A Brave New World looms on the Internet. Anyone who watched “The Great Hack” on Netflix knows how all the data collected from social media accounts and the internet can be merged and refined into an almost perfect profile of EVERY voter in America. That’s simultaneously both amazing and terrifying!
Europe is trying to regulate online data usage and ensure cybersecurity with a framework of regulation known as the GDPR. The question to be asking is does a similar structure work in the United States or is there even a need? Let’s face it – not a week goes by without a data breach of some kind from some well-known company.
Many, many questions need to be asked to understand this brave new world and this Blog hopes to explore as many as possible!
“I really believe that we don’t have to make a trade-off between security and privacy. I think technology gives us the ability to have both.”
Privacy is not just a fundamental right. Fundamental rights in the United States are natural law derivatives anointed by the Supreme Court as deserving of the highest level of protection from government intrusion. But the government isn’t the only one intruding here. Businesses are tracking everything we do online. Privacy rights do not extend to most of our online activities conducted through private business enterprises.
Despite arguments to the contrary, privacy is not even a natural law right. In fact, until recently it wasn’t considered a desirable right. It is not mentioned once in either the Declaration of Independence or the United States’ Constitution. Society felt through most of history that knowing what your neighbor was up to was good for everyone. Privacy is not common to all humans and it doesn’t come from nature but rather from societal mandates or positive law. Accordingly, the definition of privacy or the “right to be let alone” must change with the technology of the age.
The “right to be let alone” was a sufficient definition based on the technology of that long ago day. There was no ability to “read our minds.” But now vast amounts of combined data from thousands of websites are capable, utilizing artificial intelligence (“AI”), to literally read our minds. AI knows what we want before we do in many cases. With AI it is almost as if our computers are broadcasting our deepest thoughts and feelings.
Our thoughts have always been our own until now. So privacy isn’t a mere fundamental right, it is much, much more. Lack of privacy today means giving up our very right to think what we want. It impacts the right against self-incrimination, search and seizure, freedom speech, the press, religion and so much more. It stifles the desire to access information that society in general frowns upon.
So how do we protect something so basic as freedom of thought? Because that is the current definition of privacy at its highest level. What was once science fiction is now very real. AI can determine based on numerous factors what is likely to influence you, receive your support or disdain, and determine what you want to hear. It can influence elections, global markets, and be directed at the destruction of an individual, group or ideology.
Is it possible to protect our private thoughts and inclinations from AI and other technologies? As with all solutions it will take time and patience; but the right to privacy must be advanced alongside technological innovations. Protecting privacy will be the Digital Age’s contribution to the rights of humankind.
Privacy is a judicially created doctrine that expanded with the Digital Age. For the last twenty years, privacy has come under attack from both security and safety issues alike. Now comes COVID-19 to the table. And it’s a game changer for privacy.
COVID-19 may fundamentally change privacy law. Once again we are asked as a nation to decide whether our privacy rights are more important than our safety. After 9/11 the Patriot Act increased government surveillance powers and the majority of Americans accepted this new role of government in exchange for increased security.[i] COVID-19 is a threat to our safety. Americans seem split over whether the current impact on our civil liberties including privacy is acceptable given the risk COVID-19.[ii] However, if a virus with a much higher mortality rate, such as Ebola, were at issue, it seems doubtful anyone would object to giving the government the power it would need to keep us safe. So then, the only true evaluation of the impact of COVID-19 on privacy must be viewed in light of the severity of the risk and the necessity of the intrusion on our privacy rights.
The two areas of privacy law at issue that are most concerning are surveillance and biometric data. Both areas of law are in their infancy compared to the technology that exists and changes every day. However, technology that most of us have never heard of or even understand, is now being used to track us and the spread of the virus. Biometric data is being gathered every time our temperature is taken to gain entry into an establishment or even board of plane. Drones are taking temperatures from the air and our cell phones are being tracked to trace the spread of COVID-19.[iii]
The collection of this information is a scary and dangerous proposition. The Supreme Court ruled in Carpenter v. United States (2018)[iv] that the Stored Communications Act[v] did not allow the FBI to seek phone location data from a telecom provider to track other members of a robbery gang after seizing one of the suspects’ phones. Yet today cell phones are being tracked to fight the spread of COVID-19. [vi]
No doubt, exigent circumstances will tip the scale in favor of allowing such violations of the Fourth Amendment. However, what happens after COVID-19? It does not seem likely that the government will voluntarily relinquish this new wealth of information that could be used for tracking criminal activity, establishing a person’s routine or even determining a person’s health status.
The danger is not in the collection of this data for limited purposes, the danger is that this information can be combined with other databases of information collected by Big Data companies, Social Media Platforms and HIPAA protected information to produce a highly individualized profile of a person.
Many people would say, “that’s not what the framer’s intended.” But actually, the founders weren’t all that interested in privacy. Instead they focused on security and safety. However, today privacy is essential. Privacy from surveillance was an issue before COVID-19 i.e. drones and now drones are being used to find groups of people gathering without social distancing.[vii] This is a scary invasion of our privacy.
So far the Supreme Court is hesitant to view the use of drones and aerial phots as a violation of our expectations’ of privacy. In California v. Ciraolo, (1986)[viii] the court found that flying a plane at an altitude under 1000 feet over a property on which marijuana was suspected to be growing did not violate any expectation of privacy. In Florida v. Riley, (1989)[ix] the court held that aerial surveillance did not invade our privacy.
But recently, the Supreme Court is starting to back away from their previous view. In United States v. Jones, (2012)[x] the court seemed bothered by the persistency of the invasion of privacy of using a GPS tracker on a suspect’s car. There is a significant difference between a single photo taken with 35mm film from a plane as in Ciraolo and the constant use of drones recording everything we do every day for use by police departments. This is the business model of company named Persistent Surveillance Systems[xi]. Anyone who reviews their website will be shocked at what is not only being proposed but is actually being implemented by police departments around the country.
Ironically, technology created privacy. In Griswold v. Connecticut (1965),[xii] the Courts were forced to decide whether using birth control (a new technology) could be regulated by a state. The court said no and created the doctrine of privacy once and for all found in the penumbras of other amendments.
Now technology is the biggest threat to privacy. Technology has allowed for the creation of databases that hold our entire lives. If the Cambridge Analytica scandal shows us anything, it is that a small bit of information gathered online can be linked with public record databases and voting records to create a predictable outcome in an election. COVID-19 is going to force us to take a good hard look at the collection of information through surveillance and biometric data gathering. Exigent circumstances are one thing, but will our rights be restored after the pandemic or are we entering a 1984 inspired surveillance state?
COVID-19 revolutionized the need for remote work by employees. And the trend toward working remote likely will continue after the outbreak is a distant memory. However, the privacy and cybersecurity implications surrounding these remote workers are often either unknown and/or ignored. So now what? With more of your employees working off-site, how do you protect your company against privacy violations of state, federal and international law?
The first step is to review your privacy policy. Is it too lax? Is it too strict? Either extreme creates its own issues such as inefficiency for remote workers or potential data breaches. The policy must contain clear penalties for violations. Violations must be tracked and the penalties enforced for the privacy policy to fulfill its purpose.
The second step is to make sure that every employee, vendor and client, is aware of the privacy policy and where appropriate, commits to the privacy policy with either a physical or digital signature. These acknowledgements must be stored and organized by privacy policy version. As the privacy policy is amended from time to time, it is important to determine whether an additional acknowledgement is required from your employees, vendors and clients.
The third step is to train employees on how to abide by the privacy policy. A policy is useless if no one understands it or is unsure how to apply it to their employment duties. With remote workers, this becomes even more critical as data that may permissibly be left on a desk or sent in an email on a secure network, may not be appropriate in a remote working environment. Remote workers need to use Virtual Private Networks (VPN) to access company systems. Companies should verify that each remote worker is using a VPN while working remotely.
The final step requires taking a second look at your data, the processing of the data and specific business sector regulations such as the Graham-Leahy Bliley Act in the financial sector. During this review it is important to identify new risks posed by remote workers. One way of achieving this review is to either assign or hire a Chief Information Officer (CIO) to coordinate and stay abreast of the latest trends and developments.
Another aspect of cybersecurity and privacy that must be evaluated and implemented wherever possible is Privacy Enhancing Technology (PET). These various technologies (there are five) allow for a greater use of data while removing all identifiable information and resisting attempts to reconstruct personal information by combining an anonymous data set with a data set that “decodes” the first set, such as Census data or voter registration databases. More information on PET can be found here.
America (not just California) is bracing for the first enforcement action under the California Consumer Privacy Act (“CCPA”) on July 1, 2020 (at the latest). The CCPA of 2018 went into effect on January 1, 2020 and affects businesses across the nation. It was born as a stopgap measure to forestall a more stringent referendum initiative.[1] It was passed after only a week of debate and resulted in legislation that falls short of constitutional muster under numerous constitutional challenge theories due to its drafting errors, overreaching, and lack of clarity.[2] Despite seven (7) amendments passed by the California Legislature and a plethora of California Attorney General regulations adopted, [3] the CCPA is still unenforceable under the United States Constitution because it is designed to regulate the entire information superhighway.
The Tenth Amendment to the United States Constitution states that all powers not granted to the federal government are reserved for the states and the people. A judge-created doctrine known as the Dormant Commerce Clause or the Negative Commerce Clauses restricts the states from passing laws that inhibit interstate commerce. Interstate commerce is regulated by the federal government pursuant to the United State Constitution, Article I, Section 8, clause 3.
This article will focus on using transportation case law decided under the dormant commerce clause as they apply to the CCPA. “[T]he Internet is analogous to a highway or railroad. This determination means that the phrase “information superhighway” is more than a mere buzzword; it has legal significance…” Am. Libraries Ass’n v Pataki, 969 F Supp 160, 161 (SDNY 1997). The CCPA regulates the entire information superhighway and seeks to control interstate commerce. “The Constitution …. was framed upon the theory that the peoples of the several states must sink or swim together, and that in the long run prosperity and salvation are in union and not division.” Baldwin v. G.A.F. Seelig, 294 U.S. 511, 523 (1935).
There are numerous articles describing the details of the CCPA and this article is not intended as a guide to the CCPA. In general, the CCPA creates extensive new data privacy rights for California resident, but as always, the devil is in the details. Californians’ new rights follow them outside the state on business or pleasure travel and the law also creates statutory damages for data breaches. This will no doubt lead to extensive litigation once was the starting gun fires in July 2020.
California is the world’s fifth largest economy and is home to approximately 40 million residents.[4] The CCPA applies to in-state and out-of-state businesses that are in anyway connected to California residents and meet certain thresholds. The most worrisome of these thresholds is that a mere 140 website visits from unique California residents a day, will trigger the application of the CCPA and ostensibly its penalties. The CCPA has the potential to ensnare companies that depend on web commerce and to ensnare any company who does business with a company subject to the CCPA in the form of business client inquiries targeting the proper processing and handling of personal information by that company.[5]
Clearly the CCPA’s extensive reach creates dormant commerce clause concerns. Dormant commerce clause analysis starts by examining whether the primary purpose of the CCPA discriminates on its face against out-of-state actors. If it discriminates it is invalid. This CCPA is neutral on its face.
Accordingly, the court then uses a four-part balancing inquiry to examine the law further, asking: Does the statute regulate evenhandedly? Does the statute effectuate a legitimate purpose? Are the effects on interstate commerce incidental? Is the Burden created clearly in excess in relation to local putative benefits? Pike v. Bruce Church, Inc., 397 U.S. 137 (1970).
“It is unnecessary to review in detail the evolution of the principles of Commerce Clause adjudication. The Clause is both a “prolific sourc[e] of national power and an equally prolific source of conflict with legislation of the state[s].” H. P. Hood & Sons, Inc. v. Du Mond, 336 U.S. 525, 534, 69 S.Ct. 657, 663, 93 L.Ed. 865 (1949). The Clause permits Congress to legislate when it perceives that the national welfare is not furthered by the independent actions of the States. It is now well established, also, that the Clause itself is “a limitation upon state power even without congressional implementation.” Hunt v. Washington Apple Advertising Comm’n, 432 U.S. 333, 350, 97 S.Ct. 2434, 2445, 53 L.Ed.2d 383 (1977). The Clause requires that some aspects of trade generally must remain free from interference by the States. When a State ventures excessively into the regulation of these aspects of commerce, it “trespasses upon national interests,” Great A & P Tea Co. v. Cottrell, 424 U.S. 366, 373, 96 S.Ct. 923, 928, 47 L.Ed.2d 55 (1976), and the courts will hold the state regulation invalid under the Clause alone.”
Even if a law passes the Pike balancing test, the court must take one final step and determine if the law concerns a subject matter that even in the absence of federal legislation “imperatively demand[s] a single uniform rule, operating equally on the commerce of the United States….” Cooley v. Bd. of Wardens, 53 U.S. 299, 326 (1851) (Daniels, J., concurrence). In the 19th and 20th centuries, the clause has mainly been used to prevent economic protectionism by states and to promote a consistent national common market.
Kassel v Consol. Freightways Corp. of Delaware, 450 US 662, 669, 101 S Ct 1309, 1315, 67 L Ed 2d 580 (1981).
The Supreme Court “transportation cases” used the dormant commerce clause to strike down laws that limit the length of trucks (Kassel, supra; Raymond Motor Transportation, Inc. v. Rice, 434 U.S. 429 (1977)), but not a South Carolina law that regulated the weight of trucks (South Carolina State Highway Department v. Barnwell Bros., 303 U.S. 177, 180 (1938)), and struck down an Illinois law regulating the type of mud flaps used by trucks (Bibb v. Navajo Freight Lines, Inc., 359 U.S. 520, 526-27, 529-30 (1959)), along with the limitation on the number of railroad car allowed on trains (Southern Pacific Co. v. Arizona, 325 U.S. 761, 770-71 (1945) . The difference in the rulings in every case was the sufficiency of the evidence demonstrating a safety issue. “Although courts afford great deference to state regulations in the field of highway safety as challengers must overcome a “strong presumption of validity,” the Supreme Court has established that maintaining a cohesive and unburdened national highway network is a substantial countervailing interest.”[6]
“Those who would challenge such bona fide safety regulations must overcome a “strong presumption of validity.” Bibb v. Navajo Freight Lines, Inc., 359 U.S. 520, 524, 79 S.Ct. 962, 964, 3 L.Ed.2d 1003 (1959). …The extent of permissible state regulation is not always easy to measure. It may be said with confidence, however, that a State’s power to regulate commerce is never greater than in matters traditionally of local concern. Washington Apple Advertising Comm’n, supra, 432 U.S., at 350, 97 S.Ct. at 2445. For example, regulations that touch upon safety—especially highway safety—are those that “the Court has been most reluctant to invalidate.””
Kassel v Consol. Freightways Corp. of Delaware, 450 US 662, 670 (1981).
The California Legislature’s stated safety concern under the CCPA is that:
“The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.”
There is no doubt that safety concerns are a driving force behind the CCPA legislation but when California Attorney General Xavier Becerra was asked to frame his mandate he stated that “Americans should not have to give up their digital privacy to live and thrive in this digital age (emphasis added).”[7] Attorney General Becerra said “Americans” not “Californians”. California took it upon itself to regulate the information superhighway without consulting the rest of us.
From the earliest days of transportation cases, a distinction was drawn between areas of law requiring local expertise and areas of law requiring a unified national policy. In Cooley v. Bd. of Wardens, 53 U.S. 299 (1851), the Court was asked to decide whether port fees could be charged at the state level in absence of federal legislation. The Court found that local ports needed local supervision and that even though it affected interstate commerce, it was constitutional. The Court also noted that an 1789 Act passed by Congress granting states power in this field of law was evidence of historical local control of port fees.
Unlike the situation in Cooley, supra, the information superhighway requires a unified national policy. Local control is not only unnecessary but hampers national productivity and commerce. Moreover, to further the analogy to Cooley, the CCPA is trying to control commerce in every port on the information superhighway. But now there is no reason for local control of ports….each port is now the same. Furthermore, there is no history of local control of the information superhighway and Congress did not delegate authority specifically to the states. Congress simply failed to act. That alone is not a sufficient reason to forestall application of the dormant commerce clause.
The CCPA is a trespass against national interests. We all have a stake in privacy rights and one state cannot and should not control the application of privacy rights to an entire nation. The dormant commerce clause was created exactly for this purpose. The real question is whether the Court is ready to act in the absence of Federal legislation. There are several introduced bills but none are gaining traction due to the current political environment and the 2020 election. Only time will tell what will transpire but it does not seem unrealistic to expect a challenge to the law from an out of state business hampered with expenses due to the CCPA.
“Web scraping” involves the use of software to collect data from the internet, which can then be sold to other users. See link to Lexology above.
The Ninth Circuit Court of Appeals recently held in hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 that LinkedIn cannot restrict robotic software from collecting public information on its website. The GDPR takes the opposite approach from the United States in regard to data privacy protection.
The GDPR requires consent of the data subject for all personal information collected. There are six reasons that the GDPR will respect with regard to collecting personal data. Of these six, only consent (which is very unlikely in the case of webscraping) and a legitimate business purpose are applicable. See Article 6 (1) (f) of the GDPR and Recital 47.
Under the GDPR a legitimate business purpose can be simply economic gain but such a reason will not stand if the data subject objects to the collection of the data. The GDPR builds into its architecture the duty of transparency on the part of the data controller. See GDPR Articles 12-13 generally; and specifically for webscraping issues, Article 14. Pursuant to the duty of transparency, the data subject must be notified and given certain categories of information (Article 12), and certain other applicable information (Article 13) and finally if the personal data was not collected directly from the data subject, the webscraper must provide notice to the data subject based on the requirements in Article 14.
Accordingly, webscrapers must notify every data subject whose data they scrape that they have done so and how the data subject can have their data removed from the webscraper’s control. These duties can be abrogated if the effort would yield a disproportionate impact. That exemption from notification was recently challenged in Poland. In UODO (Poland’s Supervisory Authority) v. Bisnode, the Court had no sympathy for the webscraber and ordered an approximately €220,000 fine as well as required Bisnode to notify approximately 6 million data subjects which would have cost Bisnode approximately € 8 million. Bisnode chose to delete the data instead. However, it is unclear if they have done so given their pending right to appeal and their stated intent to appeal all the way to the Court of Justice. While an English version of the decision could not be found at the time of writing, it seems as though the UODO was troubled by the notice placed on Bisnode’s website which informed website users that data had been scraped by the Bisnode. Unfortunately, for Bisnode if you didn’t know your data had been scraped in the first place, how would you know to go to Bisnode’s site to see the notice? Clearly, Bisnode was aware of the GDPR violation and chose to rely on the disproportionate impact exemption. Bisnode gambled and lost. At least so far. Implicit in the decision however, was that webscraping is not necessarily prohibited in the EU under the GDPR.
In July 2019 the EDPB promulgated
guidelines
for interpreting the GDPR with regard to video data. These guidelines contain
the normal GDPR balancing test. As with all data collection within the GDPR’s purview,
there must be an important and documented reason (compelling reason) to gather
the data (in this case video feeds and still camera images) pursuant to Article
6 (1) (f) of the GDPR. Next, the data collector must demonstrate that the need
to collect the data outweighs the data subject’s right to not have the data
collected. For instance, a data subject
might not expect to be filmed trying on clothes but would expect to be
surveilled in a jewelry store. Finally,
the data collector must demonstrate that there is no other way to safeguard the
stated compelling reason other than by usage of the video data.
Sound familiar? It should because it is basically the same
test that the Supreme Court uses in protecting fundamental rights. Privacy as we all know is not in the
Constitution of the United States.
However, privacy was found in Griswold v.
Connecticut to be inherent in most of our critical amendments to the
Constitution.
The foregoing cases suggest that
specific guarantees in the Bill of Rights have penumbras, formed by emanations
from those guarantees that help give them life and substance. See Poe
v. Ulinan, 367 U. S. 497, 516-522 (dissenting opinion). Various guarantees
create zones of privacy.
Griswold
v. Connecticut, 381
U.S. 379, (1965).
The Court stated the test
that limitation of such a fundamental right must overcome:
Such a law cannot stand in light of
the familiar principle, so often applied by this Court, that a
“governmental purpose to control or prevent activities constitutionally
subject to state regulation may not be achieved by means which sweep
unnecessarily broadly and thereby invade the area of protected freedoms.”
Griswold v. Connecticut,
Id.
So could EU’s framework work
in the United States? I am not
sure. For one thing, data collection and
the sale of data is an important industry in the United States. According to “The
Great Hack” on Netflix data is worth more than oil or gold. That is stunning!
The other
problem I foresee is that the enactment of data privacy regulation will have to
be at the Federal level. For instance, California’s
Consumer Privacy Act is modeled almost entirely on the GDPR. But how will companies headquartered in
California such as Google and Facebook handle data collected regarding
California residents and data collected regarding residents of states with no Consumer
Privacy Act? It seems fraught with difficulties…should
California be able to set the state of privacy law for the entire nation? Definitely not!
Returning to
the video surveillance guidelines promulgated by the EDPB, video surveillance
is scary stuff. Recently, the news contained
a story
about how Google has possibly been helping China engage in video surveillance “shaming.” Jaywalkers images are flashed on large
television screens in Beijing. It is
part of China’s social rating of its citizens.
So
clearly, we need data privacy protection.
The ironic part is that governments are excluded from the recent video
surveillance guidelines. So what is
happening in China could possibly happen in EU countries despite the GDPR?
But what
if data collection and usage were not subject to government oversight but
rather to capitalism. What if you could
choose to have laws such as the GDPR protect your data collection or choose to
allow it to be used for enumerated purposes and you were paid a substantial sum
for its usage. Almost like a copyright,
every time your data is processed, analyzed or sold, you would receive a fee.
Monetization
of data collection at the individual level would make compliance with the GDPR
and its like easier and cost effective. Monetization
would level the playing field for the individuals making them an equal in the
data collection industry instead of playing defense like the GDPR’s posture.
The term Data Monetization is
usually associated with business collecting data and selling it to a third
party or using it to increase the business’s own bottom line. What I am proposing is to take it a step
further and put the actual individual into the monetization game.
Instead of
fighting the inevitable gathering of personal data by businesses and
governments, let’s work with it. The
genie cannot be put back in the bottle.
The election of 2016 in the United States and the English vote on Brexit
are the writing on the wall. We cannot
stop the collection of data and maybe we shouldn’t even try.
Bloggers
and YouTube personalities already make a living off sharing their personal
lives. A similar GDPR law in the United
States would have a chilling effect on those booming industries. How can a blogger know what speaks to his or
her audience without gathering data from those individuals that follow the
blogger’s posts?
I don’t
think regulation is the overall answer.
Let capitalism work its magic and then let regulation fill in the holes
that capitalism exacerbates or fails to solve.
This is my
first post on this subject and I welcome comments and suggestions to these
ideas. All opinions are welcome!
BRAVE NEW WORLD 