US Private Sector Privacy Chapter 13 PDF
Summary
This is a chapter from a course book on private sector privacy and litigation. It discusses disclosures required by law, permitted by law, and those forbidden by law. It also discusses public access to court records. The chapter mentions different legal standards that may apply to civil and government actions, and gives examples of U.S. laws that require disclosure.
Full Transcript
MGT 6727 (Spring Semester 2024) at Georgia Tech Chapter 13 – as of 03/25/2024 © IAPP

legal consequences, depending on the context, for turning over either too much or too little information. This section of the chapter ends with a discussion of evidence stored in other countries, and how the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and the updated Budapest Convention address this issue.

The chapter concludes with an examination of privacy issues and national security investigations in the post-Snowden era. Under the Foreign Intelligence Surveillance Act (FISA) of 1978, communications providers can face especially complex rules about when and in what way they are permitted or required to provide information to the government.

For both the law enforcement and national security discussions in this chapter, the goal is not to provide enough detail to answer the questions of specialized practitioners. The goal instead is to set forth the basic principles and specific provisions that apply to a wide range of organizations as well as provide insight into the reforms that were put in place after the Snowden leaks.

13.1 Disclosures Required, Permitted or Forbidden by Law

For investigations and litigation, the law can be complex about when information must be disclosed, when the organization has a choice about whether to disclose, and when the organization is prohibited from disclosing. Sometimes the same statute requires production of information in some circumstances, such as when a judge issues a court order, but prohibits production of the same information in other circumstances, such as when no court order exists.

13.1.1 Disclosures Required by Law

Certain U.S. laws require disclosure of personal information held by an organization. Chapter 9, on financial privacy, discussed the Bank Secrecy Act (BSA) and related reporting requirements designed to reduce money laundering. Other examples of required disclosure:

- The U.S. Food and Drug Administration (FDA) requires health professionals and drug manufacturers to report serious adverse events, product problems, or medication errors suspected to be associated with the use of an FDA-regulated drug, biologic, device or dietary supplement under the Food, Drug and Cosmetic Act (FDCA). 1
- The U.S. Department of Labor’s (DOL’s) Occupational Health and Safety Administration (OSHA) requires compilation and reporting of information about certain workplace injuries and illnesses. 2
- Many states require reporting of certain types of injuries and medical conditions, such as abuse, gunshot wounds, immunization records or specific contagious diseases.
- The Health Insurance Portability and Accountability Act (HIPAA) permits disclosure of protected health information where disclosure is “required by law.” 3

Outside of these regulatory systems, records sometimes must be disclosed during an investigation or in the course of litigation. The discussion in this chapter of e-discovery will describe how parties to civil litigation in the United States are routinely required to produce emails, documents and other company records containing substantial personal information. In litigation, discovery, which essentially means information disclosed to another party in a lawsuit before trial, is governed by the rules of civil and criminal procedure, as overseen by state and federal judges.

NOT FOR DISSEMINATION The materials in this course are provided only for the personal use of students in this class in association with this class.

Companies with information relevant to a government investigation or in civil litigation may receive a subpoena, which is an instruction to produce a witness or records.
For instance, Federal Rule of Civil Procedure 45 says that a subpoena must:

- State the court from which it is issued
- State the title of the action and its civil-action number
- Command each person to whom it is directed to do the following at a specific time and place: attend and testify; produce designated documents, electronically stored information, or tangible things in that person’s possession, custody or control; or permit the inspection of premises
- Set out the text of the rules describing a person’s right to challenge or modify the subpoena

The party seeking information must “serve” the subpoena (deliver it to the subject in a legally sufficient way), to put that person on notice of the obligation to respond and of the recipient’s right to seek to quash or modify the subpoena. The rule states: the issuing court “may hold in contempt a person who, having been served, fails without adequate excuse to obey the subpoena.” 4 Contempt of court can result in fines or imprisonment.

Differing legal standards may, of course, apply to civil (private) litigation and to government investigations, and standards also vary depending on the types of records sought. For instance, as discussed further below, law enforcement can get phone numbers called and similar information under a pen register order. A judge issues that type of order under the relatively easy-to-meet standard that the information “is relevant to an ongoing investigation.” 5 The stored content of records may be accessed under court orders defined by 18 U.S.C. § 2703(d), which require the government to provide a judge with “specific and articulable facts showing that there are reasonable grounds” to believe communications are relevant to a criminal investigation. 6 One step stricter is the traditional search warrant issued by a judge or magistrate under the Fourth Amendment to the U.S. Constitution, which requires showing that there is probable cause that a crime has been, is, or will be committed.
Even stricter is the standard for a telephone wiretap, which has the requirements of a probable cause warrant as well as other requirements, such as that alternative means of getting the evidence have been exhausted. 7 This range of standards is intended to provide more protection for more sensitive information—a list of phone numbers called is easier to get than permission to listen to an entire telephone conversation.

13.1.2 Disclosures Permitted by Law

For some categories of information, an organization is permitted, but not required, to disclose personal information. HIPAA itself, for instance, requires very few disclosures. The HIPAA Privacy Rule requires covered entities to disclose protected health information (PHI) only to the individual to whom it pertains and to the U.S. Department of Health and Human Services (HHS) in the course of an enforcement action. 8 It permits (but does not require) companies to disclose PHI when required to do so by another applicable law, such as the state laws that require reporting of medical information. HIPAA also permits covered entities to disclose PHI for reasons including public health, law enforcement, and national security.

After the U.S. Supreme Court overturned Roe v. Wade in 2022, 9 the HHS Office of Civil Rights issued guidance concerning permitted disclosures and reproductive health care. According to the guidance, the HIPAA Privacy Rule clarified that a covered entity would not be permitted to make a disclosure of protected health information (PHI) to law enforcement as “required by law” where the state law does not expressly require the reporting, such as when a state law prohibits abortion but does not require the hospital to report individuals to law enforcement.
The 2022 HHS Office of Civil Rights guidance also clarified that the HIPAA Privacy Rule would permit a covered entity to disclose PHI in response to a law enforcement request made through legal process such as a court order or court-ordered warrant. 10

Another example is the “computer trespasser” exception (sometimes called the “hacker trespasser” exception) created by Section 217 of the USA PATRIOT Act. 11 In general, a law enforcement officer needs to have a court order or some other lawful basis to intercept wire or electronic communications. As discussed later in the chapter, the owner or operator of a computer system can face penalties under ECPA for providing access to law enforcement without following legally mandated procedures. Section 217 of the USA PATRIOT Act permits, but does not require, the owner or operator of a computer system to provide such access in defined circumstances. For computer trespassers, law enforcement can now perform interceptions if: 12

- The owner or operator of the protected computer authorizes the interception of the computer trespasser’s communications on the protected computer
- The person acting under color of law (in an official capacity) is lawfully engaged in an investigation
- The person acting under color of law has reasonable grounds to believe the contents of the computer trespasser’s communications will be relevant to the investigation
- Such interception does not acquire communications other than those transmitted 13

13.1.3 Disclosures Forbidden by Law

Many of the privacy laws discussed in this book forbid disclosures of categories of personal information to categories of recipients. These laws often use either an opt-in or an opt-out requirement to help accomplish their restrictions. 14 For instance, HIPAA and the Children’s Online Privacy Protection Rule (COPPA) forbid disclosures of covered information to third parties, unless there is opt-in consent, or a different exception applies.
The Gramm-Leach-Bliley Act (GLBA) forbids disclosures to third parties if the individual has opted out. Many websites of companies not covered by GLBA similarly provide an opt-out, and disclosures in violation of such promises can trigger Section 5 enforcement under the Federal Trade Commission (FTC) Act.

In the context of investigations and litigation, evidentiary “privileges” can also prohibit disclosure. These privileges are generally defined under state law. 15 One example is the attorney-client privilege, which means that an attorney cannot be compelled to testify or produce records about a client concerning matters within the scope of the representation. As with other privacy rules, there can be exceptions to the attorney-client privilege, such as client consent or to prevent imminent physical harm to another person. Other common evidentiary privileges include doctor-patient, priest-penitent, and spousal privilege. Where these apply, a doctor, member of the clergy, or spouse cannot be compelled to testify about the other party, absent consent or some other exception. Nationally, a person accused of a crime in state or federal court can assert the privilege against self-incrimination under the Fifth Amendment to the U.S. Constitution.

13.2 Privacy and Civil Litigation

A large amount of personal information may be disclosed to parties in the course of civil litigation. Courts can issue protective orders to prohibit disclosure of personal information revealed in litigation, and attorneys increasingly are required to redact Social Security numbers and other sensitive information when filing documents with the courts.
The systematic management of personal information has also become more prominent since the 2006 adoption of the e-discovery rules, which often require civil litigants to turn over large volumes of a company’s electronic records in litigation.

13.2.1 Public Access to Court Records, Protective Orders, and Required Redaction

The United States has a strong tradition of public access to government records, including under the federal Freedom of Information Act (FOIA) and state open records laws. States and localities often provide access to a wide range of public records, including birth and death records, professional and business licenses, real estate ownership and appraisal records, voter registration records, and many more.

The activities of courts historically have also been public records. Criminal and civil trials in the United States are almost always open for the public to attend. Historically, people could also go to the local courthouse and read the materials submitted to the court, including documents and other exhibits introduced at trial.

With the growth of the internet, court systems began to consider putting their records online for beneficial reasons such as providing transparency in government and reducing the cost of storing and accessing records. Placing court records on the internet, however, also raised privacy issues. Paper records stored in local courthouses provided practical obscurity for most of the information because of the expense and difficulty of searching the records. Online, searchable public records greatly reduced this obscurity.

In 2000, the federal bankruptcy courts proposed placing their records online, including Social Security numbers and the details of the person’s financial status, including bank account numbers and the amount in each account. Internet publication of these details raised the risk that these accounts would be the target of identity fraud.
The federal government issued a report on the privacy issues, and the bankruptcy court rules were amended to protect Social Security numbers and privacy. 16 The Administrative Office of U.S. Courts and the Center for Legal and Court Technology have held multiple conferences in Williamsburg, Virginia, with extensive documentation of how state and federal courts address the issues of privacy and public access to court records. 17 Certain categories of records often receive greater protection, including juvenile, financial and medical records.

One response to public access to court records has been for litigants to seek protective orders for personal information. With a protective order, a judge determines what information should not be made public and what conditions apply to those who may access the protected information. Rule 26(c) of the Federal Rules of Civil Procedure states that a party may seek a protective order providing that confidential information may not be revealed or must be revealed in a particular way—such as “attorney’s eyes only”—during litigation. The moving party must demonstrate good cause, and a court will apply a three-part test in deciding whether to grant the request. First, the resisting party must show the information to be confidential. Second, the requesting party must show that the information is relevant and necessary to the case. Third, the court must weigh the harm of disclosure against the need for the information. 18

The HIPAA Privacy Rule, similarly, discusses the standards for a “qualified protective order” (QPO), which applies in state courts that are not covered by the Federal Rules of Civil Procedure.
A QPO prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested. It also requires the return to the covered entity or destruction of the protected health information (including copies) at the end of the litigation. 19 If a QPO is in place, a covered entity complies with privacy requirements for disclosure in litigation or administrative proceedings.

More generally, court rules today require redaction of certain personal information by the litigants themselves. Redaction is the practice of identifying and removing or blocking information from documents being produced pursuant to a discovery request or as evidence in a court proceeding. One important example is the 2007 adoption of Rule 5.2 of the Federal Rules of Civil Procedure, “Privacy Protection for Filings Made with the Court.” The rule applies to both paper and electronic filings and to both parties and nonparties filing documents. Specifically, attorneys are required to redact documents so that no more than the following information is included in court filings:

- The last four digits of the Social Security number and taxpayer identification number
- The year of the individual’s birth
- If the individual is a minor, only the minor’s initials
- The last four digits of the financial account number 20

Certain exemptions may apply, and parties may request that filings be made under seal without redaction when appropriate. In cases where additional protection may be necessary, parties can seek protective orders. If granted, the protective order may require additional redaction or may restrict electronic access to the court filings. 21 Enforcement and penalties apply as for other violations of court rules. 22

Rule 49.1 of the Federal Criminal Rules of Procedure and Rule 9037 of the Federal Rules of Bankruptcy Procedure contain similar redaction requirements.
23 In criminal proceedings, city and state of the home address are a fifth category requiring redaction so that the precise home address is not revealed. 24

Federal district courts often have supplementary redaction or privacy requirements that apply in their court proceedings. Similarly, state and local courts have increasingly adopted redaction requirements. Attorneys and privacy professionals thus should be mindful of the privacy procedure rules that may apply depending on where the litigation actually takes place.

13.2.2 Electronic Discovery

Prior to trial, the parties usually engage in discovery. In discovery, the information typically is exchanged with the other party or parties and their attorneys. In doing so, as just discussed, there may be confidentiality protections such as protective orders and redaction requirements. Information exchanged in discovery also raises at least the possibility that it will be disclosed more broadly, such as in a trial or public court filing, or because those who receive the information in discovery may disclose it to others.

Since the 2006 revisions to the Federal Rules of Civil Procedure, electronically stored information (ESI) has become an increasingly large focus of pretrial discovery in U.S. litigation. 25 The discovery of ESI, generally known as e-discovery, has become an important subdiscipline in law and technology. E-discovery implicates both domestic privacy concerns and issues arising in transborder data flows.

Managing e-discovery and privacy begins with a well-managed data retention program.
In designing a retention policy, it should be remembered that ESI takes not only obvious forms such as email or word processing documents, but can also manifest itself as databases, web pages, server logs, instant messaging transcripts, voicemail systems, virtual meetings, social networking records, thumb drives, or even the microSD cards found in smartphones. 26

An important source of standards and best practices for managing electronic discovery compliance through data retention policies is the Sedona Conference. 27 Regarding email retention, the Sedona Conference offers four key guidelines:

1. Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units
2. Such teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice
3. Interdisciplinary teams should reach consensus as to policies, while looking to industry standards
4. Technical solutions should meet and parallel the functional requirements of the organization

Database design should also be considered when addressing a company’s retention policies. When done in good faith, data that is “transitory in nature, not routinely created or maintained by [d]efendants for their business purposes, and requiring of additional steps to retrieve and store,” may be considered outside the duty of preservation. 28

Retention policies should also consider employee hard drives.
While it may be an accepted practice to wipe and reimage personal computers after an employee is terminated so that the computer can be provided to a new employee, “in order to take advantage of the good faith exception [to discovery obligations], a party needs to act affirmatively to prevent the system from destroying or altering information, even if such destruction would occur in the regular course of business.” 29 One solution to this problem is to collect forensic images of such devices prior to reassignment.

Initial problems with invasion of privacy concerns related to such retention can be countered by clearly articulating a usage policy for employees. For example, by discouraging employees from using their company email accounts for personal communications, a company can reduce the future risk of handing over sensitive or embarrassing information when complying with a discovery request. Similarly, placing limits on the permitted uses of company computers may aid in preventing later forensic discovery of hard drives from revealing private information about employees. Conversely, employees should be discouraged from conducting company business on personal devices to prevent the subsequent risk of an invasion of privacy if an employer needs to examine such devices. 30

While these best practices are widely accepted, it should be noted that where discovery obligations are in direct conflict with business practices, the discovery obligations will likely prevail. When a court finds conflict between a corporate retention policy and a discovery request, the court will likely apply a three-factor test: (1) a retention policy should be reasonable considering the facts of the situation, (2) courts may consider similar complaints against the organization, and (3) courts may evaluate whether the organization instituted the policy in bad faith. 31 Finally, in regard to retention policies, it must be remembered that even a reasonable policy may need to be suspended in the face of a litigation hold, which exists when the company is on notice of discovery because litigation is already underway. 32

U.S. sectoral laws such as HIPAA and GLBA create some tension between broad pretrial discovery powers and privacy protections. Generally, however, these laws exist in harmony with discovery obligations. For example, the HIPAA Privacy Regulation specifically addresses when protected health information may be disclosed during discovery. First, a covered entity may disclose PHI if the subject of those records authorizes their release. 33 Second, absent a release, a covered entity may release PHI subject to a court order. 34 Third, a covered entity may disclose PHI subject to a discovery request if satisfactory assurances are provided. An assurance is satisfactory under HIPAA if the parties seeking the request for information have agreed to a qualified protective order and have submitted it to the court, or if the party seeking the information has requested a qualified protective order from the court. 35 A qualified protective order requires both that the parties are prohibited from using or disclosing the PHI for any purpose other than the litigation and that the PHI will be returned or destroyed at the end of the litigation.
36 Similarly, under GLBA, a financial institution may disclose otherwise protected information “to comply with federal, state, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.” 37 Federal courts have been willing to read this clause to encompass civil discovery requests, although protective orders should still be obtained by those disclosing the information. 38

The issue of transborder data flows creates a more complicated situation. When engaged in pretrial discovery in U.S. courts, parties can be caught between conflicting demands. On the one hand, they must comply with U.S. discovery rules that expressly recognize the importance of broad preservation, collection and production. The rules therefore generally require the disclosure of all information relevant to the claims or defenses in a case that are in a party’s possession, custody or control—and this extends to information globally. On the other hand, parties may also face compliance obligations under foreign laws that place an emphasis on the protection of personal data and recognize privacy as a fundamental right. For instance, the European Union (EU) General Data Protection Regulation (GDPR) makes e-discovery with European nations subject to even more restrictions. 39 Consequently, a conflict can arise between a U.S. requirement to produce documents and another country’s laws, which may prohibit transfer of personal information out of that country and/or prohibit disclosure to third parties without the data subject’s consent. 40

U.S. courts have taken different approaches to resolving this conflict.
41 Some courts have sought to resolve this tension by requiring production by those parties that sought to take advantage of U.S. jurisdiction, such as the plaintiff who filed the lawsuit. 42 Other courts, however, have extended data production requirements even to parties that did not seek the benefit of U.S. courts, stating “it is well settled that [foreign] statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” 43 Another approach has been to focus on the nature or type of the documents at issue, such as by requiring the foreign parties to prepare a privacy log describing the documents without disclosing the contents of the documents, so that the court could differentiate among documents. 44 Balancing broad discovery demands in the U.S. with foreign privacy restrictions remains a challenging issue for many organizations, with no simple resolution thus far of the legal conflicts.

The production of transborder data may also be avoided by invoking the Hague Convention on the Taking of Evidence. 45 Under the treaty, the party seeking to displace the Federal Rules of Civil Procedure bears the burden of demonstrating that it is more appropriate to use the Hague Convention and must establish that the foreign law prohibits the discovery sought. Such prohibitions may be established by expert testimony. Aerospatiale v. S.D. of Iowa outlines the factors that an American court may use to reconcile the conflict.
46 These factors include: 47

- The importance of the documents or data to the litigation at hand
- The specificity of the request
- Whether the information originated in the United States
- The availability of alternative means of securing the information
- The extent to which the important interests of the United States and the foreign state would be undermined by an adverse ruling

The fifth factor is often referred to as being the most important. For example, when victims of a terrorist attack sued a British bank for aiding and abetting a terrorist organization, British bank secrecy laws did not preempt the discovery request, because the information was central to the case, and the disclosure would advance both American and British interests in combating terrorism. 48 Courts have also been willing to look to additional factors, such as the good faith of the party resisting compliance, in applying such a test. Obtaining evidence through the Hague Convention is far more expensive and time-consuming than typical discovery requests under the Federal Rules; it is often a means of last resort for U.S. litigators with no other recourse for obtaining the necessary evidence. 49

Once data has been culled for e-discovery, preservation and transport present final considerations. Data may either be “preserved in place” by maintaining it in its native repository, or it may be preserved in a separate form. 50 For transfer, data should be encrypted, and the key transferred by a secure second method of transport. If shipped as physical media (such as a hard drive or optical media), it should be transported in a manner that preserves an audit trail. Alternatively, data may be transferred by using a secure connection, such as secure file transfer protocol (SFTP).
Organizations producing thousands of pages of documents in discovery will often need a plan to address sensitive personal information, including a process for identifying and redacting or withholding such information where possible, maintaining confidentiality under a protective order where it must be disclosed, and seeking to “claw back” or otherwise remediate inadvertent disclosures of such information.

13.3 Law Enforcement and the Role of Privacy Professionals

Along with civil litigation, a company can face requests to provide personal information in connection with criminal investigations and litigation. The discussion here begins with an introduction to Fourth Amendment limits on law enforcement searches. Fourth Amendment cases have articulated some of the most fundamental concepts used by privacy lawyers and other privacy experts in the United States, including the “reasonable expectation of privacy” test developed in the context of government wiretaps. 51 The discussion then moves to other statutes that can apply to criminal investigations, including HIPAA, ECPA, the SCA, the RFPA and the PPA. This section concludes with a discussion of evidence stored in other countries, and explains how the recently enacted CLOUD Act addresses this issue.

This chapter does not attempt to provide the many details that prosecutors and criminal defense lawyers need to know about the handling of personal information in criminal litigation. Nor does it go into the complex details of ECPA and the SCA, as those laws apply to communications providers such as telephone companies and email services. Instead, the focus is on general principles and issues that can arise in a wide range of companies.
13.3.1 Fourth Amendment Limits on Law Enforcement Searches

The Fourth Amendment to the Constitution provides: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched.” 52

The Fourth Amendment’s limits on government power stem in part from objections to “general warrants” used by the British king’s customs inspectors before the American Revolution. Officers of the Crown could get one general warrant and search all the houses in a neighborhood or town when looking for contraband goods. At the most basic level, the Fourth Amendment authorizes reasonable government searches while setting limits on their scope and how they are issued. The U.S. Supreme Court has stated: “The overriding function of the Fourth Amendment is to protect personal privacy and dignity against unwarranted intrusion by the State.” 53

The Fourth Amendment provides a ban against “unreasonable searches and seizures” by the government. For search warrants, the government must show “probable cause” that a crime has been, is or is likely to be committed. Search warrants must be supported by specific testimony, often provided by a police officer. A neutral magistrate (judge) approves the search warrant. Search warrants cannot be general warrants, but instead must describe the place to be searched with particularity.

Evidence gathered by the government in violation of the Fourth Amendment is generally subject to what is called the “exclusionary rule” - meaning that the evidence can be excluded from the criminal trial. The exclusionary rule creates a powerful incentive for criminal defendants to seek to show that the government has violated the Fourth Amendment.
Consequently, state and federal courts have issued an enormous number of judicial decisions interpreting the Fourth Amendment, and the case law is notably complex.

Company privacy professionals are not likely to encounter the type of search warrant that provides the police physical entry to a house, automobile or other private space. The legal rules are likely to be more important when the government seeks to conduct surveillance in connection with a company’s facilities. For instance, the government might conduct wiretaps using the facilities of a telephone company or email service. In addition, and increasingly over time, the government may seek to gain access to company databases containing personal information about customers, employees and others.

Telephone wiretap law has been important to the last century of Fourth Amendment jurisprudence. In the 1928 case of Olmstead v. United States, a majority of the Supreme Court held that no warrant was required for wiretaps conducted on telephone company wires outside of the suspect’s building. 54 The majority emphasized that the purpose of the Fourth Amendment was to protect the home and other private spaces. In one of the most famous statements about privacy, Justice Louis Brandeis argued in dissent that new technologies meant that the Fourth Amendment must have a “capacity of adaptation to a changing world.” He said: “The makers of our Constitution... conferred, as against the government, the right to be let alone—the most comprehensive of rights and the right most valued by civilized men.
To protect that right, every unjustifiable intrusion by the government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.” 55

The Supreme Court essentially overruled Olmstead in the 1967 case of Katz v. United States. 56 The majority stated: “What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.” The court found that a warrant was needed for a police bug in a restaurant, placed to hear the calls behind the closed doors of a phone booth.

Katz is best remembered today for the widely cited “reasonable expectation of privacy” test. In a concurring opinion, Justice John Marshall Harlan stated: “There is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’” 57

In practice, important exceptions exist to the requirement of a warrant where a reasonable expectation of privacy exists. The “in public” and “third-party” exceptions are especially important to privacy professionals. Katz itself said that what a person knowingly exposes to the public is not protected by the Fourth Amendment. Police thus have broad discretion to follow a suspect down the street or take advantage of other information that is in plain view.

The Supreme Court has also held that information a person puts into the hand of someone else—a third party—is not protected by the Fourth Amendment. For instance, the court has held that the Fourth Amendment does not require a warrant for the police to get a person’s checking account records or the list of phone numbers a person has called.
58 The court has stated that the individual consented to letting the bank or phone company have that information, so the companies can lawfully turn the information over to the government without a search warrant. The third-party doctrine has been especially important in connection with company privacy practices—companies are generally permitted under the Constitution to turn over customer and employee records to the government (although statutory and other legal limits may apply).

In the 2012 case of United States v. Jones, the Supreme Court signaled important changes to the in public and third-party exceptions. The court held unanimously that a warrant was needed when the police placed a Global Positioning System (GPS) device on a car and tracked its location for over a month. The majority decision emphasized that the police had trespassed onto the car when they physically attached the GPS device. Four of the nine justices, however, would have held that a search occurred even without the physical attachment, and even for movements that took place entirely in public. A fifth justice seemed to indicate sympathy for this constitutional limit on surveillance of “in public” activities, and also stated that the time had come to reexamine the third-party doctrine. 59

The 2014 case of Riley v. California was an important decision where the Supreme Court unanimously held that the contents of a cell phone cannot be searched unless law enforcement officers first obtain a search warrant.
60 The justices ruled that the data on a cell phone was quantitatively (the amount of data) and qualitatively (the kind of data) different than the contents that would normally be found in a physical container, which was the analogy the government had proposed to the court. As to the quantity of data, the court noted the immense storage capacity of cell phones as well as the ability to link to remote storage. With regard to the quality of data, the court opined that internet searches can reveal a person’s interests, and location information can pinpoint an individual’s movement over time. 61

In the 2018 case of Carpenter v. United States, the Supreme Court reduced the scope of the third-party doctrine. 62 Prior to the determination of this case, a person did not legally have a reasonable expectation of privacy in records held by a third party—including bank records and telephone pen registers—so a warrant was not required for records held by third parties. 63 This is the concept known as the third-party doctrine. In 2018, the court acknowledged that cell phone usage was integral to modern life and noted that cell site location information could reveal intimate details about the habits of individuals’ lives. In Carpenter, the court determined that law enforcement officers must secure a warrant to access at least certain records held by third parties—namely, cell site location information. 64

These three recent cases by the Supreme Court requiring search warrants—Jones, Riley, and Carpenter—suggest that the Supreme Court is seeking to update Fourth Amendment doctrine to adapt to changing technology and may place further limits on the third-party doctrine as it relates to digital data.
65 Applying legal rules such as the third-party doctrine is further complicated when the accused did not themselves provide their data to the relevant company, such as: (1) DNA databases that are examined to identify relatives of the person who submitted the DNA sample; 66 and (2) videos from electronic doorbells that are utilized to investigate individuals other than the person who installed the doorbell. As of the writing of this book, neither of these issues has been directly addressed by the U.S. Supreme Court, but privacy professionals should be on the lookout for possible updates concerning the application of the Fourth Amendment.

In 2022, the U.S. Supreme Court overturned Roe v. Wade - the 1973 case that stated the U.S. Constitution recognized a woman’s right to terminate her pregnancy by abortion. After this recent U.S. Supreme Court decision, the legality of an abortion was decided by each state in the U.S. 67 In states that outlaw abortion, state and local law enforcement may send legal process, such as a warrant, for data related to an illegal abortion to a company headquartered in a state that does not outlaw abortion. In response to this situation that impacted many tech companies headquartered in California, California enacted its own law that prohibits a company from responding to other states’ abortion-related warrants. 68 This creates a conflict of law, similar to those seen in the international cross-border context (discussed in Section 13.3.8). Privacy practitioners should be alert that this type of conflict of law between states in the U.S. could result in a case before the U.S. Supreme Court. 69

The overturning of Roe v. Wade also heightened concerns about geofence warrants. Geofencing is a technology that allows companies to target digital advertising to people within a virtually ‘fenced’ area – such as within a certain proximity of an abortion clinic.
The collection of data for this advertising purpose means that data can then be acquired by law enforcement using a geofence warrant. These geofence warrants have been challenged in lower courts – sometimes successfully and other times not successfully – under the bar against general warrants. 70 As of the writing of this book, the U.S. Supreme Court has not ruled on the legality of such warrants. 71