated Wang Privacy generally refers to private Fei with their words and some others life, private information, private space harassed Wang Fei and his parents at their and peace of individual life, which are New Developments in PRC Privacy Laws Page 53 deemed as interests attached to specific disclosing such information, as well as persons or personhood and which such the extent of disclosure, the purpose of persons do not wish to disclose to the disclosure and consequences of such general public. Privacy right generally disclosure should all be taken into means a type of personhood right, by account. which a natural person is entitled to In the instant case, Zhang Le Yi control his or her private secrets and criticized Wang Fei’s disloyalty in his private life and exclude any interference marriage with Jiang Yan. Prior to his from the outside. Any conduct such as disclosure of Mr. Wang’s affair and disclosing or publicizing a person’s personal information, Zhang Le Yi had private information, intruding on this actual knowledge that such information person’s private domain or interfering when disclosed by him would be received with such person’s private activities may by unidentified persons, and could constitute a violation of the privacy right foresee any relevant consequences arising belonging to this person. from this disclosure. Therefore, Mr. A citizen’s private affair of love, Zhang’s intent could be inferred from his including an out-of-marriage affair, falls conduct including disclosing Wang Fei’s squarely within the privacy domain. In a affair and his personal information. After normal social life, such information is such information was disclosed, Wang only known to a small number of persons Fei’s identity became known to Internet and would not be disseminated to a large users in the public, and many provocative number of unidentified persons. In the comments were made against him as a instant case, Zhang Le Yi knew the fact result. When Zhang Le Yi criticized that Wang Fei was involved in an affair, Wang Fei’s disloyalty to his wife, he given he was the classmate of Jiang Yan. should not have disclosed Wang Fei’s After Jiang Yan’s death, Zhang Le Yi not actual name, working address and home only publicized this fact on the website he address etc. Because he did, Wang Fei’s created, but also built website links to privacy was violated. other websites, so that this fact was Reputation refers to an objective and disseminated very broadly on the Internet comprehensive societal judgment upon a to those unidentified persons in the specific civil person’s6 characteristics, public. As such, Wang Fei’s privacy right skills and other features. Reputation right has been infringed. means a type of personhood right to In addition, in the course of social maintain society’s judgment and one’s interaction, a citizen may disclose his or own judgment of one’s intrinsic features her name, working address, home address and values as a civil person. and other personal information to others, The private information disclosed and such information may be known and about Wang Fei not only triggered utilized in one way or another. Whether endless criticisms and public outrage the disclosure or use of such information from Internet users, but also caused them infringes a person’s privacy right depends to adopt the “cyber manhunt” engine to upon the totality of the circumstances, search for other information in relation to where the manner of obtaining and Wang Fei and his parents. Later, this Page 54 THE PRIVACY PROJECT IV – 2011 search resulted in intensive and Le Yi did voluntarily delete some continuous personal attacks towards infringing information; (iii) Other than Wang Fei on the Internet, and some Zhang Le Yi’s conduct, there were other harassment to Wang Fei’s peace of life. things which caused the information to be In this regard, the societal judgment of disclosed, such as Jiang Yan’s blog and Wang Fei has been severely downgraded, the “cyber manhunt” engine adopted by directly because of Zhang Le Yi’s Internet users on other websites; and (iv) misbehavior. Thus, Zhang Le Yi has Wang Fei’s disloyalty to his wife is a fact infringed Wang Fei’s reputation right by and should be criticized in terms of the disclosing his private information in social norms.’ public. Wang Fei v. Beijing Ling Yun B. Zhang Le Yi’s Liability for His Interactive Information Technologies Malfeasance Co., Ltd.7

Zhang Le Yi, as the registered The website of “www.daqi.com” administrator of the Website, has a right (“Daqi”) is a for-profit website registered of free speech to write articles on his own and administered by Ling Yun Interactive and publish articles written by others on Information Technologies Co., Ltd. the Website. However, the exercise of his (“Ling Yun Company”). As Jiang Yan’s right should be consistent with applicable suicide drew the attention of the public, a laws and regulations, and in particular it special webpage was created on Daqi, should not infringe the legitimate interests titled “the last blog diary from the woman of others. However, this was not the case who committed suicide by jumping from here. the 24th floor” on 14 January 2008. The Accordingly, this Court holds that: webpage mainly included: an introduction (a) three articles published on the Website about Jiang Yan’s suicide; relevant web- should be deleted and a public apology post links; a site report about Internet should be made from Zhang Le Yi to users’ voluntary tributes at the place Wang Fei on the Website; (b) the request where Jiang Yan’s suicide took place; a for loss of salaries and wages is not site report about Internet users; phone sustained; (c) the request of public notary interview records with Jiang Hong (Jiang payments of RMB684 is sustained; Yan’s sister), Zhang Le Yi (Jiang Yan’s (d) damages for mental suffering is classmate) and the lawyer who sustained, but the amount should be represented Jiang’s family; Internet users’ reduced to RMB 5,000 considering: (i) messages; and “psychological analysis” prior to the information being disclosed, etc. On the webpage, the real names of Jiang Yan’s blog had been open to the Wang Fei, Jiang Yan and Ms. Dong were public, such that Zhang Le Yi’s adopted, and some photos of Jiang Yan, disclosure of private information was Wang Fei and Ms. Dong, Internet users’ only one reason, not the sole reason tributes on the site and the defacement of which caused Wang Fei’s anguish; (ii) Wang Fei’s apartment were published as when administering the Website, Zhang well. Under the photo of Wang Fei and New Developments in PRC Privacy Laws Page 55

Ms. Dong, a number of words read as characters are rich and diverse, and may “the photo with the third-party during the be combined in various expressions of Rome visit organized by Wang Fei’s cyberspace language. Under the company.” circumstances, it would be very difficult It seems proper for Daqi to set up a for websites to monitor every word. So special webpage analyzing the incident, far, even if the latest website management since it has the freedom to disseminate and technological measures are adopted, news in the public domain. That said, the website administrator may not where Daqi exercised this right, it should perform censorship of every post in have taken any technical measures of advance. As such, the monitoring duty redacting private information and photos, owed by the website is conditioned on the so as not to infringe others’ privacy right basis that it cannot always know whether and reputation right.’ published articles or comments are illegal or tortious in nature or infringe others’ Wang Fei v. Hainan Tian Ya Online lawful interests. Where such knowledge Website Technologies Co., Ltd8 exists, and the website disregards existing unlawful articles and comments, and The website of “www.tianya.cn” allows their dissemination, then the (“Tian Ya”) is a for-profit website website breaches its duty and indeed registered in March 1993. Its users infringes others’ rights; if it timely deletes number approximately 20 million. This such articles or comments, then its duty website provides rules such as “The are fulfilled. fundamental laws of Tian Ya” and “The In the instant case, Tian Ya’s duty of censorship measures of key words” etc. In monitoring may be fulfilled as long as it terms of these regulations, there are four has deleted or modified infringing layers of monitoring in respect of information since it was aware of such monitoring posts submitted by Internet information on its website or had actual users, including most sensitive key words knowledge of it after the infringed’s monitoring, very sensitive key words complaint. In fact, Tian Ya did delete the monitoring, relatively sensitive key words articles and comments prior to the filing monitoring and sensitive key words of the case. Therefore, this Court holds monitoring. that Wang Fei’s allegation that Tian Ya On 15 March 2008 (prior to the infringed his privacy right and reputation filing of the case), Tian Ya deleted right has not been established.’ relevant articles and comments regarding the incident from its website. The “Cyber Manhunt” Case’s The administrator of Tian Ya should Implications be responsible for monitoring any articles and posts published on its website. Since Several progressive steps in relation Tian Ya has set forth relevant rules to PRC privacy laws have been made in regarding monitoring and censorship the above case. First, the Court did not measures, it has fulfilled its duty as the arbitrarily hold that the “cyber manhunt” administrator. On the other hand, Chinese was illegal per se, since not every so- Page 56 THE PRIVACY PROJECT IV – 2011 called “cyber manhunt” will unavoidably personal posts, and held that Daqi’s intrude individuals’ privacy. Indeed, the reports were news reports. Therefore, the Court did not address the issue of the Court held that Daqi must live with the “cyber manhunt” extensively. Instead, the rules and disciplines that apply to Court took an indirect approach to deal traditional media, and should have with the “cyber manhunt,” and offered an “redacted private information and photos opinion that websites should at least be using technical measures”. If it did not, its responsible for posts or comments liability for infringement of the right of published by their users on their privacy would be established. webpages. Finally, the Court provided some In particular, the Court provided a guidelines for websites like Tian Ya, set of rules for finding liability in “where the website administrator has response to different behaviors on the actual knowledge of illegal or tortious Internet. In the case involving Zhang Le information which is detrimental to Yi, the Court reasoned that the others’ lawful interests, but disregards its administrator of a personal website existence or dissemination, it should be should be responsible for articles or liable for its infringement of such rights; comments made by himself on his however, if the administrator deletes this personal website. If such articles or information in a timely manner, then it comments are found to be tortious in would be safe from any liability.” This nature (e.g. they disclose a person’s rule is similar to the “safe haven” rule in private information or violate a person’s IP cases, and some commentators believe right of reputation), some liability would it is innovative, though it may not be be imposed upon the administrator. well-drafted.9 In any event it is very In addition, a similar rule was encouraging and impressive to see the adopted in the case involving Daqi. This Chinese Court craft different rules to website functions by collecting some accommodate nuances between published articles or comments from traditional media like Daqi (a news other websites and then creating a website) and newly-developed media like dedicated webpage where a hotly-debated Tian Ya and personal blogs. subject is raised for further discussion. Furthermore, this case is prominent The Court’s rationale was that the website because for the first time Chinese judges should take responsibility for monitoring have tried to define privacy and the any published articles or comments in it, privacy right in their own terms, and to regardless of whether they were originally independently address significant issues made or reprinted from other sources. The in relation to privacy law, rather than Court further opined that the collected having calibrated them to adhere to the information, even if it was not original traditional scheme of reputation right but reprinted, may still constitute a source infringement. The effects that this case of infringement of a privacy right, due to brings about in PRC privacy law will be its implicitly tortious nature. further addressed in the remainder of this Nevertheless, the Court distinguished paper. reports on Daqi’s site from Zhang Le Yi’s New Developments in PRC Privacy Laws Page 57

The Legislative Efforts for Developing starting point for further developments of the PRC Privacy Laws PRC privacy laws. Under this legal scheme, however, it bears emphasis that The landscape of Chinese privacy any violation of privacy is deemed a law has significantly changed since the violation of reputation right and there is 1980s. On 12 April 1986, the General no independent legal remedy provided for Provisions of the Civil Law of PRC (the privacy right infringement. “Civil Law”) was promulgated by the Afterwards, the substance of the National People’s Congress (the “NPC”). privacy right was further expanded by Under the Civil Law, the chapter on other judicial interpretations. In the “personhood rights” is independent from Answers for Several Questions regarding the chapter on “civil entities.” The Trials of Reputation Right,12 Article 7 (3) separation of the two chapters reflects the added some key words such as “without a fact that “personhood rights” were not person’s consent” or “unilaterally deemed as an ancillary to “civil entities” publicizing or disclosing private any more, but a totally different subject information” to define the concept of matter of civil law rights. Under the privacy. These newly-added terms chapter of “personhood rights,” several demonstrate one crucial element of rights are enumerated, among them name privacy infringement --- it is against the right, image right, and reputation right. will of a person who is entitled to freely Nonetheless, privacy right is not included dealing with his or her privacy. In the among these, and neither were specific same interpretation, Article 8 provides privacy laws legislated at that time. that information regarding sexually- In addition to the Civil Law, transmitted diseases can be deemed as numerous judicial interpretations made by private information deserving of the Supreme Court of China10 have protection. In this regard, the substance of enriched the body of Chinese privacy law. privacy expands from the interpersonal In the Several Opinions of relationship area to medical and health. In Implementation of the Civil Law dated on the Explanations of Several Questions as 2 April 1988, Article 140 states that, to Calculating Liabilities and Damages “disclosing a person’s privacy to the for Mental Sufferings arising from Civil public, in writing or orally, or fabricating Infringements dated 10 March 2001, the facts to publicly humiliate a person, as Chinese Supreme Court took the position well as insulting or defaming a person’s that privacy interests could be directly reputation with some consequences protected by civil proceedings, rather than arising therefrom, shall constitute a indirectly by claiming remedies for violation of a citizen’s reputation right.” violation of a reputation right.13 In other In this interpretation, the concept of words, any violation of privacy interests “privacy” was adopted for the first time,11 becomes actionable, 14even if a privacy though its substance under this law may right has not been recognized as a not be as rich as in some western privacy separate type of personhood right under laws. Nevertheless, the inclusive term of this interpretation. “privacy” in this legal context became a Page 58 THE PRIVACY PROJECT IV – 2011

Recently, the most important The appellate court held that Mr. Zhang milestone legislation relates to should be liable for his violation of Wang promulgation of the Law of Tortious Fei’s reputation right by exposing Mr. Liability of the People’s Republic of Wang’s privacy to the public, and China dated 26 December 2009. Under affirmed most parts of the first-instance Article 2 of this law, “privacy right” is judgments, except slightly reducing the expressly recognized as one of the damages awarded. Apparently, the enumerated civil law rights, together with appellate court took a conservative name right, image right, reputation right, approach and judged the case within the parenting right, intellectual property right boundaries of existing laws and judicial and shareholder right.15 From this time interpretations, rather than making new on, “privacy right” becomes a right, more laws or creating fresh ideas beyond these than a bundle of interests related to the existing limits. reputation right. It is well-known that China’s legal Academic Contributions and system is rooted in civil law traditions Criticisms and its lower court judges do not make laws, but follow the NPC’s legislation Compared to conservative judges, and the Chinese Supreme Court’s judicial Chinese legal scholars are more liberal interpretations (which are quasi- and free to introduce new ideas and legislative in nature). In the first case of constructive thoughts with regard to “cyber manhunt,” the judges not only privacy laws, particularly where existing defined in detail privacy and the privacy laws are less mature with some gaps to right, but also extended the legal analysis fill in. Additionally, academic criticism of privacy law from the traditional arena has contributed some meaningful (e.g. interpersonal relationships) to those developments to this subject. in the cyberspace, where both the NPC From an academic perspective, because the body of PRC privacy laws is and the Chinese Supreme Court have not currently growing, it appears that the done so. Slightly deviating from the trend of expanding privacy rights will not conservative tradition that a civil law stop in the future. However, the extension judge must follow laws, the judges in this of protection of privacy rights is not case may have liberally broadened the unfettered. Some commentators believe a substance of privacy or the privacy right, foreseeable limitation upon privacy right to the extent that includes rights for relates to the “cyber manhunt” private space or peace of individual life, phenomenon, where the conflict between concepts which have been cited and privacy right (the claimed right by Wang discussed by Chinese legal scholars for a Fei) and right to learn the truth (the right period of time. Nevertheless, it is not the possibly claimed by Internet users who first time for Chinese courts to provide conduct the “cyber manhunt”) and the judicial guidelines for the public, even if boundary between each right will become these rules are not precedents.16 a hotly debated topic.17 Another After the triple judgments were interesting topic relates to how much rendered, only Zhang Lei Yi appealed. privacy a public figure could enjoy. A football star, a famous singer or a New Developments in PRC Privacy Laws Page 59 politician could be viewed by the public infringement should be laid down in clear as someone whose privacy should be and straightforward language.22 protected in a limited way, in contrast with ordinary people.18 Therefore, Conclusion publicity law is another related area where scholars will delve. In conclusion, the triple judgment in Some commentators believe that a the landmark cases relating to the “cyber “privacy right” is unambiguously manhunt” of Wang Fei demonstrates that recognized and included in the Tortious the Chinese privacy right has been Liability Law, but conclude that this law expanded from the traditional arena of fails to articulate how liability should be interpersonal relationships to cyberspace, established. According to this law, it is and PRC privacy laws have developed in suggested that a general tort liability rule depth and breadth, due to tremendous should come into play, where four efforts made by Chinese legislators, elements must be presented, in order to courts and scholars. establish any liability for infringement of There is an evident trend that this privacy: (a) illegal conduct; (b) damages; privacy right will continue to be clarified. (c) causation: (d) scienter that refers to Chinese legislators and courts may either intentional infringement or continue to take a relatively conservative negligent infringement.19 The infringed approach to putting any legal bears the burden of proving these developments in this area within the elements to establish a valid case. framework of existing law. However, In order to resist or limit such legal scholars are evidently willing to liability, the defendant may raise certain take the lead and to accelerate discussion defenses, such as the infringed’s consent, of legal reform of privacy laws in China. limited privacy for public figures or right to learn the truth. Damages for mental suffering is one of the remedies which the 1 The “cyber manhunt” phenomenon infringed may seek. But the threshold to originally started from this website. Like trigger this remedy is that mental many other worldwide studying forums, suffering should be severe. As suggested, people ask questions on the “Mao Pu” site, “severe” mental suffering may be found, and are willing to pay for answers using a so long as a reasonable person would type of Internet currency called MP. Those believe that such suffering caused by the who provide answers in exchange for MP are infringement is generally intolerable and called “reward hunters”. The most MPs go to unacceptable.20 Accordingly, “severe” those reward hunters who can quickly should not be interpreted too strictly by respond to questions with accurate and courts.21 comprehensive answers. Finally, the current academic 2 This is one of a number of popular websites movement is to suggest that a prospective where the “cyber manhunt” engine is used. Civil Code of the PRC contain a chapter 3 The Chao Yang District Court is the first- on “personhood rights”, in which privacy instance court and has jurisdiction on these right should be expressly defined, and the cases. elements of establishing privacy 4 Chao Min Chu Zi No. 10930 (2008). Page 60 THE PRIVACY PROJECT IV – 2011

5 This website address is http: orionchris.cn. 15 However, the term of “privacy right” was 6 first adopted in another legal context, i.e. in Civil person may refer to a natural person, the Women Rights Protection Law of the legal person, and other non-legal-person PRC (Modified in 2005). organization. 16 7 A county court in Si Chuan held that “the Chao Min Chu Zi No. 29276 (2008). parent-child relationship” does not fall within 8 Chao Min Chu Zi No. 29277 (2008). the category of privacy (2000); another district court in Shanghai held that “a 9 “The Analysis of the three first-instance citizen’s name, home address, personal judgments of the first case of “cyber hobbies as her private information as well as manhunt’,” page 66, Hu Lin, , issue 7 (2009). and should not be publicized, utilized and 10 In relation to fundamental laws such as the infringed” (2000). Civil Law, the Chinese Supreme Court has 17 “The New Developments of Privacy Right”, quasi-legislative power to provide this speech note was given by Professor interpretations of laws. These judicial Wang Liming, at the forum of Legislative interpretations are part of China’s binding Research of Tortious Liability Law of PRC. written law. This note can be found at 11 The term of “privacy” appears in several http://www.civillaw.com.cn/ggf/weizhang.as laws, including article 30 of dated 4 September 18 “The Developments of PRC Privacy Laws”, 1991, Article 39 of dated 3 April 1992, Academics Journal>, volume 18 no. 2 (April and Article 30 of dated 31 March 1993. 19 “The Establishment of Infringement of 12 This judicial interpretation was promulgated Privacy and Its Stereotype Research>, Ma to the public on 7 August 1993. Article 7 (3) Te, , 2007. provides, “ without a person’s consent, 20 “The Developments of PRC Privacy Laws”, unilaterally publicizing this person’s private Zhang Xinbao, , volume 18 no. 2 (April or orally, to cause damages to such person’s 2010). reputation, may constitute violation of this 21 person’s reputation right.” Id. 22 13 Article 1 provides, “… when privacy or any “The New Developments of Privacy Right”, other types of personhood interests are Professor Wang Liming, , (2009); “The Chinese courts, seeking for damages of Three Most Important Questions to be mental sufferings, given the cause that such Solved for Legislating the Personhood Laws interests are infringed, and Chinese courts of PRC”, Professor Yang Lixin, , volume 16 no. 3 (June 2008). 14 According to the Regulations of Cause of Action in Civil Lawsuits dated 4 February 2008, the “privacy right dispute” is listed, among others, as a separate cause of action. Crispin v. Christian Audigier, Inc.: The Struggle to Maintain Privacy In The Face Of New Forms of Electronic Communication

By Nichole Cohen, M. King Hill, III and Craig A. Thompson M. King Hill, III is a partner with Venable LLP in the firm’s

Towson, Maryland office. His OURTS have traditionally struggled practice focuses on products liability to keep pace with the rapidly C and personal injurt litigation. changing fields of science and Craig A. Thompson is a partner technology. One area of particular and who practices in the same areas in constant struggle is that of information Venable’s Baltimore office. technology. Access to electronically Nichole Cohen is an associate stored information is an issue in nearly all who works closely with the same complex civil litigation today. Balancing practice group in the firm’s a litigant’s right to discover electronic Baltimore office. information with individual privacy concerns is a particularly difficult task for the courts. This article explores what is communication – including text being touted as the newest and perhaps messages, e-mail, online chats and instant most revolutionary form of electronic messages, and traditional Facebook messages – into one unified “social communication – Facebook Messages – 3 and how the courts might balance a inbox.” According to Facebook party’s entitlement to litigation discovery engineers, Facebook Messages is with individual privacy concerns in light designed to allow users to exchange messages without regard to the form of of this new way of communicating. 4 communication. Users can send and I. What is “Facebook Messages?” receive SMS messages (i.e., text messages), e-mails, chats, and traditional private messages from one centralized Facebook, the world’s most visited 5 website,1 announced in November that it location. In Facebook’s words, you simply choose a person and type a will unveil what CEO Mark Zuckerberg 6 believes is the future of modern message; the medium of communication communication: Facebook Messages.2 is immaterial. The new messaging system’s three In addition to sending messages, anticipated “features” are seamless chats or instant messages, and SMS messaging, conversation history, and a (text), Facebook Messages will also allow “social inbox.” users to send and receive e-mails. While Facebook’s new messaging framework is 7 II. Seamless Messaging not e-mail, Facebook Messages provides every Facebook user with an The new messaging system will @Facebook.com e-mail address. combine multiple forms of Individuals without Facebook accounts Page 62 THE PRIVACY PROJECT IV – 2011 can communicate with Facebook users Dan since the beginning of your via a user’s @Facebook.com e-mail Facebook-based communications together address. In other words, you can now use in one location. In Facebook’s words: Facebook to communicate with your “You can see everything you’ve friends and colleagues who do not have discussed with each friend as a single Facebook accounts by giving them your conversation.”12 @Facebook.com e-mail address. It remains to be seen whether Facebook will IV. Social Inbox allow users to send messages from other e-mail services like Hotmail or Gmail. In addition to providing Facebook Like traditional e-mail, Facebook users with a means to communicate with Messages will allow users to forward e- individuals outside Facebook, Facebook mails and send attachments (not only Messages will also condense all of a links and photographs, but also external user’s correspondence – of all types – into files).8 Yet unlike traditional e-mail, e- one prioritized Social Inbox.13 Unlike mails sent and received through Facebook traditional e-mail, using an will not have traditional cc, bcc or subject @Facebook.com e-mail address allows lines because, according to Zuckerburg, users (by default) to receive only those are formalities that are unneeded, messages from their Facebook friends and and even unwanted, in a modern friends of friends. Rather than having e- messaging system.9 By adding some mails from friends and family appear features normally found in e-mail and sandwiched between bills and junk mail, removing others, Facebook Messages is Facebook Messages provides its users designed to resemble text messaging, with a list of messages organized by with the hope that users will find it to be sender. Of course, @Facebook.com users “informal, immediate, personal, simple, will still receive unsolicited e-mails, but minimal, and short.”10 they will be segregated into an “Other” folder, much like a more conventional III. Conversation History “Spam” folder.

Facebook lauds its new Facebook V. Facebook’s Reach Messages feature as archiving and organizing all of a user’s conversations -- To be sure, Facebook-based no matter the medium -- in one communication is widespread: Facebook location.11 By threading messages, has over 500 million users, 350 million of Facebook Messages provides users with a which send over 15 billion “person-to- single history of every conversation with person messages” each month using a particular person. For example, if you Facebook’s current messaging communicate with your college friend infrastructure, and Facebook’s instant Dan using SMS (text) messages, e-mail, message service enables over 300 million and traditional Facebook messages, users to send more than 120 billion Facebook Messages will thread all of messages each month.14 Facebook your messages sent to and received from Messages --not to be confused with the Crispin v. Christian Audigier, Inc. Page 63 existing message infrastructure now in which includes “any wire, radio, use -- is currently being offered by electromagnetic, photooptical or invitation only, and Facebook plans to photoelectronic communications and any roll out Facebook Messages to all users in computer facilities or related electronic the coming months.15 equipment for the electronic storage of such communications.”21 A person or VI. Facebook and the Stored entity who does not qualify as an RCS or Communications Act16 ECS provider can “disclose with impunity the contents of an electronic Private messages exchanged on communication unlawfully obtained from social networking sites are now protected electronic storage.”22 from disclosure by social networking providers served with non-party civil VIII. Crispin v. Christian Audigier, Inc. subpoenas, at least according to one court. In May 2010, the U.S. District Crispin v. Christian Audigier, Inc. Court for the Central District of involved copyright infringement and California issued an order quashing breach of contract claims by artist subpoenas served on Facebook and Buckley Crispin against Christian MySpace, Inc. (“MySpace”) and website Audigier, his clothing company, and its hosting company Media Temple, Inc. sublicensees alleging that Audigier (“Media Temple”) because these violated an oral license granting Audigier businesses qualified as electronic the right to use specific works of communication service (ECS) providers Crispin’s art in the manufacturing of and remote computing service (RCS) certain types of clothing.23 In connection providers under the Stored with the suit, the defendants served Communications Act (SCA).17 document subpoenas on four non-party businesses, including Facebook, VII. About the SCA MySpace, and Media Temple. The subpoenas sought Crispin’s subscriber The SCA prohibits RCS providers information, all communications between and ECS providers -- with some Crispin and a particular artist, and all exceptions18 -- from knowingly communications referring or relating to disclosing (either voluntarily, or Audigier, his clothing company, the Ed involuntarily in response to direction Hardy brand (which was also designed by from the government) an individual’s Audigier), and any of the defendant private communications or records.19 sublicensees.24 The defendants claimed ECS providers are “any service which that the information sought in the provides to users thereof the ability to subpoena was relevant to the nature of the send and receive wire or electronic alleged oral license between Crispin and communications,” and RCS providers Audigier.25 supply “to the public computer storage or Crispin filed a motion to quash the processing services by means of an subpoenas on three grounds, including electronic communications system,”20 that the subpoenas sought electronically Page 64 THE PRIVACY PROJECT IV – 2011 stored information protected from A. Are the private messages and disclosure under the SCA.26 Magistrate e-mails in “electronic Judge John E. McDermott held that the storage?” SCA did not apply to Facebook, MySpace, or Media Temple, that the SCA Determining that the sites qualified does not protect ECS providers from as ECS providers was only the first step disclosure compelled by subpoena, that in the Crispin court’s analysis because the SCA only prohibits ECS providers ECS providers are only prohibited from from disclosing communications held in divulging “the contents of a “electronic storage,” and that the communication while in electronic communications in question were not storage by that service.”32 Under the held in “electronic storage” as defined by SCA, the term “electronic storage” refers the SCA.27 to “(A) any temporary, intermediate storage of a wire or electronic IX. Facebook, MySpace, and Media communication incidental to the Temple’s Status as “Providers” electronic transmission thereof; and (B) any storage of such communication by an On reconsideration, District Judge electronic communication service for Margaret M. Morrow found that the purposes of backup protection of such communications in question were communication.”33 Evaluating whether protected from disclosure because an ECS provider holds a communication Facebook, MySpace, and Media Temple in electronic storage also implicates the qualified as both ECS providers and RCS statute’s provisions regarding RCS providers under the SCA. Citing (among providers. An RCS provider: other decisions) the Ninth Circuit’s decisions in Quon v. Arch Wireless may not divulge the content of any Operating Co.28 and Thoefel v. Farey- communication received by Jones,29 Judge Marrow found that the electronic transmission that is providers of text messaging and e-mail carried or maintained on its service services qualified as ECS providers for a customer or subscriber “solely because they enabled users to send and for the purpose of providing storage receive electronic communications.30 or computer processing services to After recognizing that Facebook, [the] subscriber or customer, if the MySpace, and Media Temple provide provider is not authorized to access “private messaging or e-mail services” the contents of [the] like traditional web-based e-mail communications for purposes of providers, Judge Morrow held that all providing ... services other than three sites were ECS providers within the storage or computer processing.”34 meaning of the SCA.31 After analyzing decisions from various circuits, the Crispin court held that, with respect to messages (i.e., Facebook and MySpace private messages Crispin v. Christian Audigier, Inc. Page 65 and Media Temple’s e-mail messages) more difficult question because “in the that had not been opened and/or read by context of a social-networking site such the recipient, the three sites operated as as Facebook or MySpace, there is no ECS providers and the relevant messages temporary, intermediate step for wall were held in “electronic storage” because postings or comments…there is no step such storage was “temporary” and whereby a Facebook wall posting must be “immediate” under the SCA. With opened, at which point it is deemed respect to messages that had been read received.”40 This complexity led the and retained by the addressee, the three Crispin court to a somewhat incongruous sites operated as RCS providers supplying result. Noting precedent standing for “the storage services under the SCA.35 proposition that a user’s or an ECS provider’s passive decision not to delete a B. Are Facebook wall posts and communication after it has been read by MySpace comments in the user renders that communication “electronic storage?” stored for backup purposes as defined in the statute,” the court held that “a The Crispin defendants’ subpoenas Facebook wall posting or a MySpace also sought production of Crispin’s comment is not protectable as a form of Facebook wall and MySpace postings.36 temporary, intermediate storage.”41 In In evaluating whether these postings were other words, since there is no period protected, Judge Morrow compared them when a Facebook wall post or MySpace to an electronic version of the traditional comment is being held in storage before it “cork-and-pin bulletin board,” and noted is viewed by the recipient, the that the level of privacy a user selects communications are only protected if held when determining who can view these for backup purposes when the user opts communications is important: not to delete the communication. “Unquestionably, the case law… Alternatively, Judge Morrow held require[s] that the [bulletin board service that Facebook and MySpace also (“BBS”)] be restricted in some fashion; a qualified as RCS providers under the completely public BBS does not merit SCA. The court analogized Facebook protection under the SCA.”37 A private wall posts and MySpace comments to BBS, on the other hand, fits within the videos posted (and subsequently stored) SCA’s definition of ECS and is protected on YouTube that the user can keep from disclosure based on SCA legislative private using YouTube’s privacy history and court precedent.38 So long as settings.42 Facebook wall posts and access to the Facebook wall posts and MySpace comments are similarly MySpace comments is restricted in some “accessible to a limited set of users way, the court held that the sites are ECS selected by the poster and are stored on a providers.39 page provided by the website.”43 While e-mail communications held in However, because the court did not have electronic storage by an ECS provider are information regarding Crispin’s privacy protected under the SCA, Facebook wall settings and the extent to which Crispin posts and MySpace comments present a allowed or denied access to his Facebook Page 66 THE PRIVACY PROJECT IV – 2011 wall and MySpace comments, Judge One of the claimed features of Morrow remanded the issue for an Facebook Messages is its cataloging of a evidentiary hearing on these questions.44 user’s conversations into one centralized location, or “Conversation History.” X. Crispin and the Future of Facebook analogizes this feature to a Electronic Communication Privacy shoebox full of love letters beginning with a couple’s first meeting, continuing It remains to be seen how the SCA through their courtship, and up to and will apply to Facebook’s new and including a message about which parent potentially revolutionary messaging is picking up their child from soccer system. After all, the SCA was drafted practice.47 The cataloging of e-mails, “before the advent of the World Wide SMS messages, chats, and private Web in 1990 and before the introduction messages seems to qualify as long-term of the web browser in 1994,” and “is not storage of communications consistent built around clear principles that are with the services supplied by an RCS intended to easily accommodate future provider under the SCA. It appears that changes in technology.”45 “As a result, the courts have not yet tackled the issue the existing statutory framework is ill- of whether instant messages exchanged suited to address modern forms of through Facebook are protected under the communication,” and “[c]ourts have SCA. Does grouping instant messages struggled to analyze problems involving with e-mails and private messages -- modern technology within the confines of which clearly are protected under the this statutory framework, often with SCA -- automatically insulate instant unsatisfying results.”46 messages from disclosure pursuant to a It seems unlikely that a court civil subpoena served on a non-party? following Crispin’s analysis would Crispin certainly seems to suggest a distinguish between e-mail sent through willingness to extend privacy protections Facebook Messages using an to new forms of electronic @Facebook.com e-mail address, communication in the context of non- traditional e-mails, or private person-to- party civil subpoenas. person Facebook Messages. The Crispin court protected Crispin’s private XI. Obtaining Otherwise Private Facebook messages by analogizing those Electronic Information by Other messages to traditional e-mail, the latter Means of which has been consistently treated as protected under the SCA. If private The court in Crispin was only Facebook messages and traditional e- confronted with the issue of whether the mails are both protected from non-party relevant communications were protected disclosure pursuant to a civil subpoena, it under the SCA from compelled disclosure is likely that e-mails sent using Facebook by a non-party civil subpoena. Messages would receive similar Interestingly, the SCA deals primarily protection. with government demands for disclosure of electronic communications; the SCA Crispin v. Christian Audigier, Inc. Page 67 does not explicitly reference the service 48 of civil document subpoenas. Troubled 1 Daniel Ionescu, Google Names Facebook by the notion of “a user’s entire portfolio Most Visited Site, PC WORLD, May 28, 2010, of stored communications and data http://www.pcworld.com/article/197431/googl [becoming] fair game for an adversary,” e_names_facebook_most_visited_site.html. 2 the Crispin court created essentially a Miguel Heft, Facebook Offers New blanket immunity with respect to civil Messaging Tool, N.Y. TIMES, Nov. 15, 2010, http://www.nytimes.com/2010/11/16/ subpoenas by interpreting “the absence of technology/16facebook.html?_r=1&scp=1&sq a provision in the [SCA] for compelled =facebook%20messages&st=cse. third-party disclosure to be an intentional 3 Joel Seligstein, See the Messages that omission reflecting Congress’s desire to Matter, THE FACEBOOK BLOG, Nov. 15, 2010, protect users’ data, in the possession of a http://blog.facebook.com/blog.php?post third-party provider.”49 Some of the =452288242130. 4 electronic communications protected Id. 5 Heft, supra note 2. from disclosure pursuant to a non-party 6 civil subpoena under Crispin would still Seligstein, supra note 3. 7 Id. be subject to compelled disclosure to a 8 Help Center, The Facebook, http://www. government entity under certain facebook.com/help/?page=18845 (last visited circumstances as stated in 18 U.S.C. § 12/7/2010) 50 2703. Moreover, some, or perhaps all, 9 Gabriel Perna, Facebook Debuts New of the communications protected from Messaging Service, INTERNATIONAL BUSINESS non-party discovery under Crispin could TIMES, Nov. 16, 2010, http://www.ibtimes. nonetheless be subject to production in com/articles/82363/20101116/facebook- messaging-e-mail-mark-zuckerberg.htm. response to discovery requests served on 10 adversarial parties.51 Bianca Bosker, Facebook Unveils Email Addresses, New Messaging Features, THE The Crispin decision represents one HUFFINGTON POST, Nov. 15, 2010, court’s attempt to reconcile ever- http://www.huffingtonpost.com/2010/11/15/fa changing information technology with cebook-email-addresses- individual privacy rights and a litigant’s _n_783697.html#s182605. right to discovery of electronic 11 Seligstein, supra note 3. information. As Facebook continues to 12 Id. 13 embed itself in our communicative lives, Id. 14 it seems inevitable that other courts will Kannan Muthukkaruppan, The Underlying have to tackle the daunting task of Technology of Messages, Nov. 15, 2010, http://www.facebook.com/notes/facebook- evolving our jurisprudence to keep pace engineering/the-underlying-technology-of- with, or at least catch up to, information messages/454991608919. technology innovations like Facebook 15 Seligstein, supra note 3. Messages. Until then, under the Crispin 16 18 U.S.C. §§ 2701-12. analysis, Facebook users should be able 17 Crispin v. Christian Audigier, Inc., 717 F. to continue to communicate via Facebook Supp.2d 965 (C.D. Cal. 2010). 18 and enjoy the protections of the SCA in ECS and RCS providers may disclose the the context of non-party civil subpoenas. contents of a communication to third parties in several instances, including, inter alia: (i) to the intended addressee of the communication; Page 68 THE PRIVACY PROJECT IV – 2011

(ii) with consent of the originator or addressee that the text message pager service did not (or subscriber, in the case of RCS providers) qualify as an RCS provider -- despite the fact of the communication; (iii) to a person that the provider archived messages on its employed or authorized or whose facilities are server -- because the provider allowed users to used to forward such communication to its send and receive electronic communications destination (iv) as necessary for the provider and any storage of messages was for backup to render service, or to protect the right or purposes and was a “temporary, immediate property of the provider; (v) to law storage of communications incidental to the enforcement agencies if the contents “were electronic transmission thereof.” Crispin, 717 inadvertently obtained by the service provider, F. Supp.2d at 978-79 (citing Theofel v. Farey- and appear to pertain to the commission of a Jones, 359 F.3d 1066, 1070 (9th Cir. 2004) crime;” (vi) “to a governmental entity if the and 18 U.S.C. § 2510(17)). provider, in good faith, believes that an 29 359 F.3d 1066 (9th Cir. 2004). emergency involving danger of death or 30 Crispin, 717 F. Supp.2d at 979-80. serious physical injury to any person requires 31 Crispin, 717 F. Supp.2d at 980. disclosure without delay of communications 32 18 U.S.C. § 2702(a)(1). relating to the emergency.” 18 U.S.C. § 33 18 U.S.C. § 2702(a)(1); 18 U.S.C. § 2702(b)(1), (3), (4), (5), (7), and (8). A 2510(17). government entity can compel ECS and RCS 34 Crispin, 717 F. Supp.2d at 973 (quoting 18 providers to disclose electronic U.S.C. § 2702(a)(1) and (2)). communication -- to varying degrees -- using: 35 Crispin, 717 F. Supp.2d at 987. Note also (1) a subpoena; (2) a subpoena with notice to that the Crispin court was not presented with the subscriber; (3) a court order issued facts about the three sites’ storage of pursuant to 18 U.S.C. § 2703(d); (4) a court communications on their own private servers; order issued pursuant to § 2703(d) with prior instead, the court only dealt with notice to the subscriber; and (5) a search communications that were retained by Crispin. warrant issued according to the requirements However, with respect to storage on servers of the Federal Rules of Criminal Procedure or beyond that which was available to Crispin, state warrant procedures. 18 U.S.C. § 2703. the court noted “such archived copies [of The extent of the compelled disclosure varies messages] would plainly be for backup depending on the mechanism used by the purposes.” 717 F. Supp.2d at 987, FN 46. government entity, and on the classification of 36 Both Facebook and MySpace allow users to the relevant provider as an ECS or RCS post comments on other users’ profile pages provider. (e.g., Facebook wall postings) which are not 19 18 U.S.C. § 2702(a). private person-to-person messages but are 20 18 U.S.C. § 2711(2). instead viewable by a group of other users. 21 18 U.S.C. § 2510(14). “Facebook wall postings and the MySpace 22 Crispin, 717 F. Supp.2d at 973 (quoting comments are not strictly ‘public,’ but are Wesley College v. Pitts, 974 F. Supp. 375, 389 accessible only to those users plaintiff (D.Del. 1997) (citing 18 U.S.C. § 2702(a))). selects.” Crispin, 717 F.3d at 980. 23 Crispin, 717 F. Supp.2d at 968. 37 Crispin, 717 F. Supp.2d at 980-81. 24 Id. at 969. 38 Id. (citing, e.g., U.S. v. Steiger, 318 F.3d 25 Crispin, 717 F. Supp.2d at 969. 1039, 1049 (11th Cir. 2003), Konop v. 26 Id. Hawaiian Airlines, Inc., 302 F.3d 874, 875 27 Id. at 969-70. (9th Cir. 2002)). 28 529 F.3d 892 (9th Cir. 2008). According to 39 Crispin, 717 F. Supp.2d at 989. Judge Morrow, the court in Quon also found 40 Id. Crispin v. Christian Audigier, Inc. Page 69

41 Crispin, 717 F. Supp.2d at 989. 42 Id. at 990 (citing Viacom International Inc. v. YouTube Inc., 253 F.R.D. 256 (S.D.N.Y.2008)). 43 Crispin, 717 F. Supp.2d at 990. 44 Id. at 991. 45 Crispin, 717 F. Supp.2d at 972 (quoting William Jeremy Robison, Note, Free at What Cost? Cloud Computing Privacy Under the Stored Communications Act, 98 GEO. L.J. 1195, 1198 (2010)). 46 Crispin, 717 F. Supp.2d at 972 (quoting Konop, 302 F.3d at 874). 47 Seligstein, supra note 3. 48 Crispin, 717 F. Supp.2d at 974-75. 49 Id. at 975 (quoting Robison, supra note 45 at 1208-09 (footnote omitted)). 50 A government entity, “after fulfilling certain procedural and notice requirements, [can] obtain information from an RCS provider via administrative subpoena or grand jury or trial subpoena.” Crispin, 717 F. Supp.2d at 974-75 (citing 18 U.S.C. § 2703(b)). The SCA also “permits a governmental entity to obtain information from an ECS provider only pursuant to criminal warrant if the communication has been held by the provider for fewer than 180 days. In all other cases, the governmental entity can obtain information from an ECS provider using the subpoena procedures set forth in § 2703(b).” Crispin, 717 F. Supp.2d at 975. 51 See, e.g., Romano v. Steelcase, Inc., 907 N.Y.S.2d 650, 655-54 (N.Y. Sup. Ct. 2010) (granting defendant’s motion to compel disclosure of public portions of plaintiff’s Facebook and MySpace pages and noting that defendant’s need for the information outweighed plaintiff’s privacy concerns). United States National Security: Biometrics and Privacy in Iraq

By Leta Gorman and John Spomer Leta Gorman is a shareholder in “Sources of identification are the last Bullivant Houser Bailey, P.C.’s Portland, opportunity to ensure that people are who Oregon office, where her practice focuses they say they are and to check whether on the defense of manufacturers of they are terrorists.” consumer and industrial products. Leta is a member of the International “For terrorists, travel documents are as Association of Defense Counsel important as weapons.” (“IADC”). She is a frequent speaker at local and national legal conferences, -- The 9/11 Commission Report including the 2010 IADC Corporate Counsel College. She also served on the N September 11, 2001, 19 faculty of the 2010 IADC Trial Academy. “O terrorists boarded aircraft in Leta received her undergraduate degree Boston, Massachusetts and Dulles, from the University of Washington, Virginia and changed our world. All Jackson School of International Studies, had successfully passed through where she focused on U.S. Foreign Policy security screening prior to boarding and Diplomacy. the aircraft and, previously, had also John Spomer is a senior associate successfully passed through Bullivant Houser Bailey, P.C.’s immigration screening while entering Sacramento, California office. His the country. A suspected 20th practice focuses on both commercial terrorist had been refused entry by a litigation and general business suspicious immigration inspector at transactions, with particular emphasis on Florida’s Orlando International mergers and acquisitions, corporate Airport the previous month. Of the governance, corporate formations and remaining 19 terrorists, 18 had been financing and commercial leasing. issued U.S. identification documents. The global war on terror had reached the debate are those who believe that American soil, and the terrorists had essential liberties, such as privacy, must already realized how important never be given up or compromised. On identify was to be in this fight.”1 the other side are those who believe that the threat of terrorists operating in the I. Introduction U.S., who have access to weapons capable of causing incredible destruction, The tragic events of September require that Americans lower their 11, 2001 have generated much debate expectations of privacy. “over the extent to which individual This debate over the right to privacy privacy must give way in the quest versus concerns of national security has for greater security.”2 On one side of extended overseas to include the privacy rights of citizens of other countries. In United States National Security: Biometrics and Privacy in Iraq Page 71

Iraq, for over four years now, U.S. biometrics is the use of statistical military troops have been using scanners methods to analyze data from human to collect the fingerprints, iris scans and clinical trials that evaluate the relative other personal information of millions of effectiveness of competing treatments for Iraqi civilians. This data is then stored in disease.5 Another example involves the a central database that can be used to use of statistics to analyze data from protect the national security of the U.S. environmental studies regarding the by locating possible suspects in past and effects of pollution on the rate of human future terrorist attacks. The system of disease in a particular region.6 Recently, collecting this information, called however, the term “biometrics” has “biometrics,” is at the center of a received mainstream recognition because controversy that several human rights of its reference to the emerging field of groups are concerned is putting the lives technology associated with the of many Iraqis at risk on a daily basis. identification of individuals using Most, if not all, Americans will agree biological traits, such as those based on that U.S. national security and the fingerprints, retinal or iris scanning, or protection of U.S. citizens is of critical face recognition.7 import. After discussing the nature of Biometrics currently has several biometrics generally, the article will applications in the United States, both on discuss the current use of biometrics in governmental and commercial levels. For Iraq by the U.S. military to ensure U.S. example, biometrics is currently used at national security. The article then turns United States’ borders to ensure that the focus on the privacy concerns of the persons who are a known threat are not Iraqi civilians who fear that the private allowed entrance. Specifically, the biometric data collected by the U.S. to government utilizes a biometrics system, protect Americans will be used as a sort called “US-VISIT,” designed to identify of a “hit list” against innocent Iraqi lives. persons seeking entry into the United Finally, the article proposes several “best States who are a terrorist threat, while practice” guidelines that should be facilitating the flow of legitimate persons carefully considered by the U.S. into and out of the country.8 It contains government in operating and maintaining fingerprints, photographs and a biometrics system in Iraq. biographical information on foreign persons entering the country through II. Biometrics and its Applications ports of entry, those apprehended by the Customs and Border Protection or Historically, the term “biometrics” Immigration and Customs Enforcement, has referred to the “development of persons deported from the U.S., persons statistical and mathematical methods who have applied for border crossing applicable to data analysis problems in cards in Mexico, persons who have the biological sciences.”3 In 1948, R. A. applied for asylum, and lookout data.9 Fisher defined “biometry” as “the active US-VISIT closely coordinates with other pursuit of biological knowledge by U.S. government agencies, such as the quantitative methods.”4 One example of Department of Justice, to incorporate Page 72 THE PRIVACY PROJECT IV – 2011 information on foreign born individuals confirm the member's identity.19 that are wanted for crimes or suspected of Moreover, the system itself is voluntary terrorism.10 Upon arrival at a port of and members can still gain access to the entry, the individual has finger scans and club simply by showing their driver's a photograph taken.11 The purpose is to license.20 24 Hour Fitness claims that ensure that the person granted the visa is customer response has been extremely the same person attempting to gain entry favorable, including a 97% acceptance with that visa.12 rate among members in its northern Additionally, U.S. passports with division.21 facial biometric data were scheduled to be Walt Disney World® is responsible issued beginning in 2005.13 Technical for the nation’s largest single commercial difficulties, however, are delaying the application of biometrics.22 At The Walt integration of biometrics into passports in Disney World in Orlando, biometric both the United States and European measurements are taken from the fingers Union (“EU”).14 Some of these problems of multi-day pass users to ensure that the include the compatibility of reading pass is used by the same person from day devices, information formatting, and the to day.23 Privacy advocates criticize this nature of content (e.g. the United States usage of biometrics, arguing that it and United Kingdom currently expect to requires the customer to divulge too much use only image data, whereas the EU personal information simply for access to intends to use fingerprint and image data roller coasters.24 They also argue that in their passport biometric chip(s)).15 Disney fails to fully disclose the purpose On a commercial level, people are of its new system, citing that there are no finding biometrics more prevalent than signs posted at the entrances detailing ever in their daily lives. 24 Hour Fitness, what information is being collected and for example, recently introduced a how it is being used.25 cardless check-in system nationwide that Disney, meanwhile, counters that the uses fingerprint scans to identify scanned information is stored members.16 The company touted the cost “independent of all of our other systems” savings and environmental benefits from and “the system purges [the information] not having to issue about 1 million plastic 30 days after the ticket expires or is fully membership cards each year as an utilized.”26 Visitors who object to the incentive to go with a fingerprint fingerprint scanners can provide photo identification system.17 Instead of identification instead, although the option electronically scanning and storing is not advertised at the park entrances.27 members' full fingerprints, the system Although Walt Disney World in Orlando charts the distance between certain ridges is the only Disney location to use this of a fingerprint and converts the biometric technology at its entrances, information into a binary code that is other theme parks, such as Sea World and encrypted.18 To enter the club, a member Busch Gardens, have begun to use similar places their finger on an electronic technology.28 scanner and then enters a unique 10 digit The federal government has taken code on a keypad, which, together, notice of Disney’s use of biometrics. In United States National Security: Biometrics and Privacy in Iraq Page 73 fact, the federal government recently every time a foreign leader has visited sought out Disney’s advice in Washington, D.C. over the past few intelligence, security and biometrics.29 years, the federal government has made One Disney executive was part of a group sure that the leader enters into such an convened by the Federal Aviation agreement.34 Administration and other federal agencies Despite the concerns about to help develop a plan for “Passenger safeguarding biometric information, the Protection and Identity Verification” at use of biometrics continues to spread airports, using biometrics.30 The worldwide. The United Kingdom uses executive, Gordon Levin, also was part of biometrics in some of its schools as a a group asked by the National Institute of quick way for children to subtract money Standards and Technology and the from lunch spending accounts.35 And in National Security Agency to develop Germany, the biometrics business has national standards for the biometrics grown from about $15 million in 2004 to industry.31 more than $400 million last year.36 Even when used on a solely Germany was also one of the first commercial level, however, biometrics countries to implement biometric still poses a risk to an individual’s technology at the Olympic Games to security. Privacy activists in many protect German athletes.37 At the countries have criticized the technology’s Olympic Summer Games in Athens, use for the potential harm to civil Greece in 2004, accredited visitors to the liberties, privacy, and the risk of identity German Olympic village (e.g., athletes, theft. When thieves cannot get access to coaching staff, team management and secure properties, there is a chance that members of the media) received an the thieves will stalk and assault the identification card containing their property owner to gain access. If the item fingerprint biometrics data, which is secured with a biometric device, the enabled them to access the “German damage to the owner could be House.”38 irreversible, and potentially cost more than the secured property. In 2005, for III. Biometrics and its Impact on Iraq example, car thieves cut off the finger of a Mercedes owner when attempting to Biometrics in Iraq has a far more steal the car, which was protected by a significant impact than its use at theme fingerprint recognition system.32 parks and gyms. For nearly 1,500 years, In addition to collecting biometric the Sunni and Shiite Muslims have been information, many countries, including engaged in an open and bloody conflict. the United States, have begun trading As the two major denominations of Islam, biometric data. According to a recent it is estimated that 80-90% of the world’s article in National Defense, the United Muslims are Sunni and 10-20% are States Defense Department is under Shiite.39 Shiites, however, make up the pressure to share biometric data and has majority of the population in Iraq.40 The bi-lateral agreements to share biometric historic background of the Sunni–Shiite data with about 25 countries.33 In fact, split lies in the schism that occurred when Page 74 THE PRIVACY PROJECT IV – 2011 the Islamic prophet Muhammad died in checkpoints, attack sites, workplaces and the year 632 AD, leading to a dispute even homes.49 Today, there are at least over succession to Muhammad as a caliph three biometrics systems in operation in of the Islamic community spread across Iraq: (1) the Automated Fingerprint various parts of the world, which led to System, (2) the Biometrics Automated the Battle of Siffin.41 Sectarian violence Toolset, used to identify residents of a persists to this day in Iraq and has particular city, and (3) the Biometric become particularly heightened since the Identification System for Access, used for United States’ invasion.42 access to military and diplomat zones.50 Because there is no way to physically Personal information in the database tell a Sunni Arab from a Shiite Arab, includes an individual’s name, parents’ militiamen and insurgents are names, address, birth data, height and increasingly killing people based on weight.51 The information collected from common identification factors, such as a these biometric systems is then stored in a person’s name or whether that person central database inside the Pentagon’s resides in a province dominated by one Biometric Fusion Center.52 The database particular group.43 In June 2006, Sunni is administered by the U.S. military and gunmen dragged students from a bus, can be accessed by certain individuals identified and separated the Sunnis from within Iraq’s Interior Ministry and a the group, and then killed the 21 limited number of American remaining Shiites.44 A month later, contractors.53 Shiite gunmen set up fake checkpoints in The identification information in the Baghdad, dragged up to 50 people from database is used to help track suspected their cars and killed them after checking militants and identify suspects in attacks their identification cards.45 Accordingly, both on U.S. troops and Iraqi civilians.54 a growing number of Iraqis are changing Every military squad in Iraq is now their names to conceal their particular equipped with an electronic scanner that sect, many choosing “neutral” names can collect the records of up to 10,000 such as Ahmed or Muhammed.46 After people and display identification data, the bombing of a Shiite shrine in 2006 set allowing troops to view a person’s off a wave of sectarian violence, over background and decide whether he or she 1,000 Iraqis officially changed their should be detained.55 The information names.47 downloaded by the scanners is forwarded Despite the highly sensitive nature of to the central database, maintained by the an Iraqi’s name and residence, the U.S. military, and includes records of Iraqis military has been collecting the personal who have been detained or who work in information of Iraqi civilians in an U.S. facilities or for the Iraqi army or attempt to identify suspects in terror police.56 That data can be compared to attacks and stabilize various regions in fingerprints found at attack sites to find the country.48 To do so, the U.S. military potential suspects.57 began using mobile scanners in about Compliance with the biometric 2007 to gather fingerprints, iris scans and system in Iraq is effectively mandatory. other personal data from Iraqi civilians at U.S. troops have ordered Iraqi civilians, United States National Security: Biometrics and Privacy in Iraq Page 75 including children, out of their villages to the opportunity for improved security and record their fingerprints and iris scans audit controls in a centralized structure” before allowing them to return.58 Iraqis to offset many privacy concerns.68 The who refuse to give data can be blocked report goes on to discuss to discuss from neighborhoods, markets or other specific issues related to identity theft and places that require identification for biometrics.69 entry.59 As one military commander In general, the DSB report illustrates remarked, however, “virtually nobody some of the significant, touchstone issues refuses.”60 and makes numerous recommendations as After years of compiling information to how a vast biometric database should into its database, the U.S. military now be maintained and safeguarded by the has identification information on more U.S. government. To facilitate the than 2.5 million Iraqis.61 Lisa Swan, the current operation of the biometric deputy director of the U.S. Army’s database, President George W. Bush Biometric Task Force says that this issued Homeland Presidential Security biometric identification database has Directive 24 (“HSPD-24”) on June 5, allowed U.S. troops to capture more than 2008.70 The purpose of the directive was 400 “high-value individuals” in Iraq and to establish a “framework to ensure that Afghanistan over a one year period Federal executive departments and alone.62 agencies use mutually compatible In March 2007, the Defense Science methods and procedures in the collection Board (“DSB”) issued its report on storage, use, analysis, and sharing of Defense Biometrics to the U.S. biometric [information].”71 HSPD-24 Department of Defense.63 The DSB is a also calls for the privacy protection of Federal Advisory Committee established individuals under U.S. law, stating, “All to provide independent advice to the agencies shall execute this directive in a Secretary of Defense.64 The report lawful and appropriate manner, respecting focused on issues surrounding the use of the information privacy and other legal biometrics in the Department of Defense, rights of individuals under United States not only in Iraq, but worldwide.65 law, maintaining data integrity and Specifically, the 168 page report security, and protecting intelligence discusses biometric information sources, methods, activities, and sensitive management and sharing, research and law enforcement information.”72 Finally, development, technology, organizational HSPD-24 required the Attorney General issues and legal and privacy issues.66 In to create an “action plan” to implement acknowledging the various privacy risks the purpose and goals of the directive, involved with a biometric system, the including how “the information privacy report expressed “the clear need for the and other legal rights of individuals” establishment of uniform constructs in would be protected.73 It is unknown, complex areas of unsettled law and policy however, whether this action plan was related to biometrics, and privacy is a ever created or, if so, its contents. good place to start.”67 It also encouraged As for the future use of biometrics in the Department of Defense to “emphasize Iraq after the U.S. military departs, the Page 76 THE PRIVACY PROJECT IV – 2011 idea of turning over the database system consequences should protective measures to the Iraqi government is already being not be taken, it is paramount that specific considered. The Council on Foreign issues relating to the operation and use of Relations (“CFR”), an independent, the biometric database be considered and nonpartisan membership organization and addressed as soon as possible. “think tank,” has proposed a national identification program that would provide Iraqis with identification cards, similar to IV. Proposals for Establishing Security U.S. drivers’ licenses, with biometric data Measures over Biometric like fingerprints to be presented at Information in Iraq. security checkpoints.74 Combined with the existing biometric database system, The issue of privacy and securing the the identification cards would help identities of Iraqi civilians captured and “identify insurgents who blend in with the stored by a biometrics database is of civilian population.”75 Several problems immediate importance. In addition to the potentially exist with this plan, however. factors previously discussed, the First, there is the aforementioned problem technology of biometrics and its wide that the database could fall into the wrong variety of uses is growing considerably hands and be used for ethnic cleansing.76 faster than the policies related to its usage Another problem is the fact that an and consequences. As stated in the DSB estimated four million Iraqis are either report, “Effective security safeguards for internally displaced or living as refugees storage and use of biometrics information abroad and would not get identification are simply indispensible, and security cards, effectively denying them breaches in this area will be more than citizenship in their own country.77 There embarrassing. Due to the enormous are also issues regarding trusting the Iraqi importance that the Task Force attaches government with the vast amount of to biometrics generally, the future in this sensitive information contained in the area is simply too important to risk biometric database and whether the negative (or legislative!) reaction to country can afford to operate and avoidable errors.”79 maintain it.78 Before examining proposals for The current protocols and safety safeguarding the private information procedures designed to protect Iraqi contained in the biometric database, the civilians from the misuse of the vast proper agency or authority to promulgate amount of private information store in the these rules should be determined. biometric database is either unknown or Recognizing the desire to establish non-existent. Moreover, a plan to guidelines that can be followed both by ultimately transition the database the United States, currently, and Iraq, in information to the Iraqi government with the future after the database is turned over effective safeguards and procedures to to its government, it is tempting to first protect the privacy of the information consider an international body to oversee contained in the system also does not the adoption and adherence to these rules. exist. Given the potential for catastrophic The United Nations may seem like a United States National Security: Biometrics and Privacy in Iraq Page 77 particularly likely candidate. Its ability to right of privacy of these people when the draft a treaty or other set of rules with system is turned over to the Iraqi respect to such a specific issue and, even government. The DSB report suggests more importantly, its ability to enforce that the Office of the General Counsel, those rules, is doubtful in light of history, with assistance from the Department of however. Justice, should review the privacy For example, the International implications of biometrics within the Covenant on Civil and Political Rights Department of Defense.85 The results can (“ICCPR”) is a multilateral treaty adopted then be used by the Office of the by the United Nations General Assembly Secretary of Defense to create on December 16, 1966, which has been in comprehensive biometrics privacy force since March 23, 1976.80 It commits policies.86 its parties to respect the civil and political Although proposals for a specific set rights of individuals, including the right of rules relating to the entire biometric to life, freedom of religion, freedom of system is outside the scope of this article, speech, freedom of assembly, electoral it is helpful to examine certain “best rights and rights to due process and a fair practices” previously proposed by the trial.81 Article 17, in particular, mandates International Biometric Group (“IBG”) an individual’s right of privacy.82 The and which have particular relevance to United Nations High Commissioner for the privacy situation in Iraq.87 IBG Human Rights clarified that this right to groups these best practices into four privacy includes personal information categories: (1) scope and capabilities, (2) stored on computers and databanks, that data protection, (3) user control of parties must take effective measures to personal data, and (4) disclosure, protect against unauthorized access to this auditing, accountability, and oversight.88 information, and that this information is Within the category of Scope and never used for purposes incompatible Capabilities, particular emphasis in the with the treaties.83 The United States, use of a biometrics system in Iraq should however, ratified the ICCPR subject to focus on limiting the scope of the the non-self-execution declaration so that information gathered, as well as a careful it does not form part of the domestic law analysis of the scope of the system’s of the nation, effectively removing any actual and potential capabilities, such that obligation of the U.S. to comport with all of the system’s risks can be evaluated any of the covenant’s principles.84 and addressed.89 The DSB report places For the present time, the Department particular emphasis on communicating of Defense, which currently oversees the and understanding the purpose of the existing biometric database in Iraq, biometric system and limiting the data should not only promulgate specific collected to that purpose alone.90 procedures to protect against the Given the widespread sectarian unauthorized access and disclosure of violence in Iraq, the category of Data Iraqis’ personal information, but it must Protection is potentially the most also set up controls within the biometric significant in attempting to ensure the system that will continue to protect the safety of civilians from the unintended Page 78 THE PRIVACY PROJECT IV – 2011 consequences of a biometrics system. derived from such oversight should be Several methods can be deployed to help available “to facilitate public discussion best ensure that biometrics data is kept on the system’s privacy impact.”98 As a secure. For example, not only does the prerequisite to operating the biometric information itself need to be protected system, it should be clearly stated who is from theft but the means of transmitting responsible for system operation, to that data must also be kept secure.91 In whom questions or requests for addition, the system functions and data information are addressed, and what must be limited to certain personnel under recourse individuals have to resolve their certain conditions, with explicit controls grievances.99 Individuals should also be on usage and export set in the system.92 informed of any protections being taken The biometric data also should be kept to secure biometric information, separate from personal information about “including encryption, private networks, the individual, including the person’s secure facilities, administrative controls, name and address.93 Finally, a method and data segregation.”100 should be established by which a system Finally, in addition to formulating used to commit or facilitate privacy- rules and guidelines to protect the privacy invasive biometric matching, searches, or of Iraqi civilians, legal procedure issues linking “can be depopulated and must also be considered. For example, dismantled.”94 The responsibility for the evidentiary value, acceptance and making such a determination may rest standard of application of biometrics with an independent auditing group, measurements and identification must be outside of the Department of Defense, known before it is allowed in court.101 and would be subject to appropriate As the DSB noted, “In a appeals and oversight.95 counterinsurgency operation, like Iraq, The third category regarding User the biometrics identity system, how it Control of Personal Data is more functioned, where it resided, who was in difficult to achieve in insurgent areas, it and the standards by which that such as Iraq, where there is a compelling occurred was not known or regarded as interest for data to be retained for significant.”102 Accordingly, established verification or identification purposes, legal procedures need to be set in place in such that the option of unenrollment Iraq so that biometric data recovered from would render the system inoperable.96 a device, weapon, document, or other The final category involving the instrument is handled and presented in Disclosure, Auditing, Accountability, and such a way as to support the identification Oversight of the biometrics system is of and prosecution of suspected insurgents crucial significance in attempting to in court.103 develop protections of an individual’s In conclusion, it is important to bear privacy in Iraq. The centerpiece of this in mind a critical recommendation stated category is the creation of an independent in the DSB report, namely that privacy auditing body to ensure adherence to considerations be incorporated into the standards regarding data collection, design of any human identification storage, and use.97 In addition, the data system at an early stage.104 The U.S. United States National Security: Biometrics and Privacy in Iraq Page 79 military has already been using a comprehensive biometric system and 7 Id. 8 database in Iraq for nearly four years. DEFENSE SCIENCE BOARD, REPORT OF THE Yet it is uncertain whether any DEFENSE SCIENCE BOARD TASK FORCE ON regulations, or even suggested “best DEFENSE BIOMETRICS 131 (2007). 9 Id. practices,” exist to protect Iraqis from the 10 potential deadly misuse of the personal Id. 11 Id. information contained in the system. The 12 Id. 13 right to privacy exists as a fundamental Biometrics, NEW WORLD ENCYCLOPEDIA freedom enjoyed by American citizens in (AUG. 29, 2008), http://www.newworld this country. Today, Americans encyclopedia.org/entry/Biometrics#United_St increasingly are aware of the ates. government’s impact on their individual 14 Id. 15 privacy rights, as it seeks to protect these Id. 16 very same freedoms from future terrorist Steve Raabe, Fitness Club’s Fingerprint actions. Now, however, it is time for the Entry System Pumps Up Debate Over Biometric Identity, THE DENVER POST, United States to be vigilant in November 14, 2010, safeguarding these same basic rights http://www.denverpost.com/headlines/ci_1660 enjoyed by citizens a half world away, 1571. whose freedom for which this 17 Id. government is also fighting. 18 Id. 19 Id. 20 Id. 21 1 Id. National Science and Technology Council, 22 Karen Harmel, Walt Disney World: The BIOMETRICS in Government Post – 9/11, Government’s Tomorrowland?, NEWS 21, Advancing Science, Enhancing Operations, September 1, 2006, http://news August 2008, http://www.biometrics.gov/ initiative.org/story/2006/09/01/walt_disney_w Documents/Biometrics%20in%20Government orld_the_governments. %20Post%209-11.pdf. 23 2 The Canadian Press, Disney: It’s A Secure Fred H. Cate, Information Privacy in the World After All, CBC NEWS, September 5, War on Terrorism, White Paper, October 18, 2006, 2007. http://www.cbc.ca/technology/story/2006/09/0 http://web1.millercenter.org/debates/whitepap 5/tech-disney.html. er/deb_2007_1113_privacy.pdf. 24 3 Id. Definition of Biometrics, BIOMETRICS, A 25 Id. JOURNAL OF THE INTERNATIONAL BIOMETRIC 26 Id. SOCIETY, http://www.biometrics.tibs.org/ (last 27 Id. visited Dec. 7, 2010). 28 4 Id. R. A. Fisher, Biometry, BIOMETRICS, 1948, at 29 Karen Harmel, Walt Disney World: The 218. 5 Government’s Tomorrowland?, NEWS 21, Definition of Biometrics, BIOMETRICS, A September 1, 2006, http://news JOURNAL OF THE INTERNATIONAL BIOMETRIC initiative.org/story/2006/09/01/walt_disney_w SOCIETY, http://www.biometrics.tibs.org/ (last orld_the_governments. visited Dec. 7, 2010). 30 6 Id. Id. 31 Id. Page 80 THE PRIVACY PROJECT IV – 2011

32 Jonathan Kent, Malaysia Car Thieves Steal 44 Yahya Barzanji, Gunmen Kill 21 In Iraq, Finger, BBC NEWS, March 31, 2005, Many Of Them Students, THE WASHINGTON http://news.bbc.co.uk/2/hi/asia - pacific/43958 POST, June 4, 2006, http://www.washington 31.stm. post.com/wp-dyn/content/article/2006/06/04/ 33 Stew Magnuson, Defense Department AR2006060400155.html. Under Pressure To Share Biometric Data, 45 Edward Wong, To Stay Alive, Iraqis NATIONAL DEFENSE, January 2009, Change Their Names, THE NEW YORK TIMES, http://www.nationaldefensemagazine.org/archi September 6, 2006, ve/2009/January/Pages/DefenseDepartmentUn http://www.nytimes.com/2006/09/06/world/mi derPressuretoShareBiometricData.aspx. ddleeast/06identity.html. 34 Id. 46 Id. 35 Laura Emerson, Biometrics Company 47 Id. Brings New Level Of Protection To Las Vegas 48 In October 2005, the Iraqi constitution was Businesses, LAS VEGAS BUSINESS PRESS, approved. Article 17 of the Constitution sets November 22, 2010, forth two limited privacy rights. First, “Every http://www.lvbusinesspress.com/articles/2010/ individual shall have the right to personal 11/22/news/iq_39814564.txt. privacy so long as it does not contradict the 36 United Press International (UPI), Biometrics rights of others and public morals.” Second, Seen As Ultimate Secure ID, UPI.COM, “The sanctity of the homes shall be protected. November 24, 2010, Homes may not be entered, searched, or http://www.upi.com/Business_News/Security- violated, except by a judicial decision in Industry/2010/11/24/Biometrics-seen-as- accordance with the law.” Art. 17, Fed. Rep. ultimate-secure-ID/UPI-13281290633916/. of Iraq Const. (2005). The Iraqi armed forces 37 Will Sturgeon, Biometrics Used To Keep frequently did respect these privacy rights. German Olympians Safe, SILICON.COM, Iraqi armed forces regularly searched homes, August 11, 2004, workplaces, and individuals without first http://www.silicon.com/technology/security/2 obtaining a warrant or having probable cause. 004/08/11/biometrics-used-to-keep-german- Those captured in these searches were then olympians-safe-39123078/. indefinitely detained incommunicado. US 38 Id. State Dept., Human Rights Report 2006 – Iraq 39 THE PEW FORUM ON RELIGION AND PUBLIC (March 6, 2007), http://www.state.gov/g/ LIFE, MAPPING THE GLOBAL MUSLIM drl/rls/hrrpt/2006/78853.htm. 49 POPULATION, 8 (2009). Thomas Frank, U.S. Is Building Database 40 Id. On Iraqis, USA TODAY, July 12, 2007, 41 FEBE ARMANIOS, CONGRESSIONAL http://www.usatoday.com/news/world/iraq/20 RESEARCH REPORT FOR CONGRESS, ISLAM: 07-07-12-iraq-database_N.htm. 50 SUNNIS AND SHIITES, CRS-2-3 (2004). Jonathan E. Skillings, Biometrics And 42 Iraq 101: Civil War, MOTHER JONES, March Security In Iraq, CNET NEWS, August 17, 1, 2007, http://motherjones.com/politics/ 2007, http://news.cnet.com/8301-10784_3- 2007/03/iraq-101-civil-war. 9761654-7.html. 43 Edward Wong, To Stay Alive, Iraqis 51 Id. 52 Change Their Names, THE NEW YORK TIMES, Id. September 6, 2006, http://www.ny 53 Id. times.com/2006/09/06/world/middleeast/06ide 54 Thomas Frank, U.S. Is Building Database ntity.html. On Iraqis, USA TODAY, July 12, 2007, http://www.usatoday.com/news/world/iraq/20 07-07-12-iraq-database_N.htm. United States National Security: Biometrics and Privacy in Iraq Page 81

55 Id. U.N. GAOR Supp. (No. 16) at 52, U.N. Doc. 56 Id. A/6316 (1966), 999 U.N.T.S. 171, entered into 57 Id. force Mar. 23, 1976. 58 William Matthews, Double-Edged Sword: 81 Id. U.S. Biometric Database Yields Rewards – 82 Id. 83 And Risks, DEFENSE NEWS, August 24, 2009, General Comment No. 16 from the Office of http://www.defensenews.com/story.php?i=424 the High Commissioner for Human Rights: 6877. The right to respect of privacy, family, home 59 Thomas Frank, U.S. Is Building Database and correspondence, and protection of honour On Iraqis, USA TODAY, July 12, 2007, and reputation (Art. 17) (April 8, 1988), http://www.usatoday.com/news/world/iraq/20 http://www.unhchr.ch/tbs/doc.nsf/0/23378a87 07-07-12-iraq-database_N.htm. 24595410c12563ed004aeecd?Opendocument. 60 84 Id. 138 CONG. REC. S4781-84 (daily ed. Apr. 2, 61 William Matthews, Double-Edged Sword: 1992); S. EXEC. REP. NO. 102-23, at 15 (1992). 85 U.S. Biometric Database Yields Rewards – DEFENSE SCIENCE BOARD, REPORT OF THE And Risks, DEFENSE NEWS, August 24, 2009, DEFENSE SCIENCE BOARD TASK FORCE ON http://www.defensenews.com/story.php?i=424 DEFENSE BIOMETRICS 72 (2007). 6877. 86 Id. 62 Id. 87 IBG BioPrivacy Initiative: Best Practices 63 DEFENSE SCIENCE BOARD, REPORT OF THE For Privacy-Sympathetic Biometric DEFENSE SCIENCE BOARD TASK FORCE ON Deployment, International Biometric Group, DEFENSE BIOMETRICS (2007). LLC, http://www.bioprivacy.org/ (last visited 64 Id. December 8, 2010). 65 Id. 88 Id. 66 Id. 89 Id. 67 90 Id. at 71. DEFENSE SCIENCE BOARD, REPORT OF THE 68 Id. at 70. DEFENSE SCIENCE BOARD TASK FORCE ON 69 Id. at 72-82. DEFENSE BIOMETRICS 72 (2007). 70 Homeland Security Presidential Directive 91 IBG BioPrivacy Initiative: Best Practices 24: Biometrics for Identification and For Privacy-Sympathetic Biometric Screening to Enhance National Security, 2008 Deployment, International Biometric Group, WEEKLY COMP. PRES. DOC. 788 (June 5, LLC, http://www.bioprivacy.org/ (last visited 2008). December 8, 2010). 71 Id. 92 Id. 72 Id. at 790. 93 Id. 73 Id. at 791. 94 Id. 74 Lionel Beehner, Backgrounder: A National 95 Id. 96 ID Program For Iraq?, THE NEW YORK Id. 97 TIMES, May 29, 2007, http://www.ny Id. times.com/cfr/world/slot2_20070529.html. 98 Id. 75 Id. 99 Id. 76 Id. 100 Id. 77 101 Id. DEFENSE SCIENCE BOARD, REPORT OF THE 78 Id. DEFENSE SCIENCE BOARD TASK FORCE ON 79 DEFENSE SCIENCE BOARD, REPORT OF THE DEFENSE BIOMETRICS 130 (2007). 102 DEFENSE SCIENCE BOARD TASK FORCE ON Id. 103 DEFENSE BIOMETRICS 69 (2007). Id. 80 International Covenant on Civil and 104 Id. at 71. Political Rights, G.A. Res. 2200A (XXI), 21 Privacy in the Petition Process - Signing Your Privacy Away?

By Lauren A. Shurman, Lauren A. Shurman, a 2006 Monica S. Call, and graduate of Duke University School of John A. Anderson Law, and Monica S. Call, a 2004 graduate of Stanford Law School, are both litigation associates in the Salt Lake EARLY half the states in the United City office of Stoel Rives, LLP. N States have a petition or referendum IADC member John A. Anderson, a process for citizens to directly make or 1981 graduate of University of Virginia repeal laws. This form of direct School of Law, is a litigation partner in democracy has interesting First the Salt Lake City office of Stoel Rives, Amendment implications because petition LLP. Special thanks to Brigman L. signers have particular associational Harman for his excellent editorial rights they might like to protect by assistance. keeping their names private. Most state disclosure laws, however, permit the The recent United States Supreme public disclosure of the names of petition Court case of Doe v. Reed highlights the signers. Those that fear the loss of tension between these interests in the privacy through the disclosure of petition Digital Age. In Doe v. Reed, the Court signatures lament that that disclosure upheld Washington State’s disclosure laws—originally meant to prevent fraud laws against a First Amendment facial and promote confidence in the democratic challenge. The Court held that the process—now equip political opponents government’s interest in preserving the with a tool to harass and intimidate, integrity of the electoral process thereby discouraging participation in the permitted it to disclose the names of those democratic process. For these groups, that sign petitions. In that case, the signing a petition should be just as private petition signers feared harassment and as casting a secret ballot. In contrast, intimidation if their names were made those who seek full disclosure argue that public by the state and converted into an signing a petition is a public, legislative electronic searchable format by their act. In their view, disclosure is necessary political opponents. The decision left to prevent fraud and creates a more open the question of whether the petition informed electorate. The application of signers might succeed on their as-applied state disclosure laws to the electoral challenge. process has broad implications for The Court’s opinion in Doe v. Reed privacy rights in general, especially in and its guidance to lower courts that will this age of instantaneous information, be faced with as-applied challenges to where the Internet is the new political disclosure laws demonstrates the delicate battleground. balance of privacy rights in the electoral context.

Privacy in the Petition Process Page 83

I. Background on State Initiative and statewide initiative on the ballot was Referendum Processes Oregon, in 1904.6 The use of initiatives surged during the early part of the The initiative and referendum are twentieth century, but then dropped off “direct democracy” measures by which with the advent of World War I and the citizens can place statutes and Great Depression.7 The initiative constitutional amendments on the ballot. movement was reignited in 1978, when An initiative allows citizen-initiated California voters passed Proposition 13, statutes or constitutional amendments to which capped property taxes in the state be placed on the ballot after a certain to just 1 percent.8 After that, the use of number of signatures are collected on a the initiative and referendum process petition. Twenty-four states currently grew steadily, reaching a high point in allow for some form of an initiative (18 1996.9 In 1996, citizens placed 93 states allow constitutional amendments initiatives on statewide ballots, 47% of by initiative, and 21 states allow statutes which were approved by voters.10 In by initiative).1 Initiatives are also total, since Oregon’s first statewide commonly used by local and city initiative in 1904, 2,356 state-level governments. A referendum, by contrast, initiatives have been sent to the ballot, is a citizen-initiated proposal to repeal a and approximately 41% have been law that was previously enacted by the approved by voters.11 legislature. Like an initiative, a referendum is placed on the ballot after a II. Privacy and Voting threshold number of signatures is gathered on a petition. Twenty-four Although every state currently states currently allow for referendums, provides a secret ballot for voters, the though referendum use is less common states did not begin to adopt the secret than initiative use.2 Of the twenty-four ballot until the late 1800’s.12 The secret states that allow initiatives and ballot was adopted primarily as a means referendums, all but California treat the to combat abuses in the voting process petitions used to gather signatures as because the public means of voting public records under the states’ public previously employed by the states records statutes or “sunshine laws.”3 fostered voter coercion and bribery.13 The initiative and referendum Constitutional protections for secrecy processes were first promoted in the or privacy in voting and political activity United States, mostly in the west, during have gradually worked their way into the Progressive Era beginning in the First Amendment jurisprudence, 1890’s.4 The Progressives, who felt as primarily through the First Amendment’s though the representative form of right of freedom of assembly, which the government was out of touch with the Supreme Court has recognized citizens and controlled by special interest encompasses a right of freedom of groups, borrowed the initiative and association.14 In 1958, the Supreme referendum process from the Swiss Court in NAACP v. Alabama, recognized constitution.5 The first state to place a a “vital relationship between freedom to Page 84 THE PRIVACY PROJECT IV – 2011 associate and privacy in one’s Because of the importance of privacy associations.”15 The Court held that the and anonymity to First Amendment NAACP’s right to withhold its interests, the Court has subjected laws membership lists from the state was “so that seek to compel the disclosure of related to the right of the members to political speech to “exacting scrutiny.”22 pursue their lawful private interests Under this level of scrutiny, for a privately and to associate freely with disclosure requirement to pass muster, others” so as to come within the there must be a substantial relation protection of the Due Process Clause of between the disclosure requirement and a the Fourteenth Amendment, which sufficiently important governmental embraces freedom of speech.16 The interest.23 Applying the exacting scrutiny Court found this to be the case in light of standard, the Court has struck down laws the NAACP’s evidence that its members that banned the right to distribute had been subject to hostility and anonymous leaflets24 and that required economic and physical threats, such that petition gatherers to wear name tags,25 disclosure of its membership list would while upholding the Federal Election be likely to dissuade individuals from Campaign Act’s campaign contribution joining the association.17 disclosure requirements26. While Since NAACP v. Alabama, the Court acknowledging that each of the disclosure has reiterated the importance of privacy requirements at issue in those cases had in promoting First Amendment the potential to chill political speech, the interests.18 In Buckley v. Valeo, the Court Court reached different outcomes based noted that compelled disclosure of on how strongly the Court perceived the political speech “can seriously infringe on relationship between the government’s privacy of association and belief justification for the law and the guaranteed by the First Amendment.”19 information required to be disclosed. In The Court again noted in Brown v. Buckley v. Valeo, the Court found that the Socialist Workers ’74 Campaign Federal Election Campaign Act’s Committee that “privacy in group requirement that the names, addresses, association may in many circumstances and occupations of campaign contributors be indispensable to preservation of be made public was sufficiently related to freedom of association, particularly where the state’s interests in providing the a group espouses dissident beliefs.”20 electorate with information about political Several years later, in McIntyre v. Ohio candidates, deterring corruption by Elections Commission, the court exposing large contributions and acknowledged that the decision to remain expenditures, and in detecting violations anonymous in advancing political causes of campaign contribution limits.27 In was “an aspect of the freedom of speech McIntyre, by contrast, the Court held that protected by the First Amendment” and a law that barred anonymous political that the tradition of anonymity was leaflets was not sufficiently related to the “perhaps best exemplified by the secret state’s interests in informing the ballot, the hard-won right to vote one’s electorate and preventing fraud and conscience without fear of retaliation.”21 libel.28 With respect to the state’s Privacy in the Petition Process Page 85 informational interest, the Court held that suggests that the Court is willing to compelling disclosure of the speaker’s accept disclosure requirements, which identity did not add sufficient information inevitably result in a slight reduction in to the leaflet and that “[p]eople are the quantity of speech and the speakers’ intelligent enough to evaluate the source privacy, but only when doing so will of an anonymous writing.”29 With enhance the overall quality of political respect to the state’s interest in preventing speech and serve the government’s fraud or libel, the Court found that other interest in regulating the election process. provisions in the election code This analysis necessarily involves an sufficiently protected these interests.30 empirical weighing of costs and benefits that makes outcomes somewhat difficult Similarly, in Buckley v. ACLF, the Court to predict. held that a law that required individuals Issues surrounding the interplay handing out petitions to wear name tags between privacy and voting and other was not sufficiently related to the state’s political speech have come to the interests in administrative efficiency, forefront recently with the increasing use fraud detection, and informing voters, of the Internet to disseminate information especially because the state could meet about voters’ activities. Websites, such those interests through other means that as FundRace, provide information to the did not subject the petition circulators to general public about federal campaign “heat of the moment harassment,” as contributions in a searchable format.34 wearing a name badge might.31 FundRace claims to “make[] it easy to The Court has also acknowledged search by name or address to see which that the government’s interest in candidates or political parties your compelled disclosure is “diminished” friends, family, co-workers, and when dealing with minor political parties, neighbors are contributing to.”35 Many which are less likely to have a sound states offer “Am I registered to vote?” financial base, more likely to fear services on their websites, in which any reprisal, and are therefore more user can type in an individual’s name and vulnerable to the chilling effect that zip code or county to see if that individual compelled disclosure could have.32 is registered to vote and oftentimes Minor parties, however, are not per se whether they are a registered Democrat or exempt from compelled disclosure laws. Republican.36 For a fee, other websites Rather, minor parties may bring an as- advertise that they can provide voter applied challenge to such laws. By information to political campaigns, demonstrating “a reasonable probability including information about party that the compelled disclosure of a party’s affiliation, frequency of voting, and the contributors’ names will subject them to ethnicity of registered voters.37 threats, harassment, or reprisals from Privacy concerns become heightened either Government officials or private when these types of websites are targeted parties,” a minor party may obtain an towards controversial ballot measures, exemption from a compelled disclosure such as California’s recent Proposition 8, law.33 the state ballot measure defining marriage In sum, the “compelled disclosure” as only between a man and a woman. line of cases from the Supreme Court Under California’s campaign finance Page 86 THE PRIVACY PROJECT IV – 2011 disclosure law, information about anyone advancements all came to a head in the who contributed more than $100 to recent Doe v. Reed case. Like other cases Proposition 8 was made public, including the Court has faced recently, and will the contributors’ name, zip code, amount certainly face in the future, the Court had donated and, if the donor specified, to balance governmental interests with 38 employer. An anonymous group citizens’ privacy and technological collected this information about advances that make private information contributors and overlaid it with a Google 39 all the more accessible to the public at map at a website called eightmaps.com. large. Using this website, the identity and location of Proposition 8 supporters is A. Background made readily available to the public.

Supporters of the website argue that it empowers Proposition 8 opponents to At issue in Doe v. Reed was the exercise their First Amendment rights by, combination of Washington’s laws for example, boycotting businesses that concerning petitions and referendums and supported Proposition 8 and by engaging its Public Records Act. Washington is in debate with their neighbors who may one of the twenty-four states that permits appear on the website. But even its citizens to change legislation through 43 proponents of state disclosure laws were the referendum process. If enough uneasy about eightmaps.com.40 Many signatures are gathered in a petition, a contributors who appeared on the website referendum will be added to the general complained that they were subject to election ballot to allow the voters to harassment as a result.41 As the New decide whether to repeal legislation.44 A York Times commented, “The site pits … person signing a petition is required to put cherished values against each other: his or her legal name, address, and political transparency and untarnished signature.45 When the state determines if democracy versus privacy and freedom of there are sufficient signatures to include a 42 speech.” Indeed, although campaign measure on the ballot, Washington law disclosure laws were intended to enhance permits observers from both those that the political process by providing voters support and oppose a measure to be with helpful information about present to observe the state’s verification candidates, the use of such disclosure process “so long as they make no record laws in unintended ways, such as with of the names, addresses, or other eightmaps.com, may now threaten the information on the petitions or related very process it was intended to promote 46 by making some citizens afraid to records. . . .” Aside from the observer participate in the political process for fear provision, Washington law is silent of reprisal. concerning whether the names or other information on a petition are public III. Doe v. Reed documents. Washington’s Public Records Act The interplay between a state’s (“PRA”) requires each state agency to disclosure laws, the initiative and make available for public inspection and referendum process, and technological copying “all public records,” unless those Privacy in the Petition Process Page 87 records fall within certain exemptions.47 available.55 Sam Reed, the current The PRA was passed with the express Secretary of State for Washington, intent that Washington citizens remain considered the petitions to be public “informed so that they may maintain records and as a result, subject to the control over the instruments that they public records law.56 Some groups in have created.”48 In the context of support of the partnership law issued campaign finance disclosures, the policy press releases that they would make the of disclosure is further espoused by the names of petition signers available on the state of Washington: “mindful of the right Internet and in a searchable format.57 of individuals to privacy and of the This was all developing in desirability of the efficient administration Washington against the backdrop of the of government, full access to information debate in California over Proposition 8. concerning the conduct of government on Petition signers in Washington were every level must be assured as a concerned that the public availability of fundamental and necessary precondition their identities could lead to harassment to the sound governance of a free and intimidation, as it appeared to have society.”49 done so with respect to the Proposition 8 In 2009, Washington’s legislature supporters in California who contributed enacted a law to expand the state’s money to the cause.58 Two signers of the existing domestic partnership law to petition filed suit as anonymous John provide registered domestic partners Does arguing the Washington disclosure virtually all the state-law rights of laws were unconstitutional under both a married couples.50 The law was referred facial and an as-applied theory: (1) the to as the “everything but marriage bill.”51 disclosure of petition signers names was Citizens who opposed same-sex marriage unconstitutional because it would deter wanted to repeal the law and turned to people from signing petitions; and (2) Washington’s referendum process. The even if the disclosure law passes newly formed “Protect Marriage constitutional muster generally, these Washington” group organized to collect a plaintiffs were entitled to an exception to sufficient number of signatures on a the disclosure requirement because the petition and submitted it to the state for law was unconstitutional as-applied to final approval.52 their particular circumstances.59 The Supporters of the partnership law petition signers asked the court to requested copies of the petition under preliminarily enjoin the Secretary of State Washington’s PRA.53 Although not part from releasing the petition names.60 of the regulations governing petitions and referendums, Washington’s PRA B. Lower Court Decisions permitted public access to a wide range of documents in the possession of the The U.S. District Court for the state.54 For years, state officials had Western District of Washington granted taken the position that the names on the petition signers’ motion for a petitions were not considered public preliminary injunction on the basis that records and thus, were not made publicly they were likely to succeed on their facial Page 88 THE PRIVACY PROJECT IV – 2011 challenge and enjoined the release of the process than making the petition names petitions.61 Upon review, the Court of subject to general disclosure laws.72 Appeals for the Ninth Circuit reversed the injunction.62 On appeal to the U.S. D. U.S. Supreme Court Decision Supreme Court, the petition signers convinced the Court to stay the Ninth The U.S. Supreme Court held, 8-1, Circuit ruling, so the petitions would not that the First Amendment does not be released prior to the election.63 The categorically ban public access to the referendum was ultimately defeated and names and addresses of supporters of the state’s domestic partnership law is state-wide initiatives and referendums.73 now in effect.64 The Court determined that First Amendment challenges in the electoral C. Amicus Briefs context required the “exacting scrutiny” test where “the strength of the Given the backdrop of the gay- governmental interest must reflect the marriage issue, the case garnered media seriousness of the actual burden on the interest and the attention of many First Amendment rights.”74 As discussed organizations, who then filed amicus in more detail below, the Court left for briefs. Fifteen amicus briefs were filed in another day whether the privacy of support of the signers of the petition, 65 signers might outweigh the public interest and ten were filed in support of the State in disclosure if the signers could prove of Washington66. States with similar specific harm from disclosure. disclosures laws filed an amicus brief emphasizing the government’s interest in 1. The Majority Opinion making petitions publicly available.67 Some organizations discussed how the Chief Justice Roberts, joined by existence of the Internet has drastically Justices Kennedy, Ginsburg, Breyer, enhanced the ability for anyone to learn a Alito and Sotomayor, wrote for the great deal of information about an majority and as an initial matter, found individual.68 These organizations argued that the First Amendment applied because that if petition signers’ names and “[a]n individual expresses a view on a addresses are easily found in the Internet, political matter when he signs a petition. . it may be more difficult to convince . .”75 On the other side of the scale, the people to sign petitions.69 Other groups majority acknowledged that States are cited examples from around the world given “significant flexibility in where those who sign petitions face implementing their own voting threats and retribution.70 They argued systems.”76 The petition signers had that the petition signers should not be argued that the Court should apply the subject to such risks when Washington’s strict scrutiny test. In explaining why referendum law already allows for certain disclosure requirements were subject to public oversight to prevent fraud.71 In the less demanding “exacting scrutiny,” their view, much less intrusive means rather than “strict scrutiny,” the Court already exist to protect the electoral emphasized that the statute at issue was Privacy in the Petition Process Page 89

“not a prohibition on speech, but instead a Washington and other states filing disclosure requirement.”77 In Citizens amici briefs cited to several cases of United, the campaign finance case petition-related fraud.85 Even short of decided earlier that same term, the Court fraud, the Court noted that the state has an noted that “disclosure requirements may interest in allowing the petition signers’ burden the ability to speak, but they identities to be public to preserve the ‘impose no ceiling on campaign-related integrity of the electoral process in activities’ and ‘do not prevent anyone general.86 Although the government from speaking.’”78 The Reed Court relied might be positioned to combat fraud on a long history of First Amendment without disclosing the petition signers’ cases in the electoral context to provide names, the Court noted that citizens the “exacting scrutiny” standard.79 This themselves are in the best position to standard “requires a substantial relation uncover other types of problems in the between the disclosure requirement and a petition process: “Public disclosure also sufficiently important governmental promotes transparency and accountability interest.”80 Moreover, “[t]o withstand in the electoral process to an extent other this scrutiny, the strength of the measures cannot.”87 Thus, the majority government interest must reflect the held that the public disclosure laws were seriousness of the actual burden on First substantially related to the government Amendment rights.”81 interest in preserving the integrity of the Washington had argued that its electoral process. interests included “(1) preserving the The majority opinion left open the integrity of the electoral process by possibility that the petitioners could combating fraud, detecting invalid continue their legal challenge on an “as signatures, and fostering government applied” basis. The Court noted that transparency and accountability; and (2) “upholding the [disclosure] law against a providing information to the electorate broad-based challenge does not foreclose about who supports the petition.”82 The a litigant’s success in a narrower one.”88 Court found the first reason sufficiently The Court cited to what it considered the compelling that it did not address the relevant standard petitioners will have to second reason.83 The majority opinion satisfy on the as-applied challenge—the explained: disclosure may be unconstitutional if the petitioners can show “a reasonable The State’s interest is particularly probability that the compelled disclosure strong with respect to efforts to root of personal information will subject them out fraud, which not only may to threats, harassment, or reprisals from produce fraudulent outcomes, but either Government officials or private has a systemic effect as well: It parties.”89 The petition signers’ fight “drives honest citizens out of the now continues in the lower courts.90 democratic process and breeds distrust of our government.”84

Page 90 THE PRIVACY PROJECT IV – 2011

2. Concurring Opinions i. Justice Scalia Concurrence

While the decision at first glance Although Justice Scalia joined in the appears to be an easy one—8-1—there judgment upholding Washington’s were no less than six separate opinions in disclosure laws, his opinion is very the majority. Five justices joined Chief different from the majority. Justice Scalia Justice Robert’s majority opinion. Justice doubts whether the First Amendment Alito and Justice Breyer filed concurring even applies to the act of signing a opinions. Justice Sotomayor filed a petition because he views it as a concurring opinion joined by Justice legislative act.91 Justice Scalia repeats Stevens and Justice Ginsburg. Justice much of the analysis from his dissent in Stevens filed an opinion concurring in the McIntyre v. Ohio Elections part and concurring in the judgment, in Commission case, the case in which the which Justice Breyer joined. Justice court recognized the First Amendment Scalia joined in the judgment only and rights to distribute anonymous campaign wrote a separate concurring opinion. literature.92 Justice Scalia takes the The concurring opinions of Justice position that there is no First Amendment Scalia, Justice Sotomayer, and Justice right to anonymity.93 He cites to this Alito represent three very different country’s “longstanding traditions of approaches to balancing the privacy legislating and voting in public” to refute interests of the petition signers with the the claim that the First Amendment government’s interest in regulating protects anonymity in the performance of elections. Justice Scalia regards the act of an act with “governmental effect.”94 signing a petition much like a legislative “[T]he exercise of lawmaking power in act and as a result, void of any the United States has traditionally been expectation of privacy. In stark contrast, public.”95 Scalia also explains that voting Justice Alito sees the act of signing a was historically a public act as well and petition as an act protected by the First that the Court has never recognized a Amendment right to the privacy of right to vote anonymously.96 association and belief. While agreeing Justice Scalia is skeptical of the with the majority to uphold the disclosure petition signers’ ability to prove an as- laws on a facial challenge, Justice Alito is applied challenge that would exempt sympathetic to the petition signers’ as- them from disclosure laws. He states that applied challenge and thinks their burden “[r]equiring people to stand up in public of proof should be low. Justice for their political acts fosters civic Sotomayor’s concurrence explores the courage, without which democracy is middle ground between those two doomed.”97 He laments a society that extremes. Her opinion recognizes the allows anonymous campaigns where First Amendment protection for the direct democracy is “hidden from public expressive nature of signing a petition, scrutiny and protected from the but sets a high hurdle for the petition accountability of criticism.”98 And in signers to clear in order to prevail on their what might be the most quoted language as-applied challenge. from his opinion, Scalia remarks: “This Privacy in the Petition Process Page 91 does not resemble the Home of the at the time of signing whether their name Brave.”99 will be public.104 Justice Alito then outlines the ii. Justice Alito Concurrence strengths he sees in the petition signers’ as-applied challenge that outweighs the Justice Alito’s concurrence reads state’s interests. Justice Alito is especially more like a dissent because he goes into critical of the state’s “informational great detail about the strength of the interest.”105 Washington had argued that petition signers’ case for their as-applied the disclosure of petition signers names challenge. Alito agrees with the majority provided the public with insight into that the disclosure requirements survive a whether support for a measure comes facial challenge, but believes the petition from a particular group of citizens and signers have a strong as-applied case in that this information then assists a voter in that the disclosure laws can “seriously deciding whether to support or oppose the infringe on privacy of association and measure.106 Justice Alito notes that belief guaranteed by the First simply providing the public with the Amendment.”100 In contrast to Justice names and addresses of petition signers Scalia, Justice Alito’s concurrence is does not give the public the type of concerned with the burdens placed on the information that the state says voters need petition signers’ freedom of speech and to decide whether to oppose or support a association and privacy rights.101 measure.107 The state’s informational Justice Alito makes an important interest implies that the state would have caveat in his concurrence. While he an interest in gathering and disclosing believes the as-applied challenge is the other sensitive information like race, proper route for the petition signers to religion and sexual orientation.108 seek exemption from the disclosure laws, Obviously the public release of that he notes that their First Amendment information runs head-on into firmly rights will be adequately protected only established rights of privacy.109 if “(1) speakers can obtain the exemption Justice Alito is also critical of the sufficiently far in advance to avoid state’s interest in preserving the integrity chilling protected speech and (2) the of the electoral process. He points out showing necessary to obtain the that the petition process already provides exemption is not overly burdensome.”102 for observers to view the government’s If these requirements are not met, then review of petition signatures for Justice Alito is concerned that the validity.110 Justice Alito also explains disclosure laws might have a chilling that Washington has only recently taken effect on voters’ willingness to sign the position that petition signatures are petitions because of the uncertainty of subject to state disclosure laws.111 whether their information will be Previously, the state did not release that disclosed.103 Consequently, he information and Justice Alito claims the advocates that as-applied challenges state has not justified how circumstances must take place before a voter is asked to have changed to now necessitate the sign the petition so the signer will know public disclosure of the petition signers’ Page 92 THE PRIVACY PROJECT IV – 2011 names.112 Justice Alito cites to California In contrast to Justice Alito, Justice as the example of a state that keeps Sotomayor gives significant weight to the petitions signers’ names private and interest of the states to manage their maintains a process free from fraud.113 electoral processes and thus, her opinion Finally, Justice Alito suggests several is critical of the as-applied challenge.121 ways the state of Washington could She explains that petition signers will “easily and cheaply employ alternative bear a “heavy burden” to prove the “rare mechanisms for protecting against fraud circumstance in which disclosure poses a and mistake that would be far more reasonable probability of serious and protective of circulator’s and signer’s widespread harassment that the State is First Amendment rights.”114 unwilling or unable to control.”122 She Justice Alito sees the as-applied concludes with this guidance for the challenges as “critical” in protecting First courts below: Amendment Freedoms: “To give speech the breathing room it needs to flourish, [C]ourts presented with an as- prompt judicial remedies must be applied challenge to a regulation available well before relevant speech authorizing disclosure of referendum occurs and the burden of proof must be petitions should be deeply skeptical low.”115 He concludes that the petition of any assertion that the signers in Doe v. Reed have a “strong Constitution, which embraces case” that they are entitled to relief.116 political transparency, compels States to conceal the identity of iii. Justice Sotomayor Concurrence persons who seek to participate in lawmaking through a state-created Justice Sotomayor’s concurrence, referendum process.123 joined by Justice Stevens and Justice Ginsburg, recognizes the expressive 3. Justice Thomas Dissent interest in signing a petition, but wastes no time noting that disclosure does not Given Justice Thomas’s partial impair the expressive nature of that act or dissent in Citizen’s United earlier in the the associational rights of the signers.117 term, where he discussed the harassment Her opinion emphasizes the “considerable faced by the proponents of Proposition 8 leeway” states are given to decide what in California, his dissent in this case was issues are placed on the ballot and to set not a surprise.124 Indeed, Justice Thomas forth the procedure for ballot access.118 is the most vocal advocate of protecting Her opinion strongly favors disclosure the petition signers’ privacy. He would laws, explaining that the referendum have struck down Washington’s process is “inherently public,” with application of the disclosure laws to the citizens signing in public with no referendum process because he finds guarantee of confidentiality.119 In this “there will always be a less restrictive way, she rejects the idea that signing a means by which Washington can petition is akin to casting a secret vindicate its stated interest in preserving ballot.120 Privacy in the Petition Process Page 93 the integrity of its referendum referendum signer. Thus, disclosure process.”125 permits citizens to react to the Justice Thomas’s biggest divergence speech of their political opponents in from the majority is his application of the a proper—or undeniably improper— NAACP v. Alabama line of cases. He way long before a plaintiff could determines that strict scrutiny should prevail on an as-applied apply because signing a referendum challenge.132 amounts to political association.126 Justice Thomas explains the many things Justice Thomas concludes that the Washington could do to further its problem with ever being able to bring a interest in preserving the integrity of the timely challenge to the disclosure laws electoral process, without burdening means that not only are the First petition signers’ First Amendment rights. Amendment rights of petition signers 127 For example, Washington could harmed, but the direct democracy process institute an electronic referendum as a whole will be harmed: database.128 Justice Thomas explains that the state’s informational interest is in This chill in protected First contravention of the Court’s protection of Amendment activity harms others anonymous political speech in McIntyre besides the dissuaded signer. We v. Ohio Elections Commission. 129 For have already expressed deep these reasons, Justice Thomas would hold skepticism about restrictions that that the disclosure laws are not narrowly make it less likely that a referendum tailored to apply to any referendum and will garner the number of signatures would grant the facial challenge.130 necessary to place the matter on the Justice Thomas concludes by ballot, thus limiting the ability to describing the “[s]ignificant practical make the matter the focus of problems” that will result from requiring statewide discussion. Such petition signers to use as-applied restrictions inevitably reduce the challenges, in particular, the chilling of total quantum of speech on a public protecting speech.131 Justice Thomas issue. The very public that the explicitly addresses the changes in [Washington disclosure law] is technology and their impact on privacy supposed to serve is thus harmed by rights: the way Washington implements that statute here.133 [T]he state of technology today creates at least some probability that IV. Future Implications of Doe v. Reed singers of every referendum will be subjected to threats, harassment, or While the majority opinion in Doe v. reprisals if their personal Reed did not address the as-applied information is disclosed. The advent challenge to Washington’s disclosure law, of the Internet enables rapid the concurring and dissenting opinions dissemination of the information did not shy away from providing specific needed to threaten or harass every guidance to the lower courts. The Page 94 THE PRIVACY PROJECT IV – 2011 majority decision in dicta referred to the privacy proponents will need to be standard for minor political parties to creative in convincing the courts that they obtain an exemption from a disclosure are reasonably likely to be subjected to law from Buckley v. Valeo: that the threats, harassment, or reprisals if their disclosure may be unconstitutional as private information is made public. The applied to petition signers if they can Supreme Court has held that sufficient show “a reasonable probability that the proof includes “specific evidence of past compelled disclosure of personal or present harassment of members due to information will subject them to threats, their associational ties, or of harassment harassment, or reprisals from either directed against the organization itself. A Government officials or private pattern of threats or specific parties.”134 The court was deeply divided manifestations of public hostility may be over the showing that might be sufficient sufficient. New parties that have no to support an exception to the disclosure history upon which to draw may be able requirement. Justice Alito argued that the to offer evidence of reprisals and threats as-applied challenge should be easy.135 directed against individuals or In contrast, Justice Scalia argued that the organizations holding similar views.”138 as-applied challenge, if allowed at all, Historically, groups have succeeded in as- should make it exceptionally difficult to applied challenges by presenting evidence prove.136 The chances the specific of threatening phone calls and hate mail petition signers in Doe v. Reed will towards their members, as well as prevail is unlikely, given that five harassment by employers, the police, and members of the Court (Justice Stevens, the government itself.139 It remains to be Justice Breyer, Justice Sotomayor, Justice seen whether more modern forms of Ginsburg, and Justice Scalia) either “harassment,” such as online “bullying,” expressed significant doubts or outright standing alone, will be sufficient to obtain rejected the likelihood of the as-applied an exemption from disclosure laws. challenge succeeding.137 With Justice Certainly, in the Digital Age, it has Stevens’ retirement this past year, petition become easier for politically motivated signers may think they have a chance to groups to attempt to threaten or intimidate sway Justice Stevens’ replacement, their opponents through email, social Justice Elaina Kagan. Justice Alito and media websites, blogs, and sites such as Justice Thomas are sympathetic to the eightmaps.com. This type of harassment petition signers and would likely grant might well be enough to dissuade would- their as-applied challenge. Justice be petition signers from signing on to a Roberts and Justice Kennedy signed the petition that they support. But, is this majority opinion in Doe v. Reed, but did enough to overcome the state’s interests not sign onto any of the concurrences, so in regulating its election process, their respective positions on the as- informing the electorate, and detecting applied challenges are likely somewhere fraud in the petition process? This is a in the middle. balancing act that courts will be forced to Ultimately, to prevail on an as- grapple with in addressing as-applied applied challenge to a disclosure law, challenges. Privacy in the Petition Process Page 95

Interestingly, the Court in Doe v. the point where the movement cannot Reed, albeit in dicta, seemingly expanded survive. The public interest also the somewhat lenient standard for suffers if that result comes to pass, exemption to disclosure for minor for there is a consequent reduction in political parties to any group resisting the free circulation of ideas both disclosure.140 Originally, the rationale for within and without the political allowing minor political parties arena.141 “flexibility in the proof of injury” was that minor political parties were more Before Doe v. Reed, it was debatable vulnerable and less likely to influence an whether Buckley’s lenient standard for election. As the Court stated in Buckley obtaining an as-applied challenge should v. Valeo: apply to any group who fears reprisal from political opponents, or only to minor It is true that the governmental parties. On the one hand, the government interest in disclosure is diminished has a more compelling case for enforcing when the contribution in question is its disclosure laws with respect to made to a minor party with little political groups who are in the majority. chance of winning an election. As As the Supreme Court opinions have minor parties usually represent noted, compelled disclosure laws help to definite and publicized viewpoints, inform the electorate, which promotes there may be less need to inform the valuable First Amendment principles and voters of the interests that specific foster civic engagement. On the other candidates represent. Major parties hand, and especially with the potential for encompass candidates of greater widespread dissemination of information diversity. . . . The Government’s in the Digital Age, majority groups may interest in deterring the “buying” of be just as susceptible to threats and elections and the undue influence of harassment for their political views as large contributors on officeholders minority parties. For example, the also may be reduced where “Protect Marriage” groups claim that, contributions to a minor party or an although their opposition to gay marriage independent candidate are concerned, currently represents the viewpoint of the for it is less likely that the candidate majority of Americans,142 they are will be victorious. . . . We are not susceptible to harassment from gay rights unmindful that the damage done by minority groups. Admittedly, majority disclosure to the associational groups are unlikely to face the systemic interests of the minor parties and types of reprisal that the minority groups their members and to supporters of such as the NAACP or the Socialist party independents could be significant. faced throughout the last century, such as These movements are less likely to loss of employment and government have a sound financial base and thus surveillance. But at the end of the day, are more vulnerable to falloffs in are the privacy interests of members of contributions. In some instances fears majority groups any less important? of reprisal may deter contributions to Moreover, the distinction between Page 96 THE PRIVACY PROJECT IV – 2011 minority and majority groups becomes government record laws and keep private hard to discern when it comes to the names of petition signers. States initiatives and referendums. As the could also modify their state constitutions Supreme Court noted in Doe v. Reed, to provide privacy protections to petition petition signers may simply sign to show signers beyond the protections in the support for the notion that an issue should federal constitution. Justice Scalia noted be decided by the people, rather than to in his concurring opinion that although show support of the initiative or there is no constitutional right to an referendum itself. It may also be difficult anonymous ballot, many states took to determine whether supporters of an measures to ensure a secret ballot.145 initiative or referendum represent the Scalia explains that if states are majority or minority position. concerned about the threats and Oftentimes, this will not be known until intimidation that might result from public after the initiative or referendum is voted disclosure of petition signatures, they can upon. Even then, a position may be in the change their laws to keep the signatures minority in one community and in the from the scope of disclosure laws.146 majority in another. Should the courts States could also guard against fraud in examine the likelihood of harassment or some of the ways Justice Alito and reprisal on a local level, a state level, or a Thomas suggested, thereby decreasing the national level? These are only some of need for the petition signers’ names to be the interesting questions that will have to public.147 California currently is the only be addressed as the lower courts grapple state with a petition process that exempts with the standard the U.S. Supreme Court petition signers from public disclosure.148 suggests in Doe v. Reed. Interestingly, a measure was recently While lower courts might struggle introduced in the Washington state with the application of Doe v. Reed to as- legislature that would have excluded applied challenges, much of this debate petition signatures from public disclosure, may be left in the hands of the states but it failed to pass.149 In true “direct themselves, where several Justices in Doe democracy” fashion, voters could petition v. Reed implied it belongs.143 Although to include a measure on the ballot that the petition signers in Doe v. Reed lost would exclude petitioners’ names from their facial challenge and will likely face public disclosure. an uphill battle for their as-applied The inherent tension between privacy challenge, they could seek more privacy rights and public disclosure laws will protections by changing state disclosure continue to be played out in the lower laws. Several Justices noted the courts and at the state level. In this way, deference the Court gives to states to Doe v. Reed raises many more questions regulate their own electoral process.144 If than it settled and we are likely to see the it appears the technological advancements as-applied challenges back before the that make public release of information Court in the near future. like petition signatures are chilling that particular form of direct democracy, states could legislate an exception to their Privacy in the Petition Process Page 97

1 10 State-by-State List of Initiative and INITIATIVE AND REFERENDUM INST., supra Referendum Provisions, INITIATIVE AND note 9. 11 REFERENDUM INST., http://www.iandr INITIATIVE AND REFERENDUM INST., supra institute.org/statewide_i%26r.htm (last visited note 9; Ballotwatch, INITIATIVE AND Dec. 11, 2010); Chart of Initiative and REFERENDUM INST. (Nov. 2010), Referendum States, NAT’L CONFERENCE OF http://www.iandrinstitute.org/BW%202010- STATE LEGISLATURES, http://www.ncsl.org/ 2%20Election%20Results%20(11-6).pdf. default.aspx?tabid=16589 (last visited Dec. 12 See Burson v. Freeman, 504 U.S. 191, 203 11, 2010). For an overview of the different (1992) (plurality opinion). types of initiatives, see Initiative and 13 Id. 14 Referendum Institute, www.iandrinstitute.org. U.S. CONST. Amend. I. (“Congress shall 2 INITIATIVE AND REFERENDUM INST., supra make no law … abridging … the right of the note 1; NAT’L CONFERENCE OF STATE people peaceably to assemble.”); Daniel J. LEGISLATURES, supra note 1. Solove, The Virtues of Knowing Less: 3 Ballot Initiative Strategy Center State by Justifying Privacy Protections Against State Report Card, BALLOT INITIATIVE Disclosure, 53 DUKE L.J. 967, 995 (2003). 15 STRATEGY CTR. (July 2009), 357 U.S. 449, 462 (1958). http://bisc.3cdn.net/1fb0aa12d865ddd8c6_ww 16 Id. at 466. 17 m6b9zwc.pdf; CAL. GOV’T CODE §§ 6253.5, Id. at 462-63. 6253.6 (Deering 2010). 18 By the same token, it is also argued that 4 A Brief History of the Initiative and privacy protections which protect against the Referendum Process in the United States, disclosure of true information conflict with the INITIATIVE AND REFERENDUM INST., First Amendment’s guarantee of freedom of http://www.iandrinstitute.org/New%20IRI%2 speech. See, e.g., Eugene Volokh, Freedom of 0Website%20Info/Drop%20Down%20Boxes/ Speech and Information Privacy: The Quick%20Facts/History%20of%20I&R.pdf Troubling Implications of a Right to Stop (last visited Dec. 11, 2010); David B. People from Speaking About You, 52 STAN. L. Magleby, Governing by Initiative: Let the REV. 1049, 1090, 1095 (2000). Voters Decide? An Assessment of the Initiative 19 424 U.S. 1, 64 (1976). 20 and Referendum Process, 66 U. COLO. L. REV. 459 U.S. 87, 91 (1982). 13, 14-15 (1995). 21 514 U.S. 334, 342-43 (1994). 5 22 INITIATIVE AND REFERENDUM INST., supra Buckley v. Valeo, 424 U.S. at 64. note 4. 23 Id.; see also NAACP v. Alabama, 357 U.S. 6 I&R Historical Timeline, INITIATIVE AND 449, 462-63 (1958). 24 REFERENDUM INST., http://www.iandr McIntyre, 514 U.S. at 357. institute.org/New%20IRI%20Website%20Info 25 Buckley v. ACLF, 525 U.S. 182, 200 /Drop%20Down%20Boxes/Quick%20Facts/A (1999). lmanac%20-%20I&R%20Historical%20Time 26 Buckley v. Valeo, 424 U.S. at 84. line.pdf (last visited Dec. 11, 2010). 27 Id. at 66-68. 7 28 INITIATIVE AND REFERENDUM INST., supra 514 U.S. at 348. note 4. 29 Id. at 348 n.11. 8 30 INITIATIVE AND REFERENDUM INST., supra Id. at 349. note 4. 31 Buckley v. ACLF, 525 U.S. 182, 198-99 9 Initiative Use, INITIATIVE AND REFERENDUM (1999). 32 INST. (Sept. 2010), http://www.iandr Buckley v. Valeo, 424 U.S. at 70-71. institute.org/IRI%20Initiative%20Use%20(20 33 Id. at 74. 10-1).pdf. Page 98 THE PRIVACY PROJECT IV – 2011

34 HUFFPOST FUNDRACE, http://fundrace.huff times.nwsource.com/html/localnews/2008678 ingtonpost.com/ (last visited Dec. 13, 2010). 540_apwaxgrdomesticpartnerships2ndldwritet 35 Id. hru.html; Lornet Turnbull, Gregoire Expands 36 See, e.g., CANIVOTE.ORG, http://www. Same-Sex Partnerships, SEATTLE TIMES, May canivote.org/ (last visited Dec. 13, 2010) 18, 2009, http://seattletimes.nwsource. (providing links to states’ websites). com/html/localnews/2009233610_webdomesti 37 See, e.g., GOTVOTERS ONLINE, http:// c18.html. www.voter-lists.com/voter-lists.cfm (last 52 See Doe v. Reed, 130 S.Ct. 2811, 2816 visited Dec. 13, 2010). (2010). 38 Brad Stone, Prop 8 Donor Web Site Shows 53 Id. 54 Disclosure Law Is 2-Edged Sword, N.Y. See, e.g., § 42.56.070 55 TIMES, Feb. 7, 2009, www.nytimes. See, e.g., Wash. Op. Att’y Gen. 55-57 No. com/2009/02/08/business/08stream.html. 274 (1956). 39 56 PROP 8 MAPS, http://www.eightmaps.com Brief for Respondents at 5-6, Doe v. Reed, (last visited Dec. 13, 2010). 130 S.Ct. 2811 (2010) (No. 09-559). 40 Stone, supra note 38 (“‘When I see those 57 Press Release, KnowThyNeighbor.org, maps, it does leave me with a bit of a sick Whosigned.org Refutes Intimidation Charges; feeling in my stomach,’ said Kim Alexander, Will Post Names of Petition Signers as president of the California Voter Foundation, Planned (June 8, 2009), which has advocated for open democracy. http://knowthyneighbor.blogs.com/home/2009 ‘This is not really the intention of voter /06/whosignedorg-refutes-intimidation- disclosure laws. But that’s the thing about charges-will-post-names-of-petition-signers- technology. You don’t really know where it is as-planned.html (“While he acknowledges that going to take you.’”). some find it surprising to learn that petition 41 Stone, supra note 38. information is a matter of public record, 42 Stone, supra note 38. [Aaron] Toleos [co-director of 43 WASH. CONST., art. II, §1(b), (d); WASH KnowThyNeighbor.org] says, ‘Anyone that is REV. CODE §§ 29A.72.010—.290 (2010). honest about wanting a clean, transparent 44 In the case of a referendum, the “person or process should welcome the scrutiny that our organization demanding any referendum of an website makes possible. And if they don't, you act or part of an act of the legislature has should wonder why.’”). obtained a number of signatures of legal voters 58 Brief for Petitioners at 10, Doe v. Reed, 130 equal to or exceeding four percent of the votes S.Ct. 2811 (2010) (No. 09-559). cast for the office of governor at the last 59 See Doe v. Reed, 130 S.Ct. 2811, 2816 regular gubernatorial election prior to the (2010). submission of the signatures for verification. . 60 Id. . .” § 29A.72.150. 61 Doe v. Reed, 661 F. Supp.2d 1194, 1205-06 45 § 29A.72.130. (W.D. Wash. 2009). 46 § 29A.72.230. 62 Doe v. Reed, 586 F.3d 671, 681 (9th Cir. 47 § 42.56.070(1). 2009). 48 § 42.56.030 . 63 See Adam Liptak, Court to Rule on Right to 49 § 42.17.010(11). Privacy for Referendum Petition Signers, N.Y. 50 S.B. 5688, 61st Leg., Reg. Sess. (Wash. TIMES, Jan. 16, 2010, at A13. 2009). 64 Id. 51 See Rachel La Corte, Lawmakers Announce 65 The briefs in support of the petitioners ‘Everything But Marriage’ Bill, SEATTLE included those filed by the following groups: TIMES, Jan. 28, 2009, http://seattle Common Sense for Oregon, the Oregon Anti- Privacy in the Petition Process Page 99

Crime Alliance, and Oregonians in Action; Dakota, Tennessee, Utah, Vermont, and Concerned Women for America; Institute for Wisconsin; Lambda Legal Defense and Justice; CATO Institute; American Center for Education Fund, Inc., Gay & Lesbian Law and Justice; American Civil Rights Advocates & Defenders, National Center for Union; Committee for Truth in Politics, the Lesbian Rights, the Human Rights Campaign, National Organization for Marriage, the and National Gay and Lesbian Task Force; Family Research Council, and American Reporters Committee for Freedom of the Values; Voters Want More Choices; Alliance Press, Gannett Co., Inc., National Newspaper Defense Fund; Protectmarriage.com-Yes on 8, Association, Newspaper Association of A Project of California Renewal; Liberty America, The Radio-Television Digital News Counsel; The Abraham Lincoln Foundation Association, and Society of Professional for Public Policy Research, Inc., American Journalists; National Conference of State Conservative Union, American Target Legislatures, International City/County Advertising, Inc., Citizens in Charge Management Association, National Foundation, Citizens United, Citizens United Association of Countries, and International Foundation, ClearWord Communications Municipal Lawyers Association; American Group, Inc., the Conservative Legal Defense Business Media, Consumer Data Industry and Education Fund, The Constitution party Association, First American Corelogic, Inc., National Committee, Downsize DC the National Association of Professional Foundation, SownsizeDC.org, Eberle & Background Screeners, Reed Elsevier, Inc., Associates, Inc., English First, English First the Software & Information Industry Foundation, Free Speech Coalition, Inc., The Association, Transunion, and Thomson Free Speech Defense And Education Fund, Reuters; National Conference of State Inc., Gun Owners Foundation Gun Owners of Legislatures, the International City-County America, Inc., the Institute on the Management Association, the National Constitution, law Enforcement Alliance of Association of Counties, and the International America, Inc., The Lincoln Institute for Municipal Lawyers Association; and Research and Education, the National Right to Massachusetts Gay and Lesbian Political Work Legal Defense and Education Caucus and Susan Wagner. Foundation, Inc., Production Solutions, Inc. 67 Brief for States of Ohio, Arizona, Colorado, Public Advocate of the United States, The Florida, Idaho, Illinois, Maine, Maryland, Richard Norman Company, 60 Plus Massachusetts, Mississippi, Montana, New Association, U.S. Border Control, U.S. Border Hampshire, New Jersey, New Mexico, North Control Foundation, U.S. Justice Foundation, Dakota, Oklahoma, Oregon, South Carolina, and Young America’s Foundation; and Center South Dakota, Tennessee, Utah, Vermont, and for Constitutional Jurisprudence. Wisconsin in Support of Respondents, Doe v. 66 The briefs in support of the respondents Reed, 130 S.Ct. 2811 (2010) (No. 09-559). included those filed by the following groups: 68 See, e.g., Brief for Committee for Truth in Direct Democracy Scholars; City of Seattle; Politics, National Organization for Marriage, National and Washington State News Family Research Council, and American Publishers, News Broadcasters and News Values as Amici Curiae in Support of Media Professional Associations; States of Petitioners at 8-17, Doe v. Reed, 130 S.Ct. Ohio, Arizona, Colorado, Florida, Idaho, 2811 (2010) (No. 09-559). Illinois, Maine, Maryland, Massachusetts, 69 Id. at 21-25. Mississippi, Montana, New Hampshire, New 70 Brief for Electronic Privacy Information Jersey, New Mexico, North Dakota, Center (EPIC) and Legal Scholars and Oklahoma, Oregon, South Carolina, South Technical Experts as Amici Curiae in Support Page 100 THE PRIVACY PROJECT IV – 2011

of Petitioners at 15-19, Doe v. Reed, 130 S.Ct. 91 Id. at 2833 (Scalia, J., concurring). 2811 (2010) (No. 09-559). 92 Id. at 2832. 71 Id. at 23-29. 93 Id. 72 Id. 94 Id. at 2832-33. 73 Doe v. Reed, 130 S.Ct. 2811 (2010). 95 Id. at 2833. 74 Id. at 2814. 96 Id. at 2834-35. 75 Id. at 2817. 97 Id. at 2837. 76 Id. at 2818. 98 Id. 77 Id. 99 Id. 78 Citizens United v. FEC, 130 S. Ct. 876, 914 100 Id. at 2822 (Alito, J., concurring). (2010) (quoting Buckley v. Valeo, 424 U.S. 1, 101 Id. at 2822-23. 64 (1976); McConnell V. FEC, 540 U.S. 93, 102 Id. at 2822. 201 (2003)). 103 Id. at 2822-23. 79 Reed, 130 S.Ct. at 2818. This line of cases 104 Id. goes all the way back to Buckley, 424 U.S. 1 105 Id. at 2824. through Citizens United, 130 S.Ct. 876. 106 Id. 80 Reed, 130 S.Ct. at 2818. In this sense, Reed 107 Id. confirmed that “exacting scrutiny” will be the 108 Id. standard that applies in disclosure campaign 109 Id. finance cases as well. Lower courts have 110 Id. at 2825-26. already cited to Reed for that proposition. See 111 Id. at 2826. Human Life of Wash., Inc. v. Brumsickle, No. 112 Id. 09-35128, 2010 U.S. App. LEXIS 21028 at 113 Id. at 2826-27. *34 (9th Cir. Oct. 12, 2010) (“As the latest in 114 Id. at 2827. a trilogy of recent Supreme Court cases, Reed 115 Id. confirmed that exacting scrutiny applies in the 116 Id. campaign finance disclosure context. We 117 Id. at 2828-29 (Sotomayor, J., concurring). therefore apply exacting scrutiny to Human 118 Id. at 2827. Life's facial challenges to the Disclosure Law 119 Id. at 2828. and examine whether the law's requirements 120 The distinction between whether signing a are substantially related to a sufficiently petition is more like a legislative act or like important governmental interest.”). casting secret ballot has been debated by 81 Reed, 130 S.Ct. at 2818. various courts. For example, in 82 Id. at 2819. Shepherdstown Observer, Inc. v. Maghan, No. 83 Id. 35446, 2010 W. Va. LEXIS 98 (W. Va. Sept. 84 Id. 23, 2010), the West Virginia Supreme Court 85 Id. of Appeals consider the ruling of a lower state 86 Id. at 2820. court that dismissed a complaint seeking the 87 Id.. names of those that signed petitions, at least 88 Id. at 2821. partially, on the grounds that petition signers 89 Id. at 2820 (citing Buckley, 424 at 74; had privacy interests in signing a petition Citizens United, 130 S.Ct. 876). because it was similar to casting a secret 90 See Janet I. Tu & Kyung M. Song, Ref. 71 ballot. Id. at *21-22. The court reversed, Signatures are Public, Supreme Court Rules, citing to Doe v. Reed, and held that the lower SEATTLE TIMES, June 24, 2010, court had erred in finding the signing of a http://seattletimes.nwsource.com/html/localne petition as the functional equivalent to casting ws/2012196559_scotus25m.html. a secret ballot. Id. at **27-30. Just as in Doe Privacy in the Petition Process Page 101

v. Reed, the Shepherdstown court found that (detailing evidence of FBI surveillance, the state’s interest in protecting the integrity of employer retaliation, threatening phone calls the electoral process outweighed any First and hate mail, burning of group’s literature, Amendment interests of the petition signers. and destruction of group’s property in Id. at *30. affirming as-applied challenge to disclosure 121 Reed, 130 S.Ct. at 2828-29 (Sotomayor, J., law brought by a Socialist political party). concurring). 140 Doe v. Reed, 130 S.Ct. at 2820 (“those 122 Id. at 2829. resisting disclosure can prevail under the First 123 Id. Amendment if they can show ‘a reasonable 124 See Citizens United v. FEC, 130 S.Ct. 876, probability that the compelled disclosure [of 980 (2010) (Thomas, J., dissenting). personal information] will subject them to 125 Reed, 130 S.Ct. at 2838 (Thomas, J., threats, harassment, or reprisals from either dissenting). Government officials or private parties.’"). 126 Id. at 2839. The Supreme Court similarly stated, 127 Id. at 2841. discussing Buckly v. Valeo, in Citizens United 128 Id. v. FEC, 130 S. Ct. 876 (2010), that “the Court 129 Id. at 2842-43. acknowledged that as-applied challenges 130 Id. at 2844. would be available if a group could show a 131 Id. at 2844-46 reasonable probability that disclosure of its 132 Id. at 2845 (internal quotations and citations contributors names will subject them to omitted). threats, harassment, or reprisals from either 133 Id. at 2846-47 (internal quotations and Government officials or private parties.” Id. at citations omitted). 914 (internal quotations omitted). 134 Id. at 2820 (majority opinion) (citing 141 Buckley v. Valeo, 424 U.S. at 70-71; see Buckley v. Valeo, 424 U.S. 1, 74 (1976); also FEC v. Hall-Tyner Election Campaign Citizens United, 130 S.Ct. 876, 916 (2009)). Comm., 678 F.2d 416, 420 (2d Cir. 1982) 135 Id. at 2822-23 (Alito, J., concurring). (“There is a paramount public interest in 136 Id. at 2836-37 (Scalia, J., concurring). maintaining a vigorous and aggressive 137 Justice Stevens and Breyer also express political system which includes even doubts about the as applied challenge: “[f]or participants whose ideologies are abhorrent to an as-applied challenge to a law such as the that system. This principle repels [Public Records Act] to succeed, there would totalitarianism and the rise of dictators by have to be a significant threat of harassment permitting even those whose views are directed at those who sign the petition that anathema to ours to partake in the dynamics of cannot be mitigated by law enforcement an open and vigorous election without fear of measures.” Id. at 2832 (Stevens, J., reprisal. Acknowledging the importance of concurring). The justices “demand strong fostering the existence of minority political evidence before concluding that an indirect parties, we must also recognize that such and speculative chain of events imposes a groups rarely have a firm financial foundation. substantial burden on speech. A statute is not If apprehension is bred in the minds of to be upset upon hypothetical and unreal contributors to fringe organizations by fear possibilities, if it would be good upon the facts that their support of an unpopular ideology as they are.” Id. at 2831-32 (internal quotation will be revealed, they may cease to provide marks omitted). financial assistance. The resulting decrease in 138 Buckley v. Valeo, 424 U.S. at 74. contributions may threaten the minority party's 139 See Brown v. Socialist Workers '74 very existence. Society suffers from such a Campaign Comm., 459 U.S. 87, 100 (1982) consequence because the free flow of ideas, Page 102 THE PRIVACY PROJECT IV – 2011

the lifeblood of the body politic, is necessarily 149 H.B. 2277, 60th Leg., Reg. Sess. (Wash. reduced. . . . Privacy is an essential element of 2007) (“An act relating to encouraging the right of association and the ability to initiatives and referenda by extending privacy express dissent effectively. . . . [F]orced protections to signatories and assuring revelations would likely lead to vexatious accurate verification. . . .”). inquiries which consequently could instill in the public an unremitting fear of becoming linked with the unpopular or the unorthodox.”(internal quotation marks omitted)). 142 See, e.g., Gay Marriage May 24, 2010, GALLUP, http://www.gallup.com/poll/128297/Gay- Marriage-May-2010.aspx (last visited Dec. 13, 2010). 143 See Doe v. Reed, 130 S.Ct. at 2827 (Sotomayor, J., concurring); id. at 2836-37 (Scalia, J., concurring). 144 Id. at 2819 (majority opinion) (“States allowing ballot initiatives have considerable leeway to protect the integrity and reliability of the initiative process, as they have with respect to election processes generally.”); Id. at 2827 (Sotomayor, J., concurring) (“States enjoy ‘considerable leeway’ to choose the subject that are eligible for placement on the ballot and to specify the requirements for obtaining ballot access . . . .”). 145 Id. at 2834-35 (Scalia, J., concurring). 146 Id. at 2836-37. 147 See Id. at 2827 (Alito, J., concurring) (suggesting that the secretary of state could check for duplicate signatures using a digitized copy of the submitted petitions, as well as, digitally cross check the names and addresses on the petition with those found on the statewide voter registration database); Id. at 2840-42 (Thomas, J., concurring) (stating that Washington could easily create a digital database of the submitted petitions where state officials could verify voter registration, check for duplicate names, and even allow individual citizens to determine if their name had been fraudulently placed on a petition). 148 See CAL. ELEC. CODE § 18650 (Deering 2009). The Ambiguous "Right To Privacy": Launching Australia's Privacy Law Into The 21st Century

By Caroline Bush, S. Stuart Clark, Caroline Bush is a partner in and Amanda Graham Clayton Utz's Canberra office. She is a litigator with a particular focus on public IKE many of its western law issues including complex regulatory L counterparts, Australia worships at matters, freedom of information and the altar of celebrity. As such, it is not privacy as well as administrative uncommon for the personal decision-making by Australian misadventures of some of its more Government agencies. famous citizens to feature on the pages Stuart Clark is a partner with and websites of the mass media. While Clayton Utz and an Adjunct Professor at there are many examples of this Macquarie Law School in Sydney. He is phenomenon, an incident that the a litigator with a particular interest in the Australian public found particularly defence of class actions and complex engrossing occurred in March 2010 when litigation. He has been a member of the pictures of Lara Bingle, a minor celebrity IADC since 1993. who featured in a recent Australian Amanda Graham is an associate with tourism promotion in the United States the Clayton Utz public law group in its and former fiancée to an Australian Canberra office. Professional Cricket star, brought Australia's ambiguous lack of a general them) are a work in progress. In right to privacy back into sharp focus. particular, Australia's federal privacy The incident involved photographs legislation is undergoing its most taken of Ms. Bingle, without her consent, significant reforms since it was while she was in the shower. The introduced in 1988. Notably, amidst a photographs were published in a popular mass of reform proposals being Australian women's magazine and the considered is the introduction of a fact of their existence featured statutory cause of action for serious prominently in the Australian mass breach of privacy. In time, there is the media. Ms. Bingle threatened legal prospect that those in situations similar to action against the photographer and Ms. Bingle may have redress through a distributor of the photo, a former cause of action the existence of which is professional football star for a breach of intended to prevent breaches in the first her privacy.1 Unfortunately for Ms. place and compensate those who suffer if Bingle, the current status of privacy laws breaches nonetheless occur. within Australia is such that her prospects The scale of reform being considered of successfully prosecuting such an action in Australia is considerable. As such, this are slight. paper will only outline the reform process The fact is that Australia's privacy over the last several years at a federal laws (and the common law surrounding level and detail the progress that is presently being made towards the next chapter of privacy law in Australia. The Page 104 THE PRIVACY PROJECT IV – 2011 current status of the reforms will be "making laws and related processes more considered, including a brief discussion equitable, modern, fair and efficient."2 of some key aspects of those reforms, The key focus of the review was to including the introduction of the so called consider "the extent to which the Privacy Australian Privacy Principles and the Act 1988 and related laws continue to proposed introduction of a cause of action provide an effective framework for the for a serious breach of privacy. protection of privacy in Australia."3 In August 2008 the ALRC released I. Background and context of the its report "For Your Information: Australian privacy environment Australian Privacy Law and Practice" and reform (ALRC Report). The general tenor of the report was that, while the Privacy Act has At a national level, the legislation been effective in the past, there is a need regulating privacy is the Privacy Act 1988 for reform in order to bring it up to date (Cth) (Privacy Act) and it is its reform with the information age. The Federal that is the focus of this paper. Australia's Government delivered a two-stage federal Privacy Act regulates the response to the 295 recommendations in management of personal information the ALRC Report. through a series of broadly stated The first stage response was released principles set out in the Privacy Act, with in October 2009 entitled, "Enhancing a particular focus on the collection, use National Privacy Protection: Australian and disclosure, retention and access to Government First Stage Response to the personal information. The Privacy Act Australian Law Reform Commission applies to the federal government and its Report 108" (First Stage Response). It is associated departments and agencies primarily concerned with replacing the (through the Information Privacy existing Information Privacy Principles Principles) and certain private sector and National Privacy Principles contained organizations (through the National in the Privacy Act with a single set of Privacy Principles). As Australia is a uniform Australian Privacy Principles. federation, privacy law in Australia is These will apply to Government agencies also necessarily fragmented between and private sector organisations alike. federal, state and territory legislation and They will become the cornerstone of indeed other content-related legislation Australia's privacy protection framework. such as the New South Wales Health In June 2010, the Federal Government Records and Information Privacy Act. released the Exposure Draft of the On 31 January 2006, the Australian legislation intended to implement this Government instructed the Australian First Stage Response. The Senate Law Reform Commission (ALRC) to Finance and Public Administration conduct a review of Australia's privacy Committee is considering the Exposure law regime. The ALRC is a federal Draft. It will report in July 2011. government agency that is tasked with reviewing Australia's laws with a focus on ensuring greater access to justice by Launching Australia’s Privacy Law Into The 21st Century Page 105

II. Reform - First Stage Response to The Australian Privacy Principles ALRC outlined in the Exposure Draft are intended to replace the existing The First Stage Response deals with Information Privacy Principles, which 197 of the recommendations. These were apply exclusively to government agencies largely accepted by the Government. A and departments and the National Privacy key theme is the recognition of the need Principles which apply exclusively to to balance, on the one hand, the selected private sector organisations. The protection of personal information in an Australian Privacy Principles will create a appropriate manner given the evolving uniform set of principles that will apply information age, with, on the other hand, equally to the public and private sector the need to ensure that government and when dealing with personal information. business efficiency is not overly The acceptance of the ALRC restricted. recommendations for the adoption of The Companion Guide to the uniform principles is an affirmation by Exposure Draft for the First Stage government that an overly prescriptive Response (Companion Guide), states that approach to privacy regulation is not "Australians deserve a modern privacy appropriate. Rather, a principles-based law, which provides robust protections approach is more likely to evolve to meet about the collection and use of our the privacy challenges that will continue personal information" and that the to arise with the information age as purpose of the reform is "revitalising the technology changes. A principles based law for the 21st Century."4 As such, it is approach acknowledges that high level clear that the reform is particularly guidelines and generally stated principles seeking to address certain deficiencies in provide protection to personal the current privacy law regime which do information while providing agencies and not adequately deal with privacy issues organisations with the ability to tailor that arise in the information age. personal information handling practices to their individual needs and technology A. The Australian Privacy practices. Principles In particular, it is intended that the privacy principles should continue to be That said, the Exposure Draft only technology neutral.5 That is they should deals with implementing the Australian not be directed at any specific technology Privacy Principles, recommended by the but rather should state principles of ALRC. However, this is only one of general application. The principles four key aspects that are to be introduced should be sufficiently flexible to ensure as part of the first stage of the reform. that personal information stored in all With this in mind, it may be some time mediums, including those not yet before Australia's privacy laws are anticipated, will be protected and that the appropriately brought into the 21st principles need to remain current in the century. context of an ever evolving technological environment. Page 106 THE PRIVACY PROJECT IV – 2011

The Australian Privacy Principles are staff about privacy practices and the structured to address each stage of the establishment of procedures to receive information-handling process. They and respond to privacy complaints and address openness (relating to general enquiries. privacy policies and practice), anonymity and pseudonymity, collection, dealing 2. Anonymity and Pseudonymity with unsolicited information, notification, use and disclosure, direct marketing, This principle will require agencies cross-border disclosure, dealings with and organizations to give individuals the government-related identifiers, data option to interact anonymously or quality, data security and access to and pseudonymously, where it is lawful and correction of personal information. Set practicable in the circumstances. A out below is a summary of the effect of similar obligation currently exists in the proposed Australian Privacy National Privacy Principle 8. This new Principles. Principle will extend that obligation to government agencies. 1. Openness The Privacy Commissioner will be given the function of developing and An Openness Principle will require publishing guidance the operation of this agencies and organizations to set out a Principle, especially regarding when it is clearly expressed privacy policy that "lawful and practicable" to allow details how that entity collects, holds, information to be given anonymously or uses and discloses personal information pseudonymously. This is vital, given that (i.e. how it handles personal information anonymous or pseudonymous interactions at all stages of the information cycle). will likely not be practicable for the In addition to improving delivery of government services, benefits transparency of the management of and entitlements as well as in personal information, this is designed to investigative contexts. ensure that organizations are aware of their privacy obligations and are 3. Collection integrating ways to conform to these obligations from the point of designing A broadly framed Collection and developing the information systems Principle will ensure that: "entities must that collect and manage the personal not collect personal information (other information. than sensitive information) unless the The Openness Principle also has an information is reasonably necessary for, inward-looking focus. The Principle will or directly related to, one or more of the require agencies and organizations to take entity’s functions or activities (the reasonable steps to develop and functions test)."6 implement internal policies and practices The Government has argued that this that enable and promote compliance with will assist in ensuring that the individual the Australian Privacy Principles. This is aware that their personal information is includes activities such as the training of being collected and that the information is Launching Australia’s Privacy Law Into The 21st Century Page 107 as accurate, complete and up-to-date as 4. Notification possible. There are public interest exceptions The Notification Principle will to this general Collection Principle, which require an agency or organization, at the allow for the collection of personal time of collecting personal information, information in circumstances which to take reasonable steps to notify or involve assisting: in times of emergency; otherwise ensure that the individual, the in carrying out war or peacekeeping subject of the personal information, is operations; in the location of missing aware of numerous issues. In particular, persons and collection for diplomatic or the notification will include details of the consular processes. facts and circumstances of collection (if The Exposure Draft has also the individual is not aware that personal proposes a principle that deals with the information was collected), the purpose receipt of unsolicited personal of collection, rights of access to and information and the collection of sensitive correction of the information, third parties information. Where an agency or to which similar information is usually organization receives unsolicited personal disclosed, and relevant privacy complaint information, it must either (if lawful or handling mechanisms. Agencies and reasonable to do so): organizations should also take steps to notify individuals, if their personal • destroy the information as soon information is reasonably likely to be as practicable; or transferred overseas. • alternatively comply with the Australian Privacy Principles 5. Use and Disclosure that apply to the information in question as if the agency had The Use and Disclosure Principle taken active steps to collect that will regulate the use and disclosure of information. personal information. This principle will generally provide that the personal The Government will encourage the information must not be used for a development and publication of guidance purpose, other than the purpose that it by the Privacy Commissioner as to: was collected for, unless the individual has consented to its use for another • when it is, and is not, reasonable purpose. and practicable to obtain There are however some public personal information from interest exceptions that will apply to this another source; and principle, notably including • the meaning of "unsolicited circumstances where an agency personal information". reasonably believes that certain use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or the public.

Page 108 THE PRIVACY PROJECT IV – 2011

6. Direct Marketing access and the other in relation to correction. The Government has agreed with the The Companion Guide suggests that ALRC's recommendation that the the purpose of the proposed Access Australian Privacy Principles should also Principle is "to ensure that individuals regulate "direct marketing" in a discrete, have access to personal information that stand-alone Privacy Principle (separate entities hold about them and can correct from the Use and Disclosure Principle, the information where it is inaccurate, under which it is currently regulated in irrelevant, out-of-date or incomplete".7 the National Privacy Principle). The key The principles also provide some to the principle is that a person's consent limitations on an individual's general is required in various circumstances and right of access to their personal that people must have choices to opt out. information. The degree and scope of Different rules will apply to direct these limitations will depend on whether marketing practices depending upon the information is held by an agency or whether the information proposed to be organization. An individual will be used for direct marketing purposes is entitled to access personal information sensitive information (for example, held by an agency, except to the extent information about a person's race or that the agency is required or authorized political opinions or sexual preference), to refuse to provide access under a federal in which case you need consent and law (for example, where the FOI Act depending upon whether the information provides that a particular document is was collected by the entity that is actually exempted from disclosure). An using it for direct marketing purposes, or organization will be obliged to provide by another entity. access to personal information except to This principle also requires that when the extent one of the public interest using direct marketing, individuals must factors identified in subsection (3) of the be given a means by which they can proposed principle applies. request not to receive direct marketing Similarly, the proposed Correction communications. Principle creates an obligation for entities to take reasonable steps to "correct 7. Access and Correction personal information if it is inaccurate, out-of-date, incomplete or irrelevant".8 In its First Stage Response, the This Principle will also impose an Government indicated that there would be obligation on the entity to notify certain an Access and Correction Principle that other entities to which the information contains an enforceable right to access has been disclosed, of the relevant and correct an individual's personal changes (providing the individual has information that is held by an agency or requested that this notification occur). organization. In the subsequent Exposure There is significant overlap between Draft, the proposed Access and the Freedom of Information Act 1982 Correction Principle was broken into two (FOI Act) and the Privacy Act with independent principles, one in relation to respect to accessing and correcting of Launching Australia’s Privacy Law Into The 21st Century Page 109 personal information held by agencies. purposes of data-matching of information The Government proposes that the Access that is held by other organisations. and Correction Principle (now two This principle will not however separate principles) will be the primary restrict an organisation's use of means of access to, and correction of, an government related identifiers for the individual's own personal information. purposes of verifying the identity of an The focus of the FOI Act is thus intended individual. The Companion Guide to be on access to documents other than provides an example of an appropriate an individual's own personal information. use of identifiers by organisations and However, many of the FOI Act's rights to states that: "the principle is not intended access and correct personal information to prevent a courier service from will be retained, given that most checking a person’s driver’s licence to documents containing personal ensure that a parcel is being delivered to information will also contain personal the correct recipient."11 information of third parties and non- personal information. 9. Data Quality

8. Identifiers A Data Quality Principle will oblige agencies and organizations to take While noting the potentially intrusive reasonable steps to ensure that personal capacity of government related information they collect, use and/or identifiers, the Government clearly feels disclose is accurate, complete, up-to-date that those identifiers serve as effective and relevant, in light of the purposes of tools for identifying and linking personal collection, use or disclosure. information and have sought to strike a The steps that must be taken are balance between these competing "reasonable steps." This indicates that a imperatives. The core purpose of the proportional approach will be taken to principle Identifiers Principle is compliance with the principle, having essentially to ensure that government regard to the actual purpose of collecting, related or issued identifiers do not using or disclosing the information. become "de facto national identity numbers"9. 10. Data Security The principle will seek to restrict organisations (as distinct from A Data Security Principle will oblige government agencies) from using agencies and organizations to protect the government related identification personal information that they hold from numbers as their own identifier of an misuse, loss and unauthorized access, individual. The kinds of identifiers that modification or disclosure. In particular, are affected are, for example, numbers the principle will require the taking of such as a driver's licence number or a reasonable steps to destroy or render non- Medicare number.10 The principle is identifiable personal information if it is also intended to prohibit the use of no longer needed for any purpose for government related identifiers for the which it can be used or disclosed and Page 110 THE PRIVACY PROJECT IV – 2011 retention is not required or authorized by scheme in their own jurisdiction which is law. The Government sees this as an substantially similar to the Australian effective way to reduce the risk that scheme in terms of its protection of personal information will be mishandled. personal information. If an exemption applies, the recipient 11. Cross Border Data Flow will essentially become responsible for the personal information. However, if the Finally, the Australian Privacy Australian agency or organization Principles will include a Cross-border remains accountable, any act by the Data Flow Principle designed to bolster recipient that would be an interference of the protection offered to personal privacy if committed in Australia is taken information that is disclosed to a recipient to have been an act of the Australian outside Australia. As stated in the agency or organization. Companion Guide, the principle is intended to ensure that: "… the B. What else will happen in the obligations to protect personal First Stage? information set out in the Australian Privacy Principles cannot be avoided by The other anticipated reforms that disclosing personal information to a will be addressed as part of the First recipient outside Australia."12 Stage Response include reforms for The principle provides that before enhancing protection for credit reporting disclosing personal information to a and health information and clarifying the person who is not in Australia, unless a Privacy Commissioner's powers and relevant exemption applies, the entity functions. From 1 November 2010, the must take such steps as are reasonable in role of the Privacy Commission has come the circumstances to ensure the overseas under the umbrella of the newly created recipient does not breach the Australian Office of the Australian Information Privacy Principles in relation to the Commissioner (which is also responsible information. While it is not stated in the for Australia's FOI laws). The principle itself, it is thought that the Government has indicated that the First relevant steps in most cases are likely to Stage Response will be introduced in comprise contractual obligations to parts and we can anticipate Exposure comply with the Australian Privacy Drafts of legislation dealing with these Principles. topics once the form of the uniform The principle will provide that an privacy principles are finalised. agency or organisation that discloses personal information to a recipient III. Reform - Second Stage Response to outside Australia will also be accountable ALRC for that information unless an exemption applies. A notable exemption contained It is anticipated that the Government in the principle applies if an overseas will issue the Second Stage Response recipient of the relevant personal after the First Stage Response has been information is subject to a law or binding fully implemented (which as noted above Launching Australia’s Privacy Law Into The 21st Century Page 111 will, of itself, involve considerable legislative reform). IV. Watch this space - an action for The Second Stage Response is likely breach of privacy? to focus on the remaining 98 recommendations in the ALRC Report, As already observed, Australia does and it is largely accepted that these not have a right to privacy that is readily recommendations are the more enforceable and compensable in controversial issues that were raised in Australian courts.13 The issue of whether the ALRC Report. These issues include: there is a general or common law "right • proposals to clarify or remove to privacy" has been considered by a certain exemptions from the number of Australian courts, which have, Privacy Act; in effect, determined that, at this point in • introducing a statutory cause of the evolution of the common law, there is action for serious invasion of no general right to privacy under privacy; Australian law. Notwithstanding this, • serious data breach notifications; Australian courts have been inclined, in a • privacy and decision making handful of cases, to allow, what is in issues for children and effect a claim for damages caused by authorised representatives; what may be described as a breach of 14 • handling of personal information privacy. under the Telecommunications To remedy what it regarded as a lack Act 1997; and of a clear common law cause of action • national harmonisation of enforceable in the courts, the ALRC privacy laws (partially recommended the introduction of a cause considered in stage one). of action for a breach of privacy. The recommendation provides that, in order to establish the cause of action, a claimant The Government has not yet made it 15 clear the degree to which the Government must show: "(i) there is a reasonable is likely to accept or reject the relevant expectation of privacy; and (ii) the recommendations within the ALRC act or conduct complained of is highly Report. offensive to a reasonable person of The First Stage Response could be ordinary sensibilities." described as largely uncontroversial. Of The recommendation also provides the 40 submissions made in relation to the that, when determining whether the cause Exposure Draft there appears, on the of action can be established, the relevant whole, to be a good deal of support for court must consider "whether the public the proposed amendments with many interest in maintaining the claimant's submission proposals relating to privacy outweighs other matters of public terminology and clarification, rather than interest (including the interest of the substantive policy changes. It is public to be informed about matters of public concern and the public interest in anticipated that the Second Stage 16 Response will attract significantly more allowing freedom of expression)." debate. Page 112 THE PRIVACY PROJECT IV – 2011

Other characteristics of the "claimant's privacy outweighs other recommendation include that the cause of matters of public interest"). action would only be able to be brought The debate over the introduction of a by natural persons, it would be actionable cause of action for breach of privacy has without proof of damage, and would be only just begun in Australia and it is not restricted to intentional or reckless acts on known how the current administration the part of the respondent. The will react. Of course, even if the cause of recommendation also suggests that the action is enacted, Australian judges will appropriate remedies should include be required to rule on the statutory criteria damages, account of profits, injunctions set out in the legislation. Their and correction orders. perceptions of the need to balance There are two key areas of debate freedom of expression (which is only that are likely to arise in the context of the partially enshrined in Australia in an possible introduction of a cause of action implied constitutional right of freedom of for a breach of privacy. The first is political communication) and the need for whether the creation of a cause of action privacy will be important in the evolution for breach of privacy, is appropriate in and effectiveness of any cause of action. light of concerns that the action may have Critically however, the mere existence of implications for freedom of expression the cause of action may give individuals (journalists have naturally spoken out and organisations some pause for thought against the need for such a cause of action before embarking upon some of the more and indicated what they see as the risks of gratuitous invasions of privacy. Indeed it impeding their freedom to publish is this very fact that has journalists and particularly with respect to "public" commentators concerned. figures). The second will revolve around the form that any cause of action should V. Conclusion take and the extent to which the public interest will feature. Australia is in the midst of launching Interestingly, the New South Wales its most significant reforms to the Law Reform Commission has also national privacy regime since the recently considered the introduction of a introduction of the Privacy Act in 1988. cause of action for a breach of privacy in It is clear from the Exposure Draft that it the context of the New South Wales is the Government's intention to develop a Privacy Act.17 The New South Wales regime which allows Australia to proposal is much broader18 omitting the appropriately deal with the multiplicity of "highly offensive" requirement from the privacy issues that arise in the age of necessary elements, and limiting the information in a fashion which is public interest defence such that it would intended to be technology neutral. only require that regard be had to the However, given that the current Exposure relevant public interest (as distinct from Draft deals with only a fraction of the the requirement intended to be included least controversial recommendations in the cause of action recommended by made within the ALRC Report, and it is the ALRC which would require that the unlikely that these proposals will receive Launching Australia’s Privacy Law Into The 21st Century Page 113 legislative implementation until the end of 2011, it is clear that dragging [2007] VCC 281; and Giller v. Procopets Australia's privacy law into the 21st [2008] VSCA 236. 15 century will be a time consuming and AUSTRALIAN LAW REFORM COMMISSION possibly difficult process. REPORT 108 - For your Information, 11 August 2008, Recommendation 74-2, p. 2584. 16 AUSTRALIAN LAW REFORM COMMISSION REPORT 108 - For your Information, 11 August 2008, Recommendation 74-2, p. 2584. 1 Gordon Farrer, Bingle photo privacy poser, 17 New South Wales being the largest state of THE AGE (Melbourne), 3 March 2010, the Australian federation. 18 http://www.theage.com.au/victoria/bingle- NEW SOUTH WALES LAW REFORM photo-privacy-poser-20100302-pgfo.html. COMMISSION, Report 120 - Invasion of 2 About the ALRC, Australian Law Reform Privacy, April 2009. Commission at 14 December 2010. 3 See ‘Terms of Reference', AUSTRALIAN LAW REFORM COMMISSION, For Your Information: Australian Privacy Law And Practice, Report 108 (2008) (ALRC Report). 4 'Companion Guide: Australian Privacy Principles', Australian Government, June 2010, pages 2-3. 5 See Recommendation 18-1 of the ALRC Report, page 34 and the First Stage Response page 6. 6 See the Companion Guide, page 10. 7 See the Companion Guide, page 14. 8 See the Companion Guide, page 14. 9 See the Companion Guide, page 13. 10 Medicare is Australia's universal healthcare system. 11 See the Companion Guide, page 14. 12 See the Companion Guide, page 12. 13 Albeit that there is a mechanism in the Privacy Act whereby a person can make a complaint to the Australian Privacy Commissioner (who is not a judicial officer) about an interference with privacy (commonly comprising a breach of a relevant privacy principle) and the Commissioner can make a determination in relation to the complaint (which can be enforced if the respondent to the complaint does not comply with the determination). 14 See in particular Australian Broadcasting Corporation v. Lenah Game Meats Pty Ltd. (2001) 208 CLR 199; Doe v. ABC and Ors Voyeurism in the Computer Age: A School District’s Experience

By Basil A. DiSipio, John J. Bateman Basil DiSipio is managing and Lorraine B. McGlynn shareholder and John Bateman and Lorraine McGlynn are shareholders NEW JERSEY college student leapt of Lavin, O’Neil, Ricci, Cedrone & A to his death from the George DiSipio. Mr. DiSipio and Mr. Washington Bridge after learning that his Bateman are IADC members. roommate had streamed live video to the internet of his sexual encounter with an an affluent Philadelphia suburb, had another student. The footage was issued to every one of its more than 2000 allegedly broadcast from a webcam high school students an Apple MacBook secretly activated in the students’ shared laptop equipped with an integrated dormitory room. The roommate and webcam. LANrev computer management another student have been charged with software installed on the laptops enabled invasion of privacy and have reportedly them to communicate with the Lower withdrawn from school. The case has Merion server when connected to the attracted international attention, internet. The LANrev software included prompting anew concerns about how best “TheftTrack,” a feature that could be to deal with the effects of carelessly used remotely activated. Capable of locating technology. But what if the school was the Internet Protocol address for the the accused? That question was raised in laptop’s internet connection and of Robbins v. Lower Merion School simultaneously photographing both District,1 and Hasan v. Lower Merion whatever appeared in front of the webcam School District,2 a pair of highly and on the computer screen, a publicized civil lawsuits filed early last “screenshot,” TheftTrack could be set to year in a federal court in Pennsylvania. record the images at timed intervals. Its The actions forced Lower Merion School purpose was to assist in the recovery of District to defend itself against claims of lost or stolen laptops. Lower Merion did cyberspying. It is a cautionary tale in not inform its students or their families which the student became the teacher, of that the laptops had this functionality. So lessons learned about privacy and neither student nor family would ever be property rights and the unforeseen aware that the TheftTrack feature had consequences of new technologies on been activated. both. The school district might argue that Student Blake Robbins alleged that the now resolved litigation is proof that in the fall of 2009, a Lower Merion the road to hell is paved with good assistant principal accused him of intentions. The students, that cyber- improper behavior while at home, bullying exists at the institutional level. confronting him with an image of himself The reality is both may be correct. obtained from his laptop’s webcam. It According to court documents, was then that he and his parents first Lower Merion School District, located in learned that Robbins’ computer was equipped with TheftTrack and of the Voyeurism in the Computer Age: A School District’s Experience Page 115 school district’s covert webcam students or to collect images for illicit monitoring. Several months later, purposes. Forensic computer experts Robbins and his parents filed a class hired by both sides descended on the action complaint on behalf of themselves school district to sift through evidence in and other Lower Merion families alleging its electronic files. With each passing that the school district had secretly day, the recriminations mounted. The equipped school-issued laptops with FBI and U.S. Attorney’s Office, acting in webcams and tracking devices to spy on conjunction with local and county district students in their homes. Asserted officials, launched a federal investigation. were causes of action for violation of the The U.S. Department of Justice issued a Electronic Communications Privacy Act, statement that “[t]he issues raised by the Computer Fraud Abuse Act, the these allegations are wide-ranging and Stored Communications Act, 42 U.S.C. involve the meeting of the new world of §1983, the Pennsylvania Wiretapping and cyberspace with that of physical space. Electronic Surveillance Act, in addition to Our focus will be on whether anyone constitutional and common law claims for committed any crimes.” Amidst the invasion of privacy. Two days after the turmoil, two groups of intervenors, Robbins complaint was filed, the school backed by a substantial percentage of district discontinued the use of district parents, sought to join in the TheftTrack. Robbins action requesting the prohibition On the day after that, the Robbins of any further activation of the webcams family moved for a temporary restraining and proscribing the dissemination of order prohibiting the school district from images already collected. Some parents remotely activating the webcams, also requested an order banning press contacting members of the putative class, interviews near the school or students’ taking possession or altering the student- homes to quell the media frenzy that issued laptops, and destroying evidence. surrounded the litigation. The American Civil Liberties Union The facts were soon revealed.3 The quickly joined the fracas, seeking software had been activated on more than permission to file an amicus brief in 175 occasions by one or both of two support of the issuance of a TRO. A district information services employees. decision on the TRO was averted by the The employees had permission to trigger entry of an order stipulated by the parties the feature but no distinct guidelines for prohibiting the remote activation of the its use. The report from the school cameras, the destruction of evidence, and district’s internal investigation noted that communication by the school district with “[t]he informal procedures that [the Lower Merion students with respect to employees] used varied over time and the lawsuit’s allegations. were not followed consistently.” Report The school district acknowledged at 2. At least 58,000 images of district installation of the anti-theft software on students had been captured by webcams, the computers, but denied that it was used including hundreds of Blake Robbins. in conjunction with the webcam to One in which Robbins is pictured conduct illegitimate surveillance of sleeping was released to the media. It Page 116 THE PRIVACY PROJECT IV – 2011 was also discovered that there were district’s own defense was reportedly instances in which the software was not hovering around the million dollar mark. deactivated for extended periods of time, Ultimately, the school district was even after a laptop thought missing was cleared of criminal wrongdoing. The located. Jalil Hasan4 claimed to be one of U.S. Attorney’s Office announced that it the students affected by the district’s had “not found evidence that would failure to turn the webcam off, filing his establish beyond a reasonable doubt that own suit asserting the same causes of anyone involved had criminal intent.” action as Robbins. The school district’s insurer also reversed While Lower Merion was busy its initial decision denying coverage for dealing with the maelstrom created by the the civil litigation, agreeing to shoulder exposure of its clandestine activities, $1.2 million of the fees and costs another entity weighed in. Its insurer, associated with the litigation. Eight denying coverage for conduct it months after they were commenced the characterized as “a non-consensual, cases settled for $610,000; $175,000 to surreptitious, remote visual voyeurism Robbins, $10,000 to Hasan and $425,000 inside the claimant’s own home,” filed its to their attorney. The Court permanently own action seeking a declaration that it enjoined Lower Merion from: remotely owed Lower Merion neither a defense nor activating webcams on school-issued indemnity.5 It claimed that its coverage computers; purchasing software, was for claims of personal injury, not hardware or any other technology that invasion of privacy. As a result, the allowed for the remote activation of taxpayers of Lower Merion were facing a webcams on student laptops or the remote double threat, to their privacy and their monitoring or recording of audio or video pocketbooks. from student laptops; capturing The school district was contrite. It screenshots; accessing or reviewing any admitted and apologized for the mistakes student-created files contained on student made, including the failure of its laptops, including emails, photographs, administration to fully appreciate the instant messaging records, internet usage privacy concerns implicated by tracking logs and web browsing histories, except students using webcam capabilities. It as explicitly allowed by the district’s pledged full disclosure of its past and newly adopted policies or by parental future technological actions with respect consent; and viewing, disseminating or to the laptops and set to work drafting permitting access to images already policies and procedures. The Court gathered. The order did not ban the use ordered that parents and students whose of global positioning systems or other images had been collected be notified and anti-theft tracked technology outright, but given an opportunity to view the images. mandated conspicuous, written disclosure It also directed the school district to pay of its functionality and usage and student interim fees and costs to counsel for and parental consent. Robbins and Hasan of about a quarter of a With its new-found appreciation of million dollars. At that point, the school the paradoxical virtues of transparency and privacy, the written measures Voyeurism in the Computer Age: A School District’s Experience Page 117 implemented by Lower Merion are odes in the absence of illicit intent. They also to both.6 In addition to requirements address the danger of supervisory mandating disclosure and consent for the personnel abdicating responsibility for use of any tracking technology and a computer-related issues and reposing the proscription against using webcams for administration of information services in that purpose, the regulations forbid the hands of technicians who are unaware remote access to student laptops except to of the ramifications of their actions, or resolve technical problems or when a worse yet, intent on spying. laptop is reported missing or stolen by There was no shortage of hyperbole written report filed with the district. If during the pendency of the litigation. The permission for remote access is given, a plaintiffs labeled TheftTrack “peeping record of the time, date and duration of tom technology.” Commentators the access will be generated. As for lambasted Lower Merion for spying on personal files saved to a student’s children and suggested that child computer, district personnel may access pornography charges be considered. them only with express, written consent Others blamed school district hubris, or after the laptop is permanently castigating Lower Merion as an returned, at the end of the year or authoritative bully with little regard for otherwise, after the opportunity for the privacy of its students or the law. removal of student files is given. An With the benefit of hindsight, rogue important caveat is that if a “reasonable seems a harsh adjective for Lower suspicion” exists that a student has Merion’s activities, though surreptitious violated the law, district rules, or policies, they undeniably were. Perhaps better the laptop can be confiscated, but not explained as a case of bad judgment, poor remotely accessed, and the files may be training, or both, the school district’s reviewed by district personnel. Student experience teaches that covert activities, data stored on the district’s network, no matter how well-intended, can have however, is fair game. “Students have no far-reaching implications. Complacency expectation of privacy in any material or in technological affairs is simply not an information stored on, created on, option. accessed through or transmitted through In our brave new world, the right to [the school district network].”7 privacy is often juxtaposed against Other policies ratified by Lower increasingly more invasive technologies Merion as a result of the imbroglio which serve as effective weapons in law address the chain of school district enforcement. From global positioning authority for dealing with laptop issues.8 systems in cars, cell phones, and They mandate technology training for computers to airport scanners, innovation administrators, teachers, computer often comes at the price of anonymity. support personnel and anyone else While presumptive confidentiality may be involved with the laptops. Their a thing of the past, the expectation of implementation speaks to the charge that privacy cannot be ignored. The Lower ignorance of the capabilities of Merion melee sparked interest from technology and its uses are culpable, even legislators, like then Pennsylvania Page 118 THE PRIVACY PROJECT IV – 2011

Senator Arlen Spector, who suggested that any gap in wiretap laws be closed to address privacy concerns wrought by technological advances. The law may eventually catch up with present day capabilities, but, as Lower Merion discovered, existing common law principles and legislative enactments are of limited utility as guideposts for the use of technology. The boundaries of the right to privacy are elusive and as the technology continuum advances emerging applications may outgrow the legal paradigm adopted. The risk is great that any individual, institution, business, employer, and organization engaged in computer-based covert surveillance may be accused of cyberbullying, civil rights violations, criminal conduct and more. Disclosure is therefore the watchword for the future. It is a lesson Lower Merion paid dearly to learn.

1 No. 10-0665 (E.D. Pa. 2010). 2 No. 10-3663 (E.D. Pa. 2010). 3 The report of the school district’s internal investigation conducted by the law firm of Ballard Spahr in association with computer forensic consultant L3 Services, Inc. is available at the district’s website at http://www.lmsd.org/sections/laptops/default. php?&id=1258. 4Id. 5Graphic Arts Mutual Insurance Co. v. Lower Merion School District, No. 10-1707 (E.D. Pa. 2010). 6 No. 10-1707 (E.D. Pa. 2010). 7 The newly adopted policies are available at the school district’s website at http://www.lmsd.org/sections/laptops/default. php?t=pages&p=laptops_docs. 8 Id. The Privacy Implications and Legal Footing of Arizona’s Immigration Law: S.B. 1070

By Steven J. Strawbridge and Steven J. Strawbridge is a Member of Bryan S. Strawbridge Frost, Brown Todd, LLC, in Indianapolis, Indiana, and is the Chair of the Fidelity . . . It hit at the clever homeless portion of and Surety Committee of the IADC. the population which wasn’t tied down to Bryan S. Strawbridge is an Associate anything. In the early stages, people with Krieg DeVault, LLP, in Indianapolis, made many mistakes with those Indiana. All comments and opinions passports—and those not registered at expressed herein are the authors’ own. their places of residence, and those not registered as having left their former being a necessary step to stem the tide of places or residence, were raked into the illegal immigration, especially in an Archipelago, if only for a single year. economy with near double digit unemployment rates. However, others And so the waves foamed and rolled.1 demonized the legislation as a discriminatory, isolationistic, and flat out I. Introduction and Overview of S.B. un-American attempt to rectify a serious 1070 and growing concern, while reminding others of 1930s era fascism. While S.B. N APRIL 23, 2010, Arizona 1070 is, of course, limited to the state of Arizona, at least two dozen other states O Governor Jan Brewer signed into 4 law state Senate Bill 1070 (“S.B. 1070”).2 are considering similar enactments. Although the statute’s numeric In the markets of human and drug smuggling, Arizona is the United States’ designation may not be a household 5 name, few are unaware of Arizona’s leading brokerage house. With controversial new immigration law, approximately 460,000 illegal immigrants which mandates that all law enforcement currently residing in Arizona, the impact of S.B. 1070 is by no means officials shall take steps to verify the 6 immigration status of any individual with insignificant. The existence of these whom they come in contact if there exists realities has not gone unnoticed by the reason to suspect that the individual is in Arizona electorate. Polls taken on violation of federal immigration laws.3 immigration issues in the state routinely With little time and great fanfare, S.B. show that the majority of residents favor the law as well as an increase in 1070 was propelled by the media to the 7 forefront of national attention, spurring enforcement. As noted by Miriam punditry and protest. It became Jordan in a recent Wall Street Journal immediately and undeniably clear that the article: public had varied opinions as to the efficacy, legality, and scope of the Frustration over illegal immigration legislation. Many proclaimed the law as has been mounting in the state in recent years amid reports of kidnappings and gun battles on the Page 120 THE PRIVACY PROJECT IV – 2011

state’s highways and in the heart of enumerated legislative intent of S.B. 1070 Phoenix. Concerns about the poor provides: economy and unemployment in the state also have contributed to The legislature finds that there is a dissatisfaction with illegal compelling interest in the cooperative immigration.8 enforcement of federal immigration laws throughout all of Arizona. The Awash with aggravation over legislature declares that the intent of growing violence and rampant drug this act is to make attrition through trafficking coinciding with the tempest of enforcement the public policy of all the national economic catastrophe, state and local government agencies Arizona’s legislature turned to the in Arizona. The provisions of this comfort of an immigration bill which, act are intended to work together to according to its supporters, would quell discourage and deter the unlawful these concerns. According to its entry and presence of aliens and detractors, the bill is a knee jerk reaction economic activity by persons to a complex problem that cannot be so unlawfully present in the United simply remedied. States.12 This Note will parse the language of the statute, analyze its legality, and Although the stated intent of S.B. provide an overview of the judicial 1070 appears relatively benign and review that has been conducted to date. straight forward on its face, the Finally, this Note advocates for the substantive provisions contained in the removal of the legislation from the legislation have produced significant Arizona code as being an undue burden vitriol. on civil freedoms and an unconstitutional The Obama Administration’s state attempt to usurp the exclusive response to the enactment of S.B. 1070 federal authority to manage and supervise into law was immediate and forceful. immigration law enforcement. President Obama affirmed his displeasure with S.B. 1070 stating that “[t]he Arizona II. Provisions of S.B. 1070 law [threatens] to undermine basic Coined the “Support Our Law notions of fairness that we cherish as Enforcement and Safe Neighborhoods Americans, as well as the trust between Act”, S.B. 1070 has shifted immigration police and our communities that is so laws, which have traditionally been crucial to keeping us safe.”13 codified as civil statutes, into the realm of Unsurprisingly, the Mexican Foreign criminality.9 S.B. 1070 has classified Ministry concurred with President mere unlawful presence in the state as a Obama’s assessment.14 However, the criminal offense, to-wit, criminal sharpest critique of the legislation came trespass.10 Accordingly, pursuant to S.B. from the Catholic Church.15 Cardinal 1070, illegal immigration is a more Roger M. Mahony of Los Angeles said enforceable and punishable act.11 The that governmental authorities’ ability to demand documents on demand harkened Arizona’s Immigration Law: S.B. 1070 Page 121 back to Nazism.16 “While police sharing such information demands of documents are common on with other federal, state, or subways, highways, and in public places local governmental entity in some countries, including France, for the following purposes: Arizona is the first state to demand that To ascertain eligibility for immigrants meet federal requirements to any public benefit, service, carry identity documents legitimizing or license provided by the their presence on American soil.”17 state; Looking to the specific provisions of To verify a claim of S.B. 1070, the act provides the following: residence if such determination is required by (a) Directs law enforcement to statute or judicial decree; To determine the immigration status validate the identity of any of all persons who are arrested detained person; and as well as those individuals that To establish whether an they reasonably suspect to be individual has abided with illegal aliens during a lawful federal registration laws stop; under the Immigration (b) Proclaims attrition by Nationality Act;18 enforcement to be Arizona (d) Grants legal residents of Arizona policy; the civil remedy to bring action (c) Permits law enforcement to if they believe a government transfer illegal aliens into federal agency or its policies are in custody; discord with federal immigration laws; Precludes law enforcement (e) S.B. 1070 is in accord with from implementing policies federal alien registration laws by that limit or prohibit requiring illegal aliens that enforcement of federal violate federal alien registration immigration laws; Provides laws (8 U.S.C. §§ 1304(e), that individuals who provide 1306(a)), which require aliens to any federal, state or local register and bear their identification, which immigration documents at all requires verification of times) are now subject to arrest lawful status when issued, and sanction under Arizona are presumed to be lawfully criminal laws; present in the United States; (f) Proscribes citizens from hiring Precludes state officials or and/or picking up day laborers agencies from implementing while impeding traffic; constraints on transferring (g) Prohibits day laborers from or storing information soliciting work; regarding individuals’ (h) Bans illegal aliens without work immigration statuses, or authorization from applying for Page 122 THE PRIVACY PROJECT IV – 2011

work, soliciting work in a public District Court for the District of Arizona place, or working in Arizona; significantly weakened the scope and (i) Illegalizes the transport, harbor, effect of S.B. 1070.20 Judge Bolton or encouragement of illegal issued a preliminary injunction that aliens to remain in the United precluded the most controversial aspects States if the individual knows or of the law from taking effect, which was recklessly disregards that to occur the following day, July 29, persons are illegal. 2010.21 The specific sections, which had (j) Endorses law enforcement to been forcefully belied by the act’s make warrantless arrests if there oppositions, that were enjoined by the exists probable cause to believe injunction, included: the individual has committed any offense which subjects the (a) The section which mandated a individual to removal from the state officer to make a country; reasonable attempt at (k) Mandates that employers must determining the immigration keep a record of all employees’ status of an individual stopped, E-Verify verification for either detained, or arrested if the (a) the employment term or (b) officer has reasonable suspicion at least three years; that the individual was in the (l) Prescribes impoundment or country illegally; forfeiture of cars driven by (b) The section which created the illegal aliens as well as vehicles crime of soliciting, applying, or used to unlawfully transport performing work as an illegal illegal persons; and immigrant; (m) Creates the Gang and (c) The section which made it a Immigration Intelligence Team crime for an individual to fail to Enforcement Mission Fund to apply for or carry “alien provide funds to combat gangs registration papers” as required and assist in immigration by federal law; and enforcement as well as for (d) The section which permitted the reimbursing county jails for warrantless arrest of a person costs associated with illegal upon the finding of probable immigration.19 cause that the individual has As is readily apparent from the above committed an offense punishable noted provisions, the scope of reforms by removal from the United contained in S.B. 1070 are expansive. States.22 The litigation that resulted challenging the act was expected and immediate. However, the injunction does not obviate Arizona public safety officers’ III. Procedural Background discretion that existed prior to S.B. 1070, On July 28, 2010, District Judge which they enjoy in choosing whether to Susan R. Bolton of the United States assist in the enforcement of federal Arizona’s Immigration Law: S.B. 1070 Page 123 immigration laws.23 Instead, the In the interim, analyzing the legal footing injunction vitiates the requirement of S.B. 1070 is appropriate. contained in S.B. 1070 that officers are IV. Legal and Policy Critique of S.B. mandated to enforce federal immigration 1070 law or face private civil actions.24 The actions which led to injunction As a general proposition, the various in the district court were filed by a myriad plaintiffs in the actions challenging the of individuals, government bodies, and legality of S.B. 1070 have made similar special interest groups, including both assertions. This Note will focus on three public and private actors.25 Specifically, overarching legal arguments made in these plaintiffs included the United States opposition to the legislation. First, S.B. Department of Justice, the American 1070 is an attempt by Arizona to usurp Civil Liberties Union, Phoenix and exclusive federal authority to manage and Tucson law enforcement officials, various supervise immigration law enforcement. municipalities, illegal immigrants Second, uniformity in immigration law individually, and non-profit and immigration law enforcement leaves organizations.26 no place for state laws like S.B. 1070. As publicly expressed by Gov. Third, S.B. 1070 cuts to the core of Brewer, the procedural ladder is just American freedoms to be free of undue beginning.27 Governor Brewer has government interference into individuals’ proclaimed that “[t]his fight is far from daily lives and is manifestly unjust. over. In fact, it is just the beginning. . . .”28 She noted that Arizona intends to a. S.B. 1070 is an improper attempt by Arizona to usurp immigration “battle all the way to the Supreme Court, law, which is the exclusive if necessary, for the right to protect the citizens of Arizona.”29 However, the purview of the federal government. official reaction from the Department of Homeland Security (“DHS”),30 which oversees federal immigration, could not Immigration law is a field of have been more supportive of the court’s jurisprudence that is consigned to the injunction.31 The spokesman for DHS federal government to dictate.33 The stated that the court’s decision “correctly Supremacy Clause provides that the affirms the federal government’s “Constitution, and the Laws of the United responsibilities in enforcing our nation’s States which shall be made in Pursuance immigration laws.”32 Despite the wholly thereof . . . shall be the supreme Law of divergent viewpoints, one consensus can the Land.”34 Furthermore, the drafters of be garnered; both sides concur that legal the Constitution articulated that resolution will not be attained until the immigration and naturalization matters Supreme Court issues a dispositive ruling are exclusively vested in the federal on the issue or a petition for writ of government.35 To this end, the Supreme certiorari is denied. Either way, Court has affirmed that “[t]he authority to conclusion is not likely in the near term. control immigration . . . is vested solely in the federal government.”36 Accordingly, Page 124 THE PRIVACY PROJECT IV – 2011

Arizona’s attempt to enter the field of its implications in “foreign relations and immigration is an impermissible act in international commerce.”40 These fragile discord with the United States and significant concerns mandate Constitution and federal law. S.B. 1070 “delicate policy judgments.”41 should, therefore, be struck down as Furthermore, the international unconstitutional. implications of immigration law vests the The Congress has given DHS, and federal government with exclusive one of its arms, the United States authority. Finally, the federal Immigration and Customs Enforcement government’s instituting of immigration (“ICE”), authority to operate federal law occupies the field and preempts state enforcement programs with state and authority to enact contradictory and even local agencies.37 This statutory authority complimentary statutes. includes requirements for local authorities Pursuant to S.B. 1070, state law under which they are required to comply enforcement officials—a group whose in their enforcement of immigration laws. principal concerns relate to public safety “In S.B. 1070, Arizona has attempted to and criminal law enforcement—would be bypass requirements of ICE supervision called upon to apply and enforce and management of its immigration immigration law by establishing the enforcement under a [memorandum of presence of reasonable suspicion and agreement of which Arizona enforcement inquiring as to immigration status.42 authorities have entered into].”38 The However, properly detained individuals American Bar Association most under the law may include political or succinctly decried S.B. 1070 when it religious asylum seekers coming to stated: “[i]n order to maintain uniformity America yearning to be free. The in immigration law and immigration law effectiveness of state law enforcement in enforcement, and unless Congress recognizing asylum seekers and coping determines to the contrary, a state should with such situations in light of the not be permitted to usurp federal criminal nature of S.B. 1070’s provision authority to manage and supervise is unknown. immigration law enforcement c. S.B. 1070 is contrary to the activities.”39 United States Constitution, b. Immigration law requires United States laws, and the uniformity and cohesiveness. intrinsic principles upon which S.B. 1070 is an impermissible the United States was founded. confusion in national policy. It is axiomatic under American The need for uniformity in national constitutional provisions and inherent immigration law and its enforcement freedoms that an individual should not be require a consistent system of subject to undue interference, unfounded jurisprudence that does not vary by state. accusations, and unreasonable searches. The Supreme Court has commented on Of course, S.B. 1070 does not permit law the nature of federal immigration law and enforcement officers from questioning Arizona’s Immigration Law: S.B. 1070 Page 125 individuals concerning their immigration other services, that work is not available status absent reasonable suspicion; to be undertaken by a valid Arizona however, one does not need a juris resident. Even so, is it appropriate for doctorate in order to perceive the intrinsic S.B. 1070 to make it a crime for any proverbial slippery slope upon which this individual, even an illegal immigrant, to statute stands on the precipice. The secure gainful employment? In theory, subjective reasonable suspicion of one the harder one works, the greater the officer is obviously disparate when magnitude of the crime. This seems to be compared to his colleagues. Moreover, contrary to the American work ethic. the presumption of appropriateness given Moreover, “[o]pponents are to an officer’s internal mindset in finding particularly concerned about the reasonable suspicion is difficult to refute trespassing provision, stating that it will and improper racial animi are difficult to increase racial profiling. They argue that establish. U.S. citizens and legal immigrants will be Application of any criteria for approached on the basis of their skin “reasonable suspicion” by its very nature color.”43 Statutes such as S.B. 1070 that must be subjective. Because of its are drafted so broadly are assured to vagueness, the difficulty in applying any ensnare legal American citizens.44 These such criteria becomes immediately opponents further note that state and local apparent. Does an Arizona law officials are poorly trained to handle enforcement official have “reasonable enforcement of complex federal law.45 suspicion” to question any individual with Attempting to refute this assertion, dark skin? If so, how dark? Does this Sheriff Joseph Arpaio of Maricopa apply only to Hispanics or would there be County46 asserts that a two-hour long “reasonable suspicion” as to anyone with training class for deputies is wholly dark skin such as African-Americans, sufficient to educate the officers on Indians or even a California Caucasian federal and state immigration law.47 This with a sunburn? Does the fact that a is a dubious contention. person is not well dressed and is wearing Furthermore, the possibility of shabby dirty clothes become a further detention of individuals who are in fact factor in considering whether or not there documented citizens but do not have is “reasonable suspicion.” Therefore, are identification is a real concern. poor people more likely to create According to the ABA and the ACLU, reasonable suspicion as compared with the likelihood of improper arrest due to a well dressed middle class individuals? lack of documentation is almost Ironically, S.B. 1070 even made it a assured.48 According to a 2006 study by crime for an illegal immigrant to solicit, the Vera Institute of Justice, 125 apply or perform work. It remains to be individuals in federal immigration seen what would be the mens rea of an detainment facilities were believed to individual who merely is attempting to have valid U.S. citizenships but remained find work to raise funds for food and in detention due to oversight, electronic support. No doubt one can argue that if errors, or other failings.49 It has been an illegal immigrant provides labor or noted that the federal databases are poorly Page 126 THE PRIVACY PROJECT IV – 2011 integrated, lack complete records, or are 50 flat-out inaccurate. These concerns are 2 2010 Ariz. Legis. Serv. Ch. 113 (West material and pose a threat to the freedom 2010). of individuals in this country legally and 3 Rick Su, The Overlooked Significance of illegally. The concerns and failings of Arizona’s New Immigration Law, 108 MICH. L REV. FIRST IMPRESSIONS 76, 76 (2010). this statute far outweigh any positive 4 remedial effect. Miriam Jordan, Judge Blocks Arizona Law, WALL ST. J., July 29, 2010, available at V. Conclusion http://online.wsj.com/article/SB100014240527 48703940904575395314079925720.html (last With the sour financial condition of visited Nov. 7, 2010). the United States combined with the 5 Id. rampant influx of illegal immigrants in 6 Id. border states such as Arizona, it is 7 Id. 8 Id. understood that state legislatures would 9 attempt to stem the tide of low-paid Pierre Georges Bonnefil, Understanding the workers who are undercutting many Immigration Debate: An Immediate Look at Arizona’s Proposed Immigration Refordm and unemployed Americas in garnering jobs. Federal Government’s Response, Aspatore However, S.B. 1070 is the improper Spec. Rep., Oct. 2010, at 20. mechanism to effectuate this goal. 10 Id. Setting aside the legal argument that the 11 Id. act is an improper attempt to interfere 12 S.B. 1070, supra note 3, at § 1. with the exclusive federal prerogative of 13 Randal C. Archibald, Arizona Enacts setting national immigration policy, the Stringent Law on Immigration, N.Y. TIMES, statute is manifestly unseemly and is in April 23, 2010, available at discord with the tenets of American http://www.nytimes.com/2010/04/24/us/politic s/24immig.html?_r=1 (last visited Nov. 7, freedoms. Basic rights to privacy, rights 2010). to work, and rights to due process strike 14 Id. against the enforcement of this statute. It 15 Id. is unclear what will occur procedurally as 16 Id. Indeed, the authors’ first thoughts of the litigation proceeds through the district S.B. 1070’s provision permitting law court and climbs up the ladder of judicial enforcement to request immigration review to the circuit courts of appeal. documents upon request involved Steve Notwithstanding the route this issue takes McQueen and his WWII compatriots escaping to final adjudication, one result is proper: a German Stalag in The Great Escape (1963) and the Gestapo’s subsequent demands to S.B. 1070 should be found to be produce their “papers.” unenforceable as a matter of law. 17 Id. 18 See generally Immigration Nationality Act 8 U.S.C. § 1101 et seq. (2010). 19 1 Federation for American Immigration ALEKSANDR SOLZHENITSYN, GULAG Reform, Support Our Law Enforcement and ARCHIPELAGO (1973), available at Safe Neighborhoods Act Summary of Arizona http://mitteleuropa.t35.com/wk2_the_gulag_ar SB 1070 as Enacted, April 27, 2010, available chipelago_01.html (last visited Nov. 15, at 2010). http://www.fairus.org/site/DocServer/ariz_SB Arizona’s Immigration Law: S.B. 1070 Page 127

1070_summary.pdf?docID=4761 (last visited Crime Under New Law, 15 PUB. INT. L. REP. Nov. 7, 2010); see also S.B. 1070, supra note 141, 144 (2010) (internal citations omitted). 3. 44 Id. at 144-45. 20 See United States v. Arizona et al., No. CV 45 Id. at 145. 10-1413-PHX-SRB (D. Az. July 28, 2010) 46 Sheriff Arpaio is perhaps the best known (Doc. 87, Order Granting Preliminary municipal sheriff in the country. Nationally Injunction (the “Order”)); see also Friendly known for requiring county inmates to wear House et al. v. Whiting et al., No. CV10-1061- pink colored fatigues as a means of mental PHX-SRB (D. Az. July 28, 2010) (Doc. 424, punishment, Sheriff Arpaio is an outspoken Order) supporter of S.B. 1070. See generally, Natalie 21 Order, supra note 20. Rivers, Sheriff Arpaio facing lawsuit from 22 Id. immigration activist, AZFAMILY.COM, Oct. 29, 23 Id.; Bonnefil, supra note 9. 2010, available at http://www.az 24 Bonnefil, supra note 9. family.com/news/local/Sheriff-Arpaio-facing- 25 Id. lawsuit-from-immigration-activist- 26 Id. 106348288.html (last visited Nov. 15, 2010). 27 Jordan, supra note 4. 47 McMahon, supra note 43, at 145. 28 Id. 48 See Brief of Amicus Curiae American Bar 29 Id. Association in Support for Preliminary 30 As an interesting twist of historical irony, Injunction, supra note 29, at *7. Secretary of Homeland Security Janet 49 Id. Napolitano (D-Az.) is the former governor of 50 Id. Arizona and had vetoed legislation similar to S.B. 1070 on repeated occasions prior to her appointment to her current position by President Obama in 2009. 31 Jordan, supra note 4. 32 Id. 33 Su, supra note 3. 34 U.S. CONST., art. VI, cl. 2. 35 U.S. CONST., art. I, § 8, cl. 4. 36 Traux v. Raich, 239 U.S. 33, 42 (1915). 37 See generally Brief of Amicus Curiae American Bar Association in Support for Preliminary Injunction, Friendly House et al. v. Whiting et al., No. 10-CV-01061-SRB (D. Az. July 14, 2010). 38 Id. at *4. 39 Id. at *6. 40 Matthews v. Diaz, 426 U.S. 67, 80 (1976). 41 Id. 42 See Brief of Amicus Curiae American Bar Association in Support for Preliminary Injunction, supra note 37, at *6-7. 43 Christina McMahon, Amidst Controversy Over Federal 287(G) Immigration Program, Arizona Approves Immigration Trespassing Privacy Implications Associated With Medicare Secondary Payer Act and the 2007 Medicare, Medicaid and S-CHIP Extension Act Reporting Requirements

By: Tamela J. White and Ms. White is a Member of Farrell, Allison N. Carroll Farrell & Farrell, PLLC. A former critical care nurse and hospital HE 2007 Medicare, Medicaid and S- administrator, Ms. White practices in T Chip Extension Act (MMSEA)1 has Huntington West Virginia. She will been the subject of much discussion as receive her Masters’ in Public Health the private business sector becomes from the Johns Hopkins Bloomberg prepared to meet the obligation to School of Public Health in 2011. Ms. electronically report payments made in White’s practice includes health law and civil litigation and other contexts.2 The regulation, medical defense and litigation MMSEA compliments the Centers for in the fields of product liability, health Medicare and Medicaid Services’ (CMS) law and medical negligence. recovery initiatives pursuant to the Ms. Carroll is an associate with Medicare Secondary Payer Amendments Farrell, Farrell & Farrell, PLLC. She to the Social Security Act (MSP).3 The received her law degree, cum laude, from MSP requires any primary payer4 to be the Louis D. Brandeis School of Law at responsible for payment of medically- the University of Louisville in 2006. Her necessary care. The MSP entitles the practice includes medical defense and United States to recover prior conditional litigation in the areas of product liability, health care payments directly from health law and medical negligence. beneficiaries,5 primary payers,6 beneficiaries’ attorneys7 and others.8 increased. With adoption of the Medicare, Since the existence and identity of Medicaid S-CHIP Extension Act, CMS primary payer sources may be unknown and OIG (the Office of Inspector General) anticipate a greater repayment recovery of or uncertain at the time health care is 9 provided and payment obligations are prior conditional payments made. incurred, very often Medicare makes The MMSEA’s mandates implicate payments to health care providers which privacy issues because they require are deemed conditional and subject to MMSEA reporting entities to obtain and MSP repayment in the event a primary report individually identifiable, personal payer source subsequently acknowledges information. Each primary payer must and pays for the subject medically- designate a Registered Responsible Entity (RRE)10 that must register with CMS for necessary care. As the federal 11 government has improved its computer reporting purposes. Each RRE must networking interoperability, and its populate CMS data fields with specific, capacity to track and mandate conditional personal, individual, identifiable payment, repayment compliance has information into CMS’ secure computer Privacy Implications Associated with Medicare Page 129 data base. For each individual, this (ONCHIT) published a final report, on includes name (and any former names or January 15, 2009, outlining numerous derivations of the same), address, sex, interventions it deemed to be necessary to social security number or Health protect individual health identity.17 Identification Claim Number (HICN) and Health (medical) identity theft happens at least one ICD-9 code.12 when a person uses another person’s The RRE, who may be the primary name and some other unique individual payer or an entity contracted to provide identifier, such as insurance information, this service for a primary payer,13 has the a social security number, or an HICN for obligation to report payments to the purpose of obtaining medical goods or beneficiaries, agreed upon generally services or to obtain money by falsifying through a contract of insurance, medical services claims.18 The essence settlement agreement or judgment.14 The of this crime is the use of the medical primary payer does not have the fiduciary identity of another without knowledge of duty to maximize recovery for the the person whose information is being beneficiary. The beneficiary’s interests used.19 often are protected through counsel The statistical summaries of health whose duties include zealous identity theft are mere estimates and are representation and maximization of the believed to underestimate the scope of the final dollar amount realized by the client problem.20 Identity theft reports, not beneficiary. RREs, the primary payer specific to health/medical identity, have plan(s), and its/their respective counsel, risen yearly since data on this broad each have separate and distinct duties to category of crimes has been collected. preserve and represent their respective For instance, in 2001 the number of interests and not necessarily to maximize persons reporting identity theft was a beneficiary’s personal recovery. For 86,168 and in 2005, this number was instance, with respect to the MMSEA 255,565.21 The Social Security specifically, RREs and primary plans Administration, Office of Inspector have the highly-motivating self interest to General’s beneficiary hotline has reported avoid the $1,000 per day “late claim” that from March through September reporting sanction and liability for double 2001, it received 25,991 identity theft damages in the event of a failure to timely reports with 548 of these including report a payment or an ongoing payment allegations of medical identity theft.22 obligation.15 Substantial resources are spent each In this electronic generation, identity year in the private and public sectors theft and misuse or misappropriation of attempting to prevent inadvertent personal identifiers is a substantial publication of individual identifiers and problem and concern. Identity theft is one misappropriation of confidential of the “fastest growing crimes in information. A Privacy Impact America.”16 Health (medical) identity Assessment (PIA) is required by each theft is such an increasing concern that governmental agency, pursuant to Titles the Office of the National Coordinator for II and III of the E-Government Act of Health Information Technology 2002.23 A PIA was been completed by Page 130 THE PRIVACY PROJECT IV – 2011 the United States Office of Personnel obligations governing privacy and other Management concerning the Medicare interests which may arise. Secondary Payer System (MSPS) as of This article provides a brief overview September 7, 2007.24 However, this PIA of the MMSEA Reporting Obligations, was prepared before release of any followed by a discussion of these proposed MMSEA enforcement opinions and the privacy and ethical regulations or guidelines and the issues presented in them concerning mandatory MSP data reporting system. exchange of social security number, Primary payer plans and RREs HICN and ICD-9 Code designation generally have established compliance required by compliance with the programs which safeguard dissemination MMSEA. of private health information and unique personal identifiers. The phrase “Zero I. Brief Overview of the MMSEA Tolerance” is commonplace in industry Reporting Obligations jargon. The Privacy Act of 1974,25 the Health Insurance Portability and The MMSEA requires an RRE to Accountability Act of 199626 with report “claims” to CMS through its corresponding Privacy Standards,27 and Coordination of Benefits Contractor other laws, such as state insurance (COBC). A “claim” is the overall claim department regulations, provide a for liability insurance (including self- complex framework designed to protect insurance), no-fault insurance or workers' the individual’s privacy interests.28 compensation rather than a single claim Notwithstanding these facts, as MSP for a particular medical item or service.33 recovery efforts intensify and the Claim information relates to a primary MMSEA electronic data reporting plan’s payment to a Medicare beneficiary becomes a reality29 discovery disputes where the beneficiary claims medical will arise in the trenches. There are two damages which are released or satisfied published opinions from 2010 discussed by settlement, judgment, award or herein, in which trial courts addressed otherwise.34 Each RRE must register settlement and discovery issues arising with its designated COBC and must out of the MMSEA and the MSP: designate a responsible authorized Hackley, et al. v. Garofano, et al.30 and representative,35 an authorized account Seger v. Tank Connection, LLC., et al.31 manager,36 and account designees37 for Each is instructive in providing guidance compliance purposes. in those domains. Primary payer (insurer RREs must register with CMS’ and RRE class) electronic storage and secure user electronic reporting data retention of personally identifiable health bank.38 It is CMS’ intention that once an information was opposed by a plaintiff in RRE is registered, it will be assigned a State Farm Mutual Automobile Insurance quarterly reporting schedule for Claim Company v. Bedell.32 That decision, Input File Submission. The quarterly data while having no MSP/MMSEA issue input period assigned to each RRE is before it, is a good example of how limited to a 7-day window.39 Access to counsel must consider competing legal the portal is closed to the RRE for Privacy Implications Associated with Medicare Page 131 reporting purposes. However, the RRE was agreed upon to settle the claim. After may query the data bank at any time as to that agreement was reached, USAA whether a claimant is a beneficiary, by requested the social security number of inputting name, sex, date of birth, and both the minor and father. The plaintiffs either the social security number or refused on the basis that the requested HICN.40 Social security numbers or information was confidential, the son was HICNs drive the identity confirmation a minor and obviously was not Medicare since it is through these unique personal eligible, and the father’s social security identifiers that CMS manages the benefits information was not relevant. provided to individuals. Many primary The Court recognized the MSP plans and RREs will rely upon the query obligations and concerns asserted by the process to document their attempt to insurer. Since the insurer had failed to determine, through CMS itself, whether specifically include the demand for an individual claimant is a beneficiary for release of social security numbers in the MSP purposes. settlement negotiations, the court refused to enforce the settlement. In recognition II. Hackley, et al. v. Garofano, et al.,41 of the consequences for failed MSP Seger v. Tank Connection, LLC., et reporting, the Court affirmed an insurer’s al.42 and State Farm Mutual right to condition a settlement upon the Automobile Insurance Company v. provision of social security numbers to be Bedell43 used for CMS MMSEA querying and reporting. The Court rejected plaintiffs’ In Hackley, et al. v. Garafano, et al, arguments that the minor plaintiff was not the Connecticut Superior Court concluded Medicare eligible and also found that the that there had been no meeting of the father’s social security number could be minds and refused to enforce a settlement demanded since the MMSEA “affect[s] when, after the settlement amount had all parties involved in a payment of a been agreed upon by the parties, the settlement, judgment or award.”45 The plaintiffs objected to the insurer’s request Courts’ conclusion bears a reminder for for their social security numbers. all participants in these discussions: Importantly, the Court found that the insurer could have made disclosure of This is hardly the first settlement to social security numbers, even for a minor be derailed because of unresolved plaintiff and non-Medicare beneficiary, a questions relating to Medicare liens. pre-condition to settlement but, its having Rarely, these have led to published failed to do so, there was no enforceable decisions. See, e.g., Riccardi v. agreement. 44 Strunk, Judicial District [Initial caps The underlying facts were as follows. needed?] of New London, Docket The minor plaintiff was injured in a motor No. CV 08 5008671 (January 22, vehicle accident on July 1, 2007, and was 2010, Cosgrove, J.). More still a minor at the time his father frequently, they have simply led to attempted settlement with the insurer, frustration and misunderstanding. USAA. The monetary sum of $7,500.00 Counsel would therefore be well Page 132 THE PRIVACY PROJECT IV – 2011

advised to be aware of developments The Court found that the in this area of law and take them into MSP/MMSEA reporting mandates account in fashioning unambiguous controlled and it ordered the plaintiff to settlement agreements.46 respond to the discovery. The Court found that there was no harm in providing Therefore, when preparing for a the information before settlement or mediation or settlement conference, as judgment. However, the Court did not well as in the negotiation of the terms of agree with the defendant’s position that any settlement, parties should include MMSEA compliance information was mandatory MSP/MMSEA compliance necessary in order to negotiate a data and include as a material term in the settlement, implying that this information settlement documents, confirmation of the was available through alternative means accuracy of all such data uniquely in the including medical records relied upon in possession of the beneficiary and his or the case. The Court ultimately concluded her counsel. that the requested information would have Seger v. Tank Connection, LLC47 to be provided at some point in time and involved a discovery dispute. that the discovery was proper, requiring Interrogatories were sent to plaintiff Rule 26 compliance by the plaintiff in requesting the specific information responding.50 required to populate the CMS data bank An important issue not discussed in reporting fields, including the plaintiff’s the Seger decision is whether a protective social security number. The requesting order is warranted prior to a plaintiff party based its request upon MMSEA responding to interrogatory or deposition compliance mandates, asserting inter alia questioning intended for MSP/MMSEA that it may be impossible to obtain the compliance. By way of example, a requested information after a settlement, typical set of discovery may include: judgment or finding of liability because plaintiff would have no incentive to For purposes of mandatory provide the information at those times.48 compliance with the Medicare Plaintiff objected on grounds that the Secondary Payer Act, the Medicare, information was irrelevant, immaterial Medicaid and SCHIP extension act and not likely to lead to the discovery of of 2007 or any private contractual admissible evidence. Plaintiff argued that subrogor, provide each name by no mandatory reporting obligation existed which ______has ever been unless liability was accepted and that the known, his date of birth, his social requested information would be provided security number, the date(s) (if any) “within a time specified by the Secretary that he qualified for Medicare, the [of the Department of Health and Human date(s) (if any) that he became a Services] after the claim is resolved Medicare beneficiary, his Health through a settlement, judgment, award or Identification Claim Number other payment (regardless of whether or (HICN), each ICD-9 diagnostic code not there is a determination or admission relating to the claimed injury for of liability).”49 which recovery is sought in this Privacy Implications Associated with Medicare Page 133

case, whether or not the appropriate MSP or MMSEA construction. However, Medicare benefits coordinator has the issue presented was and is a been contacted regarding this civil foreseeable one for future MSP/MMSEA action and whether or not Medicare claims management. has notified you that it seeks The plaintiff in Bedel was injured in conditional medical expense an automobile accident. During the payment reimbursement from any discovery phase of the litigation, plaintiff recovery in this action. objected to production of health Please state whether information absent a protective order ______had, at any time prior requiring that the defendants’ insurer to to his death, been a Medicare abstain from electronic storage of private beneficiary by virtue of end stage health information and to return or renal disease and/or disability of any destroy disclosed information at the kind. conclusion of the case. The trial court Please produce all notices of entered a protective order, over the claim of any nature from any objection of the defendants, requiring, in governmental or third party entity relevant part: asserting a right to repayment of prior medical payments made arising out of Defendants' counsel will not disclose the injuries for which recovery is orally or in summary form, any of sought in this matter. the Plaintiff's or Decedent's medical Please produce all notices by you records, or medical information, to or on your behalf to and/or from the any person other… than their clients, Centers for Medicare and Medicaid office staff, and experts necessary to Services (COBC) concerning your assist in this case, and any such attempt to recover damages arising person shall be advised of this out of the health care expenses Protective Order and receive and incurred for which recovery is sought review a copy of it and be informed in this matter. that they are bound by the non- disclosure terms and the other Each of these sample requests is provisions of this Protective Order if specific to MSP/MMSEA compliance and they receive such protected liability issues. Whether requesting information. No person shall scan or counsel should preempt delay by store any of Plaintiff's or the proposing a protective order governing Decedent's medical records or dissemination of this information is for medical information by any method, evaluation with his/her client and including but not limited to, responsible primary plan representatives. computerized storage, filming, The issue of protective orders photographing, microfiche or other governing personally identifiable similar method…. information was addressed State Farm Also, upon conclusion of this Mutual Automobile Insurance Company case, all medical records, and v. Bedell.51 This case did not involve medical information, or any copies Page 134 THE PRIVACY PROJECT IV – 2011

or summaries thereof, will either be To further protect the destroyed with a certificate from confidentiality of an insured's Defendants' counsel as an officer of medical records, the Insurance the Court that the same has been Commissioner has promulgated a done, or all such material will be legislative rule, W. Va.C.S.R. § returned to Plaintiff's counsel 114-57-15 (2002), based on the without retention by Defendants' model privacy rules of the counsel or any other person who was National Association of furnished such materials and Insurance Commissioners, which information pursuant to the terms of are patterned after the federal this Protective Order. Provided Gramm-Leach-Bliley Act, 15 however should Defendants' counsel U.S.C. § 6801 (2009), et seq. desire to retain a copy of the Among other things, this rule protested [sic] medical records prohibits insurers from disclosing produced in this case, the same shall ‘nonpublic personal health be permitted as long as those information’ without protected medical records are authorization by the individual. maintained in a sealed manner in W. Va.C.S.R. § 114-57-15.1. Defense Counsel's file and not used Thus, insurers operating in West for any other purpose whatsoever Virginia are required to prevent except upon further order of this the unauthorized disclosure of Court or in response to lawful confidential medical records process after notice to the protected contained in claim files, whether person, or in response to a lawful those files are stored order of another Court with electronically or in paper jurisdiction, or upon written consent format.54 of the protected person whose medical records and information is As MSP/MMSEA challenges protected herein.52 materialize in the future, counsel should consider these collateral sources of State Farm relied principally upon confidentiality protection in fashioning a the records retention requirements of the means by which to accomplish that which West Virginia Insurance Commissioner in all participants in the dispute need: asserting its objections. Those record exchange of information in the least retention requirements included, inter restrictive and yet protective manner alia, confidentiality obligations, storage respectful of the privacy of the obligations, electronic storage options, beneficiary. and a mandatory retention period. The Bedel Court declared the III. Discussion protective order to be improper, relying upon the state insurance commissioner’s These three decisions prompt a rules and regulations.53 Specifically, the robust privacy discussion. The MSP Court found: preempts state law.55 To the extent that Privacy Implications Associated with Medicare Page 135 state law conflicts with MSP the international standard diagnostic enforcement, courts have found that the classification for all general federal information recovery mandates epidemiological [and] many health are superior.56 Further, the filing of a management purposes and clinical Medicare claim by or on behalf of a use. These include the analysis of the beneficiary is an express authorization by general health situation of population the beneficiary for “any entity, including groups and monitoring of the State Medicaid and workers’ incidence and prevalence of diseases compensation agencies and data and other health problems in relation depositories” to release information to other variables such as the concerning the subject claim to CMS for characteristics and circumstances of MMSEA enforcement.57 the individuals affected, An underlying apparent assumption reimbursement, resource allocation, was made in Hackley that the absence of quality and guidelines. It is used to Medicare age qualifying status , end-stage classify diseases and other health renal disease, or dual eligibility is not a problems recorded on many types of basis for a plaintiff to object to a primary health and vital records including payer’s protection of its interests by death certificates and health records. conditioning settlement upon release of In addition to enabling the storage otherwise protected information. and retrieval of diagnostic However, the settlement phase of a claim information for clinical, or litigated case is late in the process for epidemiological and quality purposes, both plaintiffs’ and defendants’ counsel to these records also provide the basis be thinking about the subrogation for the compilation of national interests of third parties, including the mortality and morbidity statistics by government. Counsel should be willing WHO Member States. 58 to respect the obligations of all participants in pre-litigation and In simple terms, the ICD code drives discovery. By application of a primary reimbursement and with respect to payer’s own compliance programs, government health care payments, it operation of state law, and conformity drives CMS’ assessment of disease states with federal privacy standards and for which a beneficiary has received requirements, appropriately tailored treatment. The consequences of a protective orders and discovery primary payer or RRE populating a guidelines should be attainable by mandatory CMS MMSEA data field with agreement between the parties. the wrong ICD are self apparent. For Emphasis thus far in this article has example: been upon social security number and HICN disclosure. An additional and ICD-9-CM codes do not differentiate significant MMSEA disclosure mandate between right and left appendages. warrants special consideration: the Thus, report of an ICD-9-CM code International Classification of Diseases for a left ankle injury incurred in a car (ICD) disclosure mandate. The ICD is: accident may cause Medicare to Page 136 THE PRIVACY PROJECT IV – 2011

include in its claim medical bills foreseeable future. For instance, on Medicare paid for an injury to the March 9, 2010, United States claimant's right ankle. This can, in Representative Patrick Murphy turn, cause CMS to grossly introduced the “Medicare Secondary overestimate the total amount owed, Payer Enhancement Act of 2010” leaving a disparity between what the (MSPEA).60 Section 4 of the Bill RRE reports and what CMS proposes the adoption of safe harbors expects.59 with respect to the MMSEA reporting obligations and restructures the penalty If the wrong ICD is used, a beneficiary obligations for late reporting based upon may sustain compromised benefits. If a intent. Section 5 provides that “the beneficiary’s attorney is not careful and Secretary [of the Department of Health includes in a demand the ICD coding for and Human Services] shall modify the numerous unrelated conditions or reporting requirements . . . so that entities expenses, the attorney may be unable to responsible for reporting information . . . maximize his or her client’s realized are not required to access or report to the recovery. Stated simply, asking for more Secretary beneficiary social security than reasonably arises out of the alleged numbers or health identification claim dispute may result in adverse numbers.”61 Whether this bill will be consequences for the injured party. acted upon soon or gains material traction Likewise, if the beneficiary and his or her is to be seen. It does not, however counsel refuse to identify the appropriate address ICD information. It also does ICD code prior to mandatory reporting, a nothing to relieve the present obligations RRE may have no other choice but to under existing regulations. The next populate the CMS data bank fields with chapters in this saga will take some time all ICDs listed on a claimant’s bills. Any to work out. Hence, as the Hackley court negotiating RRE, primary plan or primary admonished, “[c]ounsel would therefore plan counsel must include express ICD be well advised to be aware of designation as a pre-condition to developments in this area of law and take settlement. Those ICD designations must them into account in fashioning match the subject matter in the litigation unambiguous settlement with all parties recognizing that the agreements.”62 ultimate determination of that which constitutes a prior conditional payment being the discretion of CMS. This emphasizes the obligation that counsel 1 Medicare, Medicaid, and SCHIP Extension representing the beneficiary should Act of 2007, Pub. L. No. 110-173, 121 Stat. cooperatively work with CMS to define 2492 (2007). the ICD code(s) related to the lawsuit. 2 See, e.g., OIG 2011 Work Plan, These and other significant privacy Longstanding Issues, Recovery Act concerns must be anticipated and Reviews Among Areas of Focus, 20 No. 3 managed in a proactive manner. This HTHCR 6, Aspen Publishers 2010; Jason field will continue to evolve in the D. Lazarus, Medicare Myths: What Every Trial Lawyer Should Know About the MSP Privacy Implications Associated with Medicare Page 137

& Liability Medicare Set Asides, 84NOV Harris, No. 5:08CV102, 2009 WL 891931 FLA. B.J. 46 (November, 2010); Brent M. (N.D. W. Va. Mar. 26, 2009), aff’d, 334 Timberlake and Monica A. Stahly, Fool Me Fed. Appx. 569 (4th Cir. 2009). Once, Shame on Me; Fool Me Again and 6 See supra note 5; 42 C.F.R. § 411.21 You’re Gonna Pay For It: An Analysis Of (2008). Medicare’s New Reporting Requirements 7 United States v. Harris, No. 5:08CV102, For Primary Payers And The Stiff Penalties 2009 WL 891931 (N.D. W. Va. Mar. 26, Associated With Noncompliance, 45 U. 2009), aff’d, 334 Fed. Appx. 569 (4th Cir. RICH. L. REV. 119 (2010); Frederick C. 2009). Geilfuss, B. McGrath and M. Kwiecinski, 8 MSP obligations exist for employers, Reporting Risk Management Activities to workers’ compensation plans, group health CMS Under the MMSEA: Hospitals, plans and others. See supra note 5; 42 Physicians and Provides Need to Become C.F.R. § 411.21 (2008). Familiar with New Guidance, 12 No. 5 J. 9 See OIG 211 Work Plan, Longstanding HEALTH CARE COMPLIANCE 53 Issues, Recovery Act Reviews Among (September/October 2010); Tamela J. Areas of Focus, 20 No. 3 HHTHCR 6, White, The Medicare Secondary Payer Act Aspen Publishers, 2010. and Section 111 of the Medicare, Medicaid, 10 RREs are those entities responsible for SCHIP Extension Act of 2007: Implications complying with the reporting requirements for Claim Management and Resolution for of MMSEA Section 111. See MMSEA User Liability Insurance Plans, 77 DEF. COUNS. Guide, at 9, 21 (“42 U.S.C. J. 157 (2010). 1395y(b)(8)(2010) provides that the 3 42 U.S.C.1395y(b) (2010). ‘applicable plan’ is the RRE and defines 4 Primary payer means, “when used in the ‘applicable plan’ as… ‘the following laws, context in which Medicare is the secondary plans, or other arrangements, including the payer, any entity that is or was required or fiduciary or administrator for such law, responsible to make payment with respect plan, or arrangement: (i) liability insurance to an item or service (or any portion (including self-insurance); (ii) no-fault thereof) under a primary plan. These entities insurance; (iii) Workers’ compensation include, but are not limited to, insurers or laws or plans.’”). self-insurers, third party administrators, and 11 CMS, MMSEA Section 111 Medicare all employers that sponsor or contribute to Secondary Payer Mandatory Reporting: group health plans or large group health Liability Insurance (Including Self- plans.” 42 C.F.R. §411.21(2008). Insurance), No-Fault Insurance, and 5 Medicare beneficiary means an individual Workers’ Compensation USER GUIDE who is entitled to or enrolled in Medicare (hereinafter “MMSEA User Guide”), Part A (Hospital Insurance) or enrolled in Version 3.1, July 12, 2010, at 18. Part B (Supplementary Medical Insurance) 12 MMSEA User Guide, supra note 11 at or both under title XVIII of the Act. 20 Appendix A (setting forth the complete list C.F.R. §418.3010(b)(8)(2005). 42 C. F. R. of fields which must be populated when 411.24(h) (2008) requires a beneficiary “or reporting a claims pursuant to MMSEA other party” that receives a primary Section 111). payment to reimburse Medicare within 60 13 MMSEA User Guide, supra note 11 at 21- days. Failure to repay promptly may 29 (“Agents are not RREs for purposes of compromise a beneficiary’s status and CMS the MSP reporting responsibilities for 42 may require the beneficiary to make U.S.C. 1395y(b)(7). However, the payment, with interest. United States v. Page 138 THE PRIVACY PROJECT IV – 2011

applicable RRE may contract with an entity begin during the first calendar quarter of to act as an agent for reporting purposes.”). 2011. The compliance date has now been 14 See 42 C.F.R. §411.210(2008) (“Primary moved to the first calendar quarter of 2012 payment means, when used in the context in for all liability insurance (including self- which Medicare is the secondary payer, insurance) TPOC (Total Payment payment by a primary payer for services Obligation to the Claimant) amounts with that are also covered under Medicare.”) no ORM (Ongoing Responsibility for 15 42 U.S.C. §1395y(b)(2)(B)(ii)(2010). Medical Payment). Revised Implementation 16 Social Security Administration, http:// Timeline for TPOC Liability Insurance www.ssa.gov/pubs/10064.html (last (Including Self-Insurance) Settlements, accessed Dec. 10, 2010). Judgments, Awards or Other Payments, 17 United States Department of Health and Alert from the Centers for Medicare & Human Services, Office of the National Medicaid Services Office of Financial Coordinator for Health Information Management/Financial Services Group, Technology, Medical Identity Theft Final November 9, 2010. Liability insurance Report, January 15, 2009, Prepared by Booz (including self-insurance) ORM reporting is Allen Hamilton. not subject to this delay, therefore, reporting 18 The World Privacy Forum, Medical Identity begins on January 1, 2011, as scheduled. Theft: The Information Crime That Can Kill 30 2010 WL 3025597 (Conn. Super. July 1, You. Spring, 2006. Available at http:// 2010). www.worldprivacyforum.org/pdf/wpf_medi 31 2010 WL 1665253 (D. Neb. April 22, calidtheft2006 (last accessed Dec. 10, 2010). 2010). 32 226 W.Va. 138, 697 S.E.2d 730 (2010). 19 Id. at 16. 33 MMSEA User Guide, supra note 11 at 18. 20 Id. at. 20. 34 MMSEA User Guide, supra note 11 at 18. 21 Id. (reporting information received from the 35 The authorized representative is the person Federal Trade Commission pursuant to a with legal authority to bind the plan entity FOIA request, FTC FOIA-2006-00560). and has ultimate compliance accountability. 22 Id. at 21. The authorized representative may assist in 23 42 U.S.C. §101 (2002), et seq. registration of an entity but is not issued an 24 Medicare Primary Payer System (MSPA) account Login ID or password and cannot Privacy Impact Assessment, United States be an account user or agent. The authorized Office of Personnel Management, Available representative is responsible to designate at the account manager. The authorized http://www.opm.gov/privacy/PIAs/pia_msp representative must approve the account s.asp (last accessed December 10, 2010). profile setup and is the agent for service of 25 5 U.S.C. §552a (2010). non-compliance notifications. MMSEA 26 Pub. L. No. 104-191, 110 Stat. 1936 to User Guide, supra note 11 at 31. 1996 (codified at 29 U.S.C. 1162(2)(A)(v) 36 The account manager controls the RRE (2000)). account administration and reporting 27 45 C.F.R. pts. 160, 162, 164. process. The account manager is 28 See generally, 50 STATE STATUTORY responsible for web-access registration and SURVEYS, INSURANCE GENERAL, Thomson account setup. Persons reporting to the Reuters/West December 2009. account manager, known as “account 29 The required submission of liability designees” are provided authorized insurance (including self-insurance) initial reporting access once invited by the account claim reports was initially scheduled to manager. The account manager oversees Privacy Implications Associated with Medicare Page 139

the logistics of information transfer to the MSP, as are any state laws that otherwise COBC. The manager can monitor RRE interfere with federal recovery); Cox v. usage activities, such as file transmission Shalala, 112 F.3d 151 (4th Cir. 1997) histories, processing status, and file (federal law pre-empted the North Carolina statistics. The account manager cannot also wrongful death act which placed a serve as the authorized representative or as $1,500.00 cap on third party recovery of an account designee for the same RRE ID. medical expenses; Medicare entitled to MMSEA User Guide, supra note 11 at 31- recover the $181,187.75 that it 32. conditionally paid when the parties to the 37 Account designees are essentially the data wrongful death action settled the matter processing personnel that input data into the (citing Fla. Lime & Avocado Growers, Inc. electronic system. Account designees v. Paul, 373 U.S. 142, 142-43 (1963)); State cannot serve as an account manager or Farm v. State of California, ___ F. Supp. authorized representative. MMSEA User ___ (C.D. Calif. 1997) (memorandum Guide, supra note 11 at 31-32. opinion) (Medicare entitled to recover the 38 The portal for the data bank entry is at entire settlement res where its conditional www.Section111.cms.hhs.gov. payments exceeded the paying automobile 39 MMSEA User Guide, supra note 11 at 44. insurer's policy limits). 40 MMSEA User Guide, supra note 11 at 110. 56 See supra note 55. 41 2010 WL 3025597 (Conn. Super. July 1, 57 42 C.F.R. §411.24(a)(2006). 2010). 58 World Health Organization, International 42 2010 WL 1665253 (D. Neb. April 22, Classification of Diseases definition, 2010). available at 43 226 W.Va. 138, 697 S.E.2d 730 (2010). http://www.who.int/classifications/icd/en/in 44 2010 WL 3025597, at *5-6 (Conn. Super. dex.html (last accessed December 10, July 1, 2010). 2010). 45 59 Id. at *4 (Conn. Super. July 1, 2010). Timberlake and Stahly, 45 U. RICH. L. REV. 46 Id. at *6 (Conn. Super. July 1, 2010). at 119 (internal citations omitted). 47 2010 WL 1665253 (D. Neb. April 22, 60 Medicare Secondary Payer Enhancement 2010). Act of 2010, H.R. 4796, 111th Congress. 48 Id. at *2 (D. Neb. April 22, 2010). 61 Id. 49 Id. at *3 (D. Neb. April 22, 2010). 62 2010 WL 3025597 * at 6 (Conn. Super. July 50 Id. at *6 (D. Neb. April 22, 2010). 1, 2010). 51 226 W.Va. 138, 697 S.E.2d 730 (2010). 52 Id. at 734 (emphasis in original). 53 Id. at 740. 54 Id. at 738. 55 Zinman v. Shalala, 67 F.3d 841, 845 (9th Cir. 1995); see also English v. Gen. Elec. Co., 496 U.S. 72, 79 (1990); Pac. Gas & Elec. Co. v. State Energy Res. Conservation and Dev. Comm’n, 461 U.S. 190, 204 (1983); United States v. R.I. Insurer’s Insolvency Fund, 80 F.3d 616 (1st Cir. 1996)(state laws designed to protect private interests in the event of liability insurance carrier insolvency are preempted by the Privacy Breach Notification under Canadian Privacy Law – Case Studies for Understanding an Emerging Regime

By John P. Beardwood and John P. Beardwood is a partner and Gabriel M. A. Stern Gabriel M. A. Stern is an associate at the Toronto office of Fasken Martineau DuMoulin LLP. ANADA has one of the world’s most

comprehensive legal regimes for C I. The Canadian Privacy Regime protecting personal information. This Generally regime covers both the private and public sectors and is largely the result of detailed legislation1 in force across the country, A. Structure of the Canadian which sets out rules for how personal Privacy Regime information can be collected, used and disclosed. Notwithstanding the scope of The Canadian privacy law regime is this regime, one long-standing gap has characterized by both federal and 2 been in respect of establishing what provincial privacy legislation, in both obligations organizations have when there the public and private sectors. In the has been a personal information breach. private sector, which is the focus of this 3 In 2010, however, certain legislative paper , the application of these laws to amendments were made and proposed different organizations depends on (a) the that established breach notification nature of the organization, (b) the type of obligations. These legislative activities carried out by the organization, amendments promise to introduce new and (c) the places of activity of the challenges for organizations as they seek organization. On a general level, the basic to comply with Canadian privacy law. structure of the Canadian privacy law In order to assist counsel in understanding regime is that the federal private sector these new and pending Canadian privacy privacy legislation - the Personal breach notification obligations, this paper Information Protection and Electronic 4 (a) introduces the Canadian privacy Documents Act (“PIPEDA”) – protects regime generally, (b) outlines the new personal information collected, used or Canadian breach notification rules, and disclosed (a) by all federal works, 5 (c) reviews three breach notification undertakings and business , and (b) in scenarios in order to illustrate the connection with the commercial activities considerations organizations will need to of all private sector organizations across address in complying with this new and Canada, unless a particular province has developing regime. in force provincial privacy legislation that is deemed “substantially similar” to the 6 federal legislation ; in this sense it is Privacy Breach Notification under Canadian Privacy Law Page 141

“gap-filling” legislation. In contrast, each organizations’ privacy obligations. The of the provincial privacy legislation amendments, which are described in applies to the activities of all private detail below, are the first in Canada to sector organizations in that province. . deal with breach notification and are the Since PIPEDA has been enacted, focus of this paper. legislation in the provinces of Quebec7, British Columbia8 and Alberta9 (the C. Definition of Personal “Alberta PIPA”) has been deemed Information “substantially similar”. As a result, PIPEDA only applies in those three PIPEDA broadly defines “personal provinces to the collections, uses and information” as “information about an disclosures of personal information where identifiable person,” but excludes the conducted by a federal work, undertaking name, title or business address or or business, or where disclosed outside telephone number of an employee of an the province for a commercial purpose. organization11. The provincial legislation At both the federal and provincial levels, generally includes similar definitions – privacy commissioners are appointed to for example, the Alberta PIPA12 contains oversee and enforce privacy legislation. a similar definition, but excludes a broader range of business contact B. Application Outside of Canada information than PIPEDA by additionally excluding business email and facsimile It is significant to note that the numbers13. Canadian privacy law regime does not apply only to Canadian organizations but II. Privacy Breach Notification also to any organization carrying on Requirements business in Canada, even if they do not have a physical presence in the country. A. Comparing the Federal and This point was explicitly made in respect Alberta Models Generally of the Federal Privacy Commissioner and the scope of her jurisdiction in 2007 when In the spring of 2010, in respect of the Federal Court of Canada confirmed breach notification (a) the Alberta PIPA that the federal privacy commissioner (the was significantly amended as a result of “Federal Commissioner”) had important amendments that came into jurisdiction to investigate cross-border force on May 1, 2010, and (b) significant flows of personal information, even when amendments were proposed for PIPEDA the organization it was investigating was on May 25, 2010, pursuant to Bills C-28 not located in Canada such that 14 10 and C-29 . enforcement might be difficult . Under the proposed PIPEDA In 2010, significant amendments amendments, a new Division 1.1 will were, respectively, made to the Alberta require organizations (a) to report to the PIPA and proposed to be made to Federal Privacy Commissioner any PIPEDA concerning the notification that material breach, as defined in PIPEDA, of must be made when there are breaches of security safeguards involving any Page 142 THE PRIVACY PROJECT IV – 2011 personal information under that threshold, which arguably allows for organization’s control, and (b) to notify more flexibility as it will better reflect the individuals of such breaches where it is differing circumstances of each breach. reasonable under the circumstances to The proposed test for this threshold is, believe that the breach creates a real risk objectively, a “material breach of of “significant harm” (as defined in security safeguards”, where relevant PIPEDA) to the individual. Along with factors include (a) the sensitivity of the defining the thresholds for when such personal information in question, (b) the breaches will impose the obligations to number of individuals, and (c) a report these breaches to the Federal subjective assessment of the organization Commissioner and/or notify the subject as to whether reflective of systemic individuals, Division 1.1 also sets out problems. details as to the timing for such In contrast, under the Alberta PIPA, notification and the form in which it must the threshold for reporting breaches to the be provided. Alberta Commissioner is both Similar to what has been introduced significantly lower (in that there may only by the proposed revisions to PIPEDA, the be one individual involved) and amended Alberta PIPA introduces both a significantly higher (in that breaches of reporting and a notification regime in low sensitivity information, which are respect of security breaches. Under this either frequent, or involve a large number regime, certain privacy breaches must be of individuals, are effectively excluded reported to the Alberta privacy from the reporting requirement). The commissioner (the “Alberta applicable test is whether, objectively, “a Commissioner”), and under very similar reasonable person would consider that circumstances affected individuals must there is a real risk of significant harm to notified of such breaches. an individual”. While the federal and Alberta breach notification models may appear C. Threshold for Notifying the somewhat similar at first glance, they Affected Individuals differ in five significant ways: (a) the threshold for reporting a breach, (b) the The proposed test under PIPEDA for threshold for notifying the affected to when organizations would need to notify individuals, (c) the definition of individuals that there has been a breach of “significant harm”, (d) the responsibility their personal information is an objective for notification, and (e) offences. test that considers whether it is “reasonable in the circumstances to B. Threshold for Reporting a believe that the breach creates a real risk Breach of significant harm to the individual”. The comparable test under the Under the proposed PIPEDA breach Alberta PIPA is also objective and notification model, the threshold for when requires organizations to “notify a breach needs to be reported to the individuals to whom there is a real risk of Federal Commissioner is a contextual significant harm”. Interestingly, this test Privacy Breach Notification under Canadian Privacy Law Page 143 is almost identical to the Alberta PIPAs following definitional guidance, which is reporting test discussed above. The more general – and our view therefore significant difference is that the reference more helpful - than the proposed PIPEDA to “reasonable person” contained in the definitions: Alberta test for reporting is deleted. It is unclear whether this deletion was (a) “significant harm” is “material 15 intentional and what will be the result harm”, having “non-trivial of this missing language. consequences or effects”. Examples: may include D. Definition of “Significant “possible” “financial loss, Harm” identity theft, physical harm, humiliation to one’s professional The proposed definition for or personal reputation”. This test “significant harm” under PIPEDA is objective – therefore one does includes bodily harm, humiliation, not need to assess the subjective damage to reputation or relationships, circumstances of the particular loss of employment, business or individual; and professional opportunities, financial loss, (b) “real risk”: a “reasonable degree identity theft, negative effects on the of likelihood that the harm could credit record and damage to or loss of result”. Note that “[t]he risk of property.” Interestingly, the PIPEDA harm is not hypothetical or definition appears to effectively deem all theoretical, and it is more than of the above kinds of harm as being merely speculative”. Again, the “significant”, while in fact “damage to test is objective. relationships”, “loss of business or professional opportunities” and “damage E. Responsibility for Notification to or loss of property”, for example, may not – depending on the context – be In terms of responsibility for making significant. Additionally, identifying the decision as to whether to notify whether there is a “real risk of significant individuals of breaches of their personal harm” includes a review of the following information, the proposed PIPEDA model relevant factors: sensitivity of the requires that an organization makes the personal information; and probability (i.e. determination independently and then risk) of misuse. In short, the applicable notifies the individual of any breach. This equation under PIPEDA will be is notably different from the model under sensitivity of info + probability = harm; the Alberta PIPA, where it is the Alberta plus an evaluation as to whether the harm Commissioner who may require that an is significant. organization to notify the individual of Under the Alberta PIPA, “significant any breach. harm” and “real risk” are not defined. Note however that a publication from the Alberta Commissioner16 (“Alberta Information Sheet 11”) provides the Page 144 THE PRIVACY PROJECT IV – 2011

F. Offences duplicate copies available for the first set, which are in the form of hard copy files, Under the proposed PIPEDA model, so the Bank knows the name of the the breach notification provisions do not employees in question (the “Known create a new offence. This is different Employee Files”). The second set, from the Alberta model, whereby under located on a laptop, was of certain new the Alberta PIPA, a failure to provide and transferred employees and had not notice to the Alberta Commissioner – i.e. yet been copied, so the Bank does not a failure by an organization to “make the know which specific individuals were right decision” based on the reasonable identified in those files (the “Unknown person test – creates an offence. This Employee Files”). distinction is arguably appropriate given The files were in the car of an the structure of the Alberta PIPA whereby employee of the Bank responsible for effectively a breach of any obligation human resources matters which was under the act (i.e. a breach of compliance, stolen while the employer was at the consent, collection, use and disclosure grocery store. The employee’s obligations) can result in an offence. recollection is that the hard copy files of the Known Employees were under the III. Privacy Breach Notification driver’s seat, and that the laptop with the Scenarios Generally Unknown Employees Files was in the trunk. The files were not encrypted, but Organizations and their counsel access to the laptop was password subject to PIPEDA and the Alberta PIPA protected, albeit with a very simple, 6- will obviously need to understand the digit password, which happens to be the implications of these rules. Moreover, it same as the customized licence plate on is likely that as a result of the instruction the stolen car. The police believe that it is of breach notification rules at the federal possible that a person with minimal IT level and in Alberta, the other experience could circumvent the substantially similar jurisdictions will password protection and thus access the follow course and introduce their own files on the laptop. respective breach notification rules. In The Known Employee Files contain order to assist in understanding how these relatively generic and non-sensitive rules will apply in practice, we have set information about the employees’ work out below three scenarios designed to records. However, one of the employee illustrate some of the issues organizations files references the fact that the subject and their counsel will need to consider. employee, who is a practicing Muslim, has requested and been granted access to Scenario 1: Personal Information in a a storage room for the purposes of Stolen Car periodic prayer throughout the day. At the request of the employee, both the request and the granting of such request, have A bank branch office in Toronto, been kept confidential. The Bank knows Ontario (the “Bank”), loses two sets of that this particular employee, for various confidential employee files. There are Privacy Breach Notification under Canadian Privacy Law Page 145 reasons, would like to continue to keep Issue 2: Contents of the Notice such information confidential. Additionally, the Unknown Employee Notwithstanding the issue of how the Files may or may not contain sensitive Bank could conduct the required material information. breach/significant harm analysis for the The stolen car was eventually purpose of determining if notification was recovered, two days later. There are no required under PIPEDA, the second issue suspects, but the police suspect university raised by this scenario is how to student joyriders. The hard copy files of determine what should be the contents of the Known Employee were still under the the required notice PIPEDA would driver’s seat. The laptop with the “Not yet require that the notification contain Known Employees” files was still in the sufficient information to allow the trunk, but suffered damage such that it is affected individuals to understand the no longer working. It is not clear that the significance to them of the breach and to thieves accessed or tried to access either take steps, if any are possible, to reduce set of files. the risk of harm that could result from it, The Bank is a federal work, or to mitigate that harm. Yet if the undertaking or business and is therefore contents of the Unknown Employee Files subject to PIPEDA. are not known to the Bank it will be difficult, if not impossible for the Bank to Issue 1: Material Breach/ provide the required information to the Significant Harm Analysis affected individuals.

The first issue raised by this scenario Issue 3: Reporting Threshold is that the Bank does not know what (PIPEDA) information was in the Unknown Employee Files. The Bank has an The third issue raised by this scenario obligation under the PIPEDA breach is whether the breach regarding the notification model to engage in a material Known Employee Files passes the breach/significant harm analysis. material breach threshold such that it is However, in not knowing what reportable under PIPEDA. In order to information was contained in the determine this, the Bank would need to Unknown Employee Files, it is unclear establish whether the breach passes the how the Bank would be able to undertake “real risk of significant harm” threshold this analysis for the purpose of such that they are notifiable under determining if the incidents are reportable PIPEDA. and/or notifiable. This first issue therefore PIPEDA defines “significant harm” illustrates how conducting the analysis as including bodily harm, humiliation, required to assess if a reporting and/or damage to reputation or relationships, notification threshold has been met will loss of employment, business or require a certain de minimis amount of professional opportunities, financial loss, information to be available. identity theft, negative effects on the credit record and damage to or loss of Page 146 THE PRIVACY PROJECT IV – 2011 property. Again, PIPEDA appears to Issue 4: Reporting Threshold effectively deem all of the above kinds of (Alberta PIPA). harm as being “significant”, while in fact “damage to relationships”, “loss of As discussed above, the reporting business or professional opportunities” thresholds under PIPEDA and the Alberta and “damage to or loss of property”, for PIPA are different. While this fact pattern example, may not be significant, is set in Ontario, what would be the result depending on the degree. Moreover, the if the same breach happened to an test is an objective one. organization governed by the Alberta There are some nuances, however, to PIPA? As such, the fourth issued raised the application of this test in practice. For by this scenario is whether the breach example, in the case of the Muslim regarding the Known Employee Files employees, while (a) subjectively, it is passes the “real risk of significant harm known that the employee in question test ” so that the breach would be would consider the information regarding reportable and notifiable under the his request for religious accommodation Alberta PIPA. to be very sensitive and confidential, (b) Alberta Information Sheet 11, like objectively, it is not clear that a the proposed PIPEDA model, lists reasonable person would consider that the “humiliation or damage to one’s fact that an employee wishes to arrange professional or personal information.” for a space for prayer would cause Again, objectively, it is not clear that the “humiliation”, “damage to reputation or information regarding this religious relationships” or “loss of business or accommodation would meet those two professional opportunities”. criteria. Alberta Information Sheet 11 Additionally, it is unclear how, also states, however, that: “The test is an objectively, this scenario is to be objective one: whether a reasonable assessed. For example, under this person would consider the harm to be objective test, is it proper to assume that significant. In other words, an there is a certain level of Islamophobia in organization does not have to consider the general public, which should be a whether a particular individual would factor considered in reviewing this consider the harm to be significant, only situation objectively? Unless it was a whether the ordinary person would Bank employee who stole the car, it is consider the harm to be significant.” unlikely that this information regarding (emphasis added). In this case, then, religious accommodation become under the Alberta PIPA, it is unclear available to another Bank employee. whether the organization suffering the Arguably, that fact pattern diminishes the breach should even consider the specific likelihood of humiliation, etc. even more. concerns of the employee regarding If this is a subjective test, however, potential sensitivity. should the specific circumstances of this one employee even be properly considered? The next issue set out below explores this question further. Privacy Breach Notification under Canadian Privacy Law Page 147

Issue 5: The Impact of Facts on therefore, there is a question as to what Determining the Real Risk of skills are attributed to the thieves – should Significant Harm they be considered to be lay persons, technologically speaking, or someone The fifth issue raised by this scenario with basic (or even advanced) IT skills? is how the facts relating to the recovery of Such assumptions could radically change the stolen car affect the analysis as to one’s perception of the risk of significant whether there is a “real risk of significant harm. So too would these assumptions harm”. The proposed PIPEDA model change the analysis based on facts such as describes the determination of a “real risk the information not being encrypted, but of significant harm” as including a review password protected. Additionally, if the of the following relevant factors: standard of password protection does not sensitivity of the personal information; meet industry standards, should that be and probability (i.e. risk) of misuse. In part of the analysis of real risk of other words, as noted above, sensitivity of significant harm? info + probability = harm, with there then being required an evaluation as to Scenario 2: Website/Network Security whether the harm is significant. In this Breaches context then, does the recovery of the stolen car affect the probability factor, As the result of implementing a new and to what extent? series of software applications at a small In contrast, Alberta Information e-commerce company, the CTO discovers Bulletin 11 notes that: “An example of a that one employee has access through security breach that would not pose a real their desktop computer to all 5000 of the risk of significant harm is where the company’s customers’ credit card information is recovered before it could information . This employee has no “need possibly be accessed…”. In this case, two to know” this information for his job days is an abbreviated time frame, but the function. When confronted, the employee files could possibly have been accessed. professes to not knowing that he had such However, if the thieves were focused on access, never mind having actually ever joyriding in the car, as is suspected, it accessed this information. The recently may not be likely that they found the completed implementation means that it laptop, or if they did, if they even is not possible to assess whether access endeavoured to try and open it. Similarly, was ever made using the computer. Even it is not clear that the joyriders found the if such access could be determined, the files under the seat. company is designed with an open- Moreover, Alberta Information concept floor plan, such that anyone Bulletin 11 also notes that a breach may could have accessed the customer not pose a real risk of significant harm information. “…where the information is protected The same e-commerce company, (e.g. encrypted) such that the information several months later, realizes that, due to could not reasonably be accessed by an human error, for the past two months the unauthorized individual.”. Here, unsecured beta version of its new e- Page 148 THE PRIVACY PROJECT IV – 2011 commerce website has been operating in whether the existence of two potential production, such that the company has breaches at the same company is (a) therefore been collecting customer credit indicative of a systemic problem, or (b) card information through an unsecured too different for that to be the case. The site. While there is no evidence of any former argument is assisted by the fact breach in the security of the database in that (i) both breaches are in respect of the either of the two months, there is same type of information – credit card evidence that at one point in the second information; (ii) both potential breaches month the network was accessed by an were due to failures to adequately ensure unauthorized person. IT-related safeguards, and (iii) that one As a result of investigating the potential breach was related to an existing breach of network security, it is employee, and the other was related to a determined that the person making such past-employee, suggesting a systemic unauthorized access was an ex-employee issue with HR/management practices. On of the company. the other hand, the company may want to The company is in Ontario, such that take into consideration that (i) the IT PIPEDA applies. systems involved were different, (ii) the policies involved were arguably different Issue 1: Reporting Threshold (i.e. policies re existing vs past employees), (iii) the level of control the In this scenario, the company would company had in each case was arguably need to consider whether the breach different (again, existing vs past regarding this customer information employees), and (iv) there is no evidence passes the material breach threshold such of any actual privacy breach in both that it is reportable under PIPEDA. cases. Relevant factors would include the fact that financial information (i.e. credit card) Issue 3: Notification Threshold information may have been at risk, and Real Risk of Significant Harm that more than one individual may have affected by the breach. The second issue is whether the breach regarding the Known Employee Issue 2: Systemic Problems Files passes the “real risk of significant harm” threshold such that it is notifiable The PIPEDA threshold for reporting under PIPEDA. Recall that under to the Federal Commissioner is an PIPEDA, sensitivity of info + probability objective test that requires a “material = harm. Given this calculus, it is unclear breach of security safeguards”, where if the real risk of significant harm relevant factors to consider include threshold will be met; more specifically, sensitivity; number of individuals; and a while the information is sensitive given subjective assessment of company as to its financial nature, the actual probability whether the breach is reflective of a that there was harm is unclear. This systemic problem. In light of this latter uncertainty is the result of it being purely factor, the Company will need to consider speculative whether there was (a) any Privacy Breach Notification under Canadian Privacy Law Page 149 access to the unsecured information sent amount annually at the company’s stores, through the company’s website, or (b) that specific monetary threshold is policy- any malicious intent, notwithstanding that driven and was not set out in the lost information may have been generally customer information. available in the company’s office. In An individual informally determines other words, it is important to consider at that this breach has happened, and what point, if any, the fact that there complains to the Federal Commissioner. could have been harm should equate to an The Federal Commissioner wants to assumption that there was in fact harm. determine if the company should have reported the breach to her office pursuant Issue 4: Evidence Required for to Section 10.1(1), as being a “material Notification breach of security safeguards”. Only a few of the individuals in the customer The third issue raised by this scenario information were identified as VIPs, is whether the fact that the opportunity for however, based on the facts of the loss the unauthorized collection of personal Federal Commissioner suspects that other information existed for a prolonged offices in other provinces may have period of time means that such collection suffered a similar breach. To her should deemed to have taken place, even knowledge, there has not yet been a without any evidence to support such relevant complaint made against the conclusion. Similarly, consider whether company in any of the other provinces. other factors such as the breach in the She would like to raise the issue with the network (albeit not in the database) privacy commissioners in other Canadian should have on the analysis. One might jurisdictions, in order to assess the scope argue that the longer the possibility of of the potential breach. unauthorised collection exists, and the The company determined that, based more factors that exist that could lead to on the facts of the disclosure, (a) it was unauthorised collection, the more willing not necessary to notify the VIP one should be to assume there has been individuals of the privacy breach, on the unauthorised disclosure, such that basis that it was not reasonable in the notification may be required under circumstances to believe that the breach PIPEDA. created a real risk of significant harm to the individual, and (b) there was no Scenario 3: National Breach “potential breach of security safeguards”, after taking into account, among other A national luxury retail company, factors, the number of individuals with stores across the country, suffers a involved, such that reporting to the loss of customer information at one office Federal Privacy Commissioner was not in Ontario. The information in question is required. In the context on either issue, the customer’s contact information, and the Federal Commissioner is not the fact that they are “VIP” customers. convinced that the company has made the While this status is conferred on those correct decision. The company is customers than spend more than a certain Page 150 THE PRIVACY PROJECT IV – 2011 governed by PIPEDA, as well as other or exercise of any of [its] duties or provincial privacy legislation. power” in respect of protection of personal information in the private Issue 1: Whether Personal sector.17 Query therefore whether this Information is Sensitive falls either within (a) the Section 20(3) exemption that lessens these constraints The first key issue to consider is where it is it necessary to conduct an whether the personal information in investigation or audit, or establish the question – the VIP status of customers – grounds for findings and should be considered to be sensitive. recommendations, or (b) the Section Certainly, the VIP status is based on the 20(2) exemption, which allows the income of individuals. Therefore, Federal Commissioner to make public knowing that an individual was a VIP any information relating to the personal would given, at least to employees of the information management practices of an company, the knowledge that these organization if the Commissioner individuals were in a certain income considers that it is in the public interest to bracket. However, the information of its do so. own would not provide any information Note that Alberta has a to a third party unfamiliar with the confidentiality restriction, and an company’s operations given that actual exemption under its breach notification income was not listed on the VIP status regime which is identical to Section 20(3) list. of PIPEDA. However, consider whether disclosure by the Alberta Commissioner, Issue 2: Breadth of Breaches if any, in response to the disclosure by the Federal Commissioner, falls under the This scenario also raises the issue as same exemption. This point is debatable to whether the possibility of related given that such a disclosure by the breaches in other jurisdictions might be Alberta Commissioner might not be relevant to the determination, in any one considered to be part of Alberta jurisdiction, as to whether a breach is conducting its own investigation. material. Finally, one should consider whether the Federal Commissioner could use Issue 3: Communication by Section 20(2) of 20(2) to itself notify the Privacy Commissioners affected individual, where the Federal Commissioner is not convinced that the To what extent can a privacy company has made the correct decision in commissioner liaise with his or her respect of breach notification. While colleagues in other jurisdictions to assess individuals so affected by breaches might whether a breach is material? PIPEDA support such disclosures by the Federal imposes an obligation of confidentiality Commissioner, such a disclosure might on the Federal Privacy Commissioner in arguably be contrary the intent of the respect of “any information that comes to proposed PIPEDA amendments (in [its] knowledge as a result of performance contrast to the model under the Alberta Privacy Breach Notification under Canadian Privacy Law Page 151

PIPA) which, in effect, grant each organization the discretion to determine that of PIPEDA, the Governor in Council may when disclosure is required. by order exempt organizations or activities subject to such provincial legislation from the IV. Conclusion application of Part 1 in respect of the collection, use or disclosure of personal The introduction of a breach information that occurs within that province 7 notification and reporting regime is an An Act respecting the protection of personal important development in Canadian information in the private sector, S.Q., 1993, c. 17. privacy law. While it will take some time 8 to fully appreciate how the Canadian Personal Information Protection Act, S.B.C. 2003, c. 63. privacy breach regime will operate in 9 Personal Information Protection Act, S.A. practice, it is important for counsel and 2003, c. P-6.5. organizations subject to this regime to 10 See (a) Lawson v. Accusearch Inc., [2007] 4 consider its implications in advance so F.C.R. 314., (b) PIPEDA Case Summary that, in the case of an occurrence of a #2009-09, and (c) the Federal Commissioner’s privacy breach, they will be prepared to Report of Findings Complaint under PIPEDA quickly address the issues within the against Accusearch Inc., doing business as required time frames. Abika.com. 11 PIPEDA, s. 2(1). 1 While certain Canadian privacy law is the 12 As well as the equivalent legislation in result of the common law, its effect is limited British Columbia. and outside the scope of this paper. 13 Alberta PIPA, ss. 1(1) and 4(3). 2 At the sub-federal level in Canada, there are 14 As this paper was being written in January both provinces and territories. For ease of 2011, while Bill C-28 has received Royal reference, use of “provincial” and similar Assent, the more substantial PIPEDA- terms in this chapter refer to both Canadian amending bill, had only received first reading provinces and territories. in the House of Commons, and, as such, has to 3 Accordingly, references to the Canadian make further progress through the federal privacy law regime in this paper are, unless legislative system before becoming law. otherwise noted, references to the Canadian Additionally, were a Parliament to be private sector privacy law regime. prorogued or an election called – both 4 S.C., 2000, c. 5. In particular, Part 1 of same. possibilities given Canada’s current minority Other parts of PIPEDA seek to clarify government status – this legislation would evidentiary and functional equivalence issues “die” and have to be reintroduced. Regardless, regarding e-documents and e-signatures. this legislation is important to understand as it 5 Applying, per PIPEDA s. 4(1)(b), “to every would represent the first material revision of organization in respect of personal information PIPEDA since its entry into force. that…is about an employee of the organization 15 It may be that the omission of “reasonable and that the organization collects, uses or person” is linked to the fact that, unlike under discloses in connection with the operation of a PIPEDA, under the Alberta PIPA it is the federal work, undertaking or business” Alberta Privacy Commission, rather than the 6 More specifically, where a province has organization itself, who makes the decision as enacted “substantially similar legislation” to to whether to notify. Page 152 THE PRIVACY PROJECT IV – 2011

16 Notification of a Security Breach – Personal Information Protection Act Information Sheet 11. Available online at http://pipa. alberta.ca/resources/pdf/InfoSheet11.pdf. 17 PIPEDA, s.20(1). Caution: What You Post Can Hurt You!

By Robert A. Baugh Robert A. Baugh is a shareholder with the firm of Sirote and Permutt in HE EXISTENCE of a “generation Birmingham, Alabama. Robert has a T gap” reveals itself in new ways for wide-ranging litigation practice that each generation. For those of us who includes business disputes, insurance witnessed the emergence of rock and roll coverage and bad faith actions and and long hair, we saw our parents’ heads intellectual property and products shaking and looks that were either liability cases also. disapproving or simply quizzical. Today, those same looks are coming from the members of the generation that said not to trust anyone over the age of was sometimes misplaced and an 30. However, this time, it’s not the music inappropriate conversation might be or the clothes that demonstrate that repeated to a third party. But generally, “older” people view the world differently there was a short life cycle to the story than young adults. and a limit to how many times the story The emergence of the use of social may be repeated. Thus, the speaker took media, such as Facebook and MySpace, a calculated risk as to whether a reveals sharp differences in what the confidential story might be repeated or “older” generation views as acceptable revealed to the wrong person. conduct and what is seen by the Today, those oral conversations “younger” generation as common continue to take place. However, there is communication and expression. When something much more going on. Social looking at posts or pictures commonly media sites have proliferated in popularity found on young people’s social media among young people. Facebook and sites, older folks are thinking: “Why in MySpace have become omnipresent the world would someone put that out among high school and college students. there for the world to see?” The familiarity with instant For members of the “older” communications on these sites has led to generation, there has always been a a huge volume of written material that willingness to talk, tell stories, or tell documents people’s communications and jokes. Sometimes those conversations thoughts. What’s more, photographs of were appropriate. But, human nature the users, often in compromising being what it is, sometimes those situations, are routinely posted. conversations may have included gossip, While many of these writings and coarse language or been politically photographs on social media sites may be incorrect. The speaker made judgments harmless, there is a fundamental about what could be said, based upon the difference between these new speaker’s knowledge of the listener and communications and old-fashioned whether that person was a trusted friend conversations: There is a long-term who could hold the conversation in record of communications on social confidence. Of course, that confidence media sites. Social media users seem to Page 154 THE PRIVACY PROJECT IV – 2011 lack an appreciation for the permanency II. Are Posts on Social Media Sites of these writings on the Web. So, what “Private”? was once an off-the-cuff, smart aleck oral response to a friend is now is available Some social media users may believe for the world to see, even long after the that their privacy is being invaded by post is written. third parties who go to their site. However, postings on social media sites I. Social Media Comes to the are generally not treated as “private.” Attention of Employers This may come as a surprise to someone who uses privacy settings on their site so With all of the information that is that the public does not have access to all now so easily accessible, it is not of the writer’s communications. surprising that employers are inevitably While there are innumerable ways viewing these postings. Employers for these issues to arise, the most routinely examine social media sites of common situation may be where a prospective employees. Additionally, plaintiff brings suit for personal injuries. some employers may review social media Social media sites, where a plaintiff may sites of current employees. Thus, since be inclined to post pictures and comments many of the people that hold executive or about his personal life, are natural fodder supervisory positions in companies are in for an enterprising defense lawyer. the “older” generation, the differing Courts have generally been views of what is “appropriate” unsympathetic to parties who have information or photographs to place on alleged that postings on social media sites the Web can lead to adverse employment should be considered “private.” Even decisions for workers who post their where the party used a privacy setting on thoughts on social media sites. the site, the courts are unlikely to keep A recent example of such different such information confidential. viewpoints was demonstrated when the The rationale behind these legal City of Bozeman, Montana adopted a decisions is two-fold: (1) There can be policy requiring job applicants to provide no expectation of privacy in postings on the City with the user’s name and log-in social media sites and (2) The defendant information for social media sites. The should be able to discover statements policy was revoked after an uproar from a plaintiff that potentially contradict occurred when the policy was publicized the plaintiff’s testimony about the extent in an on-line version of the ABA Journal. of the plaintiff’s injuries.2 1 This incident confirms that there are Requests for discovery of the two different views of information on plaintiff’s social media site, including social media sites: Employers want to those areas ostensibly labeled as use this information as part of routine “private”, have resulted in several courts screening of job applicants while social issuing orders allowing such discovery. media users think such information is “off In one case, the Court noted that the limits” for prospective employers. Facebook policy states that “it helps you share information with your friends and Caution: What You Post Can Hurt You! Page 155 people around you,” and that “Facebook a plaintiff has ostensibly taken steps to is about sharing information with keep information on a social media site others.”3 The New York judge allowed “private”, the rules of discovery will the defendant to obtain access to the likely trump these self-set privacy labels. plaintiff’s social media sites, including sections marked “private” or that had III. Social Media in the Workplace been deleted. The Court also noted the following from a similar Canadian Many employees acknowledge that decision: they access social media sites for their personal benefit, while they are at work.6 To permit a party claiming very Additionally, the fastest growing segment substantial damages for loss of of new users of social media are people enjoyment of life to hide behind over the age of 55. Thus, it is reasonable self-set privacy controls on a to predict that increasing numbers of website, the primary purpose of employees will be accessing social media which is to enable people to share while at work. information about how they lead Employers may have concerns about their social lives, risks depriving the the time that employees are spending on opposite party of access to material social media sites during work hours and that may be relevant to ensuring a the accompanying loss of productivity. fair trial.4 But, there can be more serious issues that arise where the actions of the employees Courts have also noted that when directly impact the employer. creating the Facebook and MySpace One well-known example of a accounts, the plaintiff consented to the YouTube prank gone bad involved fact that personal information would be Domino’s Pizza. Several employees shared with others, notwithstanding the filmed a fictitious incident in the kitchen privacy settings. Indeed, that is the very of a Domino’s restaurant. The video nature and purpose of these social purported to show many gross activities networking sites. Since the plaintiff knew of employees, which were obvious health that this information may become code violations, if they had been true. publicly available, claims that the Within days, the YouTube video had been plaintiff had a reasonable expectation of seen by more than a million viewers and privacy in these postings rings hollow.5 was reported on national television.7 These cases reveal the inherent In addition to embarrassment or harm conflict between the court system and to a company’s brand, employees’ social media users. An important goal of postings can result in legal discovery is to allow counsel to determine entanglements. In Pietrylo v Hillstone whether the opposing party is being Restaurant Group,8 employees of a New truthful in the claims that are asserted. Jersey restaurant created a MySpace The tools that litigators use in discovery group where they “privately” posted allow lawyers to cast a wide net to gather derogatory and graphic sexual statements factual evidence. As a result, even where regarding the restaurant’s management, Page 156 THE PRIVACY PROJECT IV – 2011 patrons and policies. After a manager included many messages of a personal obtained access to the password-protected nature. When disciplined for violating site, two employees were terminated for the City’s policy, the employee objected their comments posted on the site. and claimed that his privacy had been A New Jersey jury found that the invaded. employer violated the Federal Stored The Supreme Court found that the Communications Act by secretly employer had a right to see text messages monitoring the employees’ postings on sent and received on the employer’s the private password-protected Internet pager. The Court concluded that, even chat room. There was evidence that the assuming an expectation of privacy in the employee who gave the manager access text messages, the search performed by to the site may have done so under duress. the City was reasonable under the While the Court found that no free speech circumstances. As a result, the search issues were implicated because the blog was not in violation of the Fourth did not implicate matters of public Amendment. This decision confirms the concern, the jury verdict was upheld. importance for an employer to implement This case illustrates the need for a clear policy that addresses privacy employers to strike an appropriate expectations in communications by balance between monitoring employees’ employees on employer-issued on-line postings and invading the equipment.10 employees’ privacy. The Eleventh Circuit recently addressed a claim of gender A. Public Employers discrimination where a female firefighter posted photographs in the private section In City of Ontario v Quon,9 the U.S. of her MySpace page.11 These Supreme Court unanimously held that a photographs showed the plaintiff with public employer’s review of an other members of the fire department, as employee’s text messages on a device well as personal photographs that issued by the employer was a reasonable revealed her in various states of undress. search under the Fourth Amendment. She brought a claim of gender Here, a pager was issued to the employee discrimination after she was terminated by the City. The City maintained a for posting unauthorized photographs on computer policy which made clear that her MySpace page. However, her employees should not have any discrimination claim was rejected when expectation of privacy in communications she could not show that other employees when using the City’s equipment. The had been treated differently than her. City’s employees were later made aware Finally, the United States Supreme that this policy would apply to pagers. Court has upheld a City’s right to When the employee exceeded the terminate a police officer where his off- allocated number of text messages per duty conduct brought disrepute to the month, the City reviewed the messages department and was contrary to the goals and found that the excessive text of professionalism of the police force.12 messages made during work hours While not involving social media, this Caution: What You Post Can Hurt You! Page 157 same rationale will likely permit an the employee’s view point is contrary to employer to discipline an employee based the position of the employer? If so, what on unprofessional off-duty conduct causes of action may be available to the involving social media. This is especially employee who receives this discipline? true where there is a nexus between the Isn’t the employee being treated unfairly off-duty conduct and the workplace. based on his/her right to free speech? Is the employee’s privacy being invaded? B. Private Employers As a general rule, claims based upon free speech and the First Amendment are An increasingly common practice is applicable only against State actors.13 for employers to closely monitor So, private employers should not be activities of employees while on the job. subject to such claims. However, private GPS units can track an employee’s employers may find themselves accused vehicle; software programs can monitor of violating state laws that provide keystrokes at an employee’s computer; additional protections to employees while telephone calls may be recorded; e-mail away from the job. messages may be reviewed; and surveillance of work areas is now IV. Statutes That May Affect Social commonplace. While one may question Media whether George Orwell’s world of 1984 has become reality, today’s place of A. State Privacy Laws May employment clearly affords little privacy Impact Social Media to an employee. While such monitoring at the In recent years, several states have workplace is commonplace, the enacted laws that prohibit employers from proliferation of social media sites, such as interfering with lawful conduct of Facebook and MySpace provides new employees while off-duty. 14 Many of opportunities for employers to be made these laws were intended to protect aware of activities of employees while workers who smoked from they are away from the office. For discrimination. However, these laws example, if an employee “friends” a co- have also been used to challenge actions worker or supervisor, those people are by employers who attempt to monitor off- granted access to a great deal of duty activity, such as dating, by information about what the employee is employees. doing in his or her spare time. For example, New York’s privacy What is the employer permitted to do law prohibits discrimination against an when the employee is found to be employee who participates in “legal engaging in inappropriate or illegal recreational activities outside work activity while away from the office? Is it hours.” 15 The statute defines permissible to discipline or terminate an “recreational activities” as “any lawful, employee for such actions? leisure-time activity, for which the What about an employee “blog” that employee receives no compensation and raises political or social issues? What if which is generally engaged in for Page 158 THE PRIVACY PROJECT IV – 2011 recreational purposes, including but not own about this supervisor. One month limited to sports, games, hobbies, later, the employee was fired. exercise, reading and the viewing of The employer contends that the television, movies and similar postings violate policies of AMR which material.”16 prohibit: To date, there have not been any reported decisions that address the Posting of “disparaging, question of whether the use of social discriminatory, or defamatory media or blogging can be considered comments when discussing (AMR) “recreational activity.” But, there is no or the employee’s supervisors, co- obvious reason why such activities, while workers, and/or competitors on the done on personal time, should not fall Internet; within the protection of these statutes. As a result, in states with such privacy laws, “(r )ude or discourteous behavior to employers will likely be constrained from a client or co-worker; and taking disciplinary action against an employee for blogging or social media the use of language or action that is activity, so long as the employee does not inappropriate in the workplace disparage the employer or disclose trade 17 whether racial, sexual or of a general secrets. offensive nature.”

B. Does the National Labor The NLRB conducted an Relations Act Protect investigation and concluded that the Comments About an Employer postings by the employee constituted on a Social Media site? protected activities under the National

Labor Relations Act (NLRA). In November 2010, the National Generally, Section 7 of the NLRA Labor Relations Board (“NLRB”) filed a protects the rights of workers, in both complaint against American Medical union and non-union settings, to Response of Connecticut (AMR). This is communicate with each other about the first case where the NLRB has taken wages, hours, and other terms and the position that workers’ criticisms of conditions of employment. Thus, the their boss or employer are generally NLRA restricts employers from protected activity and that employers may interfering with employees’ attempts to not punish workers for such statements. “improve their lot as employees through This complaint arose after an channels outside the immediate employee posted negative comments employee-employer relationship.” 18 about her supervisor on her Facebook Additionally, an employer’s general page. The postings were made on the policies can violate the NLRA if they employee’s home computer and on her “reasonably tend to chill employees in own time. Several co-workers joined in the exercise of their Section 7 rights.” 19 and offered supporting comments of their Such a policy can be deemed an unfair Caution: What You Post Can Hurt You! Page 159 labor practice by an employer for simply 1. A conflict of interest is created, maintaining such a policy. such as performing work for a The NLRA prohibits employers from competing company; punishing workers, whether union or non- 2. The employee’s job performance union, for discussing working conditions is impaired. This can occur with or unionization. The NLRB’s position is late-night second jobs that that AMR’s social media policy is prevent the employee from “overly broad” and improperly limits obtaining sufficient rest to employee’s’ rights to discuss working perform as required; or conditions among themselves. 3. Where the conduct compromises The NLRB contends that the the employee’s judgment. A termination of the employee unlawfully common example is where a interfered with those protected activities supervisor dates a subordinate and discouraged others from engaging in and the supervisor must continue those same activities. Thus, the NLRB is to evaluate the job performance seemingly doing away with any of the subordinate. distinction between airing criticisms and concerns at the water cooler and posting Conflicts of interest issues can arise these same concerns on the Web. by employees’ use of social media or This issue may not be big a problem blogging. For example, blogs written by for employers in right to work states. employees can create concerns for an There, an employee can be terminated for employer. A blog is the author’s any reason, so long as it is not an illegal observations about life in general, or reason. But in other states, postings that more specific issues which can involve arguably disparage a co-worker, politics or other social issues.20 supervisor or employer may prove to be However, a blog also allows others to fertile ground for employees and their post statements or opinions to the site. lawyers who contend that discipline is Thus, a blog can create a forum for ideas based upon private communications that can be read on a world-wide basis. posted on social media sites. These statements by bloggers, or others on the site, can be attributed to the V. Application employer. So, the employee should conspicuously state that the views A. Inappropriate Conduct expressed on the site are personal to the Involving Social Media Can employee. Lead to Discipline Employers are justifiably concerned about the loss of copyrights or trade As a general rule, employers should secrets by the posting of blogs by not take disciplinary action against an employees. But, traditional company employee for lawful off-duty conduct policies concerning the protection of unless the conduct falls into one of the company information should apply to the following categories: blogosphere. Employers need to be clear Page 160 THE PRIVACY PROJECT IV – 2011 that intellectual property protections inappropriate statements, even made off- apply to these blogs. duty, will be grounds for discipline or Some companies now sponsor blogs termination. and encourage employees to contribute to It should be noted that these laws these blogs. Given the fast-paced nature only protect off-duty activities that are of the writings on these blogs, companies otherwise legal. So, if an employee is may be concerned about the content that blogging and making statements that are is posted therein. Again, company defamatory or may lead to a hostile work policies against discrimination, environment, the employer should not be harassment and defamatory statements prohibited from taking action against the should apply to prevent such statements employee for such statements. that may be made in company-sponsored blogs.21 C. Suggestions for Employers

B. Social Media Policies While the drafting of a social media policy for employers is beyond the scope The action by the NLRB in the AMR of this article, the following topics should case demonstrates that an employer who be addressed by employers when drafting maintains an overly broad social media such a policy: policy may face a challenge that the policy constitutes an unfair labor practice. • If an employee writes about his Such a charge may be brought even or her employer, the employee where the policy has not been used to must use his or her real name pursue enforcement of the policy against and make clear that any opinions an employee. offered are his/her own and do Employers should review their social not represent the company’s media policies to determine if they are positions, strategies or opinions. susceptible to an employee’s claim that • If an employee writes positively that the policy will “reasonably tend to about the Company’s products chill employees” in the exercise of their or services, the employee must rights to discuss wages, working disclose the employee’s conditions and unionization. relationship with the The first decision to be made by an Company.22 employer is whether the policy will apply • The privacy rights of others must only to postings made at work or whether be respected in posts and the policy will also address off-duty comments. communications. As discussed • Posts are not permitted that may previously, there are laws in several states be considered obscene, that prohibit an employer from threatening, defamatory, terminating an employee for lawful off- harassing or embarrassing to duty conduct. Therefore, an employer, others. especially in those states, should avoid • Employers should clearly blanket pronouncements that address the level of privacy that Caution: What You Post Can Hurt You! Page 161

employees expect in their work assets. As such, the identity of computer systems, including e- these relationships should not be mail and use of the Internet. publicized without express Courts will consider whether an permission. employer has an electronic • Obtain permission to use the communications policy when company’s intellectual property, determining whether an such as materials protected by employee had a reasonable trademarks or copyrights. expectation of privacy in the use • Managers should not send of the company’s computer “friend” requests to system. With such a policy in subordinates, even when off- place, an employer will have duty. more freedom to take • All employees should be free to disciplinary action against an reject a “friend” request from employee who misuses the any other employee. company’s computer system. • The policy should include a clear • Even for off-duty posts, the warning that a violation of the policy should clearly state that social media policy will be the employer will monitor the grounds for discipline, up to and employee’s use of social media including termination. and that the employee should not have an expectation of privacy in D. Suggestions for Employees any post or blog. • Employees must comply with all • Do not post inappropriate other company policies with pictures or images. respect to electronic • Be careful about any comments communications. For example, concerning your job or statements that can be supervisors. While complaining considered discriminatory or about the Boss to a confidant is harassing are prohibited. nothing new, posting these • The company’s computer system complaints for the world to see cannot be used to download or is just asking for trouble. distribute pirated software. • Assume that everything you • No electronic communication write on-line will be forwarded about internal company matters. to someone else. This goes back • Confidential or proprietary to the question: Would you information that may rise to the want this published on the front level of company trade secrets page of your local paper? If not, may not be disclosed. you need to re-think what you • Ban references to customers or are writing. clients. The Company’s • Fair use and copyright laws relationships with customers or apply to your on-line writings. clients are valuable company The improper use of logos or Page 162 THE PRIVACY PROJECT IV – 2011

other authors’ writings can get chipped away, there are consequences in you in legal hot water. While the workplace for postings on social on-line posts can seem more media sites. informal than a published article, In the legal world, words matter. you cannot ignore the Those words have significance, whether intellectual property rights of written in a formal document or quickly others. typed at home on a web site when voicing • Many companies now encourage a complaint about a supervisor. For that employees to post information reason, members of the “younger” about the company or its generation who are comfortable with products. If you, as an social media must recognize that the legal employee, choose to write on the system can impose consequences for what Web, clearly state that the you write. As a result, an employee can statements and opinions are face adverse consequences at work for yours, and not those of your comments that were mistakenly assumed employer. Take care not to to be personal, private and made on the reveal confidential or proprietary employee’s own time. information about the company, such as company strategy, 1 Molly McDonough, Town Requires Job upcoming product releases or Seekers to Reveal Social Media Passwords, financial information about the ABA J. LAW NEWS NOW, June 19, 2009, company. http://www.abajournal.com/news/article/town • Use common sense. Think twice _requires_job_seekers_to_reveal_social_medi a_passwords/ before you post something that is 2 Robert S. Kelner & Gail S. Kelner, Social “pushing the envelope.” Once Networking Sites and Personal Injury you post a writing that is Litigation, N.Y. L.J., Vol. 242, Sept. 22, 2009. inappropriate or discloses 3 Romano v Steelcase, Inc., 907 N.Y.S.2d 650, information that is proprietary to 2010 N.Y. Slip. Op. 20388 (2010). your employer, you may not be 4 907 N.Y.S.2d at 655. 5 able to repair the damage. You Leduc v Roman, 2009 Carswell Ont 843 (Feb. 20, 2009). are solely responsible for what 6 you write. So, ask a friend or SOCIAL NETWORKING AND REPUTATIONAL RISK IN THE WORKPLACE: DELOITTE LLP, 2009 co-worker for a second opinion ETHICS AND WORKPLACE SURVEY RESULTS, before you publish your thoughts http://www.deloitte.com/assets/Dcom- for the world to see. UnitedStates/Local%20Assets/Documents/us_ 2009_ethics_workplace_survey_220509.pdf . VI. Conclusion 7 Stephanie Clifford, A Video Prank at Domino’s Damages its Brand, N.Y. TIMES, The informal nature of social media April 15, 2009, at http://www.nytimes. can mislead users into thinking that com/2009/04/16/business/media/16dominos.ht posting inappropriate material is “no big ml?_r=2. 8 2008 WL 6085437 (D.N.J. 2008) (order deal.” However, while the wall between denying in part defendant’s motion for work and personal life continues to be summary judgment). See Konop v Hawaiian Caution: What You Post Can Hurt You! Page 163

Airlines, Inc., 302 F.3d 868 (9th Cir. 2002) 21 See Varian Med. Sys., Inc. v Delfino, 6 Cal. (secret monitoring of password protected Rptr. 3rd 325 (Cal. Ct. App. 6th Dist. 2003) website visited by an employee while at work (former employees fined after making violated the Federal Stored Communications thousands of posts which included personal Act). attacks on former co-workers) (depublished 85 9 130 S. Ct. 2619 (2010). P.3d 444 (Cal. 2004); Apple Computer, Inc. v. 10 Posts that complain about employer and Doe, 2005 WL 578641 (Cal. Super. Ct. Mar. supervisor can be grounds for discipline or 11, 2005), order set aside, O'Grady v. termination. See Spanierman v Hughes, 576 F. Superior Court, 44 Cal. Rptr. 3d 72 (Cal. Ct. Supp.2d 292 (D. Conn. 2008) (teacher firing App.), as modified, (June 23, 2006) (Apple for inappropriate MySpace communications obtained Order to disclose names of bloggers with students upheld by District Court); but who allegedly leaked trade secret information see Garcetti v. Ceballos, 547 U.S. 410 (2006) to websites). (public employee statements made pursuant to 22 See The Federal Trade Commission Guides official duties, even if made while off-duty, Concerning the Use of Endorsements and not protected by First Amendment). Testimonials in Advertising, 11 Marshall v. Mayor of Savannah, 366 Fed. http://www.ftc.gov/os/2009/10/091005revised Appx. 91 (11th Cir. 2010) endorsementguides.pdf. The guides address 12 City of San Diego. v. Roe, 543 U.S. 77 endorsements by employees. (2004). 13 See Golden Gateway Ctr. v. Golden Gateway Tenants Ass’n, 29 P.3d 797 (Cal. 2001). 14 Such statutes have been adopted in New York, California, Colorado, Connecticut, Montana and North Dakota. 15 N.Y. LAB. § 201-d(2)(c). 16 Id. 17 The New York statute clearly provides that it does not sanction employee activity that “creates a material conflict of interest related to the employer’s trade secrets, proprietary information or other proprietary or business interest.” N.Y. LAB. § 201-d(3)(a). New York courts confirm that employees owe a duty of loyalty to their employer and may not disclose confidential knowledge or trade secrets. See Bus. Networks of N.Y., Inc. v. Complete Network Solutions, Inc., 1999 WL 126088 (N.Y. Sup. Ct. Feb. 19, 1999), aff’d, 696 N.Y.S.2d 433 (App. Div. 1999). 18 Eastex, Inc. v. NLRB, 437 U.S. 556, 566 (1978). 19 Lafayette Park Hotel, 326 N.L.R.B. 824, 825 (1998). 20 Twitter is a web service that provides “microblogging” capabilities. “A Sign of the Times: Massachusetts Strengthens Protection Requirements for Consumer Information”

By Edward A. Kendall, Jr. and Edward A. Kendall, Jr., Esq. is an Robert A. Curley, Jr. Associate at the Boston firm of Curley & Curley, P.C. His practice involves the ITH THE RISE of the global defense of product liability, personal W economy, new challenges arise for injury, municipal law and general civil business, government and individuals in litigation matters. Attorney Kendall is a protecting the financial and personal member of the Defense Research Institute information of customers from those who as well as the Massachusetts Defense seek to misappropriate it. In order to help Lawyers Association. consumers fight this battle, the Robert A. Curley, Jr., Esq. is Commonwealth of Massachusetts passed president of the Boston firm of Curley & legislation that aims to protect consumer Curley, P.C. His practice involves the information used in business transactions. defense of product liability, catastrophic Massachusetts General Laws Chapter personal injury cases, general civil 93H, which affects all types of litigation and insurance coverage businesses, attempts to prevent and limit matters. Attorney Curley is a Fellow at the impact of security breaches in the the American College of Trial Lawyers. Commonwealth of Massachusetts when He is a former president of the dealing with the personal information of Massachusetts Defense Lawyers Massachusetts residents. The legislation Association as well as a former President and related regulation requires the of The Foundation of the International substantial protection of private data Association of Defense Counsel. He is through a written information security the Director-Elect of the Defense Trial program as well as specific protections of Academy of the International Association computer based personal information. of Defense Counsel for 2012. It appears the Massachusetts General Court passed the act related to the database of TJX Companies and had protection of consumers’ privacy and data misappropriated consumers personal information as well as financial in response to several instances of highly 1 publicized breaches of security which information for illegal purposes. Based affected many Massachusetts residents. It upon early estimates of the damage appears the extensive breach of security inflicted by the hackers in the TJX case, it concerning personal information that appeared that over 45 million credit and occurred at Massachusetts based TJX debit card numbers (in addition to Companies and its affiliates was a driver’s license numbers and Social Security numbers) were stolen from TJX primary instigator behind the legislation 2 at issue. In late 2006 and early 2007, TJX and its related companies. In addition, Companies discovered that a group of as described by Mr. Pereira, important to hackers had gained access to the central note was “[t]he ease and scale of the A Sign of the Times Page 165 fraud expose how poorly some companies the definition of “data” and “personal are protecting their customers’ data on information” to be protected. “Data” is wireless networks, which transmit data by defined as “any material upon which radio waves that are readily intercepted.”3 written, drawn, spoken, visual, or The information contained on those electromagnetic information or images wireless networks would be a major focus are recorded or preserved, regardless of of the Massachusetts personal physical form or characteristics.”6 Such a information security measures contained definition of data is broad and expansive, in Massachusetts General Laws. ch. 93H seeking to capture both electronic and and related legislation as well as paper records. However, the law requires regulations. only that the “personal information” of a Massachusetts General Laws ch. 93H resident of the Commonwealth be relates to the safeguarding of personal protected. “Personal Information” is information contained in both paper and defined as “a resident’s first name and electronic records. The legislature, in last name or first initial and last name in response to the significant data breaches combination with any 1 or more of the briefly discussed above, provided following data elements that relate to guidance to the Massachusetts such resident: (a) Social Security number; Department of Consumer Affairs and (b) driver’s license number or state-issued Business Regulation in how to protect identification card number; or (c) important consumer information of financial account number, or credit or residents of the Commonwealth of debit card number, with or without any Massachusetts which is owned or licensed required security code, access code, by any person.4 Mass. Gen. Laws ch. personal identification number or 93H, § 2(a) seeks to “insure the security password, that would permit access to a and confidentiality of customer resident’s financial account; provided, information in a manner fully consistent however, that ‘Personal Information’ with industry standards; protect against shall not include information that is anticipated threats or hazards to the lawfully obtained from publicly available security or integrity of such information; information, or from federal, state or local and protect against unauthorized access to government records lawfully made or use of such information that may result available to the general public.”7 in substantial harm or inconvenience to The legislation only requires the any consumer.”5 Importantly, the significant protection of “personal legislation and accompanying regulation, information” by a person who owns or only require the protection of personal licenses such information. A person that information related to Massachusetts simply maintains or stores personal residents. information is subject to a less stringent Mass. Gen. Laws ch. 93H establishes set of requirements pursuant to Mass. the information to be protected and what Gen. Laws ch. 93H. Mass. Gen. Laws ch. individuals, businesses or agencies are 93H, §1(a) defines a “person” as “a required to comply with the section. natural person, corporation, association, Mass. Gen. Laws ch. 93H, § 1(a) provides partnership or other legal entity.”A Page 166 THE PRIVACY PROJECT IV – 2011

“person” does not include a government definition of “owns or licenses” contained agency, department, board, or any in 201 CMR 17.02, it appears the political subdivision thereof.8 Once a regulation goes beyond the scope of breach occurs related to personal Mass. Gen. Laws ch. 93H to specifically information, persons that own or license subject those who simply maintain or such data are required to report the breach store such personal information of security to the Massachusetts Attorney concerning residents of the General, the director of consumer affairs Commonwealth of Massachusetts to the and business regulation as well as the requirements of the 201 CMR 17.00. A affected resident.9 Persons or agencies person is considered to own or license that do not own or license the data, but such information, pursuant to 201 CMR maintain or store such personal 17.02, when one “Owns or licenses, information are also required to report receives, stores, maintains, processes, or breaches of security related to such otherwise has access to personal data.10 information in connection with the Pursuant to Mass. Gen. Laws ch. provision of goods or services or in 93H as directed by the final legislation, connection with employment.”15 the Massachusetts Department of Therefore, any person who deals with Consumer Affairs and Business personal information in a business setting Regulation (“MA Consumer Affairs”) is subject to the requirements of 201 issued regulations outlining the standards CMR 17.02.16 for the protection of personal information It appears that Massachusetts may be of residents of the Commonwealth of one of the first states in the nation to Massachusetts.11 The regulation, which require a written security information went into effect on March 1, 2010, program along with specific computer “establishes the minimum standards to be security requirements from all individuals met in connection with the safeguarding and/or businesses who deal with personal of personal information contained in both information of residents of the paper and electronic records.”12 It is the Commonwealth of Massachusetts. objectives as outlined in Mass. Gen. Laws Massachusetts, and specifically the Office ch. 93H, § 2(a), as described above, of Consumer Affairs & Business which provide the basis for 201 CMR Regulation, makes clear that the scope 17.00. and requirements of the statute as well as The regulations apply to those who the regulation depend upon the scope and own or license personal information about size of the business in the residents of the Commonwealth, Commonwealth. The security breaches excluding government agencies and/or and information related thereto will be departments.13 The regulations require analyzed on a case by case basis. The that “[e]very person that owns or licenses statute and regulations highlight the fact personal information about a resident of that the Commonwealth of Massachusetts the Commonwealth…” develop a will analyze the breaches (and safeguards comprehensive information security required of each business) by looking at program.14 However, based upon the A Sign of the Times Page 167 the total circumstances of the business at program. Such program shall include issue. (but not be limited to) the following: The Massachusetts General Court (which is the Massachusetts legislature) a) Designating one or more included the following factors in the final employees to maintain the legislation for determining the level of comprehensive information security required of a business: the size security program. and type of the business, resources of the b) Identifying and assessing business, the amount of stored data, and reasonably foreseeable internal the need for security and confidentiality and external risks to the security, of consumer and employee information.17 confidentiality, and/or integrity In addition, the safeguards maintained by of any electronic, paper or other a person as outlined in Mass. Gen. Laws records containing personal ch. 93H and 201 CMR 17.00 must also information, and evaluating and comply with any additional state and improving, where necessary, the federal regulations by which the business effectiveness of the current may already be regulated.18 safeguards for limiting such Persons who own or license personal risks, including but not limited information were required to be in full to: 1. ongoing employee compliance with 201 CMR 17.00 by (including temporary and March 1, 2010.19 The written contract employee) training; 2. information security program for a person employee compliance with who owns or licenses personal policies and procedures; and 3. information has several requirements as means for detecting and discussed in 201 CMR 17.00. 201 CMR preventing security system 17.00 establishes two sets of requirements failures. in relation to the securing of personal c) Developing security policies information. The first set, 201 CMR relating to the storage, access 17.03(2) lists the requirements for the and transportation of records comprehensive security information containing personal information programs while the second set20 outside of business premises. establishes computer system security d) Imposing disciplinary measures requirements to be included in the for violations of the written, comprehensive security Comprehensive information information programs. security program rules. e) Preventing terminated I. The Written Information Security employees from accessing Program records containing personal information. The key requirements of 201 CMR f) Oversee service providers, by: 17.03(2) require the person who owns or 1. Taking reasonable steps to licenses personal information to maintain select and retain third-party a comprehensive information security service providers that are Page 168 THE PRIVACY PROJECT IV – 2011

capable of maintaining actions taken, if any, to make appropriate security changes in business practices measures to protect such relating to protection of personal personal information information. consistent with these regulations and any II. Computer Security Requirements applicable federal regulations; and The comprehensive information 2. Requiring such third-party security programs require persons who service providers by own or license personal information to contract to implement and provide security systems for technology maintain such appropriate used by the business. It is in these security measures for specific computer security requirements personal information… that Massachusetts moves to the forefront g) Reasonable restrictions upon in protecting personal information of its physical access to records residents. Such computer security containing personal information, requirements include secure user and storage of such records and authentication protocols, secure access data in locked facilities, storage control measures, encryption of areas or containers. transmitted records and files containing h) Regular monitoring to ensure personal information that will travel that the comprehensive across public networks, reasonable information security program is monitoring of systems, encryption of all operating in a manner personal information stored on laptops or reasonably calculated to prevent other portable devices, for files unauthorized access to or containing personal information on a unauthorized use of personal system that is connected to the Internet, information, and upgrading reasonably up-to-date versions of system information safeguards as security agent software, and education necessary to limit risks. and training employees on the proper use i) Reviewing the scope of the of the computer security system and the security measures at least importance of personal information annually or whenever there is a security.21 material change in business Secure user authentication protocols practices that may reasonably include: Secure access control measures implicate the security or include restricting access to records and integrity of records containing files containing personal information as personal information. well assigning unique identifications and j) Documenting responsive actions passwords “that are reasonably designed taken in connection with any to maintain the integrity of the security of incident involving a breach of the access controls.”22The computer security, and mandatory post- security requirements are required to the incident review of events and extent technically feasible for the person A Sign of the Times Page 169 who owns or licenses the information at security pursuant to Mass. Gen. Laws ch. issue. Therefore, as with the written 93H § 3(b).28 Information to be included information security program, the is the resident’s right to a police report computer security requirements depend and information regarding security freeze on the size and scope of the business at related to the resident’s personal issue.23 information.29 The introduction of the stringent III. Notice Requirements of Mass. Gen. security measures represents costly Laws ch. 93H modifications that many businesses, including small businesses, who deal with In addition to the stringent security personal information of Massachusetts requirements provided in Mass. Gen. residents have to take. It was estimated, Laws ch. 93H and propounded upon in in or around October of 2008, that 201 CMR 17.00, the statute requires a compliance with Mass. Gen. L. c. 93H person who knows of a security breach would cost a business with 10 employees regarding personal information they around $9,000 a year.30 Based upon that maintain or store to the individuals whose estimate, it appears the costs of information is involved in the security compliance will be substantial. breach.24The person is required to notify Furthermore, the Massachusetts Attorney the owner or licensor of the information General’s Office is allowed to bring a involved, the date of the security breach consumer protection action pursuant to at issue and steps taken by the person Mass. Gen. Laws ch. 93A against a relating to the incident.25Persons who person to remedy violations of Mass. own or license personal information have Gen. Laws ch. 93H. more stringent notice requirements Compliance with the new law regarding a breach of security related to regarding personal information security personal information. Mass. Gen. Laws may be costly and cumbersome for ch. 93H § 3(b). Persons who own or businesses large and small, but time will license personal information are required tell whether the personal information of to notify the attorney general, the director Massachusetts residents will be of consumer affairs and business sufficiently protected by the new regulation as well as the resident of the legislation. As quickly as the political breach in security related to personal establishment may be able to establish information.26Notice is required once a guidelines and requirements, those who person or agency knows or has reason to seek to misappropriate the information know of a breach of security or when the may be able to establish new means and person or agency knows the personal methods for securing such personal information was acquired or used by an information. unauthorized person or for an unauthorized purpose.27 The person who owns or licenses the information is 1 See Joseph Pereira, Breaking the Code: How required to include certain information to Credit-Card Data Went Out the Wireless the Massachusetts resident upon breach of Door, WALL ST. J., May 4, 2007, at A 2 Id. Page 170 THE PRIVACY PROJECT IV – 2011

3 Id. 4 See MASS. GEN. LAWS ch. 93H, §2(a). 5 MASS. GEN. LAWS ch. 93H, § 2(a). 6 MASS. GEN. LAWS ch. 93H, § 1(a). 7 MASS. GEN. LAWS ch. 93H, § 1(a). 8 Id. 9 Id at § 3(b). 10 Id at § 3(a). 11 201 CMR 17.00. 12 201 CMR 17.01(1). 13 201 CMR 17.01(2). 14 201 CMR 17.03(1). 15 201 CMR 17.02. 16 See also “Frequently Asked Question Regarding 201 CMR 17.00” issued by the Commonwealth of Massachusetts, Office of Consumer Affairs and Business Regulation dated November 3, 2009. 17 MASS. GEN. LAWS ch. 93H § 2(a). 18 201 CMR 17.03(1). 19 201 CMR 17.05. 20 201 CMR 17.04. 21 201 CMR 17.04 (1) – (8). 22 201 CMR 17.04 (2). 23 201 CMR 17.04. 24 MASS. GEN. LAWS ch. 93H § 3(a). 25 Id. 26 Id. 27 Id. 28 Id. 29 Id. 30 See Ben Worthen, New Data Privacy Laws Set for Firms, WALL ST. J., October 16, 2008, B1.

Outsourcing Privacy: Confidentiality Concerns Surrounding Sending Legal Services Overseas

By Amy Sherry Fischer and Amy Sherry Fischer is a Lindsey Parke shareholder at Foliart, Huff, Ottaway & Bottom in Oklahoma City. She IKE many other industries that take focuses her practice in the areas of L advantage of lower costs and products liability, particularly drug increased efficiency obtained through and medical products, personal outsourcing, the legal industry has begun injury, and insurance related matters. sending work overseas. The recent Lindsey Parke was a law clerk at economic downturn, as well as increasing Foliart, Huff, Ottaway and Bottom. costs for legal services and dramatic have “a sense of operating on a 24-hour- growth of electronic discovery, has 3 prompted law firms to consider basis.” Corporations are often able to outsourcing as a promising option. In its save a tremendous amount of money infancy, legal outsourcing was limited to through outsourcing because the work can functions traditionally performed by be completed at a significantly lower rate paralegals and office assistants. Over than those incurred in the United States. time, however, many firms have begun outsourcing work that would otherwise be II. Emerging Trends in Outsourcing performed by attorneys. Outsourcing legal services raises unique concerns Offshore outsourcing, initially a related to privacy. strategy employed by the business industry, has traditionally consisted of I. What is Outsourcing? activities such as data processing, call center operation, medical transcription, 4 Outsourcing is the business practice and software design. Law firms of sending work previously performed followed suit, and more than three million legal jobs were outsourced offshore in the inside a company or firm to an outside 5 company for performance.1 This article early years, from 2001 to 2005. Legal focuses on offshore outsourcing, a outsourcing can consist of sending work process through which a portion of a to subsidiaries, directly hiring foreign law firms, and delegating work to legal business’s activities are relocated and 6 delegated to a third party in a different process outsourcers (LPOs). The use of (offshore) location. The new location LPOs has increased rapidly as many firms ideally allows the business to capture transition from sending only work increased efficiency while decreasing previously completed by paralegals and 2 legal assistants in the United States to labor costs. For example, the time 7 difference between the United States and outsourcing more routine legal work. India, the country to which most legal Because corporations have become more work is outsourced, can be used to boost cost conscious as a result of the recession, efficiency because U.S. law firms can businesses and law firms are looking to cut costs where possible, and legal Page 172 THE PRIVACY PROJECT IV – 2011 budgets in particular have been targeted client gives informed consent or the as a way to reduce costs. As a means to disclosure is impliedly authorized in order cut costs across the board, many firms to carry out representation.12 Additional have begun to consider greater utilization ethical considerations relating to privacy of LPOs. include protecting privileged India is the main destination for legal communication between the client and outsourcing from the United States. attorney as well as preventing While India’s LPO industry is still small, unauthorized practice of law through it is growing fast. According to an Indian proper supervision. consulting firm, the number of legal outsourcing companies in India was more A. Confidentiality than 140 at the beginning of this year, up from just 40 in 2005.8 India’s LPO The duty to protect a client’s industry is expected to reach revenues of confidentiality is perhaps the most $440 million by the end of 2010.9 important privacy consideration related to India is a particularly attractive offshore outsourcing of legal services. outsourcing location to American Every jurisdiction in the United States businesses. American firms are enticed protects against disclosure of a client’s by Indian-educated and licensed attorneys confidential information. Rule 1.6 who speak English and can perform legal charges lawyers with the duty to protect a work at a fraction of the price of their client’s confidences and secrets. American counterparts.10 Some experts Comment 16 to Rule 1.6 explains a predict that 80,000 or more legal jobs lawyer should be vigilant to “act may be outsourced offshore over the next competently to safeguard information ten years.11 As the trend continues relating to the representation of a client toward legal offshore outsourcing, several against inadvertent or unauthorized privacy concerns must be addressed. disclosure by the lawyer or other persons who are participating in the representation III. Privacy Concerns of the client or who are subject to the lawyer’s supervision.”13 There are several key ethical Law firms in the United States considerations in offshore outsourcing of constantly remind their employees, both legal services. While outsourcing offers lawyers and non-lawyers, of the crucial cost-savings, increased efficiency, and importance of protecting a client’s convenience, it can also raise questions of confidential information and privacy. security and confidentiality. The United Because legal representation invariably States legal profession places great includes securing documents containing emphasis on the duty to protect a client’s confidential information, law firm privacy. ABA Model Rule 1.6, for policies generally provide for protection example, addresses the duty of of such documents. Such measures confidentiality and states that a lawyer include using code names or numbers to shall not reveal “information relating to mask identities, restricting access to the representation of the client” unless the confidential information to necessary Confidentiality Concerns Surrounding Sending Legal Services Overseas Page 173 individuals, and limiting, tracking, and protections similar to those found in shredding copies.14 Employees are also America. Interpretation of a duty like instructed on the dangers of accidental that to protect confidentiality will disclosure. undoubtedly be influenced by a country’s While attorneys and law firms in professional culture.19 the United States are aware of the duty to Intimately related to the duty to protect a client’s confidential information, protect a client’s confidentiality is the privacy concerns arise with the attorney/client privilege. “Privilege” outsourcing of confidential information to protects any communication between the countries where such protections may not client and lawyer for purposes of seeking be in place or enforced. Firms must first legal advice. The attorney/client deal with the question of whether a privilege, like the duty of confidentiality, client’s confidential information can be may be construed differently in many transmitted overseas in accordance with countries. Privilege may exist only with U.S. law. Existing local, state, or federal outside counsel, as a matter of company laws may regulate what confidential policy, or as a contract.20 information can be exported.15 Law firms that seek to outsource Legal questions may also arise in overseas must be aware of the dangers of connection with the laws of the vendor risking clients’ privacy by releasing country. Some countries, for example, confidential information to those who may subject an organization’s property to may not be bound by the same rules of judicial or administrative seizure.16 A professional conduct. As previously disgruntled employee or creditor of an mentioned, different societies espouse LPO could seek to seize confidential different corporate cultures and standards client information in connection with a of conduct. Because of this, employees in suit against the organization. The ease some cultures may not realize that their with which private information can be norm of discussing work information or seized depends on the substantive law of high-profile clients may be embarrassing the country in which the legal services are or harmful.21 ABA Formal Opinion 08- being performed. 451 warns of the risk that any outside If a U.S. firm determines that a service provider may inadvertently (“or client’s confidential information can perhaps even advertently”) reveal legally be transmitted and used overseas, confidential client information to the firm must next ask whether practical unprivileged or even adverse parties.22 safeguards exist to adequately protect a The risks of bribery, commercial theft, client’s confidential information.17 and industrial sabotage or espionage India’s legal system, like that of America, likely vary depending upon the region. has a common-law basis. Like all foreign Other industries that have experienced jurisdictions in the common- and civil- intentional mismanagement of private law traditions,18 India recognizes that information at the hands of offshore lawyers have a duty to protect client vendors warn against the potential misuse confidentiality. The mere presence of of confidential or private client data.23 such a duty does not, however, guarantee Page 174 THE PRIVACY PROJECT IV – 2011

The outsourcing firm must take Conduct.”28 Rule 5.3(b) details similar affirmative measures to train receiving obligations with regard to non-lawyers. It parties working on a particular client provides that lawyers who retain or matter on the American application of associate with non-lawyers must “make these rules to avoid inadvertent reasonable efforts to ensure that the disclosures of confidences or secrets. Not person’s conduct is compatible with the only do breeches of confidentiality violate professional obligations of the lawyer.”29 the Model Rules of Professional Conduct, Workers to whom confidential client they subject American firms to tort information is outsourced are often not liability and disciplinary action. licensed to practice law in the United American attorneys have been held liable States. While those unlicensed workers for both inadvertent and intentional may not be subject to U.S. ethics rules, disclosures of confidential information.24 the law firms and attorneys employing them certainly are. Outsourcing lawyers B. Unauthorized Practice of Law must therefore “ensure that tasks are delegated to individuals who are Law firms outsourcing overseas competent to perform them, and then to should be aware of the potential threat to oversee the execution of the project clients’ privacy posed by unauthorized adequately and appropriately.”30 If LPO practice of law. Non-lawyers and lawyers employees were to inadvertently not licensed in the United States compromise confidential client performing outsourced legal work raise information, for example, the supervising significant ethical questions. The legality attorney could be held liable. Such a of outsourcing of legal services is widely possibility is even more reason to attempt accepted, but several authorities suggest to guarantee protection of client privacy. “that supervision of all work by a fully- To meet the requirements laid out in qualified lawyer is ‘key.’”25 Rules 5.1 and 5.3, the ABA Opinion The ABA Standing Committee on suggests that “a lawyer outsourcing Ethics and Professional Responsibility services for ultimate provision to a client described outsourcing as a “salutary should consider conducting reference trend” in the global economy in its checks and investigating the background Formal Opinion, “Lawyer’s Obligations of the lawyer or non-lawyer providing the When Outsourcing Legal and Non-legal services as well as any non-lawyer Support Services” (“ABA Opinion”).26 intermediary involved, such as a The ABA Opinion advised that the placement agency or service provider.”31 supervisory requirements of Rules 5.1 The opinion recommends heightened and 5.3 apply to attorneys outsourcing supervisory practices when privacy and legal and non-legal support services.27 confidentiality concerns are at stake: Rule 5.1(b) requires that “[a] lawyer having direct supervisory authority over Depending on the sensitivity of another lawyer shall make reasonable the information being provided to efforts to ensure that the other lawyer the service provider, the lawyer conforms to the Rules of the Professional should consider investigating the Confidentiality Concerns Surrounding Sending Legal Services Overseas Page 175

security of the provider’s for an LPO accidentally reveal premises, computer network, and confidential client information to the perhaps even its recycling and detriment of both the client and the refuse disposal procedures. In lawyer, who could be sanctioned for some instances, it may be improper supervision.35 The fact that the prudent to pay a personal visit to U.S. attorney paid a personal visit to the the intermediary’s facility, facility may (or may not) help the regardless of its location or the attorney’s defense, but it does little to difficulty of travel, to get a actually protect the client’s privacy. firsthand sense of its operation and the professionalism of the IV. Recommendations lawyers and non-lawyers it is procuring.32 Law firms in the U.S. are increasingly utilizing offshore The ABA Opinion emphasizes that, outsourcing as a way to cut costs and when it is apparent that significant increase efficiency. This trend is not dissimilarities exist between the likely to end soon. Law firms will professional cultures of the United States continue to make use of LPOs in light of and the nation to which work is downward pressure on costs and outsourced, “it will be more important increasing utilization of technology. The than ever for the outsourcing lawyer to ABA’s eager acceptance of legal scrutinize the work done by the foreign outsourcing has removed some unease lawyers – perhaps viewing them as non- surrounding the practice, and law firms lawyers – before relying upon their work are proceeding with outsourcing at in rendering legal services to the lightening speed. Despite increasing client.”33 acceptance and employment of legal Practical application of the ABA outsourcing, ethical concerns regarding Opinion’s suggestions seems more client confidentiality and privacy exist. difficult and less effective than it would Awareness of privacy concerns will allow suggest. Some believe the guidance is outsourcing attorneys to better protect little more than “steps in hiring any their clients and themselves. Some vendor for any large project,” in the U.S. recommendations to improve the practice or abroad.34 Investigating the security of of legal outsourcing include disclosing a provider’s premises and its refuse any use of outsourcing and obtaining disposal procedures may realistically do client consent, contracting for all little to ensure confidential information is confidentiality obligations and restrictions kept secure. with companies receiving confidential The trend toward outsourcing more information, and limiting access to complicated legal work, such as e- confidential information. discovery projects, raises significant concerns about the unauthorized practice A. Disclosure and consent of law. It is not difficult to imagine a situation in which non-lawyers working Page 176 THE PRIVACY PROJECT IV – 2011

The previously mentioned ABA Opinion addressed the need to provide Outsourcing remains a highly information to the client concerning the controversial practice and many clients do utilization of offshore outsourcing. Prior not want their confidential information to the 2008 ABA Opinion, most U.S. sent overseas.39 Privacy concerns may lawyers equated disclosure requirements lead a client to choose a firm that utilizes in the case of outsourcing to disclosure in-house paralegals rather than less costly requirements in the case of temporary workers overseas. While some state bars lawyers. In 1988, the ABA Committee differentiate between lawyers and non- on Ethics and Professional Responsibility lawyers when deciding whether client held that a client was not entitled to full consent is necessary for outsourcing, disclosure that a temporary lawyer was informed consent should always be performing its legal work.36 This opinion obtained when there is a possibility that was based on the assumption that the client confidences and secrets will be temporary lawyer in question would be disclosed. Furthermore, client consent is carefully supervised and controlled by a a necessary requirement of most privacy licensed attorney. The 2008 ABA legislation that allows companies to Opinion refuted this assumption in the outsource personal information.40 For case of offshore outsourcing. It practical purposes, it seems prudent to recognized that such a high degree of inform a client of the possibility of legal supervision essentially making the outsourcing as early as the situation supervised lawyer tantamount to an allows. Making the disclosure and employee will typically not exist in the gaining consent before steps to outsource context of offshore outsourcing.37 The are initiated is the safest move for all ABA Opinion strongly advocated parties involved. obtaining client consent in situations where client confidentiality is a concern: B. Contract confidentiality obligations and restrictions Thus, where the relationship between the firm and the Despite the inherent difficulties individuals performing the services involved in closely supervising overseas is attenuated, as in a typical employees, supervisors are obligated to outsourcing relationship, no make “reasonable efforts” to ensure information protected by Rule 1.6 employees follow the rules of [concerning confidentiality] may be professional conduct. U.S. attorneys revealed without the client’s open themselves up to liability if they do informed consent. The implied not or cannot adequately supervise the authorization [in the Rules] to share actions of foreign lawyers and non- confidential information within a lawyers to whom confidential client firm does not extend to outside information is disclosed. The most entities or to individuals over effective way U.S. law firms and whom the firm lacks effective attorneys can protect themselves and their supervision and control.38 clients from ethical breaches are to enter Confidentiality Concerns Surrounding Sending Legal Services Overseas Page 177 into a contract with the overseas utilize third party vendors that restrict company.41 access to secure documents only to those Such a contract should set forth working on that particular issue. Vendors confidentiality and privacy can also redact identifiable information, responsibilities and restrictions. Overseas prevent copying and downloading of employees are expected to maintain the confidential material, and track access of confidentiality of information relating to confidential records.47 the representation of the client.42 Limiting the outsourced worker’s Outsourcing attorneys in the United access to confidential client information States should take the time and effort is also beneficial for purposes of avoiding necessary to ensure that foreign workers conflicts of interest. Screening overseas understand what the duty of employees from all client information that confidentiality entails as well as its rules is unrelated to their work on a matter and application.43 Offshore workers, for helps prevent conflicts of interest for the example, may not understand that the U.S. attorneys and law firms.48 duty of confidentiality continues even Many LPOs understand the after the project has been completed.44 importance of protecting confidential The contract should provide the U.S. client information. LPO Atlas Legal firm with confirmation that, not only do Research, for example, “promises to overseas workers understand their duties thoroughly check for any potential of confidentiality, “the outsource supplier conflict of interest and, at customer’s has enforceable and enforced rules and request, will alter any personally procedures pertaining to the safeguarding identifying information before sending of confidential information.”45 If the work assignment to India.”49 If overseas overseas employees are expected to employees have limited access to protect client information under United confidential client information, the States laws, such language should be chances for unintentional or deliberate included in the contract.46 Educating disclosure decrease dramatically. overseas workers and binding employees at both ends through a contract will likely V. Conclusion decrease both inadvertent and deliberate disclosures of confidential information. The legal outsourcing industry is thriving. Offshore outsourcing of legal C. Limited access to confidential services offers decreased costs and information increased efficiency, but it also raises ethical issues regarding a client’s privacy The most practical and effective and the duty to protect a client’s strategy to protect a client’s privacy and confidentiality. U.S. law firms and prevent disclosure of confidential attorneys can combat the dangers of information may be to limit the inadvertent or deliberate disclosures of outsourced worker’s access to confidential client information in several information. For document review ways. Attorneys must gain client consent services, for example, a law firm can for any offshore outsourcing. If they Page 178 THE PRIVACY PROJECT IV – 2011 decide to proceed with legal outsourcing, U.S. firms and LPOs should enter into Perspectives From the United States, 27 PENN contracts governing confidentiality ST. INT’L L. REV. 323, 324 (2008). obligations and restrictions. Limiting the 11 Id. 12 outsourced worker’s access to a client’s Model Rules of Prof’l Conduct R. 1.6. 13 confidential information can also have a Model Rules of Prof’l Conduct R. 1.6, cmt significant impact on preserving client 16. 14 Daly, supra note 2, at 436-437. confidentiality. Outsourcing of legal 15 The Health Insurance Portability and services is not likely to slow down in the Accountability Act of 1996 (HIPAA) is one near future, so lawyers should take such federal law that may restrict who has precautions to protect the client’s access to a client’s confidential information. confidential information and privacy. Ham, supra note 10, at 334. 16 Daly, supra note 2, at 438. 17 1 See Thomas L. Friedman, THE WORLD IS Ham, supra note 10, at 335. 18 Daly, supra note 2, at 438. FLAT: A BRIEF HISTORY OF THE TWENTY-FIRST 19 CENTURY 137 (2d ed. 2006). Id. (Explaining that, “China and the Islamic 2 See Mary C. Daly, Flattening the World of countries where the shari’a is adopted…are Legal Services? The Ethical and Liability certain to have radically different perspectives”). Minefields of Offshoring Legal and Law- 20 Related Services, 38 GEO. J. INT’L L. 401, 403 Marcia L. Proctor, Considerations in (2007). Outsourcing Legal Work, 84 MICH. B. J. 20, 3 Alison M. Kadzik, The Current Trend to 22 (2005). 21 Id. Outsource Legal Work Abroad and the Ethical 22 Issues Related to Such Practices, 19 GEO. J. ABA Comm. on Ethics and Prof’l LEGAL ETHICS 731, 733 (2006). Responsibility, Formal Op. 08-451 at 5 (2008) 4 Daly, supra note 2, at 403. (Lawyer’s Obligations When Outsourcing 5 Legal and Nonlegal Support Services). Lee A. Patterson, III, Outsourcing of Legal 23 Services: A Brief Survey of the Practice and “For example, recently, an offshore the Minimal Impact of Protectionist subcontractor handling patient-record Legislation, 7 RICH. J. GLOBAL L. & BUS. 177, management for the University of California 182 (2008). at San Francisco (“UCSF”) Medical Center 6 Id. threatened to post confidential patient records 7 See Kadzik, supra note 3, at 733; Patterson, on the internet unless the Medical Center supra note 5, at 182; See ValueNotes, straightened out a problem with the third-party Outsourcing in the Changing Marketplace, vendor handling UCSF’s accounts payable http://www.sourcingnotes.com/content/view/6 department. In another case, a Bangladore, 67/92/ (last visited Dec. 5, 2010). India-based data manager held an American 8 See ValueNotes, Outsourcing in the company’s data hostage and refused to return Changing Marketplace, http://www. it unless the American company dropped its sourcingnotes.com/content/view/667/92/ (last legal claims against it.” Ham, supra note 10, at 335. visited Dec. 5, 2010). 24 9 Daly, supra note 2, at 435-436. Id. Revenues may even surpass this number, 25 as the industry is picking up pace as the global Steven C. Bennett, The Ethics of Legal economy begins to recover. Outsourcing, 36 N. KY. L. REV. 479, 482 10 (2009). James I. Ham, Ethical Considerations 26 Relating to Outsourcing of Legal Services by ABA Comm. on Ethics and Prof’l Law Firms to Foreign Service Providers: Responsibility, Formal Op. 08-451 at 2 (2008) Confidentiality Concerns Surrounding Sending Legal Services Overseas Page 179

(Lawyer’s Obligations When Outsourcing 38 ABA Comm. on Ethics and Prof’l Legal and Nonlegal Support Services). Responsibility, Formal Op. 08-451 at 5 (2008) 27 Id. (Lawyer’s Obligations When Outsourcing 28 Model Rules of Prof’l Conduct R. 5.1(b). Legal and Nonlegal Support Services). (citing 29 Model Rules of Prof’l Conduct R. 5.3. Model Rules of Prof’l Conduct R. 1.6 (a), 1.6 30ABA Comm. on Ethics and Prof’l cmt. 5 (2008)). Responsibility, Formal Op. 08-451 at 3 (2008) 39 Patterson supra note 5, at 188. (Lawyer’s Obligations When Outsourcing 40 Id. at 193. Legal and Nonlegal Support Services). 41 Ham, supra note 10, at 325. 31 Id. 42 Kadzik, supra note 3, at 736. 32 Id. 43 Ham, supra note 10, at 336. 33 Id. at 4. 44 Daly, supra note 2, at 438. 34 Gabe Acevedo, Legal Olympics Update: 45 Ham, supra note 10, at 336. Outsourcing E-Discovery Sliding Down 46 Proctor, supra note 20, at 22. Slippery Slope, at Record Speed, Feb. 16 2010 47 Ham, supra note 10, at 337. http://abovethelaw.com/2010/02/legal- 48 Kadzik, supra note 3, at 735. olympics-update-outsourcing-e-discovery- 49 http://www.atlaslegal.com/ Atlas Legal sliding-down-slippery-slope-at-record-speed/ Research, http://www.atlaslegal.com/ (last (last visited Nov. 25, 2010). visited Nov. 29, 2010). 35 Id. According to Gabe Acevedo at “Above the Law,” some firms have already found themselves in similar situations. 36 The committee opined that, “when a lawyer engaged the services of a temporary lawyer, a form of outsourcing, an obligation to advise the client of that fact and to seek the client’s consent would arise if the temporary lawyer was to perform independent work for the client without the close supervision of the hiring lawyer or another lawyer associated with her firm.” ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 08-451 at 4 (2008) (Lawyer’s Obligations When Outsourcing Legal and Nonlegal Support Services), citing ABA Comm. on Ethics and Prof’l Responsibility Formal Op. 88-356 (Dec. 16, 1988) (Temporary Lawyers). 37 Explaining that such a situation “ordinarily will not be the case in an outsourcing relationship, particularly in a relationship involving outsourcing through an intermediary that itself has the employment relationship with the lawyers or nonlawyers in question.” ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 08-451 at 5 (2008) (Lawyer’s Obligations When Outsourcing Legal and Nonlegal Support Services). The Judgment of Google

By Valerio Vallefuoco

N THE 24 February 2010, Valerio Vallefuoco is a managing O partner with Studio Legale Vallefuoco & judgement was entered, and defendants Associati in Rome, Italy. He concentrates Drummond De Los Reyes, Google’s his practice of law in commercial senior vice president of corporate litigation, European and international development, Peter Fleischer, global law. Currently, he is a professor of privacy counsel, and George Reyes, a international tax law at the Lum Jean former chief financial officer, were Monnet University in Italy. convicted, as a result of a video that appeared on the Google Video site portraying an autistic person being beaten The proceedings also had a huge by his classmates at a school on the media following because of the cruel outskirts of Turin. Prosecutors in Milan facts, the identity and status of the victim, brought charges after an appropriate and and the fact that the youths of the video complete investigation. The individuals wanted to make public their vile mentioned above were accused of the behaviour. Since then, interest has grown crimes of defamation and dissemination in part because of the implication of the of sensitive information without proper most powerful and well known search authorization. engine in the world, Google, and its The events in question occurred in a possible liability. public school where there were a number The issue concerning the removal of of youths with their autistic companion. defamatory content on web space The commentary on the video shows one provided by Google has been a rather of the youths making a mocking call to tricky subject in the past. For example, the “Vivi Down” charity, and Vivi Down the decision of the Supreme Court of New was the civil party asserting the crime of York, which issued a ruling in favor of defamation during the criminal Canadian model Liskula Cohen and proceedings. ordered Google turn over the name of an It goes without saying that the story anonymous blogger so that Cohen could had a huge media following, not only pursue a lawsuit against the blogger for because of the importance of the parties defamation. The plaintiff also asked the concerned, but also because the sentence court for the removal of all content from could have been in one way or another a the sites. It took just under a year, but precedent for or against those who own eventually Cohen succeeded in forcing websites and are involved in the the most popular search engine in the uploading and downloading of world to reveal the identity of the information continuously from users who anonymous Internet user. This case surf the web. illuminates an important issue concerning people who choose to abuse the freedom The Judgment of Google Page 181 provided by the Internet and its life. It is only logical that these legislative anonymity and their obligation to answer gaps cannot be filled so easily, but they for any revelation of private, sensitive must be recorded and resolved one by information. one, to ensure that there is no doubt or The case in Milan involved inconsistency in the application of one allegations against the directors relating rule to another. to the defamation of the charity "Vivi Article 595 of the Italian Criminal Down" and the beating of the boy, Mr. De Code states the crime of defamation: Leon. The allegations involved harm to “Anyone, except for cases mentioned in the interests of people who had not given the previous article, communicating to their consent for the processing of more people, injures another's reputation, information entered into the system which shall be punished with imprisonment of was used by Google to produce profits. up to one year or a fine of up to € 1032. If The technical and legal connections the offence concerns the attribution of a involving the search engine in question given fact, the penalty is imprisonment have been thoroughly explained before for up to two years or a fine of up to € and leave no doubt as to the conduct of 2065. If the offence went through the the same American company. press or any other means of publicity, or The relevant charges specifically in a public deed, the punishment shall be involved: 1) Complicity of the defendants from six months to three years in defamation, having contributed to the imprisonment or a fine of no less than € defamation of the “Vivi Down” charity 516. If the offence went to a political, by the implementation of omissive administrative or judicial body, or any of behavior (the defendants failed to either its representative offices, or by a panel do something to solve the situation, warn authorities, the penalties are increased.” those who controlled the uploaded videos In this case, the imputations are or to try to change the rule to prevent flanked by another behavior, identified in internet users from uploading such Article 40 of the Italian Criminal Code, videos) and 2) benefiting from the which requires verifying a well-defined disclosure of personal information about a behaviour: failing in forbidding a criminal person without permission. action is tantamount as causing it. The As is easy to understand, the Court found that there was not enough interests at stake are not only related to sufficient evidence of the behaviour of one of the largest corporations in the the defendant by the prosecution, and world, but also to the millions of people therefore the defendants were found every day that are on the net. We must innocent under Art. 40. assume that there is no universal specific Above all, we must consider that the legislation on the rules to be followed in defendants did not deny that the carrying out activities on the web, and defamation occurred, and the Judge ruled that the rules being used are derived from that the owners of the site could not be laws created in other areas which also held responsible for the crime, as it was apply in this media world that every day not intended. Specifically, the youths in is becoming more prominent in our daily the video portrayed themselves as being Page 182 THE PRIVACY PROJECT IV – 2011 part of "Vivi Down," and that portrayal If the video.google site was and the associated comments not only considered by the Court to be a simple defamed the company in question, but host provider, the problem on the liability also affected the whole world in part and the allegations in question would connection with Down syndrome. not even be up for discussion, but the The reason that prompted the jury to Prosecutor's investigations revealed that acquit the accused on the first charge was the site, although it is free, does not the fact that the charges, as proposed merely allow the user to upload or required a prior or subsequent control of download videos, but handles them, the information entered into the site without screening their content. This video.google, but this control, in the difference has placed the site in a very Court’s opinion, was impossible to awkward position, because Google has exercise. Preventive control was not become complicit in the dissemination of possible if attempted, because it would information uploaded by a third person, effectively block the use of Google due to even if the information is made public the amount of information uploaded by without proper authorization. users of the Web at any time. The control In fact, the sentence on the first needed in another level, however, as charge of the indictment does not say that suggested by the prosecution is not Google Italy, and therefore the accused, required given the lack of specific did not commit the fact, but ruled instead legislation governing its activities that the indictment provides as follows: According to the Public Prosecutor, the expected behaviour that administrators failure of control occurred after the should have taken but was impossible to release of information into the system, apply, because the control needed would which would have warned them of the have made it impossible for the service offence, and it would not have happened rendered. Therefore if Google was (or would have happened but with less applying the level of control the harm to the victim). Prosecutor wanted, no service would have This assumption, however, is not been provided at all. If the site had been provable because even if there had been a considered a simple video.google host follow-up, the fact remains that it could provider, then there would have be no have still passed unnoticed, given the charges against the administrators who thousands of videos uploaded daily on the run the company (at least in Italy). site. However, it is vital to understand The fact that the site has been how the PM has come to challenge the identified as a content provider poses a offence of defamation by the different question. The prosecution did administrators and Google Italy Google not prevail only because prevention Inc. The fundamental distinction that control was not possible in this case in involves the Google administrators on the question. Furthermore, the construction witness stand relates to the difference of a position of security requires the between content providers (content person against whom is entrusted with an management system) and host providers obligation "quote" to prevent the event (third party liability). and not a general obligation to make an The Judgment of Google Page 183 end to the effects occurred. This means provisions of Articles 17, 20, 21, 22, that the obligation is fulfilled the moment paragraphs 8 and 11, 25, 26, 27 and that the internet user tries to prevent the 45, shall be punished, if harm comes event, but if for any reason such event from the fact, with imprisonment from occurs, then it is not longer his obligation one to three years.”1 to end it. (Given the extreme technical difficulty of this solution and the The prosecution therefore had to consequences that might ensue, it would demonstrate the link between Google Inc. be viewed as an "unreasonable" and its representative company in Italy, requirement and therefore not criminally Google Italy, in the management of a site liable under Article 40 of the Italian apparently free to users, but that is a criminal code.) source of income. The site which was On the other hand, the second used to "load" the video in question indictment involves the processing of allows any registered user to enter any personal data of De Leon. This second kind of (video) information in the system charge is rooted in the fact that the with the only filter being a flag-in on the video.google site in Italy for which privacy law. In the jury’s opinion, this Google Inc. is responsible is considered, was a completely inappropriate way to as mentioned before, a content provider, inform users on the law of privacy. The i.e. a site that is not just a passive information that is "loaded" on the site is intermediary, but that manages the managed by Google, although in an information that is entered into their autonomous way: the video, depending system. The article in reference to this on the number of downloads is placed in charge is Article 167 of the Privacy Law, a ranking, then the same is put into a which states that: category, so that the site handles the information and advises users, offering “1. Unless the act constitutes a serious one video instead of another. In fact, if a crime, whoever, in order to gain profit video is entered into this website, it then for himself or others or to cause harm places it among the top in the category of to others, must not process personal funny videos, invariably the operator of data in violation of the provisions of the website recommends watching that Articles 18, 19, 23, 123, 126 and 130, video to users. or Article 129, shall be punished, if In the case in question, the harm comes from the fact, with Prosecutor of Milan found that the imprisonment from six to eighteen accused Drummond, De Los Reyes and months or, if the fact consists in Fleisher, in their individual capacity as communication or dissemination, by officers, (the first two from Google Italy imprisonment from six to twenty-four and the third from Google Inc.) in relation months. 2. Unless the act constitutes a to the privacy policy for Europe, serious crime, whoever, in order to committed the crime in question by gain profit for himself or others or to failing to properly handle personal data cause harm to others, must not process and sensitive information of Giovanni personal data in violation of the Francesco De Leon, allowing the loading Page 184 THE PRIVACY PROJECT IV – 2011 of the video file on September 8, 2006 immediate cancellation of data and and maintaining it on the Google video.it communications and a report of criminal site in order to make a profit. This profit, activity). according to the prosecution derives from Accordingly, the Court considered it the relationship between Google Italy insufficient to meet the requirements of with the video.google site and operations the law "to hide" the information on these on the same site of the AdWords system. obligations within the general conditions This system, in short, allows anyone of the service accepted at the time of who wants to advertise to have their registration of the user for use of the advertisements seen when the most service. Thus, in fact, the Judge was not successful videos are downloaded. So if satisfied with the knowledge that every the company "Acme" wants to advertise user should have to respect, giving due on the most downloaded video of the weight to this statement, among other moment, it pays to make its site have a things, not being informed about the link with the video. In such a case, the consequences that could arise if the user requirement of the second aspect of the does not comply with the law. In light of configuration provided by Art. 167 of the these facts, the directors of Google Inc. Privacy Act would be met, namely the and Google Italy were found guilty of the profit. second part of charge ascribed. Based on this interpretation, where Other factors helped to strengthen the substantiated by the facts, those argument of the prosecution. Research of responsible for the site should therefore the accused has shown that Google Inc. be held jointly responsible for the offence operates in all respects for Google Italia under Art. 167 because this kind of ISP from a commercial entity, Google Italy. (website) not only provides a simple For any type of decision Google Italy report of interconnection, but also must request permission from Mountain manages data in its possession, such that View, based in the United States. This it becomes somehow "dominus" and then does not mean that the company Google "the data controller" in accordance to law Italy Srl cannot exist without the with corresponding obligations. administrators, even if nominally and While confirming what was formally responsible for the company. previously said, one cannot ask the Investigations have shown specifically a content provider to perform prior lack of respect for the Italian law and at checking on the information entered into the same time the enormous difficulties in the system, it is possible, and even the operation of the company in dealing necessary, to ask the provider to meet with priority needs, which was reflected another kind of obligation: the operator of in the choice of the Administrators. the site which enables users to "load" the The continuing need to ask video’s on the video.google domain must authorisation for every modification, have correct information and must request or problem can halt the normal comply with the consequent obligations activities of the company, to the extent imposed by the same law, or the operator that Google Inc. and Google Italy often runs the risk of non-compliance (the had to pay penalties in compliance for The Judgment of Google Page 185 late entry in the book of records of trust placed in the parent company was business. Specifically, administrators and misplaced. heads of Google Italy, selected by Administrators like it or not, are American leadership, had management responsible for everything that happens problems arising out of unawareness within the company they represent, and it about the national legislation. Because does not matter if one is part of a larger the Defendants were not Italians, they company. In this case the defendants found themselves in a somewhat have the sin of superficiality, because awkward situation: they are formally their named positions mandated their responsible as they are the legal entities responsibility from legal point of view. It involved in the management of the is unthinkable that the volume of company concerned, but investigations management decisions in a large or small revealed that the internal structure of company can be handled by a person who Google Inc. is vertical, and that all does not fully know the issues relating to decisions are made in Mountain View. relevant accounting and legal principles. No one responsible had ever bothered to Moreover, the growing daily relations raise the issue concerning the privacy of with users of a service with a higher users or those using the service rendered power of information than television and by video.google, or bothered to change other media must be approached with the privacy statement at the time of the care and dedication, which the directors service or to apply for permission to of Google Italy did not do. The result Google Inc. to adapt the announcement of was that the directors have had to bear conditions of privacy found only on the responsibility for their choices. general conditions of service. Naturally we must keep in mind the The directors, as such, should deal position of the accused within the with the company as if it were really company to fully understand the nature of them, that is, controlling all the aspects the charges against them. Italian Civil that can put the company in unpleasant Code Art. 2392 identifies the situations. In this writer’s view, the responsibilities of directors to the directors have borne the brunt of the company. The article stipulates that complicated corporate management of "those who occupy a post of senior Google Inc. who personally manage management have an obligation to fulfil every decision, something completely duties imposed by law and by statute, unthinkable given the volume of the with the diligence required by the nature company. The conduct of the directors to of the assignment.” There does not manage or to "pretend" to manage a very appear to be any problem from this complex society that not only provides provision, but in this case, from the some occasional signature, but needs corporate structure of Google and the much more attention than an ordinary administrative positions they held, the company, not only due to the fact of the defendants have been put in a position sensitivity of information handled, but where they have to be responsible for also because of the number of users who everything that concerns corporate access the service every day, shows the activity, especially in a unique company Page 186 THE PRIVACY PROJECT IV – 2011 which continuously manages hundreds of The doctrine would provide a logical thousands of items of sensitive solution to address a problem of any information. The directors’ behavior, as director belonging to large media shown by the evidence adduced by the companies: The law allows an prosecution, was not exemplary. administrator responsible the use of Although the defendants, in different "delegation" where they cannot "see". A ways have shown that they have never defence of delegation was previously really been aware of what "their" weakened by the prosecution from the company did. Therefore, when the video evidence sought by the Prosecutor. in issue was uploaded to the site, it put Several people from Google Inc. and the U.S. search engine in an Google Srl were called to testify only to uncomfortable situation of control. As a say that no one had been delegated to deal result, control was not sufficiently with the problem directly. The evidence performed by anyone. Indeed, the fact not only showed that the management of that it categorized the video as "more fun" the company was only nominally in the just worsened the situation for Google hands of the defendants, but also and its directors who failed to exercise the demonstrated that the operation carried necessary control. In this regard, Art. 40 out by Mountain View was not adequate. of the Italian Criminal Code states, "He The ruling was proof that even in the who does not prevent an event who has a absence of a law degree, despite the legal duty to do so, amounts to cause." changes to the facts that every day change The obligation of directors, and update, the rules can, although with individually and separately, derives from some difficulty, be applied to new their designated positions within the situations that arise each day. In fact, company. In theory, they should have even if the law cannot update on real time controlled the relevant company (in this case, represented by many operations, no matter who was in different situations), we clearly see that Mountain View, because ultimately, from today it is still possible to apply old a legal point of view, they and they alone solutions to the present problems. had the responsibility. The Italian The significance of Google's media doctrine defines this position as "position decision certainly was a wake-up call, not of guarantee," where the charge of a only for operators of the website, but also particular person is created to avoid for large companies that tend to centralize situations in violation of law. In this the control of “affiliated entities" in their respect Article 41 of the Italian own hands in the manner of Google Inc. Constitution was also involved, granting Surely by now all the operators of freedom of economic initiative and sites, blogs or general information should implicitly recognizing that it is the monitor the space they make available on holders of the initiative (profiting from it) the network. This ruling confirms that he that have to provide adequate is punished who benefits from the organizational security for the interests incorrect behaviour of another person. It protected. is necessary that the operator does not The Judgment of Google Page 187 contribute to spreading the wrong message by neglect or omission. In this respect it is the exemplary remarks made by the Judicial body, which, in the expectation and hope there could soon be a good law formulated for governing such situations, stated, using a famous Latin sentence, that there is no worse dictatorship than that exercised in the name of absolute freedom, "legum servi esse debemus, ut liberi esse possumus."

1 DL 196/03. Privacy Please: How Companies Should Navigate Strict Foreign Privacy Laws in Today’s Global Economy

By: Kyle Dreyer, Wendy May Kyle H. Dreyer and Wendy D. and Joy Tull May are partners with Hartline Dacus Barger Dreyer LLP in Dallas, INCE the expansion of sweeping Texas. Mr. Dreyer’s practice areas S American-style discovery over the last include complex product liability, several decades, foreign countries have commercial and malpractice enacted privacy laws in an effort to litigation. prevent or severely limit United States Ms. May concentrates her (U.S.) litigants and courts from obtaining practice in the areas of complex otherwise discoverable but private product liability and commercial materials from within the borders of litigation. foreign countries.1 Foreign privacy laws Joy R. Tull is an associate in the generally restrict both foreign and Dallas office and practices in the domestic entities from reviewing, same areas. collecting or disseminating personal information, defined as any information subsidiaries or affiliates may be forced to relating to an identifiable individual.2 choose between potential sanctions by a However, the privacy often treated as U.S. court for non-production or the consequences imposed by a foreign sacrosanct by foreign countries, has long 6 been discounted by U.S. courts. country for violating privacy laws. Traditionally, perhaps pressured by the Recognizing this dilemma, some recent tenant of open discovery, U.S. courts U.S. rulings have signaled a shift toward have acknowledged the existence of genuine consideration of foreign privacy foreign privacy laws but have not interests. However, U.S. courts are far recognized these laws as a barrier against from consistent in their protection of broad form orders requiring production of private foreign information. Until they information collected and maintained are, U.S. litigants should be prepared to abroad. U.S. courts have consistently protect against the increased risk of determined domestic litigants’3 interest in penalties for privacy law violations. full disclosure should prevail over foreign privacy interests.4 I. Foreign Privacy Laws and the Adding to the conflict, the European Impetus for Increased Union (EU) and member countries have Enforcement begun using their newfound power to strengthen privacy protection A generalized disdain for the broad enforcement, including criminal penalties pretrial discovery process allowed in the United States is well-documented actually imposed on privacy law 7 violators.5 In this increasingly global abroad. Foreign privacy laws have long economy, U.S. litigants with foreign existed and included criminal sanctions as How Companies Should Navigate Strict Foreign Privacy Laws Page 189 penalties for those who disseminate were not sought against those responding protected private information. to U.S. discovery requests until 2007.13 Nonetheless, litigants who produce Other EU countries have since followed protected private information in response suit, as exemplified by Italy’s imposition to U.S. court-ordered production have not of criminal sanctions against three Google been prosecuted in the past. Recently, executives for violating the country’s however, foreign jurisdictions have begun privacy restrictions.14 enforcing criminal penalties against U.S. litigants and their foreign affiliates for B. Impact of the Patriot Act privacy law violations. 8 Since countries throughout the world have privacy laws The widespread adoption of the that have been largely dormant until now, Privacy Directives by EU member it is necessary to understand the catalyst countries, as well as the increased for increased regulations and enforcement willingness of these countries to enforce in order to predict which countries this their respective pre-existing privacy laws, trend may next reach. may represent a response to international sensitivity over the U.S. Patriot Act15 A. Geopolitical Changes passed in 2001. The Patriot Act is seen by foreign leadership as the latest and Although the EU has existed in perhaps most egregious step toward various forms since 1948, its current undermining EU citizens’ privacy economic and political powers have rights.16 And, EU member countries increased over the last 20 years and have responded, in part, to U.S. particularly since 1995.9 Relying on its enforcement of the Patriot Act with the enhanced power and influence, the EU’s first criminal sanctions imposed under Parliament and Council drafted a set of pre-existing privacy laws.17 regulatory directives for enactment by individual EU member countries as C. Increased Electronic Data domestic law.10 One EU directive, Directive 95/46/EC (the “Privacy Another trigger for recent foreign Directive”), requires member countries to privacy law enforcement is the protect the privacy rights of individual exponential increase in private citizens through legislation.11 information now available electronically. Compliance with this directive requires Simply put, far more personal data is now member countries without privacy laws to collected, stored, and accessible due to pass and enforce them and member the increased capacity afforded by digital countries with privacy protection laws to processes. Moreover, much potentially more strictly enforce them.12 France is private information can exist with non- one example of an EU member country protected data but be hidden in the with longstanding privacy laws, which metadata or electronically stored has recently increased enforcement. information (ESI). Thus, foreign France’s privacy laws were enacted in countries see increased restrictions as 1974 but the criminal penalties permitted necessary to prevent dissemination of Page 190 THE PRIVACY PROJECT IV – 2011 private information accessible in ESI court would recognize the Hague files. Convention as a valid solution to foreign discovery issues; much less seriously II. U.S. Court Response to Foreign consider the threat of foreign Privacy Law Enforcement prosecution.24 Now, outcomes in cross- border discovery disputes range from The Hague Convention on the applying all five comity factors and Discovery of Evidence Abroad (the finding in favor of foreign privacy “Hague Convention”) is one method interests, to at least a willingness to utilized by U.S. litigants to avoid consider the protections offered by the violating foreign laws during the Hague. 25 discovery process.18 The Hague In the few U.S. cases decided after Convention is intended, in part, to ensure France first began imposing criminal that foreign privacy laws are not violated sanctions for privacy law violations, U.S. while allowing U.S. litigants to obtain courts have incorporated into their discovery of information located application of Aerospatiale a more abroad.19 However, U.S. courts have thorough evaluation of specific foreign often criticized Hague Convention privacy interests. Specifically, these procedures and generally opposed using courts have focused on whether U.S. them.20 U.S. litigants found justification litigants or their foreign affiliates for bypassing the Convention’s realistically face a risk of foreign procedures altogether21 in the Supreme prosecution for complying with a Court’s Societe Nationale Industrielle particular discovery request and how Aerospatiale v. U.S. Dist. Court for S. vigorously the foreign jurisdiction Dist. of Iowa analysis.22 While the defends its own privacy laws.26 Aerospatiale Court adopted a test to For example, in Gucci Am., Inc. v. weigh foreign privacy interests against Curveal Fashion, the United States domestic discovery interests, in its District Court for the Southern District of application by U.S. courts, this five-factor New York, recognized that criminal comity analysis has historically amounted sanctions authorized by Malaysian to little more than token recognition of privacy laws “suggest that Malaysia has a foreign privacy laws. In fact, U.S. courts strong [privacy] interest” demanding have frequently refused to temper some consideration by U.S. courts.27 discovery orders that may potentially However, because the Malaysian violate such privacy laws.23 government had made little previous However, the EU Privacy Directives, effort to enforce its privacy laws, and no and the more robust privacy law effort at all to intervene in the case, the enforcement by foreign countries Gucci Court ultimately did not limit generally, have recently begun to impact discovery.28 The Court appeared to the application of both the Aerospatiale affirm on the basis that without an actual comity analysis and the Hague danger of prosecution or objection by the Convention procedures by U.S. courts. In foreign government, there was no basis the past, litigants were not guaranteed the for protecting Malaysian privacy interests How Companies Should Navigate Strict Foreign Privacy Laws Page 191 over the U.S. discovery interest.29 District of Michigan authorized the use of During the same month, in In re Air the Hague Convention procedures, even Cargo, the United States District Court though the procedures are “more difficult for the Eastern District of New York and more expensive” than those provided utilized a similar analysis, considering in the Federal Rules of Civil Procedure.33 both the realistic risk of prosecution By careful application of the based on case specific circumstances and Aerospatiale factors and authorizing the the efforts of the French government to use of the Hague Convention procedures, enforce its privacy laws.30 The thorough U.S. courts are allowing foreign countries analysis and genuine consideration given to have some greater measure of control the Aerospatiale comity analysis by both and protection over the interests of their the Gucci and In re Air Cargo courts citizens’ personal privacy during the U.S. represents deference given to foreign discovery process. Even recognizing the privacy interests that was previously very fact specific outcomes in the above hard to come by. referenced cases, the general privacy Although both Gucci and In re Air protection represented by them suggests a Cargo resulted in ordered discovery that trend toward increasing concern for could potentially violate international foreign privacy interests. U.S. litigants law, the decisions were premised on fact faced with the challenge of responding to specific circumstances that are not requests for the production of foreign necessarily applicable to other foreign private information must demonstrate that countries. For instance, Malaysia is the foreign country’s privacy interests neither a member of the EU nor a warrant serious concern, based in part on signatory to the Hague Convention, the country’s privacy law enforcement therefore the U.S. court discounted the history. Additionally, parties should not foreign privacy interests implicated. In In overlook the potential benefits of seeking re Air Cargo, the documents at issue had authorization for the use of the Hauge previously been produced with the Convention procedures, as well as permission of the French government in intervention from the foreign country at another matter; prompting the Court to issue.34 Letters from foreign question the seriousness of the privacy ambassadors and foreign judicial officials concerns raised.31 have been enough to convince some U.S. Courts have also begun to courts that relief from U.S. discovery reassess the appropriateness of the Hague demands is in order.35 At the least, when Convention procedures in certain faced with foreign privacy interest laws, circumstances. For example, in Motorola the Hague can and should be used to Credit Corp. v. Uzon, the United States allow the foreign country to assert its District Court for the Southern District of interests.36 New York refused to compel a bank to produce information, based in part, on the III. How to Avoid Entanglement in requesting party’s failure to follow the the Conflict Hague Convention procedures.32 The U.S. District Court for the Eastern Page 192 THE PRIVACY PROJECT IV – 2011

While there is a shift toward policies that comply with applicable carefully considering and even restricting foreign privacy laws. discovery of foreign protected private information, it is left to individual courts A. Identify Relationships with to balance the competing interests.37 Foreign Entities that Create Thus, a consistent approach has not yet Access to Private Information developed. The EU’s Privacy Directives protects U.S. entities risking conflict with a broad spectrum of “personal data,” foreign privacy laws are those that seek defined as any information relating to an private information 1) pursuant to identifiable individual.38 This means any discovery requests; or 2) for internal uses information even tangentially related to like research and statistical analysis. U.S. an individuals’ specific physical, discovery rules only require a party to physiological, mental, economic, cultural, produce relevant information within its or social identity as well as anything possession, custody, and control.40 This suggesting financial information, requirement is generally interpreted to organizational affiliations, racial or ethnic include all such material held by any identity, health status, email address, or entity over whom the party has a right to phone number is protected by law.39 This compel production.41 Typically, this protected information is not only included includes wholly or partially owned in many discoverable documents foreign subsidiaries or affiliates, foreign- requested in litigation, but is also often owned parents, and potentially foreign- acquired for statistical analysis and owned suppliers.42 Thus, only those U.S. research. Thus, U.S. entities must entities with qualified foreign affiliates consider how this protected information risk a discovery scenario where foreign should be handled both inside and outside privacy laws conflict with U.S. discovery the U.S. litigation context. U.S. obligations. Likewise, any U.S. entity companies which are involved in using a foreign affiliate (even if not litigation, or which may use this type of “controlled” by the U.S. entity) to collect information for other business purposes, statistical data for research and analysis should be cognizant of both applicable should consider the potential application foreign privacy laws and the still of foreign privacy laws before obtaining inconsistent protection offered by U.S. any potentially private information. courts. To that end, the following considerations are significant: (1) B. Understand the Law and identifying foreign relationships that may Enforcement Policies in create access to private protected Applicable Foreign information, (2) knowing the law and Jurisdictions enforcement history in those foreign jurisdictions where those relationships Once potentially problematic foreign exist, and (3) adopting document affiliates are identified, it is important to retention and document management understand the nuances of privacy law and the penalties imposed in each How Companies Should Navigate Strict Foreign Privacy Laws Page 193 particular foreign jurisdiction. While the some foreign jurisdictions, domestic EU Privacy Directive provided the entities can obtain consent from the framework for a more unified approach, relevant parties allowing them to collect each member country is free to enact its personal data without violating applicable own specific privacy laws and, of course, privacy laws.46 However, such consent these vary. Not every foreign jurisdiction often does not translate to U.S. based has shown an equal willingness to enforce operations.47 When it is necessary to its privacy laws and some have even obtain information that may include provided “safe harbors” for accessing private data, U.S. entities should protect private information.43 themselves by requiring the foreign entity to redact private information before C. Effectively Manage Private accepting a transfer.48 By placing the Information burden of reviewing and censoring the information on the foreign entity, Assuming a qualifying foreign questionable material can be removed in relationship exists where privacy laws compliance with applicable foreign restrict information commonly requested privacy laws. in discovery or used for business The easiest mistake for U.S. entities purposes, is it advisable to develop a to make in regard to foreign privacy laws compliant document retention policy. In is a product of modern technology: the normal course of business, U.S. neglecting to give electronic information entities should not take actual possession the same, if not more, protection than that of foreign protected information. given to tangible documents and Moreover, foreign subsidiaries, parents, information. Foreign privacy laws and possibly suppliers of U.S. entities prohibit corporations and other entities should also abstain from collecting, from storing, accessing, reviewing, or maintaining or reviewing personal even organizing e-data covered by such privacy laws.49 The Federal Rules of information, even within their own 44 Civil Procedure have allowed for e- borders. If a company consistently 50 discovery since 1970. However, many applies and enforces document retention U.S. courts have more recently adopted policies that exclude private information, stricter production requirements for U.S. courts have been more willing to electronic discovery.51 defer to those policies when considering 45 The EU Privacy Directives forbid discovery objections. storing or maintaining personal While the ideal solution is to avoid information, regardless of whether such collecting or retaining protected would constitute spoliation in a U.S. information, that is not always realistic. court.52 This heightened burden, from Because entities based in countries with both sides, combined with the increased privacy restrictions are in the best amount of data that now exists position to avoid violating them, they electronically, makes the risk for privacy may be better positioned to review and violation more substantial.53 As redact information when transfers of discussed, digital documents can contain protected information are necessary. In a massive amount of unseen ESI that exists mostly in the background of Page 194 THE PRIVACY PROJECT IV – 2011 electronic transfers. Thus, it is easy to exclude ESI from the review and 2 See European Commission, Article 29 redaction process. The potential result is Working Party Opinion 4/2007 on the Concept obtaining carefully reviewed and edited of Personal Data, 01248/07/EN (2007), information that inadvertently includes available at http://eur-lex.europa.eu/en/ personal data in the attached ESI. Should index.htm (last visited October 28, 2010); a company neglect to address ESI, it may Directive 2002/58/EC of the European be forced to preserve and produce the Parliament and of the Council of 12 July 2002 information it has received.54 concerning the processing of personal data and As discovery in U.S. civil actions is the protection of privacy in the electronic increasingly impacted by shifts in foreign communications sector (Directive on privacy privacy laws and technological and electronic communications), Official advancements, U.S. courts have indicated Journal L 201 , 31/07/2002 P. 0037 – 0047 available at http://eur-lex.europa.eu/Lex a willingness to consider the privacy UriServ/LexUriServ.do?uri=CELEX:32002L0 challenges faced by U.S. litigants. 058:EN:HTML; see also Privacy Directive, Through careful attention to the infra note 11, art. 2(a) ("an identifiable natural protections offered by older tools like the person is one who can be identified, directly or Hague Convention and newer tools like indirectly, in particular by reference to an the EU Privacy Directives, U.S. litigants identification number or . . . one or more can often find protection for their privacy factors specific to his physical, physiological, interests in U.S. courts. Better still, mental, economic, cultural or social identity." careful document use, retention and Id. storage planning may allow U.S. litigants 3 While this article addresses the conflict for to avoid privacy and disclosure conflicts U.S. based companies with access to private before they arise. foreign information, the same concerns and analysis offered here, apply equally to foreign 1 entities subject to U.S. court jurisdiction. See, e.g., Law No. 80-538 of July 16, 1980, 4 See, e.g., Valois of Am., Inc. v. Risdon Journal Officiel de la République Française Corp., 183 F.R.D. 344, 346 (D. Conn. 1997) [J.O.] [Official Gazette of France], July 17, (“In many of the post-Societe Nationale 1980, p. 1799 (French blocking statute); decisions, . . . judges were unwilling to attach Strafgesetzbuch [StGB] [Criminal Code] Nov. much significance to the sovereign interests 8, 1934, art. 271 (Swiss blocking statute). For involved, finding no important interest to be the sake of time and space this article refers to offended by use of the Federal Rules, and privacy laws generally and should be instead recognized that use of the Hague understood to include blocking statutes. Convention could involve considerable time and expense.”). 5 See Cour de Cassation chamber criminelle [Cass. Crim.][highest court of ordinary jurisdiction] Paris, December 12, 2007, Bull. crim., Appeal n 07-83228 (fining “Christopher X” €10,000 in part for violation of a French blocking statute in connection with discovery in a U.S. case); Adam Liptak, When American and European Ideas of Privacy Collide, N.Y. TIMES, Feb. 27, 2010, available at http://www.nytimes.com/2010/02/28/weekinre How Companies Should Navigate Strict Foreign Privacy Laws Page 195

view/28liptak.html (discussing Italian courts’ 10See, e.g., Council Directive 95/46/EC, 1995 enforcing criminal sanctions against Google O.J. (L 281) 31-50 available at http://eur- executive for violating privacy laws); Marc lex.europa.eu/LexUriServ/LexUriServ.do?uri= Gottridge and Thomas Rouhette, France Puts CELEX:31995L0046:EN:HTML. Some Muscle Behind Its Blocking Statute, 239 11 See id. [hereinafter Privacy Directive]. The N.Y.L.J. 82 (2008). privacy directive encourages members states 6 See M. James Daley & Kenneth N. to protect “the right to privacy” while still Rashbaum, THE SEDONA CONFERENCE, A providing for differences in the “variety of FRAMEWORK FOR ANALYSIS OF CROSS BORDER national laws, regulations, and administrative DISCOVERY CONFLICTS: A PRACTICAL GUIDE provisions.” Id. at (7). 12 TO NAVIGATING THE COMPETING CURRENTS OF See, e.g., Federal Act on Data Protection INTERNATIONAL DATA PRIVACY AND E- ("BDSG") January 27, 1977 DISCOVERY 1 (2008). (Bundesgesetzblatt, Part I, No 7, February 1, 7 See, e.g., Radio Corp. of Am. v. Rauland 1977), amended in 1990. Privacy & Human Corp., [1956] 1 Q.B. 618, 643-44 (describing Rights 2003, An International Survey of the American pre-trial process as the “almost Privacy Laws and Development, Federal abusive discovery permitted by American Republic of Germany, FN 1182, available at law.”). http://www.privacyinternational.org/survey/ph 8 See Cour de Cassation chamber criminelle r2003/countries/germany.htm. Germany is [Cass. Crim.] Paris, December 12, 2007, Bull. one of many European Union members which crim., Appeal n 07-83228. had to revise pre-existing privacy laws, in 9 DIRECTORATE GENERAL FOR ENLARGEMENT, place since 1974 to comply with the new EU UNDERSTANDING ENLARGEMENT: THE Directive. See id. Once the EU Directive EUROPEAN UNION’S ENLARGEMENT POLICY, 16 passed, Germany was forced to refine its EU Publications Office (2007), available at privacy restrictions to comply with the stricter http://www.delmkd.ec.europa.eu/en/broshures requirements of the new Directive. Id. _and_campaigns/Undestranding%20Enlargem 13 See Cour de Cassation chamber criminelle ent%20EN.pdf. Since 1995, European Union [Cass. Crim.] Paris, December 12, 2007, Bull. membership has increased from 12 to 27 crim., Appeal n 07-83228. This case is one countries, providing the European Union with example of increased enforcement of privacy the combined negotiating power and economic restrictions by EU countries, in response to influence of industrialized nation status in discovery requests from U.S. litigants. 14 Western and Eastern Europe. See KEY Adam Liptak, When American and ASPECTS OF GERMAN BUSINESS LAW 422 European Ideas of Privacy Collide, N.Y. (Bernard Buecker et al. eds., 3rd ed., Springer, TIMES, Feb. 27, 2010, available at 2006). Indeed, since its introduction in 1999, http://www.nytimes.com/2010/02/28/weekinre the Euro has become the second largest view/28liptak.html; John Hooper, Google reserve currency and second most traded Executives Convicted in Italy, THE GUARDIAN, currency in the world – second only to the dollar. See Aleksander Aristovnik & Cec Tanja, Compositional Analysis of Foreign Currency Reserves in the 1999-2007 Period. The Euro v. The Dollar as Leading Reserve Currency, 13(1) J. FOR ECON. FORECASTING 165-181 (2007). Page 196 THE PRIVACY PROJECT IV – 2011

Feb. 24, 2010, available at 19 See, e.g., Societe Nationale Industrielle http://www.guardian.co.uk/technology/2010/f Aerospatiale v. U.S. Dist. Court for S. Dist. of eb/24/google-video-italy-privacy-convictions. Iowa, 482 U.S. 522, 530 (1987) (describing Although this conviction was not directly tied the Hague as a system established to make to United States’ discovery efforts to obtain discovery “tolerable” for all states using its information located abroad, it does strongly procedures); Deman v. Terrien, 2002 WL suggest the European community will not 1824941 (Cal. Ct. App. 2002) (not officially hesitate to enforce its privacy laws through published) (relying on Hague procedures to criminal penalties and/or sanctions against avoid the imposition of potential criminal those who provide or produce private sanctions). information protected by statute. 20 See Anglo Am. Ins. Group, P.L.C. v. 15 See Uniting and Strengthening America by CalFed Inc., 940 F. Supp. 554 (S.D. N.Y. Providing Appropriate Tools Required to 1996) (denying request to use Hague Intercept and Obstruct Terrorism Act of 2001, Convention procedures noting they are more 18 USC § 2712, 31 USC § 5318A (2004). time consuming than the Federal Rules); The statute is commonly referred to as the Seguros Comercial Americas S.A. De C.V. v. “Patriot Act”. Id. Am. President Lines, Ltd., 933 F. Supp. 1301 16 See e.g., Justin Santolli, The Terrorist (S.D. Tex 1996) (calling the Hague procedures Finance Tracking Program: Illuminating the time consuming potentially ineffective); Shortcomings of the European Union’s Moake v. Source Int’l Corp., 623 A.2d 263 Antiquated Privacy Directive, Note, 40 GEO. (N.J. Super. A.D. 1993) (denying the request WASH. INT’L L. REV. 553 (2008) (suggesting to use Hague procedures in part because they the EU’s response to the Patriot Act was to are more expensive and time consuming than pass additional privacy protections in the face the federal rules). of what is widely viewed in the EU as 21 See id. at 542 (calling Hague Convention overreaching by the U.S. government); Dan procedures “unduly time consuming and Bilefky, Europeans Berate Bank Group and expensive” and uncertain to produce the Overseer for U.S. Access to Data, N.Y. TIMES, desired result). Oct. 5, 2006, at A15 (documenting the 22 482 U.S. 522 (1987). European Parliament’s criticism of U.S. access 23 See, e.g., Sandsend Fin. Consultants, Ltd. v. to banking information pursuant to the Patriot Wood, 743 S.W.2d 364 (Tex. Ct. App. 1988); Act). Great Lakes Dredge & Dock Co. v. 17See Gottridge & Rouhette, supra note 5. Harnischfeger Corp., 1990 WL 147066 (N.D. 18 The Hague Convention on the Taking of Ill. 1990); In re Asbestos Litig., 623 A.2d 546 Evidence Abroad in Civil or Commercial (Del. Super. 1992); In re Aircrash Near Matters, opened for signature March 18, 1970, Roselawn, Ind., 172 F.R.D. 295 (N.D. Ill. 23 U.S.T. 2555, T.I.A.S. No. 7444, 847 1997); Adm’rs of Tulane Educ. Fund v. Debio U.N.T.S. 231 [hereinafter Hague Convention]. Holding S.A., 2000 WL 1131999 (E.D. La. 2000). 24 See supra note 20. How Companies Should Navigate Strict Foreign Privacy Laws Page 197

25 See Strauss v. Credit Lyonnais, S.A., 242 35 See Uzan, 2003 WL 203011 (letters from F.R.D. 199, 210-223 (E.D.N.Y. 2007) Swiss ambassador); Deman v. Terrien, 2002 (analyzing each Aerospatiale factor separately, WL 1824941 (Cal. App. 2002) (not designated but discounting the threat of French criminal for publication) (refusing to compel defendant sanctions); In re Rubber Chem. Antitrust to travel to the U.S. for a deposition in part Litig., 486 F.Supp.2d 1078 (N.D.Cal. 2007) based on the formal protestation letter of a (considering the complete comity analysis and French judicial official). finding in favor of non-disclosure); In re 36 See Uzan, 2003 WL 203011 (considering Payment Interchange Fee & Merch. Disc. letters from Swiss ambassador in decision to Antitrust Litig., 2010 WL 3420517, *7-9 require Hague procedures for pretrial (E.D.N.Y. Aug. 27, 2010) (slip copy) discovery); Jacobsen v. Deutsche Bank, 206 F. (weighing each Aerospatiale factor and Supp.2d 590, 592 (S.D.N.Y. 2002) (respecting finding foreign interests prohibited disclosure the decision of a German court that journalist of requested material). privilege prohibited compelling deposition 26 See generally Gucci Am., Inc. v. Curveal testimony after utilizing Hague procedures [A Fashion, 2010 WL 808639 (S.D.N.Y. Mar. 8, letter of request]). 2010); In re Air Cargo Shipping Servs. 37 Compare Ings v. Ferguson, 282 F.2d 149, Antitrust Litig., 2010 WL 1189341 (E.D.N.Y. 151-53 (2d. Cir. 1960) (using letters rogatory March 29, 2010). to obtain evidence located in foreign 27 Gucci, 2010 WL 808639 at *8. jurisdictions) with Société Nationale 28 Id. at *7-8. Industrielle Aerospatiale v. United States, 482 29 Id. However, the court left room for U.S. 522 (1987) (holding the Hague protecting the foreign privacy interests Convention is neither the initial nor exclusive implicated if the foreign government indicated remedy for obtaining evidence abroad) and In intentions to protect its own privacy interests. re Vitamins Antitrust Litig., 2001 WL Id. at *8. 1029433 (D.D.C. 2001) (holding the Hague 30 In re Air Cargo, 2010 WL 1189341 at *3. Convention procedures were unlikely to result This court refused to restrict discovery, but in efficient and timely discovery). recognized the legitimacy of excusing 38 See European Commission, Article 29 nonproduction when criminal sanctions are Working Party Opinion 4/2007 on the Concept realistically possible. Id. of Personal Data, 01248/07/EN (2007), 31 See id. available at http://eur-lex.europa.eu/en 32 Motorola Credit Corp. v. Uzan, 55 Fed. R. /index.htm (last visited October 28, 2010); Serv. 3d 762 (S.D.N.Y. 2003). Directive 2002/58/EC of the European 33 In re Daimler Chrysler AG Sec. Litig,, 2003 Parliament and of the Council of 12 July 2002 WL 21698358 (E.D. Mich. 2003) concerning the processing of personal data and 34 See Gucci, 2010 WL 808639 at *7 the protection of privacy in the electronic (explaining that because defendants provided communications sector (Directive on privacy no evidence of previous enforcement, the and electronic communications), Official court cannot conclude there is a risk of Journal L 201, 31/07/2002 P. 0037 – 0047 enforcement in the case at hand); In re Air available at http://eur-lex.europa. Cargo, 2010 WL 1189341 at *2 (explaining that the factual differences between the previous French enforcement of its privacy statute makes it very unlikely the defendant will actually be prosecuted). Page 198 THE PRIVACY PROJECT IV – 2011

eu/LexUriServ/LexUriServ.do?uri=CELEX:3 outside the country’s borders. See, e.g., 2002L0058:EN:HTML; see also Privacy Article 29 Working Party, WP 55 at p. 21. Directive, supra note 11, art. 2(a) ("an 45See In re Citric Acid Litig., 191 F.3d at identifiable natural person is one who can be 1107. The Ninth Circuit Court of Appeals identified, directly or indirectly, in particular explained that acting as the alter ego or agent by reference to an identification number or . . . of another company can cause a corporation to one or more factors specific to his physical, be deemed to have possession, custody, and physiological, mental, economic, cultural or control of discovery materials. Id. social identity."). 46 See Privacy Directive, supra note 11, art. 8. 39 See Official Journal L 201, 31/07/2002 P. Article 8 lays out three exceptions to the 0037 – 0047, European Commission, Article prohibitions against processing personal 29 Working Party Opinion 4/2007 on the information, one of which is obtaining the data Concept of Personal Data, 01248/07/EN subjects consent. Id. art. 8(2) (a), 8(2) (b), 8(2) (2007), available at http://eur- (e). lex.europa.eu/en/index.htm (last visited 47 See Working Party, Working Document on a October 28, 2010). Common Interpretation of Article 26(1) of 40 FED. R. CIV. P. 34(a) (2007). Directive 95/46/EC of 24 October 1995, at 9, 41 See, e.g., In re Citric Acid Litig., 191 F.3d 2093/05/EN, WP 114 (Nov. 25, 2005) Article 1090, 1107 (9th Cir. 1999) (Explaining that 26(2) (a). To rely on consent it must be acting as the alter ego or agent of another specific, informed, and freely given. company can cause a corporation to be Specificity requires a particular transfer or deemed to have possession, custody, and series of transfers be consented to and control of discovery materials). Id. transfers between entities often will not avoid 42 See In re Citric Acid Litig., 191 F.3d at violation through vicarious consent. Id. 1107; Cochran Consulting, Inc. v. Uwatec 48 See, e.g., In re Lernout & Hauspie Secs. USA, Inc., 102 F.3d 1224, 1229-30 (Fed. Cir. Litig., 218 F.R.D. 348, 354 (D. Mass. 2003) 1996); In re Bankers Trust Co., 61 F.3d 465, (acknowledging the redaction of personal 469(6th Cir. 1995); Chaveriat v. Williams information is a valid method of avoiding Pipe Line Co., 11 F.3d 1420, 1426 (7th Cir. privacy violations). 1993); Gerling Int'l Ins. Co. v. Comm’r, 839 49 Directive 2002/58/EC – Directive F.2d 131, 140-41 (3d Cir. 1988); Searock v. concerning the processing of personal data and Stripling, 736 F.2d 650, 653 (11th Cir. 1984). the protection of privacy in the electronic Although, entities related more tenuously to communications sector as made under Art. 95, one another can also face international Journal Reference L201, 2002-07-31 pp. 37- discovery complications. 47, as modified by Directive 2006/24/EC. 43 50 The European Commission and U.S. See FED. R. CIV. P. 34 (1970). Department of Commerce have created a framework enabling participants to register and employ the privacy and privacy disclosure protections offered. See generally, U.S. Department of Commerce, “Safe Harbor,” available at http://www.export.gov/safeharbor/index.html. 44 It is a violation of some foreign privacy laws for even an entity within that foreign country to collect or review private information, even if it is not transferred How Companies Should Navigate Strict Foreign Privacy Laws Page 199

51 See, e.g., Tracy L. Boyd, The Information Black Hole: Managing the Issues Arising from the Increase in Electronic Data Discovery in Litigation, 7 VAND. J. ENT. L. & PRAC. 323 (2005); Kenneth J. Withers, Electronically Stored Information: The December 2006 Amendments to the Federal Rules of Civil Procedure, 4 NW. J. TECH. & INTELL. PROP. 171 (2006); John B. v. Goetz, 531 F.3d 448, 453 (6th Cir. 2008) (describing the involved process of obtaining ESI in the case); Pension Comm. of Univ. of Montreal Pension Plan v. Bank of Am. Secs., LLC, 685 F. Supp.2d 456 (S.D.N.Y. 2010) (listing the extensive electronic materials covered under electronic discovery); Zubulake v. UBS Warburg LLC, 2004 U.S. Dist. LEXIS 13574, at *35 (S.D.N.Y. July 20, 2004) (requiring litigants not only place electronically stored information materials in a litigation hold but also monitor compliance to avoid a potential adverse inference at trial). 52 See id. 53 See, e.g., Goetz, 531 F.3d at 453 (describing the complicated process for obtaining ESI discovery); Zubulake v. UBS Warburg LLC, 229 F.R.D. 422, 431 (S.D.N.Y. 2004). Even a cursory review of the case law on e-discovery reveals the significant burden it adds to pretrial preservation and production demands. 54 See FED. R. CIV. P. 37 (2007); see also Goetz, 531 F.3d at 453; Zubulake, 229 F.R.D. at 431. Revisiting the Apex Doctrine

By Christopher R. Christensen and Christopher R. Christensen is a Justin M. Schmidt partner with Condon & Forsyth LLP in New York City. He concentrates his FREQUENTLY employed tactic in practice in the areas of complex aviation, A contentious litigation is the service of product liability, and commercial a notice seeking the deposition of a senior litigation. company executive. Such a tactic is often Justin M. Schmidt is an associate used for intimidation or harassment of the who works in the same practice group corporate defendant. The proper response to such a deposition notice is to consider of the apex deponent detailing the extent the applicability of the apex doctrine. of his or her knowledge of and As a general matter, the apex involvement with the dispute, and if doctrine requires the party seeking the applicable, identifying less burdensome deposition of a senior corporate executive methods for obtaining the requested to demonstrate that the deponent has information, such as questioning lower relevant – and often unique or superior – level employees through interrogatories knowledge that is unavailable through or depositions. less intrusive discovery methods. The IADC Privacy Project last However, the apex doctrine is not an addressed the apex doctrine in 2007 with absolute shield for avoiding an apex an excellent article by Ralph Streza and deposition, particularly if the objections Patrick T. Lewis titled Privacy in the to the deposition merely consist of Executive Suite: The Apex Doctrine, boilerplate assertions of undue burden, which analyzed the doctrine’s origin, harassment, and the obligatory reminder application, and leading cases. This is an of the apex deponent’s “extremely busy update to that article. As such, this article schedule.” focuses on trends and factual nuances in Not all jurisdictions recognize the federal and state cases decided since apex doctrine. In such jurisdictions, publication of Messrs. Streza and Lewis’ counsel can often reach the same result by article and also identifies federal district obtaining a protective order to prevent an courts that have incorporated aspects of apex deposition. The specific the apex doctrine into their local rules. requirements for obtaining a protective order against an apex deposition vary I. Defining the Apex Doctrine from jurisdiction to jurisdiction. For instance, some courts place the burden of The apex doctrine is primarily a persuasion on the party seeking to prevent common law doctrine that allows courts the apex deposition while other courts to balance a party’s right to liberal shift the burden to the party seeking the discovery with an apex deponent’s right deposition. Regardless of the jurisdiction, to be protected from abuse and counsel seeking to avoid an apex harassment.1 When a party objects to the deposition should file a motion for a deposition of an apex deponent (usually protective order that includes an affidavit by filing a motion for a protective order), Revisiting the Apex Doctrine Page 201 the apex doctrine generally requires requirements to quash a subpoena under courts to consider, before compelling an Rule 45(c)).10 While Rule 26 does apex deposition, “whether the executives require the moving party to show “good possess personal or superior [or] unique cause” for a protective order, many knowledge” and “whether the information federal courts require the party seeking could be obtained from lower level the deposition to show that the apex employees or through less burdensome deponent has personal or unique means, such as interrogatories.”2 knowledge of the dispute or that other Strictly speaking, the apex doctrine discovery methods are unavailable or requires courts to shift the burden of have been exhausted.11 To the extent persuasion of these considerations onto possible, counsel should determine which the party seeking the deposition.3 side of the burden divide the judge in However, many courts that follow the their particular case falls on as judges traditional protective order rule of placing within the same court may disagree on the burden on the party opposing the which party bears the burden.12 deposition recognize that apex deponents Regardless of which party the court are particularly susceptible to harassment places the burden of persuasion on, a and abuse and will not hesitate to issue a party seeking to avoid an apex deposition protective order if warranted under the can often attain the same result under circumstances.4 This can be true even of either approach with a well-supported those courts that expressly reject the apex motion for a protective order. doctrine.5 In other words, whether a court places the burden of persuasion on II. Who Qualifies as an Apex the moving or opposing party is not Deponent? necessarily determinative of whether the court will grant or deny a protective order As a preliminary matter, courts must for an apex deponent. decide whether the person seeking to For procedural purposes, however, it invoke the apex doctrine is sufficiently is important to note that courts are split high-ranking. Courts still point to Lee on whether the burden of persuasion lies Iacocca, then Chairman of the Board of with the party seeking the deposition6 or Chrysler Corporation, in the leading case with the party seeking to prevent the of Mulvey v. Chrysler Corp.13 as the deposition.7 In some states, such as epitome of an apex deponent.14 In Texas, the state courts place the burden Mulvey, the court required the plaintiff to on the former,8 while the federal courts propound interrogatories instead of place the burden on the latter.9 One deposing Mr. Iacocca because “he is a Texas federal district court explained that singularly unique and important although federal courts apply state individual who can be easily subjected to substantive law in diversity jurisdiction unwarranted harassment and abuse. He claims, federal procedural law governs has a right to be protected, and the courts discovery procedures in federal court have a duty to recognize his (i.e., the protective order requirements of vulnerability.”15 In recent cases, courts Federal Rule of Procedure 26 or the had no trouble declaring the following Page 202 THE PRIVACY PROJECT IV – 2011 individuals apex deponents: UAW deposition has sought the information President Ron Gettelfinger, Continental through less intrusive means.22 If the Airlines CEO Larry Kellner, Google former executive is not retired, but simply founders Sergey Brin and Larry Page, and employed elsewhere, courts may compare Microsoft CEO Steven Ballmer.16 the duties and responsibilities of the Senior management personnel need current and prior positions to determine not be household names or the highest whether the executive is still an apex executive in their corporation or deponent. For example, the district court organization to be designated an apex in WebSideStory, Inc. v. NetRatings, Inc. deponent. Courts have found a variety of rejected the defendant corporation’s corporate officers and their equivalents in contention that the plaintiff’s executive non-corporate organizations17 to be whom defendant sought to depose was sufficiently high-ranking for purposes of not an apex deponent because he was no the apex doctrine, such as chief legal longer the CEO of plaintiff’s corporation, officers, general counsel, executive vice but only serving as a director.23 The presidents, directors, university court explained that: presidents, and the Cardinal of the Catholic Archdiocese of New York.18 No since [the deponent] is currently the rule defines a specific cut-off point in the CEO and Chairman of the Board of corporate hierarchy between apex and Directors for another company . . . non-apex deponents. However, one as well as a member of the Board of district court found persuasive the Directors for WebSideStory and its plaintiff’s argument that “a vice president former CEO, [the deponent] is an position is hardly the ‘apex’ of a official at the highest level or company.”19 Another district court was “apex” of a corporation, and while not convinced that the defendant he may not possess the celebrity insurance company’s director of status of apex deponents in other corporate claims, vice president of cases, the Court finds his corporate claims, and senior director for responsibilities to current and prior corporate claims were “officials or employers to be of similar managers at the highest level or ‘apex’ of proportions.24 corporate management to which the particular rules of apex depositions would The party seeking to have its officer apply.”20 designated an apex deponent should Courts also apply the apex deponent provide the court with information of the designation to former or retired executive company or organization’s size, how officers.21 While retired executives may many people it employs, how many not be able to argue that a deposition different offices it has, the amount of its would impede their schedules as it would business that is concentrated in the region an employed executive, courts will where the officer is employed, and nonetheless evaluate whether the retired exactly where the officer ranks in the executive has unique knowledge of the company or organization’s hierarchy.25 issues and whether the party seeking the Providing this information to the court is Revisiting the Apex Doctrine Page 203 especially important when the size of the and held that Continental Airlines’ CEO, company or organization is not readily Larry Kellner, lacked unique or superior known. knowledge about the causes of a 2008 Continental accident in which 37 III. Apex Deponent’s Knowledge of the passengers were injured.28 Plaintiffs Dispute Is Usually the Deciding argued that Kellner had discoverable Factor information about the cause of the accident based on the following: (1) Even if the court designates an public statements he made after the individual as an apex deponent, it still accident indicating that he would learn may permit the deposition to proceed. the cause of the accident to prevent future This typically occurs when the court finds accidents; (2) personal letters he sent to that the apex deponent has relevant each of the passengers; (3) his interviews personal knowledge of or involvement in of flight crew members following the the dispute. accident; and (4) his knowledge of The first question counsel should ask Continental’s implementation of safety when deciding how to respond to a policies.29 Using Kellner’s affidavit, the deposition notice for an apex officer is: court found that Kellner lacked unique or What level of knowledge does the superior knowledge because the deponent have concerning the dispute? information he gave at a press conference The answer to this question usually drives came from other employees; he did not the court’s decision on whether to grant discuss with the flight crew members or deny a protective order because the what occurred before, during, and after apex doctrine “is normally aimed at high the accident; and he did not receive level decision makers who have no information about the cause of the particular direct knowledge of the facts accident in executive briefings.30 pertaining to the particular lawsuit.”26 Moreover, the court found that The requirement of “no particular plaintiffs had not demonstrated that less direct knowledge of the facts” does not intrusive discovery methods had proven mean that a high-level officer must be insufficient, despite the fact that plaintiffs completely unaware of the issues in the had submitted 110 requests for pending litigation for the apex doctrine to production, 74 interrogatories, and taken apply. Two recent cases demonstrate that 11 depositions.31 The court observed that CEOs and other high-level officers are plaintiffs had not deposed employees with often the “public face” of a corporation. critical information about the accident, Consequently, the fact that they may including a Rule 30(b)(6)32 witness, and make public appearances to address emphasized that “[m]erely completing events that are the basis of a pending some less-intrusive discovery does not lawsuit does not necessarily mean they trigger an automatic right to depose an have unique or superior knowledge of the apex official.”33 The court held that issues involved. plaintiffs had failed to show that The Texas Court of Appeals applied Kellner’s deposition would lead to the Texas’ well-established apex doctrine27 discovery of admissible evidence because Page 204 THE PRIVACY PROJECT IV – 2011 his “subjective intent in making the officer has particular knowledge of or had public statements does not establish a role in the dispute and can therefore be anything regarding negligence, proximate deposed.39 Also, mid-level managers cause, or damages.”34 who are not at senior levels of the The Michigan Court of Appeals company are more likely to have relied extensively on the Continental discoverable information.40 Apex Airlines decision in holding that the apex officers who are named as individual doctrine protected Toyota’s Chairman defendants tend to be more closely and CEO and its President and COO from associated with the issues in the being deposed in a wrongful death action litigation.41 Regardless of the size of the involving the alleged sudden acceleration company or of the apex officer’s rank, of a Toyota Camry.35 Plaintiffs asserted courts often will not accept assertions by that both executives had made public defense counsel that an apex deposition appearances to discuss Toyota’s safety will result in abuse, harassment, or problems and vehicle recall campaign unreasonable interruption of the officer’s (which did not include the subject busy schedule if the apex deponent is vehicle). The court found that the Toyota likely to have discoverable information. executives had general knowledge about The following cases illustrate this point. alleged Camry unintended acceleration The Sixth Circuit reversed a district issues, but had no unique or superior court’s denial of plaintiff employee’s knowledge of the vehicle’s design, request to depose her employer’s CEO.42 testing, and manufacturing process.36 The employer argued that the CEO was The court noted that an apex officer not personally involved in and lacked “often has no particularized or specialized personal knowledge of the employment knowledge of day-to-day operations or of decisions that led plaintiff to file particular factual scenarios that lead to discrimination and retaliation claims.43 litigation, and has far-reaching and The court observed that while plaintiff comprehensive employment duties that did not report directly to the CEO (who require a significant time commitment.”37 was the highest ranking officer at a multi- The Continental Airlines and Alberto national corporation with over 10,000 decisions show that the highest executives employees), the two worked in the same in large corporations are often far headquarters building, regularly removed from the issues and events that interacted with each other, and were give rise to litigation. Therefore, such separated by only one direct supervisor.44 executives usually lack unique or superior Accordingly, the court found that the knowledge of specific issues in the CEO had an active role in the adverse litigation, which lower level employees employment decisions at issue, and stated most likely possess. that although the record may not currently However, the apex doctrine is not an support a retaliation claim, “it is more absolute shield that prevents an apex than sufficient to support further officer from being deposed under any discovery.”45 Moreover, the court circumstance.38 For instance, the smaller rejected the CEO’s “bald assertions” that the corporation, the more likely the apex the deposition would pose an undue Revisiting the Apex Doctrine Page 205 burden because other executives had be disinclined to grant a motion that seeks already been deposed and the CEO likely to completely prevent an apex deposition. had information critical to the plaintiff’s For example, one district court in claims.46 deciding whether to completely prohibit The Western District of Arkansas an apex deposition found that: denied a protective order for Wal-Mart’s CEO and its Executive Vice President [T]he issuance of a broad protective despite Wal-Mart’s contention that the order precluding any discovery from apex doctrine should apply and that the [an apex deponent] goes too far. depositions “would cause ‘annoyance, Given the fact that knowledge is embarrassment, oppression, or undue frequently proved circumstantially, burden and expense.’”47 The court noted precluding all discovery of a highly that the test for deciding a motion for a placed business, government or protective order “is not whether a putative clerical official based solely on their deponent had personal involvement in an unchallenged denial of knowledge event, or even whether they have ‘direct’ sets the bar for a protective order knowledge of the event, but whether the too low. . . . [P]arties to an action witness may have information from are ordinarily entitled to test a claim whatever source that is relevant to a claim by a potential witness that he has no or defense.”48 The court found that the knowledge.51 executives may have relevant information about their instructions not to shred Depending on the court’s prior documents pertinent to a government disposition to such prophylactic motions, investigation and whether their counsel may want to consider requesting employees followed the instructions.49 certain limitations on taking the apex These cases demonstrate that apex deposition, rather than (or in the officers of any level can be deposed if the alternative to) requesting complete court concludes that they possess prevention of the deposition. Counsel relevant, unique, or superior knowledge may be able to avoid or at least defer an of issues in the litigation. Even if a court oral deposition by proposing that the apex issues a protective order on the grounds deponent answer interrogatory questions that lower level employees have not been or written deposition questions.52 Courts deposed or other less intrusive discovery also may allow depositions to be means have not been exhausted, courts conducted by telephone or video will often permit a party to renew its conference.53 request to depose an apex officer if it Standard oral depositions, however, shows that the alternate discovery may not always be avoidable. methods proved insufficient.50 Fortunately, courts have granted a wide range of limitations on oral apex IV. Limitations on Apex Depositions depositions. One of the most commonly granted limitations relates to the Due to the broad discovery rules in deposition location. The general rule is state and federal courts, some courts may that depositions of apex deponents “‘are Page 206 THE PRIVACY PROJECT IV – 2011 ordinarily taken at the [deponent’s] agreement, which limited BP’s CEO’s principal place of business unless justice deposition to one hour by telephone.60 requires otherwise.’”54 Courts often grant time restrictions on oral apex V. Incorporation of the Apex Doctrine depositions, limiting the deposition to less into Local Rules than the seven hours allotted under Federal Rule of Civil Procedure Several federal district courts have 30(d)(1).55 Counsel may also request that incorporated aspects of the apex doctrine the scope of inquiry be narrowed to into their local rules.61 specific issues in the case.56 The Eastern District of New York Courts may take into consideration Local Rule 30.5 provides: the health and age of the apex deponent. The standard for “‘seeking to prevent or (a) Where an officer, director or delay a deposition by reason of medical managing agent of a grounds’” is that “‘the moving party has corporation or a government the burden of making a specific and official is served with a notice documented factual showing that the of deposition or subpoena deposition would be dangerous to the regarding a matter about deponent’s health.’”57 Brief and which he or she has no conclusory doctor’s notes are knowledge, he or she may insufficient.58 Even without a submit reasonably before the documented medical condition, however, date noticed for the deposition a court may limit an apex deposition an affidavit to the noticing based on the deponent’s age. In Minter v. party so stating and Wells Fargo Bank, N.A., the court limited identifying a person within the the 75-year old deponent’s deposition to corporation or government five hours on the first day and two hours entity having knowledge of on the second day, even though he the subject matter involved in submitted no opinion from a medical the pending action. professional and merely asserted that “he (b) The noticing party may, has health problems that ‘flare up from notwithstanding such affidavit time to time’ and his ‘stamina has of the noticed witness, proceed declined over the years.’”59 with the deposition, subject to Finally, parties may enter into the witness’s right to seek a discovery agreements with opposing protective order. counsel that provide restrictions or logistical conditions for taking apex Rule 30.5 allows a corporate or depositions. In a case involving the government officer noticed for a explosion of a BP oil refinery in Texas deposition to designate a Rule 30(b)(6) City, Texas, that killed fifteen people, the witness to testify on behalf of the Texas Supreme Court directed a trial corporation or government body court to enforce the parties’ discovery regarding the issues involved in the litigation. The noticing party may accept Revisiting the Apex Doctrine Page 207 the Rule 30(b)(6) witness or proceed with or officer. Before filing a motion for a the apex deposition subject to the protective order to prevent an apex deponent’s right to file a motion for a deposition, counsel should thoroughly protective order. familiarize themselves with the apex The language of District of Wyoming doctrine’s procedural and substantive Local Rule 30.1 is nearly identical to that nuances, which vary depending on the of Eastern District of New York Local jurisdiction or judge, such as which party Rule 30.5. The District of Kansas has the burden of persuasion, who provides a document titled “Deposition qualifies as an apex officer, and what Guidelines,” which is separate from its factual information the court requires to local rules, but contains a paragraph titled apply the doctrine. Counsel also should “Depositions of Witnesses Who Have No determine whether the local rules Knowledge of the Facts,” which also is incorporate elements of the apex doctrine nearly identical to the local rules or consider requesting that the court place mentioned above.62 any guidelines pertaining to apex The Eastern District of Virginia’s depositions in the case management, Local Rule 45 requires permission of the pretrial, or scheduling orders. court before issuing a subpoena for the Even in those courts that reject or do attendance at any hearing, trial, or not expressly apply the apex doctrine, the deposition of the following government party seeking to avoid an apex deposition officials: can often obtain the same relief with a well-supported motion for a protective (1) the Governor, Lieutenant order. No apex deponent is immune from Governor, or Attorney General of being deposed, especially if the officer any State; (2) a judge of any court; has relevant, unique, or superior (3) the President or Vice-President knowledge of the issues in the case that of the United States; (3) any cannot be obtained through alternative member of the President’s Cabinet; discovery methods. Under these (5) any Ambassador or Consul; or circumstances, counsel should seek to (6) any military officer holding the achieve reasonable limitations on the rank of Admiral or General. time, place, scope, and/or method of the deposition. In addition to local rules, some district court judges have incorporated 1 See Abarca v. Merck & Co., No. 07 Civ. aspects of the apex doctrine into their 0388, 2009 WL 2390583, at *3 (E.D. Cal. case management orders and pretrial Aug. 3, 2009) (“‘Virtually every court that has orders.63 addressed deposition notices directed at an official at the highest level or ‘apex’ of VI. Conclusion corporate management has observed that such discovery creates a tremendous potential for abuse or harassment.’” (citations omitted)). The apex doctrine provides counsel 2 Reif v. CNA, 248 F.R.D. 448, 451 (E.D. Pa. with the ability to avoid, or at least limit, 2008) (analyzing a number of leading apex the deposition of a high-ranking executive doctrine cases). Page 208 THE PRIVACY PROJECT IV – 2011

3 See Crest Infiniti II, LP v. Swinton, 174 P.3d executive before being deposed does not 996, 1003 (Okla. 2007) (citing Crown Cent. establish “rigid adherence to the burdens Petroleum Corp. v. Garcia, 904 S.W.2d 125, imposed under the facts of those cases”)); 128 (Tex. 1995)); see also Gauthier v. Union Prosonic Corp. v. Stafford, No. 07 Civ. 803, Pac. R.R. Co., No. 07 Civ. 12, 2008 WL 2008 WL 64710, at *1 (S.D. Ohio Jan. 3, 2467016, at *4 n.2 (E.D. Tex. June 18, 2008); 2008); Bouchard, 2007 WL 2728666, at *4. Alberto v. Toyota Motor Corp., No. 296824, 8 See In re Cont’l Airlines, Inc., 305 S.W.3d 2010 WL 3057755, slip op. at 3 (Mich. Ct. 849, 852 (Tex. App. 2010). App. Aug. 5, 2010) (the page numbers cited 9 See Staton Holdings, Inc. v. Russell Athletic, for this case refer to the court’s slip opinion Inc., No. 09 Civ. 0419, 2010 WL 1372479, at because the Westlaw version was not *2-3 (N.D. Tex. Apr. 7, 2010); Gauthier, 2008 paginated when this article went to print). WL 2467016, at *3. 4 See, e.g., Tabor v. Hilti, Inc., No. 09 Civ. 10 See Gauthier, 2008 WL 2467016, at *4 n.2 189, 2010 WL 2990004, at *1 (N.D. Okla. (finding “no federal cases within the Fifth July 23, 2010); Mehmet v. PayPal, Inc., No. Circuit actually applying the Texas standard 08 Civ. 1961, 2009 WL 921637, at *3 (N.D. for the apex doctrine”). Cal. Apr. 3, 2009); Stelor Prods., Inc. v. 11 See federal cases cited supra note 6. Google, Inc., No. 05 Civ. 80387, 2008 WL 12 Compare Mansourian v. Bd. of Regents of 4218107, at *5 (S.D. Fla. Sept. 15, 2008); Univ. of Cal. at Davis, No. 03 Civ. 2591, 2007 Bouchard v. N.Y. Archdiocese, No. 04 Civ. WL 4557104, at *3 & n.2 (E.D. Cal. Nov. 21, 9978, 2007 WL 2728666, at *6 (S.D.N.Y. 2007) (deciding not to apply the apex doctrine Sept. 19, 2007), aff’d, 2007 WL 4563492 burden-shifting approach because no Ninth (S.D.N.Y. Dec. 18, 2007). 5 Circuit or Supreme Court precedent requires See, e.g., Gauthier, 2008 WL 2467016, at *4 that result, however, noting that the burden- & n.2 (rejecting the “Texas apex doctrine,” shifting approach could be applied under which shifts the burden to plaintiffs, yet certain circumstances) with Abarca v. Merck quashing executives’ depositions and & Co., No. 07 Civ. 0388, 2009 WL 2390583, requiring plaintiffs to “first attempt to obtain at *4 (E.D. Cal. Aug. 3, 2009) (finding that the sought information through the less “the burden-shifting approach provides burdensome means of discovery described guidance to this Court”). herein”). 13 6 106 F.R.D. 364 (D.R.I. 1985). See, e.g., Abarca, 2009 WL 2390583, at *4; 14 See, e.g., Berning v. UAW Local 2209, 242 Chick-Fil-A, Inc. v. CFT Dev., LLC, No. 07 F.R.D. 510, 513-14 (N.D. Ind. 2007); Wal- Civ. 501, 2009 WL 928226, at *1 (M.D. Fla. Mart Stores, Inc. v. Vidalakis, No. 07-MC- Apr. 3, 2009); Wagner v. Novartis Pharm. 00039, 2007 WL 4591569, at *2 (W.D. Ark. Corp., No. 07 Civ. 129, 2007 WL 3341845, at Dec. 28, 2007). *1 (E.D. Tenn. Nov. 8, 2007); Alberto, 2010 15 Mulvey, 106 F.R.D. at 366. WL 3057755, slip op. at 3. 16 See Berning, 242 F.R.D. at 513-14 7 See, e.g., Meharg v. I-Flow Corp., No. 08 (“Gettelfinger, in his position as the President Civ. 0184, 2009 WL 1404603, at *1 (S.D. Ind. of the International UAW [overseeing more May 15, 2009) (citing In re than 600 staff members in a union with over Bridgestone/Firestone Inc. Tires Prods. Liab. 1.3 million members], is particularly Litig., 205 F.R.D. 535, 536 (S.D. Ind. 2002) vulnerable to unwarranted harassment and (determining that decisions where courts abuse that [plaintiff’s] deposition may imposed a burden on the proponent to produce, and he has a right to be protected demonstrate unique personal knowledge by an from such harassment.”); Cont’l Airlines, 305 Revisiting the Apex Doctrine Page 209

S.W.3d at 859; Stelor Prods., Inc. v. Google, protective order for its regional vice president Inc., No. 05 Civ. 80387, 2008 WL 4218107, at of claims). *4-5 (S.D. Fla. Sept. 15, 2008) (Google 20 Lexington Ins. Co. v. Sentry Select Ins. Co., founders); Kelley v. Microsoft Corp., No. No. 08 Civ. 1539, 2009 WL 4885173, at *7 C07-0475, 2008 WL 5000278, at *1-2 (W.D. (E.D. Cal. Dec. 17, 2009). Wash. Nov. 21, 2008) (recognizing 21 Rodriguez v. SLM Corp., No. 07 Civ. 1866, Microsoft’s CEO as an apex deponent, yet 2010 WL 1286989, at *1-3 (D. Conn. Mar. 26, denying his motion for protective order). 2010) (“The standards that govern depositions 17 Courts often bar the depositions of high- of corporate executives apply with equal force ranking government officials under the to former executives.”). Morgan doctrine, a doctrine similar to the 22 Id. apex doctrine. See, e.g., United States v. 23 No. 06 Civ. 408, 2007 WL 1120567, at *3 Sensient Colors, Inc., 649 F. Supp.2d 309, (S.D. Cal. Apr. 6, 2007). 316-18 (D.N.J. 2009) (applying the Morgan 24 Id. doctrine to bar the deposition of a former 25 See Prosonic Corp. v. Stafford, No. 07 Civ. Administrator of the EPA). 18 803, 2008 WL 64710, at *1-2 (S.D. Ohio Jan. See Dart Indus., Inc. v. Acor, No. 06 Civ. 3, 2008) (due to defendant’s lack of factual 1864, 2008 WL 1995105, at *1 (M.D. Fla. detail, the court was unable to determine May 7, 2008) (“no question” that the whether the district manager was sufficiently Secretary, Chief Legal Officer and Executive high-ranking to be “subject to more exacting Vice-President of Tupperware was a “high- scrutiny by the Court than a garden-variety ranking executive officer”); Burns v. Bank of request to take a deposition”). Am., No. 03 Civ. 1685, 2007 WL 1589437, at 26 Wal-Mart Stores, Inc. v. Vidalakis, No. 07- *3 (S.D.N.Y. June 4, 2007) (general counsel); MC-00039, 2007 WL 4591569, at *1 (W.D. Parmer v. Wells Fargo & Co., No. 07 Civ. Ark. Dec. 28, 2007); see also Abarca v. Merck 02061, 2009 WL 1392081, at *1-4 (D. Colo. & Co., No. 07 Civ. 0388, 2009 WL 2390583, May 15, 2009) (executive vice president); at *5 (E.D. Cal. Aug. 3, 2009) (granting Roman v. Cumberland Ins. Group, No. 07 Civ. protective order because “there is no 1201, 2007 WL 4893479, at *1 (E.D. Pa. Oct. indication that [Merck’s CEO] has unique, 26, 2007) (company president, vice president, non-cumulative knowledge simply because his and board of directors); Raml v. Creighton name appears on three documents, particularly Univ., No. 08 Civ. 419, 2009 WL 3335929, at where one is an unsigned draft, one is not *1-3 (D. Neb. Oct. 15, 2009) (Creighton addressed to or from him and another is an University President); Mansourian v. Bd. of apparently unrelated e-mail string addressed to Regents of Univ. of Cal. at Davis, No. 03 Civ. [him] and other individuals”); Alliance Indus., 2591, 2007 WL 4557104, at *1-2 & n.2 (E.D. Inc. v. Longyear Holdings, Inc., No. 08 Civ. Cal. Nov. 21, 2007) (Chancellor of the 490S, 2010 WL 4323071, at *4 (W.D.N.Y. University of California at Davis); Bouchard Mar. 19, 2010) (granting protective order for v. N.Y. Archdiocese, No. 04 Civ. 9978, 2007 CEO and explaining that “‘Apex’ depositions WL 2728666, at *3-4 (S.D.N.Y. Sept. 19, are disfavored in th[e Second] Circuit ‘unless 2007) (relying on cases involving corporate [the executives] have personal knowledge of executives to partially grant a protective order relevant facts or some unique knowledge that for Cardinal Egan), aff’d, 2007 WL 4563492 is relevant to the action’” (citation omitted)). (S.D.N.Y. Dec. 18, 2007). 27 See In re BP Prod. N. Am., Inc., 244 19 Kelly v. Provident Life & Accident Ins. Co., S.W.3d 840, 842 n.2 (Tex. 2008). 695 F. Supp.2d 149, 157 (D. Vt. 2010) (denying insurance company’s motion for a Page 210 THE PRIVACY PROJECT IV – 2011

28 See In re Cont’l Airlines, Inc., 305 S.W.3d 43 Id. at 904. 849, 858 (Tex. App. 2010). 44 Id. at 906. 29 Id. at 851. 45 Id. at 905-06. 30 Id. at 858. 46 Id. at 907. 31 Id. at 858-59. 47 Mills v. Wal-Mart Stores, Inc., No. 06 Civ. 32 A Rule 30(b)(6) witness is chosen by a 5162, 2007 WL 2298249, at *1 (W.D. Ark. company to testify on behalf of the company, Aug. 7, 2007). rather than in the witness’s individual 48 Id. at *2; see also Johnson v. Jung, 242 capacity. F.R.D. 481, 483 (N.D. Ill. 2007) (denying 33 See Cont’l Airlines, 305 S.W.3d at 858-59. protective order for CEO despite her claims 34 Id. at 859. that she lacked personal involvement because 35 Alberto v. Toyota Motor Corp., No. 296824, she likely had relevant knowledge of issues in 2010 WL 3057755, slip op. at 8 (Mich. Ct. the case). App. Aug. 5, 2010). 49 Mills, 2007 WL 2298249, at *2. 36 Id. 50 See, e.g., Gauthier v. Union Pac. R.R. Co., 37 Id. at 6. No. 07 Civ. 12, 2008 WL 2467016, at *4 38 Id. at 5; see also Echostar Satellite, LLC v. (E.D. Tex. June 18, 2008) (quashing the Splash Media Partners, L.P., No. 07 Civ. depositions of the Union Pacific executives, 02611, 2009 WL 1328226, at *2 (D. Colo. but warning that the deposition requests may May 11, 2009) (noting that “‘highly-placed be revisited if plaintiffs show they were unable executives are not immune from discovery’” to obtain the necessary information through (citation omitted)); Otsuka Pharm. Co. v. less burdensome means of discovery); see also Apotex Corp., No. 07 Civ. 1000, 2008 WL Mehmet v. PayPal, Inc., No. 08 Civ. 1961, 4424812, at *5 (D.N.J. Sept. 25, 2008) 2009 WL 921637, at *3 (N.D. Cal. Apr. 3, (“[M]ultiple jurisdictions recognize that there 2009); Reif v. CNA, 248 F.R.D. 448, 455 is not a protective blanket that prohibits (E.D. Pa. 2008). 51 discovery from highly-placed executives.”). Bouchard v. N.Y. Archdiocese, No. 04 Civ. 39 See, e.g., Ray v. BlueHippo, No. 06 Civ. 9978, 2007 WL 2728666, at *4 (S.D.N.Y. 1807, 2008 WL 4830747, at *2 (N.D. Cal. Sept. 19, 2007), aff’d, 2007 WL 4563492 Nov. 6, 2008) (finding that the CEO had (S.D.N.Y. Dec. 18, 2007). 52 “personal knowledge, which is not surprising See, e.g., Elvig v. Nintendo of Am., Inc., given that BlueHippo is a relatively small No. 08 Civ. 02616, 2009 WL 2399930, at *3 company, not a large national corporation”). (D. Colo. July 31, 2009) (interrogatories or 40 See, e.g., Wal-Mart Stores, Inc. v. Vidalakis, written deposition questions under Federal No. 07-MC-00039, 2007 WL 4591569, at *1- Rule of Civil Procedure 31); Craig & 2 (W.D. Ark. Dec. 28, 2007) (distinguishing Landreth, Inc. v. Mazda Motor of Am., Inc., Wal-Mart real estate managers from top-level No. 07 Civ. 134, 2009 WL 103650, at *2 apex officers and finding that the managers (S.D. Ind. Jan. 12, 2009) (interrogatories); may have unique and necessary information Bouchard, 2007 WL 2728666, at *5 concerning the real estate contracts at issue). (permitting plaintiff to serve 25 deposition 41 questions in lieu of an oral deposition). See, e.g., Anthropologie, Inc. v. Forever 21, 53 Inc., No. 07 Civ. 7873, 2009 WL 723158, at Alexander v. Johns Manville, Inc., No. 09 *1 (S.D.N.Y. Mar. 11, 2009); Ray, 2008 WL Civ. 0518, 2010 WL 597984, at *1 (S.D. Ind. 4830747, at *1. Feb. 17, 2010) (providing the option to depose 42 See Conti v. Am. Axle & Mfg., 326 F. manager by telephone); Kirk v. Shaw Envtl., App’x 900, 901-02 (6th Cir. 2009). Inc., No. 09 Civ. 1405, 2010 WL 447264, at Revisiting the Apex Doctrine Page 211

*4 n.3 (N.D. Ohio Feb. 3, 2010) (video Dec. 7, 2000. The language in both of these conferencing possible, presumably if both orders is practically identical to the language parties agree); In re Jarvar, Nos. 04-62762-7 in the above-mentioned local rules for the & 09-00028, 2009 WL 5247491, at *4 n.5 Eastern District of New York., District of (Bankr. D. Mont. Dec. 28, 2009) (video Wyoming, and the District of Kansas’s conferencing permitted if both parties agree). Deposition Guidelines. 54 Crest Infiniti II, LP v. Swinton, 174 P.3d 996, 1003 n.16 (Okla. 2007). 55 See, e.g., Mformation Techs., Inc. v. Research In Motion, Ltd., No. 08 Civ. 04990, 2010 WL 3154355, at *2 (N.D. Cal. Aug. 9, 2010) (1 hour); Kirk, 2010 WL 447264, at *4 (90 minutes); Raml v. Creighton Univ., No. 08 Civ. 419, 2009 WL 3335929, at *3 (D. Neb. Oct. 15, 2009) (2 hours); DR Sys., Inc. v. Eastman Kodak Co., No. 08 Civ. 669, 2009 WL 2973008, at *7 (S.D. Cal. Sept. 14, 2009) (3 hours); Kelley v. Microsoft Corp., No. C07- 0475, 2008 WL 5000278, at *2 (W.D. Wash. Nov. 21, 2008) (3 hours); In re Land, No. 100796/08, 2009 WL 241728, at *5 (N.Y. Sup. Ct. N.Y. County Jan. 6, 2009) (2 hours). 56 See, e.g., Raml, 2009 WL 3335929, at *3; Meharg v. I-Flow Corp., No. 08 Civ. 0184, 2009 WL 1404603, at *3 (S.D. Ind. May 15, 2009); Kelley, 2008 WL 5000278, at *2; In re Land, 2009 WL 241728, at *5. 57 Minter v. Wells Fargo Bank, N.A., 258 F.R.D. 118, 127 (D. Md. 2009) (citation omitted) (emphasis added by the Minter court). 58 Id. at 127-28. 59 Id. at 128. 60 See In re BP Prod. N. Am., Inc., 244 S.W.3d 840, 848 (Tex. 2008). 61 Due to the sheer number of state, county, and local courts, only the local rules for federal courts were reviewed. 62 Deposition Guidelines, available at http: //www.ksd.uscourts.gov/guidelines/depo guidelines.pdf. 63 See, e.g., In re Seroquel Prods. Liab. Litig., No. 6:06-md-1769 (M.D. Fla.), Case Management Order No. 3, filed Apr. 13, 2007; In re Propulsid Prods. Liab. Litig., MDL No. 1355 (E.D. La.), Pretrial Order No. 7, filed