Privacy and data protection

1
Privacy and data protection

• The Last Class
• Exam open materials
• Three hours
• See posted model

2

• You represent the NY Times in reference to their
  online site. The site gives away electronic
  copies of the NY Times for free, but requires
  that the user register, by answering a number
  of questions giving her name, address, email,
  occupation, general income range, and other
  information and agreeing to contractual terms of
  use. They use this information for targeted
  advertising through mailing lists, pop-up ads
  and the like. You are asked to draft a privacy
  policy for the Times and to advise them on what
  risks they have in reference to possible
  unauthorized access to the data. How should they
  respond?

3
Basic Issues privacy and security

• What considerations of privacy shape modern law?
• Capability of system to acquire, store and
  process individual items
• Create full, rather than scattered files
• Modern query re identity theft and profiling
• Huge social and legal change occurring
• Meaning conflicted and shifting
• Privacy as confidentiality
• Privacy as data protection

4
The Privacy side

• Grounded in tort law and constitutional law
• What is the policy basis?
• Cooley/ Brandeis The right to be left alone
• Reasonable expectation of privacy as one issue
• Subjectively present and Objectively reasonable
• The Court finds that this society is simply not
  prepared to recognize as reasonable a claim
  that a picture on the Internet is private in
  nature, such that the Government cannot access
  it. In fact, the Court believes that our society
  would recognize the opposite that a person who
  places a photograph on the Internet precisely
  intends to forsake and renounce all privacy
  rights to such imagery

5
Privacy torts

• Intrusion on seclusion. One who intentionally
  intrudes, physically or otherwise, upon the
  solitude or seclusion of another or his private
  affairs or concerns, is subject to liability
  for invasion of privacy, if the intrusion would
  be highly offensive to a reasonable person.
• Publication of private facts. A person who gives
  publicity to a matter concerning the private
  life of another is subject to liability for
  invasion of privacy, if the matter publicized is
  a kind that (a) would be highly offensive to a
  reasonable person, and (b) is not of legitimate
  concern to the public.
• False light. Tort if one gives publicity to a
  matter that places the other before the public in
  a false light, the false light would be highly
  offensive to a reasonable person, and the actor
  had knowledge of or acted in reckless disregard
  as to the falsity of the publicized matter.

6
Dwyer case

• Am Ex rents information regarding spending
  habits
• Claims violation of privacy
• Intrusion on seclusion four elements must be
  alleged - (1) an unauthorized intrusion or prying
  into the plaintiff's seclusion (2) an intrusion
  which is offensive or objectionable to a
  reasonable man (3) the matter upon which the
  intrusion occurs is private and (4) the
  intrusion causes anguish and suffering.
• No violation

7
Dwyer cont.

• Claims fraud you promised and said that you did
  not use them in the particular way, but then did
  so.
• Result no liability
• Defendants contend, and we agree, that the only
  damage plaintiffs could have suffered was a
  surfeit of unwanted mail. Plaintiffs have
  failed to allege how they were damaged by
  defendants' practice of selecting cardholders for
  mailings likely to be of interest to them.

8
Data protection Issues

• Personally identifiable data is the issue
• Limit the right of the holder of the data to use
  it
• Defined (a) "personal data" shall mean any
  information relating to an identified or
  identifiable natural person ("data subject") an
  identifiable person is one who can identified,
  directly or indirectly, in particular by
  reference to an identification number or to one
  or more factors specific to his physical,
  physiological, mental, economic, cultural or
  social identity
• The issue is how can the holder of such data use
  it?
• Restraint is a result. What is the policy?
• Consideration right/ interest of general
  economy, other person etc.

9
EU Directive personal data may be processed only
if

• (a) data subject has given his consent
  unambiguously
• (b) processing is necessary for the performance
  of a contract to which the data subject is party
  or in order to take steps at the request of the
  data subject prior to entering into a contract
• (c) processing is necessary for compliance with
  a legal obligation to which the controller is
  subject
• (f) processing is necessary for the purposes of
  the legitimate interests pursued by the
  controller or by the third party to whom the
  data are disclosed.

10
Cal Privacy Policy Posting Law

• In general no requirement
• California and a few others say
• An operator of a commercial Web site or online
  service that collects personally identifiable
  information about individual consumers residing
  in California who visit its site or service
  shall conspicuously post its privacy policy on
  its Web site, or in the case of an operator of an
  online service, make that policy available in
  accordance with Section 22578
• The privacy policy shall
• (1) Identify the categories of personally
  identifiable information that the operator
  collects and the categories persons or
  entities with whom the operator may share that
  information.
• (2) If the operator maintains a process for an
  individual consumer to review and request
  changes provide a description of that process.
• (3) Describe the process by which the operator
  notifies consumers of material changes to the
  privacy policy for that Web site.

11
Northwest

• Disclose personal information the Government
• PNRs contain information such as a passenger's
  name, flight number, credit card data, hotel
  reservation, car rental, and any traveling
  companions
• The ECPA prohibits a person or entity from
• (1) intentionally accessing without
  authorization a facility through which an
  electronic communication service is provided....
  
• Plaintiffs argue that Northwest's access to its
  own electronic communications service is limited
  by its privacy policy

12
Other claims

• Trespass
• As a matter of law, the PNRs were not Plaintiffs'
  property. Plaintiffs voluntarily provided some
  information included in the PNRs. It may be that
  the information Plaintiffs provided to Northwest
  was Plaintiffs' property. However, when that
  information was compiled and combined with other
  information to form a PNR, the PNR itself became
  Northwest's property. Northwest cannot wrongfully
  take its own property
• Intrusion on seclusion

13
Contract Issue

• Contract warranty
• When you reserve or purchase travel services
  through Northwest Airlines nwa.com Reservations,
  we provide only the relevant information required
  by the car rental agency, hotel, or other
  involved third party to ensure the successful
  fulfillment of your travel arrangements.
• General statement of policy
• The privacy statement did not constitute a
  unilateral contract. The language used vests
  discretion in Northwest to determine when the
  information is "relevant" and which "third
  parties" might need that information.

14
Policies that come back to haunt

• Non-contractual risk
• An incongruity between the privacy policy
  language and actual practices a common FTC
  enforcement target.
• FTC charges of unfair and deceptive trade
  practices under Section 5 of the FTC Act are
  increasing as to privacy and security
• Deceptive to claim that data is not revealed or
  is secure, but then reveal it or not protect it
• Unfair to not maintain security?

15
Security issues

• Duty to protect security of personal data
• FTC says its common sense
• CA Civ. Code 1798.81.5 (CA residents, not just
  consumers) Businesses controlling information
  about Cal. Residents must "implement and maintain
  reasonable security procedures and practices
  appropriate to the nature of the information, to
  protect the personal information from
  unauthorized access, destruction, use,
  modification, or disclosure."

16
Guess policy and consequences
17
The 20 year result

• Adopt a comprehensive security program reasonably
  designed to protect security of personal
  information collected from or about consumers
• Must include safeguards including
• designation of employees to coordinate and be
  accountable
• identification of material internal and external
  risks re unauthorized disclosure, misuse, loss,
  alteration, destruction, or other compromise.
• Must include (1) employee training and
  management (2) systems, including network and
  software design, processing, storage,
  transmission, and disposal and (3) prevention,
  detection, and response to intrusions, or other
  systems failures.
• design and implement reasonable safeguards to
  control the risks regularly test or monitor
  effectiveness evaluate
• outside audit
• File with FTC of copies of each different
  print, etc. or other document containing any
  representation regarding policy or collection

18
Notice of security breaches

• Over 20 states have security breach notice laws
• CA Civ. Code 1798.82
• Notice to CA residents
• By any entity that conducts business in
  California
• Disclose any breach of the security of the system
  to any California resident whose unencrypted
  personal information was or is reasonably
  believed to have been acquired by an unauthorized
  person