2018 is shaping up to be a potentially momentous year for data privacy, with a number of pending cases whose impact could fundamentally alter the scope of future privacy lawsuits and criminal investigations. This post will take a look at some of these cases and their potential impact.
Carpenter v. United States
We’ll start with Carpenter, which is pending in the U.S. Supreme Court and focuses on whether the Fourth Amendment requires the government to secure a search warrant to obtain a criminal defendant’s cell phone records from his or her cellular service provider.
Following the arrest of four suspects for armed robberies in Michigan and Ohio, the FBI obtained a court order (under the Stored Communications Act) compelling Carpenter’s cellular service provider to produce basic subscriber information and three months’ worth of cell site location records for a cellphone tied to Carpenter. The lower court found that the historical location data sought by the FBI were business records, which the government may obtain without a warrant. Under the “third party doctrine,” individuals have no reasonable expectation of privacy in information that they voluntarily provide to third parties. The doctrine arises out of two 1970s Supreme Court cases holding that the government does not need a warrant to obtain telephone or bank records relevant to criminal investigations from the phone companies or banks that create and maintain such records. Numerous lower courts have applied the doctrine to cellular service providers’ collection of cell site signals transmitted by individual phones, generally reasoning that individuals “voluntarily” transmit the cell site data to the provider.
Carpenter petitioned the Supreme Court for certiorari, contending that historical cell site location information paints a far more detailed account of a person’s life (through movements over an extended period of time) than other business records. This data therefore should not be covered by the third party doctrine, because the disclosures to the service provider are not truly “voluntary.”
Based on oral argument, and recent Supreme Court opinions, it appears that the Court may be prepared to limit the third party doctrine, at least with regard to cell site location data. In its 2012 decision in U.S. v. Jones, the Court held that the warrantless GPS tracking of a vehicle violated the Fourth Amendment, where the agents committed a trespass when attaching the tracker to the vehicle. Importantly, at least 5 justices expressed the view (in separate opinions) that individuals have a reasonable expectation of privacy in their movements over an extended period of time. In 2014, the Supreme Court held, in Riley v. California, that users have an expectation of privacy with respect to the contents of their cell phones. Carpenter has the potential to build on the Riley Court’s theme that “digital is different,” and to become a seminal Supreme Court decision regarding Fourth Amendment privacy interests in the digital age. The decision may significantly reshape – if not replace – the third party doctrine in the digital context, with implications for both the government and private enterprises alike.
LabMD, Inc. v. Federal Trade Commission
In 2016, the FTC issued an order against LabMD, overruling a prior determination of no injury by the Administrative Law Judge and finding that the company had exposed the unencrypted medical and personal information of over 9,000 consumers through the installation of a file-sharing program on a LabMD computer.
The Eleventh Circuit granted a stay of the Order, pending a determination whether the FTC met its burden of proving substantial harm under the FTC Act. LabMD contends that unauthorized access, alone, does not meet the substantial harm requirement, and that the Act requires a finding of tangible harm, in the form of monetary or personal damage.
The Court’s decision will go a long way toward defining the contours of the FTC’s jurisdiction in data privacy and security cases. If the Eleventh Circuit finds in favor of LabMD, and agrees that a more particularized or concrete showing of harm is necessary, the FTC’s enforcement power in the realm of data security could be hampered insofar as many FTC actions do not involve evidence of actual monetary or physical harm to consumers.
United States v. Microsoft
In one of the most anticipated criminal and privacy cases of the year, the Supreme Court will address the question of whether the federal courts can issue search warrants under the Stored Communications Act (SCA) requiring a service provider to disclose the contents of an email account stored on a server that is physically located outside of the United States.
The Second Circuit held that the SCA did not authorize federal courts to issue an SCA warrant compelling production of communications stored by Microsoft on a server in Ireland, even though Microsoft could access those communications from the United States. The dispute in Microsoft arose when the government sought an SCA warrant for an email account related to a narcotics trafficking investigation in the New York metropolitan area. In accordance with Microsoft’s standard business practices, some of that data was stored in Ireland (the country the user had self-identified as his place of residence). Microsoft refused to produce the data stored on the Ireland servers and moved to quash the warrant as it related to the internationally stored data.
The United States District Court for the Southern District of New York denied the motion, but the Second Circuit reversed on the grounds that “the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States-based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.” Applying an “extraterritoriality” analysis, the Second Circuit reasoned that “the focus of the SCA’s warrant provisions is on protecting users’ privacy interests in stored communications”—not assisting law enforcement. The Second Circuit concluded that the SCA was being applied extraterritorially here, because the data to be collected and produced pursuant to the warrant was physically located on a server in Ireland. The Supreme Court granted certiorari, and numerous national and international entities have already submitted amicus briefs. Argument is currently set for February 27, 2018.
The potential impact of this decision is very significant. First, the decision could impact the federal government’s ability to reach data stored in the cloud for criminal investigative purposes. Although the data at issue in this case was physically segregated in Ireland, many cloud-based systems work more dynamically, with shards of data from one account, for instance, in continuous motion across servers located around the globe. Would these accounts essentially become ‘warrant proof’? Second, the decision will likely have implications for global privacy. The European Union, some foreign governments and privacy advocates have asked the Supreme Court to consider European data privacy concerns about the reach of the US government’s investigative powers – a recurring issue in the development of global privacy law and policy since the Snowden revelations.
CareFirst v. Attias
In June 2014, health insurer CareFirst, Inc. suffered a data breach that compromised the personal information of approximately 1.1 million policyholders. Affected customers brought a lawsuit against CareFirst alleging that it had violated a host of state laws by failing to safeguard their personal information, leading to an increased risk of identity theft.
CareFirst moved to dismiss the complaint on the grounds that the plaintiffs lacked standing, because they had not alleged any instances of identity theft. The district court granted CareFirst’s motion to dismiss, ruling that the plaintiffs had failed to allege an “injury in fact” that is concrete, particularized, and actual or imminent, as required under the Supreme Court’s ruling in Spokeo v. Robins. Plaintiffs appealed to the United States Court of Appeals for the District of Columbia Circuit, which reversed and remanded for further proceedings, holding that plaintiffs had plausibly alleged a risk of future injury because it was at least “plausible” that the cybercriminals had the intent and ability to use the stolen data for wrongful purposes. CareFirst has filed a petition for certiorari with the Supreme Court.
The core issue of whether data breach victims have standing to proceed in federal court has been hotly litigated over the past half a dozen years, with varying results. There is a modest trend toward finding standing in cases involving criminal theft of personal information. Should it grant certiorari in this case, the Supreme Court’s resolution of the matter may go a long way toward establishing the parameters of future data breach litigation. If the Court rules that victims of a data breach have standing to pursue state law claims in federal court, the floodgates for data breach litigation may open. Conversely, a ruling in favor of CareFirst may limit the viability of future data breach class actions.
In re Facebook Biometric Information Privacy Litigation
A consolidated litigation pending in the Northern District of California involving Facebook may shape the scope of claims under the Illinois Biometric Information Privacy Act (BIPA). In recent years, numerous class actions have been filed under BIPA, which provides for statutory damages of up to $5,000 per violation.
Plaintiffs contend that Facebook’s face-scanning function, part of the “Tag Suggestions” feature, utilizes “state-of-the-art facial recognition technology” to extract biometric identifiers from photographs users upload without their consent, in violation of BIPA. The Court has already rejected Facebook’s argument that the statute excludes from the definition of “biometric identifier” and “biometric information” (1) photographs and (2) any information derived from those photographs, holding that the statute’s use of “photographs” refers to paper prints of photographs, not digitized images stored as a computer file or uploaded to the Internet.
A key issue that remains to be resolved is Facebook’s contention that Plaintiffs’ alleged injuries are insufficient to create federal standing under Spokeo. An Illinois appellate court recently addressed a similar issue, holding that a plaintiff who alleges a mere technical violation of BIPA is not an “aggrieved” party under the Act. Other key issues include the extraterritorial application of BIPA to non-Illinois companies, and an argument that BIPA violates the dormant commerce clause. Interest in the outcome of this case is high: numerous app manufacturers, social media companies and employers are using biometric data for authentication and other purposes, potentially exposing them to liability under BIPA. Resolution of the Spokeo and extraterritorial arguments, in particular, may determine whether BIPA litigation explodes or slows to a crawl.