Ch 13 - Privacy Issues in Civil Litigation and Governmental Investigations Flashcards
Disclosures required by law
FDA requires health professionals and drug manufacturers to report serious adverse events assoc. with use of FDA regulated item
OSHA requires reporting info about certain workplace injuries and illness.
States can require reporting certain types of injuries/conditions - abuse, gun wounds, contagious diseases.
Recall HIPAA allows PHI to be disclosed if required by law.
Disclosures permitted by law
- HIPAA - required to disclose to data subject and to HHS in enforcement action.
- Computer/Hacker trespasser - Section 217 of USA PATRIOT Act permits, but does not require, owner/operator of computer system to provide access to law enforcement to communications if –
1. O/O authorizes interception of hacker’s communications on the computer
2. Investigator acting under color of law
3. Reasonable grounds to believe contents will be relevant to investigation.
4. such interception not acquire other communications.
Disclosures forbidden by law (unless consented to)
- State law evidentiary privileges – eg. atty- can prohibit client, doctor-patient.
Forbids forcing disclosure, but can still consent.
Recall COPPA, HIPAA - consent required or exception.
Fifth Am self incrim right also.
Public access to court records: protective orders
- response to public access to court records: protective orders, where judge dets what info should not be made public and what conditions apply for access. Moving party must show good cause
Reqs for PO:
- must be confidential information in the 1st place.
- must show info is relevant to the case
- must weigh harm against the need for the information.
- HIPAA has a qualified protective order provision, applies in state courts not covered by PO in fed rules of civpro.
If granted, prohibits parties from using/disclosing PHI except in litigation, and must return it at end.
Public access: required redaction
FRCP Rule 5.2: “Privacy Protection for Filings Made with Court”
Requires no more than this in court filings:
- The last four digits of the Social Security number and taxpayer-identification number
- The year of the individual’s birth
- If the individual is a minor, only the minor’s initials
- The last four digits of the financial account number
Certain exemptions exist, and can file under seal w/o redaction in some cases.
Bankruptcy has similar rules.
Criminal proceedings add city and state of home address also must be redacted.
E-discovery of electronically-stored information (ESI): Guidelines of Sedona Conference re. emails
Regarding email retention, the Sedona Conference offers four key guidelines:
- Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units
- Such teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice
- Interdisciplinary teams should reach consensus as to policies, while looking to industry standards
- Technical solutions should meet and parallel the functional requirements of the organization
When can data not be included in response to e-discovery request?
When done in good faith, data that is “transitory in nature, not routinely created or maintained by [d]efendants for their business purposes, and requiring of additional steps to retrieve and store,” may be considered outside the duty of preservation
Court test to resolve conflict between retention policy and a discovery request?
(1) a retention policy should be reasonable considering the facts of the situation,
(2) courts may consider similar complaints against the organization and
(3) courts may evaluate whether the organization instituted the policy in bad faith.
Tension between GDPR and a domestic discovery request
Ways courts have resolved:
- if party sought US jurisdiction, then require production
- require production for all parties, regardless of whether sought US jurisd.
- Focus on nature of document at issue - privacy log describing docs without disclosing - balancing
- resort to Hague Convention on the Taking of Evidence (much harder - is last resort for those seeking evidence)
party seeking to displace FRCP bears burden of demo Hague is more appropriate and that foreign law prohibits production
Aérospatiale case outlines factors US court may use to make this determination:
- The importance of the documents or data to the litigation at hand
- The specificity of the request
- Whether the information originated in the United States
- The availability of alternative means of securing the information
- The extent to which the important interests of the U.S. and the foreign state would be undermined by an adverse ruling
Katz v. US
“What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.” The court found that a warrant was needed for a police bug in a restaurant, placed to hear the calls behind the closed doors of a phone booth.
Katz is best remembered today for the widely cited “reasonable expectation of privacy” test. In a concurring opinion, Justice John Marshall Harlan stated: “There is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”
Exceptions to req of warrant where a reas exp of privacy exists
- “In public” exception - if knowingly expose to public, not prot by 4th - plain view
- If put info in hands of 3rd party, it’s not protected by 4th
so companies can turn over data subject info without warrant when data subj gave them the info.
But see Jones v. US
Jones v. US
The court held unanimously that a warrant was needed when the police placed a Global Positioning System (GPS) device on a car and tracked its location for over a month. The majority decision emphasized that the police had trespassed onto the car when they physically attached the GPS device. Four of the nine justices, however, would have held that a search occurred even without the physical attachment, and even for movements that took place entirely in public. A fifth justice seemed to indicate sympathy for this constitutional limit on surveillance of “in public” activities, and also stated that the time had come to reexamine the third-party doctrine
Riley v. California
The 2014 case of Riley v. California was an important decision where the Supreme Court unanimously held that the contents of a cell phone cannot be searched unless law enforcement officers first obtain a search warrant. The justices ruled that the data on a cell phone was quantitatively (the amount of data) and qualitatively (the kind of data) different than the contents that would normally be found in a physical container, which was the analogy the government had proposed to the court. As to the quantity of data, the Court noted the immense storage capacity of cell phones as well as the ability to link to remote storage. With regard to the quality of data, the Court opined that Internet searches can reveal a person’s interests, and location information can pinpoint an individual’s movement over time.
HIPAA - When disclosure to law enforcement is permitted without consent = “law enforcement exception”
- The information sought is relevant and material to a legitimate law enforcement inquiry
- The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought
- De-identified information could not reasonably be used
Note: Other than law enforcement exception, HIPAA has a “required by law” exception to cover where other statutes require disclosure.
Other HIPAA disclosures to law enforcement permitted in these cases
- about a crime on the premises,
- about decedents in connection with a suspected crime,
- in emergencies,
- about victims of a crime even in the absence of patient consent if a multifactor test is met.
- Limited information may in some instances also be released for identification and location purposes
General approach of federal law wrt access to communications by law enforcement / govt.
- From strictest to most permissive, federal law has different rules for
(1) telephone monitoring and other tracking of oral communications;
(2) privacy of electronic communications and
(3) video surveillance, for which there is little applicable law.
- Federal law is also generally stricter for real-time interception of a communication, as contrasted with retrieval of a stored record.
- In each area, states may have statutes that apply stricter rules.
- Furthermore, monitoring that is offensive to a reasonable person can give rise to claims under state invasion of privacy or other common-law claims.
Title III interception requirements
- applies to phone wiretapping, bugging, any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circs justifying such expectation, and (via ECPA) to e-comms.
- But exact rules for wire, oral and e-comms vary.
- But interception of all of these is criminal offense and there is a PROA, unless exception applies.
Exceptions to T3 prohibition on interception of wire, oral, and e-comms
- If one party given consent (although some states are 2-party consent)
- Done in ordinary course of biz
- email or phone service provider, eg.
Stored Comms
- general prohib ag unauth acquisition, alteration or blocking of e-comms while in facility through which ecomms service provided.
- Crim penalties so careful before giving to law enfor. textbook not give standards, just say consult expert
- Exceptions
Company providing the service
or as authorized by user of service wrt ecomm from or to them
- Not pre-empt.
- Preservation orders: provider of wire/ecomm or remote computing service, upon request of govt. entity must take all necessary steps to preserve records, pending court order.
Pen Registers and Trap and Trace Orders
- Note traditionally, these were under the “relevant to an ongoing investigation” low standard, for production to law enforcement.
- USA Patriot Act expanded PR and T&T orders to not just phone numbers but any “dialing, routing, addressing, or signaling info” transmitted to or from a device or process.
USA FREEDOM Act pulled this back - prohibits PR and T&T for bulk collection, and restricting to phone # or email address or similar “specific selector”
Communications Assistance to Law Enforcement Act (CALEA) aka Digital Telephony Act
- Lays out duties of defined actors in telecomm industry to cooperate in interception of communications for law enfor., etc.
- Reqs telecomms to design products/services to ensure they can carry out lawful order to provide govt. access to comms.
- FCC implemented through r-making
- not apply to internet services, but rulemaking rendered VOIP and broadband subject to CALEA when interconnect with trad phone services.
Cybersecurity Information Sharing Act (CISA) – 2015
- The statute permits the federal government to share unclassified technical data with companies about how networks have been attacked and how successful defenses against such attacks have been carried out.
- Companies are authorized to voluntarily share with govts and private entities “cyber threat indicators” and “defensive measures” for a “cybersecurity purpose” or receive such info from these entities.
IF done in accordance with certain reqs, such as, for cyber threat indicator, first remove any info not dir related to threat and that relates to an individual
- Sharing with feds does not waive atty-client priv., but may wrt st/loc/priv
- Info shared can’t be used for enf action.
- Shared info exempt from FOIA, sim state laws.
- Company can monitor and operate defensive measures on own info, or of others with permission, for cyber purpose; and company protected from liability for this monitoring (not for operating defensive measures).
Right to Financial Privacy Act
“no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described” and meet at least one of these conditions:
- The customer authorizes access
- There is an appropriate administrative subpoena or summons
- There is a qualified search warrant
- There is an appropriate judicial subpoena
- There is an appropriate formal written request from an authorized government authority
Note: over 12 states have similar reqs
Consumers have right to notice and to challenge request
Damages available, plus punitive and atty fees
Media Records and Privacy Protection Act
Under PPA, government officials engaging in criminal investigations are not permitted to search or seize media work products or documentary materials “reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast or other similar form of public communication.” In practice, rather than physically searching a newsroom, “the PPA effectively forces law enforcement to use subpoenas or voluntary cooperation to obtain evidence from those engaged in First Amendment activities.”
It applies only to criminal investigations, not to civil litigation.
Several states provide additional protections.
Violation can lead to penalties of a minimum of $1,000, actual damages and attorney’s fees.
One important exception is if there is probable cause to believe that a reporter has committed or is in the process of committing a crime.
Evidence stored in a different country
Microsoft v. US (the Microsoft Ireland case) - 2d circuit ruled SCA not able to be used by govt to get data housed overseas, but Congress in 2018 passed CLOUD Act which expanded reach of SCA to cover overseas data.
FISA History
In passing FISA in 1978, both supporters and critics of broad surveillance powers achieved important goals. Supporters of surveillance gained a statutory system that expressly authorized foreign intelligence wiretaps, lending the weight of congressional approval to surveillance that did not meet all the requirements of ordinary Fourth Amendment searches. Critics of surveillance institutionalized a series of checks and balances on the previously unfettered discretion of the president and the attorney general to conduct surveillance in the name of national security.
Snowden
The 2013 President’s Review Group was told that 70 percent of its recommendations were being adopted in letter or spirit, and others have been adopted since.
The Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency in the executive branch, released detailed reports on the Section 215 and Section 702 surveillance programs, making numerous recommendations. Overall, PCLOB made 22 recommendations in its Sections 215 and 702 reports and virtually all have been accepted and implemented.
The Snowden revelations led to significant reforms in U.S. surveillance law and practices.
These reforms included passage of the USA FREEDOM Act in 2015, which among multiple provisions ended bulk collection under the Section 215 program,
and the Judicial Redress Act of 2016, which extends U.S. Privacy Act protections to certain non-U.S. persons. There have also been numerous administrative changes.
FISA Basics
FISA establishes standards and procedures for electronic surveillance that collects “foreign intelligence” within the United States. FISA orders can issue when foreign intelligence gathering is “a significant purpose” of the investigation. For law enforcement cases, court orders issue based on probable cause of a crime; FISA orders instead issue on probable cause that the party to be monitored is a “foreign power” or an “agent of a foreign power.”
In addition to wiretap orders, FISA authorizes pen register and trap and trace orders (for phone numbers, email addresses, and other addressing and routing information) and orders for video surveillance.
Generally can’t disclose the fact of order to the target.
Mostly an issue for telecomm providers