Blog

  • Joshua Shirley Blog Post

    Joshua Shirley

    Information Privacy Law

    Professor Ira Rubinstein

    March 7, 2017

    Privacy Blog Post – GDPR Compliance with Risk Management

    Despite the General Data Privacy Regulation having the force of law, Gartner has issued two different predictions that less than 50% of organizations covered by the law will be in compliance by the 25 May 2018 deadline. A recent Dell survey also found that only 3% of those covered had finalized a strategy to be compliant while 37% had started such a strategy. Ergo 60% – a majority of entities covered by the regulation – currently have no plan to be compliant. By all accounts, being compliant with the new GDPR obligations will require adjustments from the majority of covered entities that are so extensive, the groundwork for compliance ought to be underway, so industry’s sluggish reaction is raising some eyebrows.

    However, at least some experts remain convinced that the GDPR is already changing and will continue to influence industry behavior. Speaking at an International Association of Movers (IAM) conference in London last week, Gartner research director Bart Willemsen highlighted several features of the GDPR that in his opinion will carry the greatest weight for covered entities.

    Willemsen stressed the GDPR’s emphasis on a data life cycle, and its new rules and regulations governing the end of that life cycle, the currently problematic part of the status quo for EU citizens. Specifically, he highlighted the maximum penalty: the higher of 20 million Euros or 4% of annual turnover for the most serious infringements, or half that for less serious infringements. He also highlighted that individuals now may bring class actions, and breaches such as the Yahoo breach of 2016 would cost 860,000 dollars per occurrence.

    He also highlighted the strengthened and expanded rights of access, correction, portability and erasure. All in all, despite the current inaction suggesting non-compliance, he remained optimistic industry would follow the GDPR. “This is a regulation, it is a law, and I am not telling you to break a law,” he said. “I drive a motorbike and don’t willfully break the speed limit, that’s breaking law. GDPR is law but I have faith in you.”

    https://www.infosecurity-magazine.com/news/gdpr-compliance-risk-management/

  • Lauren Kreps Blog Post

    Lauren Kreps

    Information Privacy Law

    Professor Ira Rubinstein

    March 6, 2017

    Amidst the steady current of Executive Orders President Trump has issued in his first two months in office, it would have been all too easy to miss his January 25, 2017 Executive Order threatening to place US-EU agreements on privacy regulation in jeopardy. After all, just two days later the President issued another Executive Order announcing an unprecedented travel ban on refugees and citizens of certain predominantly Muslim countries into the US, inciting nationwide protest and rebuke.

    Though the human toll implied by the latter justifiably dominated national debate, both Executive Orders presented potentially seismic shifts in their respective international policy landscapes – one concerning the movement of people, the other of data.

    Having already been rattled by the fall of the decades-long Safe Harbor agreement that facilitated data flow between Europe and the US, those with a political, commercial or philosophical stake in the transnational flow of information saw the January 25 Executive Order as an open threat – albeit one of a lesser order of magnitude than what was to follow. Particularly concerning was Section 14 of the January 25 presidential order, mandating that US agencies “shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

    This came as a surprise to European officials, who in the wake of the Safe Harbor invalidation had spent months collaborating with the Obama administration to ensure the July 2016 enactment of The EU-US Privacy Shield. Addressing privacy “holes” that Safe Harbor had left untended, the Privacy Shield aims to guarantee the continued flow of commercially-essential personal information (PI) from the EU to the US, while also allaying European fears of surveillance by American security services.

    The implications of the unwinding of US-EU cooperation on privacy regulation are extensive. Over 2,000 companies have already signed on to the Privacy Shield framework – companies including Google, Facebook, Twitter and Microsoft, whose businesses rely on the ability to store data about EU citizens on US servers. A recent New York Times article stated that the Privacy Shield made possible as much as $260 billion of trade in digital services. Commercial interests aside, assurances of equal treatment of EU citizens are also crucial to cooperation on the Umbrella Agreement, which enables the sharing of law enforcement data between the US and the EU.

    Concerned by the potential effects of President Trump’s unilateral decree, EU Justice Commissioner Vera Jourova expressed in an interview with Bloomberg that she would require assurance from the Trump administration that Privacy Shield would not be affected by the Executive Order. Otherwise, she claimed the EU would be prepared to suspend the pact.

    Apparently responsive to these concerns, the US Department of Justice wrote a letter to Jourova’s office stating that “Section 14 [does not] affect the commitments the United States has made under the DPPA (Umbrella Agreement) or the Privacy Shield.” Still, Jourova will be traveling to Washington to meet with officials from the Trump administration regarding the ongoing viability of Privacy Shield at the end of March, where she has stated she will expect “reconfirmation and reassurances.”

    Whether this most recent EU-US data transfer mechanism can truly survive in the face of diminished privacy protections for non-US citizens remains to be seen. For now, at least the data doors remain open.

    Sources:

    https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united

    https://www.nytimes.com/reuters/2017/02/27/business/27reuters-eu-dataprotection-usa.html?_r=1

    https://www.bloomberg.com/news/articles/2017-03-02/if-trump-spoils-privacy-pact-we-ll-pull-it-eu-official-warns

    https://www.privacyshield.gov/list

  • Giulia Checcacci Blog Post

    Giulia Checcacci

    Information Privacy Law

    Professor Ira Rubinstein

    March 6, 2017

    The European Commission proposes a new set of rules for protecting all electronic communications

    On January 10, 2017 the Commission of the European Union presented a proposal for a regulation concerning the protection of personal data in all electronic communications. The new rules are in line with the latest European legislation adopted within the Digital Market Strategy to increase the security and confidence in digital services.

    As clarified in the explanatory memorandum, the proposal aims to complement the General Data Protection Regulation (Regulation EU 2016/679) with specific regard to electronic communications, such as e-mails or instant messaging. In fact, these services are generally not subject to the current Union legal framework on electronic communications, including the ePrivacy Directive (Directive 2002/58/EC).

    The Proposal provides for the protection of both data and metadata (e.g. location), requiring their anonymization and deletion if end-users have not given their consent and as soon as their collection is no longer necessary. This way the Commission wants to ensure the confidentiality of all electronic communications.

    The main innovations, though, concern cookies and spam.

    As for cookies, the proposal simplifies the way the user can give his consent to the tracking of cookies and other identifiers. Instead of requiring the consent for every website visited, as it is now under the current ePrivacy directive, the user will be able to set the privacy settings of his browser in order to accept (or refuse) the tracking of cookies once and for all. This consent rule, though, does not apply to all types of cookies. Non-privacy intrusive cookies (e.g. cookies to count the number of visitors to the website) or the ones necessary to provide information or a service requested by the user (e.g. cookies that allow the website to remember the shopping cart history) do not require consent anymore.

    Moreover, the Proposal forbids any type of unsolicited electronic communication. Number-based interpersonal communications services providers should give users the possibility to easily block marketing calls. The proposed rules also ban anonymous marketing calls, requiring marketers to show their numbers or to use a special prefix for marketing calls (articles 12-14). Stricter requirements are set up also for e-mail. In particular, electronic contact details can be used for marketing purposes only if customers have been given the possibility – easily and free of charge – to refuse such use (articles 15-16).

    The Regulation will have to be fully aligned with the General Data Protection Regulation. The choice of using regulations – over directives, which are not directly applicable – will lower the risk of dissimilarities in the application of the legislation in the Member States. This proposal seems to confirm the main goal of the European legislator: the creation of a system of rules more and more uniform for the protection of privacy rights.

    While the scope of the actual ePrivacy Directive is limited to traditional telecoms companies, the proposed Regulation should apply to all the providers of electronic communications, WhatsApp, Facebook, Skype, Gmail included.

    However, the Proposal has been criticized by ETNO (European Telecommunications Network Operators) and GSMA (a trade association that represents the interests of mobile operators worldwide). Their main concern is that the new rules combined with the General Data Protection Regulation could result in a “double regime with blurred boundaries”, impairing their ability to process big data analytics in the interest of customers or to provide mapping services that compete with those already provided by other players.

    The Regulation should apply from 25 May 2018. However, we need to wait to see if the Regulation will be adopted and, if so, whether it will embed all the requirements included in the proposal or if there will be some changes.

    Related documents

    1. Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications

    http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241

    2. General Data Protection Regulation

    http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL%3A2016%3A119%3ATOC

    3. ePrivacy Directive

    http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1481215473410&uri=CELEX:02002L0058-20091219

    For more information

    http://europa.eu/rapid/press-release_IP-17-16_en.htm

    https://www.theguardian.com/technology/2017/jan/10/whatsapp-facebook-google-privacy-rules-ec-european-directive

    http://www.gsma.com/newsroom/press-release/etno-and-gsma-about-new-e-privacy-regulation/

  • PRG News Roundup: March 1st

    by Eli Siems

    Liferaft, a cloud-based open-source intelligence program, will allow lawyers and corporate professionals, among other potential clientele, to utilize a combination of data mining and geolocation to find social media posts relevant to “issues that might affect staff or assets.”

    Alexa the Amazon robot has evidence relevant to a murder. Amazon has filed a brief seeking to throw out a search warrant for Alexa’s records, saying it violates 1st Amendment rights – Alexa’s 1st Amendment rights! Amazon argues that both user commands and Alexa’s replies are constitutionally protected speech, the latter representing a novel legal argument.

    -On that note, readers interested in potential A.I. 1st Amendment rights should check out this article: “Siri-ously? Free Speech Rights and Artificial Intelligence.”

    -Promptly after signing a major deal with Disney, CloudPets Toys discovered that its vast data troves of children’s voice command recordings had been hacked, exposing over 800,000 user accounts and 2.2 million recordings. As of the end of February, CloudPets had not yet alerted exposed users to the breach.

    -Parts of FISA are up for reauthorization this year, including Section 702 of PRISM infamy. The White House has expressed full support for the reauthorization without reform of those provisions.

    -The Center for Democracy and Technology has released a new report on data deletion and consumer trust.

    Spiegel reported on documents suggesting German intelligence agencies spied on a large number of foreign journalists including BBC, Reuters, and New York Times employees.

    -Finally, a French businessman is suing Uber after the app continued to send updates to his wife’s phone (from which he had ordered the service) even after he had logged off, revealing to his wife his extramarital tryst. “My client was the victim of a bug in the application,” his lawyer asserts.

  • Heather Garvey Blog Post

    Heather Garvey

    Information Privacy Law

    Professor Ira Rubinstein

    February 28, 2017

    Plans to Destroy FCC Privacy Regulations Could Signal Future Structural Changes to Privacy Regulation by the FTC

    Congress and the Chairman of the Federal Communications Commission have recently been attempting to kill the FCC’s internet privacy rules. These FCC opt-in rules, which were created during the Obama administration, require broadband service providers to obtain permission from consumers prior to using their information for marketing purposes and to take steps to protect personal data and notify customers of a breach. In particular, the FCC Chairman, Ajit Pai, seeks to halt the rules before they go into effect this Thursday, claiming that all online entities should be regulated by the same guidelines. Similarly, Senator Jeff Flake (R-Ariz.) announced his plan to introduce a resolution to undo the privacy rules, noting that the Federal Trade Commission (FTC) should have control over all privacy issues.

    Commissioner Pai plans to hold an FCC vote to stay the implementation of the new rules. Currently, there are two vacancies on the FCC, leaving only three FCC commissioners total. Commissioner Michael O’Rielly supports Pai’s efforts to block the new rules, while Commissioner Mignon Clyburn wants to keep the rules and could potentially block a vote by denying a quorum. However, Pai could direct the FCC staff to stay the provisions and push for a vote later. Either way, it appears Pai is likely to be successful in halting the implementation of the rules this week. Since a future Democratic administration of the FCC could simply reinstate the rules, concrete change would be more effective coming from Congress than the FCC.

    Senator Flake instead is focusing on using the Congressional Review Act (CRA) that allows Congress to revoke a regulation within 60 legislative session days, with only a simple majority and the president’s signature, to remove the FCC rules. With the Republicans in control of both the House and Senate and with President Trump in the White House, the CRA can be used effectively to strip away many of the regulations passed under President Obama.

    These recent efforts by both Congress and the FCC shed light on the future of the FCC’s privacy regulation of broadband companies and the FTC’s effort at privacy reform.  We may see a greater push to have privacy regulation of all online companies, including broadband companies, come under the purview of the FTC, rather than continuing with the carve-out of broadband companies with the FCC.  For example, Representative Frank Pallone (D-N.J.) has asked the Government Accountability Office (GAO) to study the status of broadband privacy regulation and the authority of the bifurcated process by the FCC and FTC.  Since technology increasingly is flooding our everyday lives, perhaps individual privacy and data security should be addressed via a constant regulator, rather than a fluctuating, unstable system.

    One of the main concerns from Republicans and Pai is the opt-in system regulating broadband companies, where individuals must affirmatively consent to allow the companies to use their personal information. This standard is higher for broadband companies than for other online businesses who only need to use an opt-out system. For example, under the Administration Discussion Draft: Consumer Privacy Bill of Rights Act of 2015, online companies would be required to provide individuals a means to withdraw consent. Instead of entirely eliminating data privacy rules as applied to the broadband companies, perhaps a future solution would be to have the FTC regulate the entire industry with uniform rules, such as those proposed in the Consumer Privacy Bill of Rights Act of 2015. This change would eliminate the concerns of Republicans and Pai that broadband companies are treated unfairly, while simultaneously alleviating Democrats’ concerns about leaving online privacy entirely unregulated. Nonetheless, while unification of the rules might solve unfairness concerns, there would still be a significant fight ahead over whether to regulate all online companies under an opt-in system or an opt-out one.

    Sources

    http://www.latimes.com/business/la-fi-fcc-privacy-20170227-story.html

    http://thehill.com/policy/technology/320196-gop-sets-sights-on-internet-privacy-rules

    http://thehill.com/policy/technology/321433-dem-senator-pushes-back-against-gop-efforts-to-rescind-internet-privacy

    http://www.multichannel.com/news/congress/pallone-seeks-gao-study-broadband-privacy-oversight/411172

  • Joshua R. Fattal Blog Post

    Information Privacy Law Blog Post

    Joshua R. Fattal

    Professor Ira Rubinstein

    February 28, 2017

    Reasonable or Unreasonable: FCC’s Privacy Rule for ISP’s

    The new Republican majority on the Federal Communications Commission is planning to halt implementation of a privacy rule that was unveiled this fall alongside the more heavily publicized requirement that ISP’s get opt-in consent before sharing Web data and other consumer information with third parties. The part of this privacy order now at issue would require ISP’s and phone companies to take “reasonable steps” to protect customer proprietary information, such as Social Security numbers, financial and health information, and Web browsing data, from unauthorized use, disclosure, or access—aimed at preventing theft and data breaches.

    These security obligations are scheduled to take effect on March 2, but the new chairman, Ajit Pai, is looking to act on a request to stay this rule before then. Procedurally, Pai has little standing in his way because even if a majority of the commissioners supported keeping the rule in place, he can personally guide the FCC’s Wireline Competition Bureau to hold off on implementing the rule.

    Pai’s argument for rescinding this part of the rule is that ISP’s should not face stricter rules than online providers like Google and Facebook, which are regulated by the Federal Trade Commission. Instead, he supports a “technology-neutral policy framework for the online world” that is based on the FTC’s standards, and argues that the FTC standard should apply to everyone, saying “it did not matter whether an edge provider or internet service provider obtained your data.” But unless ISP’s are reclassified, they will not be protected under FTC rules because the FTC is barred from regulating common carriers.

    The FCC privacy rule notably does not mandate any specific data security practices. It identifies four factors that a provider must take into account when implementing data security measures, including the nature and scope of its activities, the sensitivity of the data it collects, its size, and its technical feasibility, though it notes that “no one factor, taken independently, is determinative.” The rule also supplies recommendations such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework and best practices recommended by the FCC’s Communications Security, Reliability, and Interoperability Council, but stresses that following these standards is voluntary, and that providers retain the option to use whatever risk management approach best fits their needs.

    When the privacy rule was originally announced and approved, former Chairman Wheeler had argued in favor of it in light of the fact that ISP’s are uniquely capable of collecting consumers’ Internet traffic because they can monitor everything that happens over the connection, and because customers have difficulty voluntarily switching ISP’s (unlike how they can voluntarily switch use of web browsers). The FTC itself has recognized these heightened concerns regarding ISP’s in its March 2012 Protecting Consumer Privacy in an Era of Rapid Change report, and has supported the FCC’s ruling, noting that consumers will be better protected under the FCC’s standards than they would be under the FTC, which does not have rule-making authority.

    In light of these arguments, while Chairman Pai is correct in pointing out the significant appeal of a uniform standard—something that the 2015 draft Consumer Privacy Bill of Rights as well as the above-mentioned FTC report have also called for—this privacy rule continues to offer the ISP’s flexibility while still making sure reasonable security measures are undertaken.

    Some privacy advocates, even though they oppose the pending stay, say Pai’s move could discourage Congressional Republicans from taking the drastic step of revoking the entire privacy order. If Congress were to rescind the rules under the Congressional Review Act, then the FCC would not legally be allowed to replace them with other rules covering ISP protection. And while Chairman Pai may believe the FTC’s “unfair or deceptive” standard is more flexible and therefore preferable over this proposed reasonable care standard for ISP’s, customers would surely be the ones left to suffer the consequences if there were no standards for ISP’s at all.

    Related documents:

    http://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0224/DOC-343623A1.pdf

    https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-148A1.pdf

    Sources for more information:

    https://arstechnica.com/tech-policy/2017/02/isps-wont-have-to-follow-new-rule-that-protects-your-data-from-theft/

    http://www.consumerreports.org/privacy/new-fcc-chair-plans-to-block-net-privacy-rule/

    http://www.mediapost.com/publications/article/295886/fcc-to-block-portion-of-broadband-privacy-rules.html

  • Aliza Hassine Blog Post

    Aliza Hassine

    Information Privacy Law

    Professor Ira Rubinstein

    February 28, 2017

    The Impact of “The Internet of Things” on Consumer Privacy Policy

    For the past decade, numerous technology companies have developed products that have ushered in the era of “the internet of things.” “The internet of things” (“IoT”) is the concept of “connecting any device with an on and off switch to the Internet and/or to each other.” On a simple scale, IoT allows for the transfer of information between personal electronic devices and the like. However, the goal behind IoT is that it will eventually extend beyond the personal and reach mass networks. The implications of the expansion of IoT have most recently been seen with Amazon’s Echo device.

    At the end of 2016, the Arkansas police department issued a warrant for Amazon to hand over information from an Echo device for purposes of a murder investigation. Amazon refused and formally responded to the request last week. In their response, Amazon stated that they had already provided information regarding the suspect’s purchase history and any further information would be in direct violation of consumer privacy rights. This case is far from being resolved and has sparked much debate regarding IoT and the current state of consumer privacy law.

    The Amazon Echo is an internet-connected home assistant device that is able to sync with licensed third party products. It is always on and is “continuously recording local audio sounds.” The audio files are then stored in the cloud on servers where they are analyzed for purposes of improving the product. The Echo is always learning and updating in order to better function for its individual user. The recent Arkansas murder investigation and the warrant issued by the police has led many to question the potential privacy risks associated with “always-on” in-home devices such as the Echo, as they amass a tremendous amount of personal user information. The primary fear associated with data collection in-home products is that government agencies may argue that they do not need warrants to access this kind of data, thereby, threatening already established constitutional protections regarding the home.

    In-home devices and always-on technological products present issues for the protections against unreasonable searches and seizures under the Fourth Amendment. While the Supreme Court has emphasized the protections associated with the sanctity of the home, it has not yet determined whether the home encompasses the smart home. Complicating matters further is the third-party doctrine, which holds that any information provided to third parties receives little to no protection under the Fourth Amendment. This extends to information given to a company “confidentially and on the assumption that it will be used only for limited purposes.” In some cases, Congress has chosen to protect third-party collected information through the Wiretap Act or Stored Communications Act; however, a warrant may circumvent those protections. As previously stated, a warrant was presented by the Arkansas police department, but Amazon has still refused to hand over the information.

    Amazon recently stated that they are refusing to turn over the requested information because of the overbroad warrant; “Amazon objects to overbroad or otherwise inappropriate demands as a matter of course.” Amazon is taking the stance that its users’ privacy is primary and should be protected to the fullest extent possible. However, it is unclear whether Amazon is itself violating potential consumer privacy concerns by continuously collecting user data. Users need to become aware and take advantage of tools that give them control over how and where their communications are kept. While the consumer agrees to the privacy policy set forth by Amazon, the consumer is unable to limit the amount of information the Echo absorbs and does not have complete access to the information stored by the product. “Always-on” devices are listening to consumers in their most private spaces and questions persist whether it is reasonable to expect consumers to monitor their every word in front of their home electronics. Where do we, as a society, draw the line? What is the new standard for a reasonable expectation of privacy in the home?

    Products like the Amazon Echo are continuing to advance and are resulting in more legal questions than answers. Consumer privacy protections are critical in a society that is constantly changing and pertinent policy is necessary in order to better protect consumers and diverse stakeholders. Consumers need to be provided with all of the information necessary when dealing with products that are innately designed to invade their personal space. The FTC and the DOJ need to tackle the questions and concerns of those whose personal interactions in their homes may be subject to routine surveillance as a result of their engagement with technology. Congress needs to lay out strong and precise standards for when the government can access data from these devices. The third-party doctrine needs to be reconciled with technological innovation and the Fourth Amendment needs to be understood to encompass the smart home. Consumers need to have complete access to all of their audio recordings and should have the ability to turn off always-on devices. Lastly, the draft Consumer Privacy Bill of Rights Act of 2015 should ultimately be enacted by Congress.

    While it is important to recognize the benefits associated with always-on technologies, it is equally important to protect consumer privacy and ensure trust in all technological products. The case between Amazon and the Arkansas police department clearly has immense privacy implications for IoT and consumers. Hopefully, the case will bring some legal clarity and finality to the IoT space, answer questions regarding data ownership, and define the scope of consumer privacy policy.

    Sources:

    1. http://www.latimes.com/business/technology/la-fi-tn-amazon-echo-privacy-qa-20170105-story.html
    2. https://mic.com/articles/162865/amazon-echo-privacy-is-alexa-listening-to-everything-you-say#.SSENNndX6
    3. http://www.npr.org/2016/12/31/507670072/amazon-echo-murder-case-renews-privacy-questions-prompted-by-our-digital-footpri
    4. https://www.wsj.com/articles/the-internet-of-things-is-here-and-it-isnt-a-thing-1471799999
    5. https://www.aclu.org/blog/free-future/privacy-threat-always-microphones-amazon-echo
    6. https://www.nytimes.com/2016/07/28/technology/personaltech/alexa-what-else-can-you-do-getting-more-from-amazon-echo.html
    7. https://techcrunch.com/2016/12/27/an-amazon-echo-may-be-the-key-to-solving-a-murder-case/
    8. https://techcrunch.com/2017/02/23/alexa-free-speech/
    9. https://www.wired.com/2016/12/alexa-and-google-record-your-voice/
    10. https://www.nytimes.com/2017/01/16/opinion/ask-alexa-no-hear-this-alexa.html?_r=0

     

  • Esteban Rubio Blog Post

    INFORMATION PRIVACY LAW BLOG POST

    Professor Ira Rubinstein

    Esteban Rubio

    February 28, 2017

    The Secret Pooper Aftermath

    There has not been a more significant case for genetic information privacy than Lowe v. Atlas Logistics Group Retail Services, 102 F.Supp.3d 1360 (GA, 2015). Although it was decided in 2015, it has significant importance as the first case to go to trial and obtain a favorable decision after being rejected by the Equal Employment Opportunity Commission (EEOC).

    Atlas Logistics involved a company that sought DNA tests of its employees to obtain information and identify a “pooper” who routinely used the company’s facilities to leave his feces. The company requested petitioners to submit to cheek swabs in 2012 to analyze them for genetic comparison with the stool samples. After the testing, Lowe and Reynolds sued the company under the Genetic Information Nondiscrimination Act (GINA), considering that the use of their genetic information was unlawful.

    Atlas argued that GINA was not applicable because they were not seeking medical information of employers but rather trying to find the “mystery pooper”. However, the Court sided with petitioners by stating that the clear language of GINA made it unlawful for employers to request, require, or purchase genetic information with respect to an employee, and more so to do so for dismissing people.

    In today’s world in which genetic information is easily accessible and obtainable and where employers seek – and do obtain – information from every possible source, having a restraint on employees is more relevant than ever.

    Atlas Logistics set an example both for companies and the EEOC. The EEOC saw its decision challenged and was required to reinterpret its view about genetic information; companies looked at an example of high monetary cost – which in Atlas was 2.25 million in damages.

    The EEOC is still actively enforcing GINA because companies still try to obtain genetic information – but using deceptive mechanisms. Such was the case in a recent 2016 settlement between BNV Home Care Agency and the EEOC, EEOC v. BNV Home Care Agency, Inc., Case No. 1:14-cv-05441-JBW-RML.

    According to the EEOC, BNV engaged in the unlawful practice of collecting employees’ and applicants’ genetic information by asking them questions about their family medical history on an employee health assessment form. Such a request was considered illegal because you cannot obtain impermissible genetic information using health assessment forms and requesting family information.

    “Forcing employees and applicants to provide genetic information in order to maintain or obtain their jobs is clearly against federal law, and EEOC will continue to combat this form of discrimination,” EEOC Acting New York District Director Judy Keenan said in a statement regarding this settlement.

    For more information:

    https://www.theatlantic.com/technology/archive/2015/08/the-case-of-the-mystery-pooper-dna-privacy/400355/

    http://www.nature.com/news/why-the-devious-defecator-case-is-a-landmark-for-us-genetic-privacy-law-1.17857

    https://www.eeoc.gov/eeoc/newsroom/release/11-1-16a.cfm

     

  • Sarah Benowich Blog Post

    Sarah Benowich

    Information Privacy Law

    Professor Ira Rubinstein

    February 24, 2017

    Norma McCorvey, the anonymous plaintiff in the landmark case Roe v. Wade, died on February 18, 2017, bringing renewed attention to the case that established that the constitutional right to privacy extends to a woman’s right to an abortion, and continued a long line of jurisprudence shaping a woman’s constitutional right to privacy and abortion.

    Although by the end of her life she actively opposed abortion, McCorvey will always be connected with the monumental decision of Roe v. Wade, 410 U.S. 113 (1973). Before becoming the plaintiff in Roe, then 22-year-old McCorvey had already suffered through sexual abuse, homelessness, and bouts of suicidal depression. Her case arose when she sought to terminate her third pregnancy by abortion, which in Texas was restricted only to instances in which abortion was necessary to save the life of the mother.

    Ultimately, a 7-2 majority of the Court held that the constitutional right to privacy inherent in the 14th Amendment to the United States Constitution guarantees a woman’s right to an abortion, particularly within the first trimester of the pregnancy. See also Griswold v. Connecticut, 381 U.S. 479 (1965). While Roe established this right for women, it was also very focused on doctors’ own autonomy and privacy rights under the fundamental rights approach that had been developing. See Skinner v. Oklahoma, 316 U.S. 535 (1942). The case also defined varying levels of state interest for regulating abortions for the second and third trimesters.

    This test was later changed in Planned Parenthood v. Casey, where a plurality of the Court upheld the central tenets of Roe, but held that the appropriate standard was whether a particular statute or regulation imposes an undue burden on a woman seeking an abortion of a nonviable fetus. 505 U.S. 833. In Casey, the only provision that the Court struck as unconstitutional was one requiring women seeking abortions to inform their husbands, focusing on the possibility for abuse and emphasizing the social utility in promoting and protecting inter-spousal communications. Justice Scalia’s dissent in Casey is of renewed relevance as Judge Neil Gorsuch of the 10th Circuit undergoes confirmation hearings to be a Supreme Court justice and lawmakers seek insight into his views on privacy and abortion. Gorsuch, many argue, is an ideological peer of Justice Scalia, who, in Casey, wrote that there is no constitutional right to abortion because it is not in the Constitution and states have a long history of restricting access to abortion.

    This constitutional right to privacy was limited in 2003 with the passage of the Partial-Birth Abortion Act, which Gonzales, a late-term abortion provider who had been the target of arson and other violence, challenged in Gonzales v. Carhart, 550 U.S. 124 (2007). Writing for a 5-4 majority, Justice Kennedy upheld the provision – a significant narrowing of Roe – finding that because the law only restricted one type of popular abortion technique, it did not impose an undue burden.

    Most recently, however, the Court rejected Texas HB2 as imposing an undue burden on women in Whole Woman’s Health v. Hellerstedt, 136 S.Ct. 2292 (2016). In Whole Woman’s Health, clinicians, on behalf of themselves and their patients, challenged HB2, alleging that the two main requirements – that clinics providing abortions have admitting privileges at hospitals within 30 miles of the clinic and maintain the standards of an ambulatory surgical center – imposed an undue burden on women seeking abortions, while proponents of the bill argued that HB2 attempted to protect women’s health. The Court, finding that these requirements were medically unnecessary and would have dramatically reduced the number of clinics available, found that HB2 imposed an undue burden on women seeking to exercise their right to abortion as protected by the constitutional right to privacy.

    In the absence of federal guidelines or laws, there is great variation among the states with respect to abortion and women’s privacy laws. A recent challenge against an Alaska law effectively banning outpatient health centers from providing second-trimester abortions builds on the jurisprudence of a woman’s right to privacy protecting her ability to seek and obtain an abortion free from undue burdens. Of course, the privacy implications of a woman’s choice to seek or obtain an abortion involve some of the most intimate and sensitive areas in life: medical decisions, sexual activity, religious beliefs and ideological leanings. With the recent death of Norma McCorvey and the impending confirmation hearings for Judge Gorsuch, the discussion of a woman’s right to privacy and abortion remains ever-relevant.

    Sources:

    https://www.nytimes.com/2017/02/06/us/politics/reading-between-the-lines-for-gorsuchs-views-on-abortion.html

    https://www.nytimes.com/2017/02/18/obituaries/norma-mccorvey-dead-roe-v-wade.html

    https://www.adn.com/politics/2017/02/21/the-alaska-medical-board-normally-licenses-doctors-but-now-its-in-the-court-fight-over-abortion/

    https://www.aclu.org/legal-document/ak-complaint-declaratory-or-injunctive-relief

  • Phillip Brown Blog Post

    Phillip Brown

    Information Privacy Law

    Professor Rubinstein

    February 22, 2017

    Presidential Candidates, Their Health and the Law

    There is no requirement that Presidential hopefuls disclose their health records or any health information to the public. Interest in the health of candidates, however, is a given today. In the recent Presidential election, public debate over candidate health took center stage repeatedly. Secretary Clinton, for example, disclosed that she had been diagnosed with and treated for pneumonia after becoming dehydrated and leaving a September 11th memorial ceremony early.

    President Trump, in a more comical instance of public health ‘disclosure’, had released a statement from his longtime physician rife with hyperbole and offering no real assessment of his health status.

    Despite widespread belief that a candidate’s health is an important factor in their ability to lead (a 2004 Gallup poll found that 96% of Americans consider a President’s health very or somewhat important to their ability to be a good President), there appears to be little protection for those who would disclose a candidate’s health information or who would induce such a disclosure without the candidate’s authorization.

    The First Amendment may well protect the ‘innocent’ publishing of health records obtained from an anonymous source–as Parth Baxi noted on this blog several weeks ago in the context of the New York Times’ unauthorized publishing of information gleaned from President Trump’s tax documents, “a stranger’s illegal conduct does not suffice to remove the First Amendment shield from speech about a matter of public concern.” Bartnicki v. Vopper, 532 U.S. 514 (2001).

    Of course, whether the public’s concern should be taken seriously would seemingly have an impact, especially in the province of health information. While a candidate’s struggle with certain disorders (such as dementia, Alzheimer’s, etc.) is unquestionably of legitimate public concern, it is difficult to imagine what significance a candidate’s procedure to obtain hair plugs, for example, would have on their ability to perform the duties of their office.

    Regardless of the public interest served by unauthorized disclosures of a candidate’s health, in addition to any violation of HIPAA by a healthcare provider or their business associates for improper disclosure, the breach of contract tort would almost certainly impose liability on any physician or similar healthcare provider who had entered an implied contract of confidentiality with the candidate in question, as well as any who would induce violations of that confidence through third party liability.

    As was seen with the unauthorized disclosure of then-candidate Trump’s tax documents, there is a very real chance a candidate’s private information that has perceived public importance in an upcoming election will not remain private. This raises the question not only of how our current laws will treat healthcare-related ‘whistleblowers’, but how our laws should treat the persons responsible for such intrusions into a candidate’s privacy.

    Sources:

    http://time.com/4472265/clinton-trump-health-reports-history/

    http://www.nytimes.com/roomfordebate/2016/09/15/what-do-we-need-to-know-about-candidates-health/releasing-candidates-health-records-is-campaign-spin-and-distortion

    http://www.latimes.com/nation/la-na-presidential-health-disclosure-20160912-snap-story.html

    2004 Gallup Poll:

    http://www.gallup.com/poll/13558/fit-office-presidential-health-public-matter.aspx