It is an understatement to say that a lot has happened in privacy law during the past decade. Here is my list of the most notable developments.
NOTE: I am giving a particular emphasis to what I find to be notable from a United States perspective. What is notable privacy law depends upon where one is situated. For example, if one is from a small country, that country’s developments are quite notable even if not well-known on a worldwide stage.
Latin American Privacy Law Emerges as a Major Force (2010-2019)
I am grouping several developments in Latin America together because there was a clear trend throughout the region toward stepping up privacy protections. New comprehensive privacy laws emerged in Mexico, Brazil, Peru, and Colombia. In 2012, the European Commission recognized Uruguay as providing an adequate level of protection for personal data. The Commission had previously recognized Argentina.
United States v. Jones (2012)
In United States v. Jones, 565 U.S. 400 (2012), the U.S. Supreme Court held that the installation of a GPS device on a car without a warrant is a search under the Fourth Amendment to the U.S. Constitution. The majority rationale was very narrow, relying on the old dusty trespass doctrine that the Supreme Court had largely forgotten when it adopted the reasonable expectation of privacy test after Katz. But in the concurring opinions, a majority of Supreme Court justices expressed views about the application of the reasonable expectation of privacy test to new technologies that indicated the Supreme Court might be turning in a new direction in the future.
I struggled over whether this case would make my list, as the majority opinion was not a bold new direction but a timid inch forward, and the concurring opinions were only good for speculation about the future. Essentially, the Court left tea leaves to read. But the Supreme Court rarely does much to clarify and resolve issues. Its signals did suggest that Fourth Amendment jurisprudence might take a new turn, and the case sparked a wave of new approaches in judicial opinions in the years that followed. Jones thus had a significant impact even if the case itself didn’t actually move the needle all that much.
HIPAA Omnibus Final Rule (2013)
It took many years after the 2009 passage of the HITECH Act, but HHS finally issued the HIPAA Omnibus Final Rule in 2013. This Rule implemented several important changes from the HITECH Act into HIPAA and started a new era of HIPAA compliance. With stronger penalties and stricter enforcement, many organizations finally started to take HIPAA compliance seriously.
Clapper v. Amnesty International USA (2013)
In Clapper v. Amnesty International USA, 568 U.S. 398 (2013), the U.S. Supreme Court denied standing to challengers to NSA surveillance because they could only speculate that they were under surveillance. The Court also held that the plaintiffs suffered no harm despite their spending money to avoid the surveillance because this was “manufacturing” standing by spending money on a speculative claim.
Clapper would go on to become a widely-used case in data breach litigation to support denying standing for plaintiffs who argued that they had spent money on measures to protect themselves against future identity theft and fraud after a data breach. At first, using Clapper as a tool to wipe out data breach litigation seemed to be an effective one, but over time, more and more courts have found ways to distinguish Clapper and recognize harm.
Subsequently, the Supreme Court attempted to clarify its tortured standing doctrine in Spokeo v. Robins, 136 S. Ct. 1540 (2016), but its opinion was a tangled mess of inconsistencies that has created far more confusion than insight. Although Spokeo will generate lots of citations, I don’t list it as a major development because the opinion really didn’t change anything. The Court saw a window smeared with mud, took a rag, and just smeared more mud on it.
For those interested in the issue of harm in data breach cases, I co-authored an article with Professor Danielle Keats Citron, Risk and Anxiety: A Theory of Data Breach Harms, 96 Texas Law Review 737 (2018).
Edward Snowden (2013)
In the summer of 2013, Edward Snowden leaked classified documents about surveillance programs by the NSA. This vast surveillance was unlawful. The Snowden revelations generated significant debate about government surveillance.
In 2015, the USA Freedom Act was passed to curtail some of the excesses of the surveillance. It remains unclear how many lessons were learned in the wake of the Snowden revelations. We have certainly not entered into a bold new era of government surveillance that is sufficiently accountable, limited, lawful, and overseen. There has been some improvement, but certainly not a paradigm shift.
FTC Enforcement (2010-2019) and FTC v. Wyndham (2015)
The Federal Trade Commission (FTC) engaged in an expansive and significant amount of enforcement of Section 5 of the FTC Act for privacy and security violations. Starting in the mid 1990s, the FTC established itself as the leading U.S. regulator for privacy and security. But FTC enforcement really started to hit its stride in the past decade. To cap off the decade, in 2019 the FTC imposed a $5 billion fine on Facebook, the largest fine it has issued for a privacy violation and probably the largest regulatory fine ever imposed for a privacy violation.
In FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), Wyndham challenged the FTC’s regulatory authority over data security (with potential implications for privacy). The U.S. Court of Appeals for the Third Circuit sided with the FTC, concluding that the FTC had broad powers to regulate data security under the FTC Act. The Wyndham case is most significant for what was at stake and what could have happened had the case been decided in favor of Wyndham. Had Wyndham won, the FTC’s role in privacy and security enforcement would have been greatly diminished.
Schrems v. Data Protection Commissioner (2015)
In Schrems v. Data Protection Commissioner, Case C-362/14 (Oct. 6, 2015), the ECJ invalidated the Safe Harbor Arrangement, the method that about 4,000 U.S. companies used to transfer personal data from the EU to the U.S. In one swift stroke, the ship was sunk, leaving thousands of companies in limbo about how they would handle personal data from the EU. U.S. and EU officials quickly negotiated a successor to the Safe Harbor Arrangement, the Privacy Shield Framework, in July 2016.
Carpenter v. United States (2018)
In Carpenter v. United States, 138 S. Ct. 2206 (2018), the U.S. Supreme Court finally indicated a stopping point for the tortured logic of the Third Party Doctrine. The Court held that the Fourth Amendment applies when the government “accesses historical cell phone records that provide a comprehensive chronicle of the user’s past movements.” Prior to Carpenter, the Supreme Court had issued a number of decisions (most notably United States v. Miller, 425 U.S. 435 (1976) and Smith v. Maryland, 442 U.S. 735 (1979)) holding that there is no reasonable expectation of privacy in information known or exposed to third parties, a doctrine that has become known as the Third Party Doctrine. Carpenter took a step away from the Third Party Doctrine to recognize a reasonable expectation of privacy in cell phone records of a person’s location despite the fact that these records are in the hands of a third party.
I was hoping for a bolder repudiation of the Third Party Doctrine, which I have long and oft criticized as bad policy, terrible reasoning, and faulty logic (in other words, I really don’t like it). But the Court left Smith and Miller intact and just refused to extend them to cell phone records of location. “There is a world of difference,” the Court concluded, “between the limited types of personal information addressed in Smith and Miller and the exhaustive chronicle of location information casually collected by wireless carriers today.”
EU General Data Protection Regulation (GDPR) (2018)
Developed over many years throughout the 2010s, the EU General Data Protection Regulation (GDPR) was adopted in 2016 and took effect on May 25, 2018. The GDPR has had an enormous influence on privacy law around the world as well as on the internal policies and practices of many global companies. I professed my love for the GDPR in a post back in 2018. I wrote: “The GDPR is the most profound privacy law of our generation. Of course, it’s not perfect, but it has more packed into it than any other privacy law I’ve seen. The GDPR is quite majestic in its scope and ambition.”
The GDPR actually doesn’t differ dramatically from its predecessor, the EU Data Protection Directive. There are, of course, some notable differences, but the basic approach to data protection, the rights and responsibilities, are quite similar. But the GDPR succeeded in waking up companies in ways that the Directive was unable to do. The GDPR ushered in a very different mindset for data protection around the world.
As I wrote in an essay for Bloomberg Law (no longer available online):
The GDPR has taken privacy to the next level. Before the GDPR, nothing had fully gelled around what protecting privacy actually entailed. The consequences of poor privacy were also rather vague in many cases. There was no clear blueprint for protecting privacy. Organizations would do just one or two things, such as provide a notice of privacy practices and keep data secure, and then claim they were protecting privacy. But they were only doing a fraction of what was truly needed to protect privacy.
The GDPR has changed all that. It provides a blueprint for protecting data that is more thorough and complete than nearly any other privacy law. The GDPR contains provisions that require governance measures, data mapping, assessment, data protection by design, and vendor management, among other things. It provides for individual rights such as the right to access one’s data, the right to request restrictions on data use, the right to be forgotten, and the right to data portability. The GDPR has a broad definition of personal data, and it applies across different industries, so it provides a comprehensive baseline of privacy protection.
Now, privacy professionals can point to a definitive source of the various norms, best practices, standards, and rules that have long existed in fragmentary form. The GDPR has penalties that will keep the CEO awake at night. Privacy professionals can point to it and say, “This is what we need to do, and this is why.”
California Consumer Privacy Act (CCPA) (2018)
In a breathless span of days in the summer of 2018, California enacted the California Consumer Privacy Act (CCPA). The CCPA was hurried through the legislative process to avoid a proposed ballot initiative with the same name. The ballot initiative was the creation of Alastair Mactaggart, a real estate developer who spent millions to bring the initiative to the ballot. Mactaggart indicated that he would withdraw the initiative if the legislature were to pass a similar law, and this is what prompted the rush to pass the new Act, as the deadline to withdraw the initiative was looming.
The CCPA provides for many consumer privacy rights. It imposes many responsibilities on companies that collect and use personal data. The CCPA is one of the strongest state privacy laws in the United States. It also goes far beyond many federal laws.
The CCPA has sparked considerable state legislative attention on privacy, and it has reignited the conversation about a federal privacy law in the U.S.
* * *
Other Notable Developments
There were countless other notable developments in privacy law over the past decade. Here are a few others that are significant:
- In Riley v. California, 134 S. Ct. 2473 (2014), the U.S. Supreme Court held that a warrant is generally required to search digital information on a cell phone seized pursuant to an individual’s arrest.
- In Google Spain SL v. Agencia Española de Protección de Datos, Case C-131/12 (May 13, 2014), the European Court of Justice (ECJ) held that Google had to remove a link to a search result that violates the “right to be forgotten.”
- Data breaches kept occurring at record-setting levels each year, with bigger and bigger breaches being announced. Fearless prediction for the next decade: More of the same.
- Data breach notification laws spread widely — they were adopted in numerous states and around the world.
- Biometric privacy laws began to rise in the U.S. I predict that more biometric privacy laws will be passed over the ensuing years.
- The U.S. Federal Communications Commission (FCC) began vigorously enforcing against privacy and data security violations. However, this enforcement mostly dried up in the last few years of the decade.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the annual Privacy + Security Forum events.