Photo provided courtesy by Unsplash.com.
By Daniel Pagana, Staff Writer
Many industries are subject to privacy laws. Often times, privacy law violations indicate potential criminal conduct because of the nature of certain sensitive information. For example, sensitive data held by the banking industry is subject to the Right to Financial Privacy Act, which “protects the confidentiality of personal financial records.”[1] The Act is viewed as congressional backlash to the Supreme Court decision in United States v. Miller. In that case, the Court held that individuals have no reasonable privacy expectations in banking records after voluntarily turning such sensitive information over to third parties such as financial institutions.[2] The Court has also weighed in, regarding sensitive information handled by other heavily regulated industries such as health care. In a string of decisions, the Supreme Court has protected individual privacy relating to contraceptives and abortion. In other instances, the Court has limited privacy interests in health related information like the use of controlled substances[3] And of course, Congress has regulated privacy for nearly all involved in healthcare through The Health Insurance Portability and Accountability Act or (“HIPPA”).[4] Healthcare and banking are two of the largest industries in the US, contributing trillions of dollars to the economy, so it is unsurprising to most that they are also two of the most regulated in terms of privacy.[5]
Privacy in the technology sector, specifically regarding data controlled by big tech, is the new heated debate in partisan politics,[6] It is also the area that has changed substantially over the past 20 years.[7] For example Google’s privacy policy used to be only a paragraph long. That same policy is currently over 4,000 words long.[8] This is due to a change in how the company employs user data. Early on, the company considered use of such data only in the aggregate, but now google uses a much more sophisticated method of isolating user data.[9] Through a combination of gps data, user searches—even data specific to a particular users’ device—google has become much better at selling its users to advertisers.[10]
The debate in Congress on how to regulate tech giants is currently at a standstill, with no real comprehensive legislation materializing.[11] While Congress has been flat footed on the issue, the courts have been active in regulating data privacy. The courts dismissed alleged wiretap act claims against Google for storing and listening to user audio data.[12] The courts have also decided that money gained by a company that shares user data is not the same as the plaintiff losing money. [13]These decisions are important but not comprehensive, both decisions rely on law that does not directly apply to user data.
Many of these cases are being brought under the California Unfair Competition Law (“UCL”).[14] The UCL has been cited by plaintiffs broadly because the law “prohibits business practices that are unlawful, unfair, or fraudulent.”[15] However, lawsuits seeking protection from alleged data privacy violations under UCL have had little success since the law requires plaintiffs to allege money or property damages to have standing.[16] Plaintiffs thus far have not been able to convince the courts that user data constitutes either money or property.
The European Union has passed a comprehensive data privacy program under the General Data Protection Regulation (“GDPR”). GDPR is a “regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.”[17] The GDPR has provided a regulatory framework that big tech companies have been forced to acknowledge.[18] In Facebook, Inc. Sec. Litig., executives claimed that Facebook was almost compliant with the data privacy restrictions that the GDPR was ready to enforce.[19] Facebooks made a number of claims most notably that they do not sell data to third parties and that the user owns what they post to Facebook and control how it is being shared.[20] In contrast, at the time of the GDRP rollout in the EU, Facebook was engaged in the Cambridge Analytica scandal in the US which was a blatant example of Facebook selling user data to third parties.[21]
Comprehensive legislation in the US has yet to come, but there have been efforts by states like California to get a data privacy bill done. The California Consumer Privacy Act (“CCPA”) is such a bill, and is modeled after the GDPR.[22] The CCPA requires that businesses disclose to Californians how their data is to be used.[23] It allows Californians to request that collected data be deleted and even “grants consumers the right to control selling their information to third parties via a ‘Do Not Sell My Personal Information’ link in their privacy policies.”[24] The legislation does have its short comings. Most notably, the CCPA has been criticized as being far too broad.[25] It will be interesting to see how much of this legislation will be used by Congress, other states, or simply thrown out by the courts.
[1]https://epic.org/privacy/rfpa/#:~:text=The%20Right%20to%20Financial%20Privacy%20Act%20of%201978%20protects%20the,ruling%20in%20United%20States%20v.&text=%C2%A7%203401%2D342.-,United%20States%20v.,425%20U.S.%20435%20(1976).
[2] United States v. Miller, 425 U.S. 435, 96 S. Ct. 1619 (1976)
[3] Whalen v. Roe, 429 U.S. 589, 97 S. Ct. 869 (1977)
[4] https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
[5] https://www.statista.com/statistics/247991/value-added-to-the-us-gdp-by-industry/
[6] https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html
[7] https://www.nytimes.com/interactive/2019/07/10/opinion/google-privacy-policy.html?mtrref=www.google.com&gwh=CC342D0A46F2C37D3BBFC548A2746984&gwt=regi&assetType=REGIWALL
[8] Id.
[9] Id.
[10] Id.
[11] Id.
[12] In re Google Assistant Privacy Litig., 457 F. Supp. 3d 797 (N.D. Cal. 2020)
[13] In re Facebook, Inc., 402 F. Supp. 3d 767 (N.D. Cal. 2019)
[14] https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html
[15] In re Facebook, Inc., 402 F. Supp. 3d 767 (N.D. Cal. 2019)
[16] Id.
[17] https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
[18] In re Facebook, Inc. Sec. Litig., 405 F. Supp. 3d 809 (N.D. Cal. 2019)
[19] Id.
[20] Id.
[21] https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html
[22] https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html
[23] Id.
[24] Id.
[25] https://abovethelaw.com/2019/10/some-big-reasons-why-the-ccpa-is-more-of-a-problem-than-you-think/
