Whether we like it or not, the courts are getting more and more involved in privacy matters. Of course, the judge and jury certainly learn a lot about the specific situations in cases that come before them. However, the rest of their knowledge about privacy principles and how they are interpreted and implemented comes mainly from the news and their personal experiences.
While the business community has focused much of its attention on educating regulators and policy makers about privacy laws and industry best practices, not much, if any, attention has been paid to educating judges and juries about big data and the Internet of Things.
While the EU the big focus has been on the “Right to be Forgotten” decision by the EU Court of Justice, here are a few examples of where the courts are engaging in privacy matters in the US.
The US Supreme Court rejected an appeal by Google, leaving the company to face lawsuits accusing it of violating a federal wiretapping law by secretly collecting personal data while developing its Street View maps. It left intact an appeals court ruling that the US Wiretap Act protects the privacy of information on unencrypted in-home Wi-Fi networks.
Entertainment Company Sued Over Disclosures of Who’s Watching (Partially Settled)
Hulu, Cartoon Network, Disney Interactive and AMC Networks have been separately fighting proposed class action lawsuits about disclosures of who’s watching what based on the Video Privacy Protection Act of 1988 (VPPA). These lawsuits have made all sorts of claims of violating the law from information shared with a metrics company providing reports for the purpose of selling advertising to information shared with Facebook. Plaintiffs have also brought up alleged disclosures like smartphone registration IDs and Roku device serial numbers. The biggest decision to date is in the Hulu case where the US Magistrate interpreted “personally identifiable information” as not just the person’s actual name, but under the VPPA, disclosing a unique identifier and a correlated look-up table met the definition. The judge also ruled that an individual can be identified in many ways: by a picture, by an employee number, by the station or office or cubicle where one works, or by telling someone what ‘that person’ rented.
Wyndham Security Breach Law Suit (Under Appeal)
While there are numerous lawsuits that have been brought and will be brought in the future by individuals and State AGs over security breaches against prominent companies like Target and Home Depot, Wyndham decided to fight back against the FTC after experiencing a data breach. Section 5 of the FTC Act makes unlawful all “unfair or deceptive acts or practices in or affecting commerce.” The FTC has alleged that Wyndham violated that provision by failing to take responsible measures to protect credit card numbers from customers when their computer systems were hacked, the numbers stolen, and used to make fraudulent purchases. The questions Wyndham has raised are whether a company’s unreasonable failure to protect the security of consumer data can constitute an ‘unfair…act or practice’.
Carrier IQ has agreed to settle a class-action lawsuit alleging that is software for mobile devices logged keystrokes, violating consumers’ privacy. Carrier IQ claims the software isn’t readable and was intended to help mobile carriers discover the source of network problems. Class-action lawsuits were also filed against six device manufacturers including, HTC, Samsung and LG Electronics and were consolidated into one action under mediation. The FTC has also gotten involved accursing HTC of allegedly installing Carrier QI software in such a way that many third-party apps could access users’ keystrokes and gain access to the phone numbers users’ called, browsing histories and other data. HTC has settled these charges with the FTC.
Instagram, a mobile photo-sharing app, changed its Terms of Service after it was acquired by Facebook, allowing it to use pictures in advertisements without notifying or compensating users, and to disclose user data to Facebook and other advertisers. It also introduced a mandatory arbitration clause waiving user rights to file a class action lawsuit in most circumstances. Many users expressed outrage and a few days later, Instagram revised their Terms of Service further by deleting language about displaying photos without compensation. However, Instagram kept language that gave it the ability to place ads in conjunction with user content, and kept the mandatory arbitration clause. A class action lawsuit was filed that accused Instagram of violating the property rights of its users and breaching its existing terms of service by taking ownership of user images, especially in the situation where a user quits the service and automatically loses ownership of their photos to Instagram.
Whether this is a good thing or detrimental to getting the full value out of big data and the Internet of Things, it is inevitable. The question is “how should the business community be more proactive?” We welcome thoughts and feedback from others!