United States: Privacy - Wherefore Art Thou?

Let's face it – over the last 20 years or so, we have come to embrace, celebrate, and depend completely on electronic communications. What is more, we keep reaching out to grasp onto yet more ways to communicate, be it through Alexa (who just may be listening in on everything we do), our appliances, or whatever else is the internet-of-things gadget du jour. We love the ease, the fun, and the ability to run our lives from these contraptions. Without them we are lost.

But we also gave up something when we turned our lives over to these mechanisms. We lost our privacy. In fact, we gave it away – freely, if perhaps unwittingly. With each email, text, purchase, tweet, phone call, survey response, and picture posted, we leave an electronic trail leading right back to . . . us. Information about us can be found on our actual apparatuses, embedded in our messages, housed with our internet service provider, or floating somewhere in "the cloud." We don't actually know what information we have sent out there into the cyber world, how long it exists, or who can actually find that information and read it, decipher it, and use it against us. Some of us have started to worry about it too. "Isn't this information mine?" "Don't I have a say in what happens to it?" "Can't I stop others from seeing it?"

The Europeans have been addressing these issues for some time now, both at the individual national-level and on a European Community-wide basis. In May of this year, a whole new set of EC-wide rules and regulations went into force – the General Data Protection Regulation or, as it is more commonly known, the GDPR. A great deal has been written about the GDPR and all of its complexities and intricacies. But at its core, it was designed to do something that people forgot that they crave – it is designed to protect their privacy. As the EU Commission stated last year in a filing to the U.S. Supreme Court, the EC regards "protection of personal data [as] a fundamental right" and the GDPR reflects the EU's interest to protect that right.1

Thus, under the GDPR, individuals – that is, actual human beings – are given certain rights and controls over their so-called "personal data" . . . not only the content of their electronic messages but their very email addresses and any other information that may reveal who they are, where they live or work, what they purchase, or how they can be contacted via telephone, mobile phone, text, etc. In addition, individuals must be notified if some other person or entity is collecting their information and sharing it with someone else – and the individual is granted the right of review of that data, the right to correct it, the right to demand that the information be erased, and the right to demand to be forgotten2. Granted, there are some exceptions to the rights and obligations outlined in the GDPR, such as when the collection and transfer of the personal data is "necessary for compliance with a legal obligation." GDPR, Art. 6(1)(c). However, it likely will be years before the EC Data Protection authorities and the European courts will be able to provide any meaningful guidance about when and under what circumstances these exceptions apply.

The bottom line is this: In Europe, privacy rights over personal data is regarded as a fundamental right of the individual. What about here in the United States? Well . . . well . . . well, we are thinking about it.

Shortly after the GDPR went into effect, California adopted the California Consumer Privacy Act 2018, but that statute is of more limited scope and has yet to be tested. Intel recently has published proposed draft privacy legislation and is inviting public comment on its draft3. It also is possible that the new Congress may take up privacy rights issues and even, finally, amended the woefully outdated Stored Communications Act, which was adopted in 1986. But, as of now, we live in a hazy fog of privacy uncertainty.

That uncertainty was reinforced recently by the Third Circuit Court of Appeals in its September 20, 2018 decision in Walker v. Coffey, 905 F.3d 138 (3d 2018). There, Walker, an employee of Pennsylvania State University, brought suit against the state prosecutor and a special agent employed by the state attorney general for using an invalid subpoena to induce her employer into collecting and producing her work emails. The emails were sought as part of a criminal investigation into Walker and her husband's activities.

Initially, defendants simply asked the University for Walker's work emails. However, University officials balked and asked for "something formal, a subpoena." Id. at 142. Defendants "complied" with that request by obtaining a blank subpoena form from the local courthouse but filled out only part of it before submitting it to the University. Defendants later conceded that by leaving out required information – including relatively innocuous information such as the date and place of document production – the subpoena was incomplete and unenforceable. Id. Despite this infirmity, the University's general counsel accepted the subpoena and ordered that Walker's work email be collected and handed over to the law enforcement officials. Walker, of course, was not informed of these developments.

Ultimately, all criminal charges against Walker were dismissed. Walker, however, then brought suit against defendants under 42 U.S.C. § 1983 – the statute that permits an individual to file suit claiming that he/she was deprived of rights by a government official – arguing that the use of an invalid subpoena to obtain her work emails violated her Fourth Amendment right to be free from unreasonable search and seizure. Defendants moved to dismiss on the grounds that they had qualified immunity because Walker had no reasonable expectation of privacy in her work emails. Id. at 143. The district court agreed, finding that Walker could not show a clearly established, constitutionally based right to privacy in the content of her work email. And the Third Circuit affirmed.

The Third Circuit began with the "touchstone of Fourth Amendment analysis" – i.e., whether a person has a constitutionally protected reasonable expectation of privacy over the subject matter seized. That analysis requires a two-part inquiry asking first whether the person manifested a subjective expectation of privacy and whether "society is willing to recognize that expectation as reasonable." Id. at 145 (citations omitted). The court concluded that Walker's subjective expectations were clear and, thus, focused only on the second question – whether Walker had an objectively reasonable expectation in the content of her work email.

From there, the Third Circuit conducted a survey of Supreme Court decisions, in particular those that addressed new advances in technology over the decades. Hence, in U.S. v. Katz, 389 U.S. 347 (1967), the Court recognized a reasonable expectation of privacy in the contents of a telephone call conversation made from a public telephone, but in Smith v. Maryland, 442 U.S. 735 (1979), the Court held that there is no expectation of privacy in the telephone numbers actually dialed and that obtaining that information from the telephone company does not implicate the Fourth Amendment. As the Third Circuit explained "the core holding of Smith rested upon the established rule that 'a person has no legitimate expectation to privacy in information [he/she] voluntarily turns over to third-parties.'" Id. at 145-46 (quoting Smith, 442 U.S. at 743-44).

Moving from the world of telephone calls to more modern communication methods, the Third Circuit then discussed City of Ontario v. Quon, 560 U.S. 746 (2010), where the Supreme Court essentially punted on the question of whether a police officer had a reasonable expectation to privacy in text messages sent over a city-issued pager. There, the Supreme Court determined that it was premature to "elaborate[e] too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear." Quon, 560 U.S. at 759. Instead, the Supreme Court assumed for purposes of its opinion that Quon had a legitimate privacy expectation but ultimately determined that, because his messages were searched by his employer for a valid work-related purpose, Quon's Fourth Amendment rights were not violated. Quon, 560 U.S. at 764-75 (search conducted by an employer for non-investigatory work-related purposes or to investigate work-related misconduct does not constitute an impermissible search and seizure).

The Third Circuit then looked at two other decisions from 2010 – one from the Eleventh Circuit, Rehberg v. Paulk, 611 F.3d 828 (11th Cir. 2010), and one from the Sixth Circuit, United States v. Warshak, 631 F.3d 266 (6th Cir. 2010). In the former, the Eleventh Circuit deferred from declaring a privacy right in emails based on the view that because this information was shared with third-party internet service providers (ISPs), it is questionable whether an established reasonable expectation of privacy exists in that information. Rehbert, 611 F.3d at 847. The Sixth Circuit, however, went the other way and held that law enforcement officials violated Warshak's Fourth Amendment rights when it subpoenaed his ISP and obtained over 27,000 emails sent to or received by Warshak's email address. The Sixth Circuit explained that an ISP is the functional equivalent of a post office or telephone company, and "the government cannot compel a commercial ISP to turn over the contents of emails without triggering the Fourth Amendment." Warshak, 631 F.3d at 286.

Strangely absent from the Third Circuit's discussion was any mention of the Supreme Court's June 2018 analysis of the intersection of the Fourth Amendment and modern technology – arpenter v. United States, 138 S. Ct. 2206 (2018). There, as part of an investigation into a string of robberies, the FBI obtained, without a warrant, the suspects' cell-site location information, which is data automatically transmitted from a person's cellphone to near-by cell towers. Such information is routinely retained by wireless service providers for internal business purposes, but the information can be collected and produced. The Supreme Court held that Fourth Amendment privacy rights do attach to such personal location information and that the government may not obtain that information without a warrant. Again, however, the Third Circuit ignored this opinion.

In any case, Walker argued to the Third Circuit that the Sixth's Circuit's analysis and reasoning in Warshak should be followed. However, the Third Circuit declined, explaining that there is not a "robust consensus of cases of persuasive authority" in support of the Sixth Circuit's approach and that, in fact, Warshak, appeared to be something of an outlier. Walker, 905 F.3d at 148. Moreover, the Third Circuit found a distinction between Walker's situation and Warshak – i.e., Walker's claim arose out of a search and seizure of her work emails and that "an employee's Fourth Amendment rights in the workplace are subject to additional exceptions and limitations." Id. In particular, the Third Circuit emphasized that while an employee may have some privacy rights in work emails vis-à-vis outsiders, those rights are very much circumscribed vis-à-vis the employer's right to examine those communications. Id.

In coming to its conclusion, the Third Circuit further noted that "courts have long recognized that employers, as third parties who possess common authority over the workplace, may independently consent to a search of an employee's workplace documents or communications." Id. That bears repeating – employers can independently consent to a search and seizure of an employee's emails and other documents, regardless of the employee's privacy interest to the extent that they exist, because the employer has common authority over the workplace and its equipment. And the Third Circuit is not alone in reaching this conclusion. Rather, in reaching its conclusion, the Third Circuit specifically followed and adopted the Ninth Circuit's decision in United States v. Ziegler, 474 F.3d 1184 (9th 2007).

The Third Circuit's bottom line here is that: 1) Walker had no reasonable privacy interest in her work emails because they were subject to the common authority of her employer Penn State; and 2) because Penn State had the authority to consent to a search and seizure over its employee's communications, the fact that the authorities' subpoena was deficient was meaningless. Id. At 149-50. Thus, the search and collection of Walker's emails conducted by Penn State at the request of law enforcement officials was not illegal and did not violate Walker's rights. The Third Circuit did note that it was "dismayed" that the law enforcement officials relied on an invalid subpoena, but it is highly doubtful that this "dismay" provided any comfort to Walker. How could it have, given that the Third Circuit essentially held that tricking Walker's employer with a bogus subpoena, and then not telling her about it, did not matter at all?

Where does all this leave us? Uneasy. Worried. Waiting for the next privacy shoe to drop. Maybe we just should know better. The Fourth Amendment is a mighty bulwark designed to protect us, but it is surmountable. Each new advance in technology represents a new challenge to finding the right privacy balance. What we do know as of now is that if we have "shared" our information with our employer or some unknown data server located somewhere or anywhere, we remain vulnerable to the grasp of unknown "others." Moving forward, remember this motto: Users beware.

Footnotes

1 See Brief of the European Commission on Behalf of the European Union as Amicus Curiae in Support of Neither Party at 1 and 8, United States v. Microsoft Corp., No. 17-2 (S. Ct. Dec. 13, 2017) (hereinafter "EC Amicus Brief"). The Microsoft case concerned a warrant issued under the Stored Communications Act by a federal magistrate judge in New York for an individual's electronic data/documents stored on a Microsoft server in Ireland and Microsoft's refusal to comply on the grounds that the Stored Communications Act did not have extraterritorial reach. The Second Circuit subsequently agreed with Microsoft and overturned the district court decision. The U.S. government appealed the matter to the Supreme Court and oral argument was held in February 2018; however, due to new legislation that clarified the extraterritorial application of the Stored Communications Act, the appeal was deemed moot and dismissed.

2 See generally GDPR, Arts. 15, 16, 17 and 21. See also Letter from the Office of the European Data Protection Supervisor to the EC Directorates General for Competition, Trade, Anti-Fraud, and the European Investment Bank, October 22, 2018 at 6 (confirming obligation under GDPR Art. 14(1)(e) of entities to inform employees about the identities of recipients of their personal data when their personal data is collected and transferred, but noting that governmental agencies with investigatory authority do not constitute a "recipient" when collecting information within the scope of their authority.)

3 See Intel's Approach to Privacy and draft legislation attached thereto available at https://usprivacybill.intel.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Sign Up
Gain free access to lawyers expertise from more than 250 countries.
 
Email Address
Company Name
Password
Confirm Password
Country
Position
Industry
Mondaq Newsalert
Select Topics
Select Regions
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions