03 March 2016

NSW Privacy Tort Report

The NSW Legislative Council Standing Committee on Law and Justice has released its report on Remedies for the serious invasion of privacy in New South Wales.

The Committee's terms of reference were
to inquire into and report on remedies for the serious invasion of privacy in New South Wales, and in particular: (a) the adequacy of existing remedies for serious invasions of privacy, including the equitable action of breach of confidence (b) whether a statutory cause of action for serious invasions of privacy should be introduced, and (c) any other related matter. 
Its recommendations are
R 1 That the NSW Police Force:
a) ensure that its officers receive training in the harms associated with technology-facilitated stalking, abuse and harassment; and 
b) that the training incorporate education about how existing offences and other orders, such as apprehended violence orders, could be used in respect of allegations of that nature. 
R 2 That the NSW Government undertake a statutory review of the Crimes (Domestic and Personal Violence) Act 2007 to consider additional potential remedies available to the Local Court to protect the privacy of individuals who have been or are seeking to be safeguarded by apprehended domestic violence orders. 
R 3 That the NSW Government introduce a statutory cause of action for serious invasions of privacy. 
R 4 That in establishing the statutory cause of action at recommendation 3, the NSW Government base the action on the Australian Law Reform Commission model, detailed in its 2014 report, Serious Invasions of Privacy in the Digital Era
R 5 That in establishing the statutory cause of action at recommendation 3, the NSW Government should consider incorporating a fault element of intent, recklessness and negligence for governments and corporations, and a fault element of intent and recklessness for natural persons. 
R 6 That the NSW Government:
a) broaden the scope of the NSW Privacy Commissioner’s jurisdiction to enable the Commissioner to hear complaints between individuals relating to alleged serious invasions of privacy; 
b) empower the NSW Privacy Commissioner to make determinations that involve non-financial forms of redress, including apologies, take down orders and cease and desist orders 
c) ensure that the NSW Privacy Commissioner is empowered to refer a complaint on behalf of a complainant to the NSW Civil and Administrative Tribunal for hearing for a statutory cause of action where there is a failure to act on a non-financial form of redress, including apologies, take down orders and cease and desist orders, and 
d) ensure that the Office of the NSW Privacy Commissioner is adequately resourced to enable it to fulfil its functions arising from the expanded scope to deal with complaints arising from alleged serious invasions of privacy.  
R 7 That the NSW Government confer jurisdiction on the NSW Civil and Administrative Tribunal to enable it to hear claims (in addition to ordinary civil courts) arising out of the statutory cause of action for serious invasions of privacy at recommendation 3.

01 March 2016

SNS

'Destined to Collide? Social Media Contracts in the U.S. and China' by Michael L. Rusted, Thomas H. Koenig and Wenzhuo Liu in (2016) 37 University of Pennsylvania Journal of International Law considers SNS terms and conditions.

The authors state
Part I of this article is the first empirical examination of the Chinese social media universe. We develop a typology of twenty-five of China’s most popular social media sites and compare terms of use from these social media with their U.S. counterparts. 
Part II compares the contracting practices of Facebook, Twitter, and Match.com to their Chinese equivalents. The core finding is that U.S. social media providers use terms of use to reduce their liability and protect their rights to the maximum. China social media providers rarely foreclose consumer rights and remedies in their terms of use but do include clauses that forbid user conduct that incites racial, ethnic, or religious disharmony or otherwise harms national stability.
Part III contrasts the terms of use of twenty-five of America’s largest and most popular social media sites’ terms of use with terms devised by the twenty-five largest Chinese social media providers. U.S. social media sites construct fine print boilerplate that include one-sided warranty disclaimers, caps on damages, mandatory arbitration and anti-class action waivers – provisions that are rarely found in the Chinese sites. Chinese social media terms of use frequently violate Western rights to free expression. We explore the doctrinal basis underlying these diametrically opposed mass-market agreements by comparing U.S. to Chinese law. The largest social media providers in both the United States and China have global ambitions and thus must devise user agreements that harmonize with the laws and policies of other nations if they are to avoid serious legal and cultural clashes.

28 February 2016

Surveillance

'Surveillance Policy Making by Procurement' by Catherine Crump comments
The Seattle police obtained a surveillance drone with the approval of a city council that did not realize what it was doing. Following a council review that lasted literally two minutes, the Oakland police created a data information center that networked together all of the city’s existing surveillance infrastructure. In San Diego, elected representatives were only dimly aware that the law enforcement agency they supervised had built and deployed innovative facial recognition technology.
In an age of heightened concern about the militarization of local police and surveillance technology, how is it possible for municipal law enforcement agencies to obtain cutting edge and potentially highly intrusive surveillance equipment without the knowledge of elected leaders and the general public? The answer lies in the multi-billion-dollar process of federal procurement, a process with which the federal government funnels resources to local law enforcement agencies to purchase surveillance equipment. Because of the way in which federal procurement operates in practice, the absence of a political check on the use of surveillance technology often poses significant privacy concerns. Surveillance policy making by procurement thus raises a host of questions related to the delicate balance between administrative and political policy making, privacy, and public safety.
This article is the first to comprehensively consider the intersection of procurement and local surveillance policy making. Using case studies from Seattle, Oakland, and San Diego, it exposes the practice of surveillance policy making by procurement. It argues that, although a large and persuasive literature touts the value of deference to the expertise of agencies in technical policy making, local elected representatives should have the lead role in formulating surveillance policy, with input from both law enforcement agents and members of the public. Surveillance technology invariably raises questions regarding how data will be collected, retained, used, and shared. Communities have differing values and needs, and the political process is best suited to ensuring that legitimate community concerns are brought to bear on surveillance policy making. The article concludes by proposing politically feasible steps to strengthen democratic control of police surveillance while maintaining appropriate deference to the legitimate role of limited administrative policy making in the law enforcement context.
The Seattle police obtained a surveillance drone with the approval of a city council that did not realize what it was doing. Following a council review that lasted literally two minutes, the Oakland police created a data information center that networked together all of the city’s existing surveillance infrastructure. In San Diego, elected representatives were only dimly aware that the law enforcement agency they supervised had built and deployed innovative facial recognition technology.
In an age of heightened concern about the militarization of local police and surveillance technology, how is it possible for municipal law enforcement agencies to obtain cutting edge and potentially highly intrusive surveillance equipment without the knowledge of elected leaders and the general public? The answer lies in the multi-billion-dollar process of federal procurement, a process with which the federal government funnels resources to local law enforcement agencies to purchase surveillance equipment. Because of the way in which federal procurement operates in practice, the absence of a political check on the use of surveillance technology often poses significant privacy concerns. Surveillance policy making by procurement thus raises a host of questions related to the delicate balance between administrative and political policy making, privacy, and public safety.
This article is the first to comprehensively consider the intersection of procurement and local surveillance policy making. Using case studies from Seattle, Oakland, and San Diego, it exposes the practice of surveillance policy making by procurement. It argues that, although a large and persuasive literature touts the value of deference to the expertise of agencies in technical policy making, local elected representatives should have the lead role in formulating surveillance policy, with input from both law enforcement agents and members of the public. Surveillance technology invariably raises questions regarding how data will be collected, retained, used, and shared. Communities have differing values and needs, and the political process is best suited to ensuring that legitimate community concerns are brought to bear on surveillance policy making. The article concludes by proposing politically feasible steps to strengthen democratic control of police surveillance while maintaining appropriate deference to the legitimate role of limited administrative policy making in the law enforcement context.

Forgetting Again

'A historian’s view on the right to be forgotten' by Antoon De Baets in (2016) International Review of Law, Computers and Technology explores
the consequences for historians of the ‘right to be forgotten’, a new concept proposed by the European Commission in 2012. I first explain that the right to be forgotten is a radical variant of the right to privacy and clarify the consequences of the concept for the historical study of public and private figures. I then treat the hard cases of spent and amnestied convictions and of internet archives. I further discuss the applicability of the right to be forgotten to dead persons as part of the problem of posthumous privacy, and finally point to the ambiguity of the impact of the passage of time. While I propose some compromise solutions, I also conclude that a generalized right to be forgotten would lead to the rewriting of history in ways that impoverish our insights not only into anecdotal lives but also into the larger trends of history. ...
In this essay, I strongly defended a right to forget. But whereas I see much quality in forgetting acts of others and much necessity in privacy for oneself, as a historian I see neither quality nor necessity in forcing others to forget you, for basically the same reason why I reject forcing others to remember you: it is an act of coercion in the realm of holding and expressing opinions. Oddly enough, some seem to think that when persons are able to invoke a right to be forgotten, they will also be encouraged to freely express themselves because their opinions are then reversible. In contrast, I think that a generic chilling effect is more likely. The protection of A's privacy bolsters A's free expression, but A's right to be forgotten, as a radical offshoot of A's privacy and regulator of sources about A, chills B's rights to information and expression. A right to be forgotten disproportionally distorts the balance between free expression and privacy in favour of privacy in the already privacy-favourable European context. It will encourage data controllers to err on the safe side. As Van Hoboken wrote, this effect may produce a bias towards uncontroversial information in search engines and related services. This is a fatal bias for any scholar of internet resources (Van Hoboken 2011). Only in the case of children do I see legitimacy in erasing information previously posted by themselves on the internet. Only for spent convictions do I see legitimacy in minimum anonymization upon request and in a right of reply. A generalized right to be forgotten, however, would lead to the rewriting of history in ways that impoverish our insights not only into anecdotal lives (which is justified in a small class of recent cases) but also into the larger patterns and trends of history. If we remember this, we better forget it.
'The right to be forgotten in the light of the consent of the data subject' by Cesare Bartolini and Lawrence Siry in (2016) Computer Law and Security Review takes a more nuanced view, commenting
Recently, the Court of Justice of the European Union issued decision C-131/12, which was considered a major breakthrough in Internet data protection. The general public welcomed this decision as an actualization of the controversial ‘right to be forgotten’, which was introduced in the initial draft for a new regulation on data protection and repeatedly amended, due to objections by various Member States and major companies involved in massive processing of personal data. This paper attempts to delve into the content of that decision and examine if it indeed involves the right to be forgotten, if such a right exists at all, and to what extent it can be stated and enforced. ...
In an age of instant access to vast amount of material, policy makers must search for solutions which allow digital citizens the ability to maintain control over the image they present to the world. The DPD represented a step in this direction. Adopted in 1995, during the infancy of digital age, it represented a progressive protection regime which addressed technological developments of that age. Since then the Internet has exploded and changed the landscape of what it means to be a digital citizen. It has transformed the concepts of privacy, access and consent.
Yet with each action comes a reaction. One such action is currently being undertaken in the form of the GDPR, which seeks to shift the balance of power away from the data controllers in favor of the DSs, if only ever so slightly. Through its adoption of a right to be forgotten the EU will simplify and embolden citizens' right to control their image in the web. The existing provisions which allow limited editorial control based on objection or consent will be replaced. Yet, in the meantime, the CJEU's decision against Google Spain has, to a certain extent, complicated the debate. Does the decision recognize a previously existing right to be forgotten? Or rather is the Court simply morphing the right to objection in order to fill a void in existing law in order to protect rights of users within the spirit of existing legislation?
The Court could not enforce a right that does not exist in the current legislation. And yet, what it could do was to plant the seeds, to affirm something that goes in the direction of the right to be forgotten, although it is a mere application of the right to object.
What did the Court achieve? Very much, and very little. The clear statement that the search engine is a data controller is a definite step forward in adapting the existing data protection principles to the new technological context. And yet, on a concrete ground, the effect on the case was the opposite than the upholding of the claim actually aimed at. The original content on the Spanish website is still available; it cannot be found on Google Spain using only the name of the claimant as the search string, but the search service from different countries still displays those results, as does the Spanish service by using a more detailed search string; and the claimant has earned a lot of visibility, which was probably the opposite of what he wanted.
Under the existing legal framework, the Court could not require the original data to be erased. At any rate, those data (actually a copy of an old issue of a newspaper from the archive repository) were unlikely to be looked for in the original website, thus not causing any harm to the claimant's reputation. The harm came from the fact that the search engine brought under present light something that had no real interest. The decision finds a balance between the rights granted by Articles 8 and 11 of the Charter: once the public interest in the information on the subject has ceased, the right to the DS's personal data must prevail.
The Court stopped here. The decision was based on the context “here and now”, and several critical issues were left open. First off, many search strings, involving or not the name of the DS, display those results. To what extent should the search engine be forced to disable those results? Of course, if Google is obliged to avoid the indexing of those results in response to more search strings, the limitation to the freedom of information is stronger, and at some point the balance shifts. Finding the perfect balance is extremely hard, but that topic was not discussed in the decision.
Second, the Court discussed the facts in a static perspective. If the DS runs for a political career or a position with significant public responsibilities, then maybe what has been considered an obsolete and irrelevant information about his past financial problems may become interesting again in the eyes of the public. The transparency of the information to the public might suddenly shift the balance back in favor of the ease in finding those results. A dynamic analysis of the possible scenarios is not available yet.
It seems that the Court planted a seed. Possibly, it used the case to put its endorsement upon an idea which has been struggling to gain full approval from the legislature of the European Union, even without recognizing its existence under the current legal framework: the right to be forgotten. Quite possibly, the Court is sending a signal that it will recognize the essence of a right until it is adopted into codified law.
'The right to be forgotten – a Dutch perspective' by AJ Verheija in (2016) International Review of Law, Computers and Technology investigates
to what extent the right to be forgotten as proposed by the European Commission is already recognized in Dutch tort law. The focus of this paper will be on the existence and the desirability of such a right and not on questions of enforcement. It is submitted that although Dutch law does not recognize the right to be forgotten as such, several judicial decisions can be identified that afford protection to interests that are also protected by the proposed right to be forgotten. This indicates that in the Netherlands a right to be forgotten in some form or another might have developed over time but this would have been a lengthy affair. A more precise formulation of this right by the legislator is therefore welcomed. It has been remarked that the name ‘right to be forgotten’ may give rise to unrealistic expectations but the Dutch experience shows that people do not seem to be very aware of their rights. ‘A right to be forgotten’ – however imprecise from a legal viewpoint – might be catchy enough to remedy this.
Verheija concludes
On the basis of the above decisions, it can be concluded that there is a right not to be confronted with one's past after a certain time has elapsed. When exactly this right comes into existence is unclear; everything depends upon the individual circumstances of the case. Despite its constitutional roots, this right therefore seems to offer less protection than more traditional, well-delineated rights that are recognized by private law. Judges attach a lot of weight to the context in which past crimes are raked up. A political debate on immigration law does not justify a detailed description of an over-a-decade-old crime that reveals the identity of the convict. In their contextual approach, judges seem sensitive to mitigating measures by defendants that strike a balance between the right to privacy and to reputation on the one hand and the right to free speech on the other hand. Illustrative of this are the considerations of the Court of Amsterdam on the disclaimer of the movie based on the kidnapping of Freddy Heineken. It estimated that although the disclaimer was not in sight for a long time and was difficult to read, the public who went to see the movie in the cinema would be aware of the fictitious character of many scenes due to current newspaper coverage. The Court acknowledged that this might not be the case for people who would see the DVD version in the future but it was satisfied by the fact that in the DVD version the disclaimer would be shown for longer.
In the last two cases, the right to privacy did not protect against internet publications about children without the consent of their legal representative. Again, the courts did not formulate a hard and fast rule but weighed all the circumstances of the case. Of special relevance were the nature of the information, the extent to which the information was public, and the fact that defendants were the fathers of the children concerned. The mere possibility that this information might be used by third parties to the detriment of the mothers and/or the children was in itself deemed insufficient to support a prohibition. A prohibition was granted, however, when such a risk could be made concrete with reference to the work of the mother.
This means that Dutch tort law does not in any general way protect people who disclose personal (but not embarrassing or defaming) information on the internet themselves and later on wish to delete it. Only when this information is used by others to harass them or when a very long time has elapsed does the law offer protection. When companies collect information on the internet, the Wbp (by which Directive 95/46/EC was implemented) provides some protection but there is evidence that this law does not work very well in practice.
It is therefore submitted that although Dutch law does not recognize the right to be forgotten as such, several judicial decisions can be identified that afford protection to interests that are protected by the proposed right to be forgotten. This indicates that, in the Netherlands, a right to be forgotten in some form or other might have developed over time. Both the structure of Dutch tort law with its emphasis on conduct and not on protected interests and the open-ended nature of tort law principles are likely to have made development of such a right to be forgotten a lengthy and cumbersome process. A more precise formulation of this right is therefore to be welcomed. This would create a foundation to build without stifling further development. It has been remarked, with some justification, that the name ‘right to be forgotten’ may give rise to unrealistic expectations, but the Dutch experience with Directive 95/46/EC shows that people do not seem to be very aware of their rights. ‘A right to be forgotten’ – however imprecise from a legal viewpoint – might be catchy enough to remedy this.
'Germany’s ‘Right to be forgotten’ – between the freedom of expression and the right to informational self-determination' by Claudia Koddea in (2016) International Review of Law, Computers and Technology argues that
Although never having defined it explicitly, German law and jurisprudence imparted a right to be forgotten which could be described as a right to delete long ago. Its basis can be found in the constitution where it is torn between the freedom of expression and the right to informational self-determination. Also, German legislature introduced non-constitutional provisions ensuring the deletion of personal data in specific cases that are applied regularly. This article aims to give an overview of the ‘German’ right to be forgotten, its legal framework and its application in court. ....
The first part of this article has shown that the Grundgesetz provides a right for data subjects to decide for themselves about release and use of their personal data. This right to informational self-determination is an implementation of the right of personality and does not only grant a right to decide about the circumstances of a disclosure of data but also a right to remain the ‘master of one's private data’, meaning that the data subject also has the right to ask for the erasure of his/her data. However, as the data subject is only a small part of society, his or her constitutional right has to be balanced against the rights of others.
The second part covered the current legal framework concerning a right to be forgotten or, more narrowly, a right to delete. The relevant Section 35 Paragraph (2) BDSG transposes Art. 12 Paragraph (b) of the Directive 95/46/EC and grants a right to delete in a number of cases. One of the most problematic points regarding these provisions is the question of responsibility, especially in the case of search engines. A data subject generally has the right to withdraw consent, which would lead to a right to delete, but it must not be forgotten that the right to revoke consent has to take possible legitimate interests of the service providers into consideration.
Furthermore, if the data in question are openly accessible, a deletion becomes even more difficult. If one argues that data on profiles in social networks where the user did not restrict the visibility or privacy settings are openly accessible, even a deletion of this social network profile will be only of limited help because the withdrawal of consent does not affect the lawfulness of the processing prior to the withdrawal.
The last part of this article dealt with different court cases in which plaintiffs had asked for a deletion of personal data. In all cases, no matter if the BDSG was applicable or the claims had to be based on the more general provisions of Sections 823 and 1004 BGB, the Court had to balance the constitutional rights of the defendant, such as the right to the freedom of expression or the right to information, with the right to informational self-determination of the plaintiff. One can say that, although Germany has adopted a rather protective system of data protection, the right to information of the public is one of the most important constitutional rights, which often outweighs the other rights.
It appears that not only scholars but also judges and other jurists either do not like the notion of a ‘right to be forgotten’ or do not see a basis for it in the German law. Otherwise, it is difficult to explain why not a single decision can be found mentioning this term. The main reason for this might be the biggest problem of the right to delete in the BDSG and it is not a legal one. Although the legislature tries to protect the citizens the best it can, the enforcement of the rights in practice is almost impossible. Often internet users will not know to whom their data was transmitted and they will not even try to pursue their claim in court. Although one has to admit that a right to be forgotten, where the data subject only has to ask a single controller to delete the data and the controller will ensure the deletion of every copy whoever holds it, does not exist in German law, the existing provision grants at least ‘a small right to be forgotten’. The fact that it is hardly used shows the need for other solutions, especially technical ones. In short: the theory is ready. It only waits for the practice.