Do You Have a Constitutional Right to Have the Government Safeguard Personal Data It Collects From You?

Most legal academics are happy to be cited by courts–it’s at least proof of relevance. But it’s better if the Judge agrees with you, and that’s not what happened this week when Judge Amy Berman Jackson of the District Court of the District of Columbia, discussed my article Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009).

My article argues, correctly I still believe, that if the government takes your personal data, and then mishandles it so that it leaks to your detriment, the government has committed an actionable harm:

The key case in establishing the contours of the Due Process right to compensation for certain government data breaches is Chief Justice Rehnquist’s opinion in DeShaney [v. Winnebago Cty. DSS, 489 U.S. 189 (1989)]. Chief Justice Rehnquist is an unexpected source for a major information privacy right, and DeShaney is a particularly unexpected locus for its elucidation. DeShaney is notorious as an opinion in which the Supreme Court held that the state of Wisconsin had no duty under the Constitution to protect a boy, the infamous “poor Joshua” of Justice Blackmun’s dissent, from a permanently disabling beating by his father. The absence of a duty was controversial because the state social services were on actual notice that Joshua had been repeatedly injured and was at risk. In finding that the Due Process clause imposed no duty of care on state social services regarding children residing with a parent, at least absent a statutory or regulatory undertaking to protect children from their parents, Chief Justice Rehnquist distinguished Joshua’s case from one where a duty would have existed. Mere notice was not enough; the state would have had a duty only if it had placed Joshua in circumstances where it “renders him unable to care for himself, and at the same time fails to provide for his basic human needs ….” The duty arises “from the limitation which it has imposed on his freedom to act on his own behalf’ not “its failure to act to protect his liberty interests against harms inflicted by other means.’ Chief Justice Rehnquist immediately added in a footnote that, “[e]ven in this situation, we have recognized that the State ‘has considerable discretion in determining the nature and scope of its responsibilities.'”

When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has “by the affirmative exercise of its power” taken the data and “so restrain[ed]” it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s “affirmative duty to protect” the data “arises … from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.’ Again, “it is the State’s affirmative act of restraining the individual’s freedom to act on his own behalf” which creates a duty on the government to keep the data secure. The State created the danger, and thus the State is responsible for the outcome.

The plaintiffs in In Re: U.S. Office Of Personnel Management Data Security Breach Litigation, — F.Supp.3d —-, 2017 WL 4129193, MC 15-1394 (ABJ), MDL 2664 (D.D.C. Sept. 19, 2017), sought to apply this theory to the massive data breach by the Office of Personnel Management, AKA the OPM hack. Plaintiffs claimed the government breached an actionable duty by failing to protect (or, as plaintiffs put it, being grossly negligent in failing to protect) their personal data.

Unfortunately, Judge Jackson did not agree (footnotes omitted):

Given … the absence of binding precedent one way or the other, this Court also finds it prudent to avoid wading into the legal waters surrounding the existence or scope of any constitutional right to informational privacy in general when it is not necessary to do so. And it is not necessary here because the NTEU claim is asking the Court to recognize a constitutional violation that no court has even hinted might exist: that the assumed constitutional right to informational privacy would be violated not only when information is disclosed, but when a third party steals it. See NTEU Compl. ¶¶ 96-98; NTEU’s Opp. at 25-44 (arguing that the government has an affirmative duty “grounded in the constitutional right to informational privacy” to safeguard plaintiffs’ private data). In other words, even if an individual who completes an SF 85 or SF 86 has a constitutional right to privacy in the information he or she is being asked to provide, it is well-established that the government has the right to gather that information. And even if it might violate the Constitution for the government to then deliberately disclose the information, there is no authority for the proposition that the Constitution gives rise to an affirmative duty — separate and apart from the statutory requirements enacted by Congress — to protect the information in any particular manner from the criminal acts of third parties. See, e.g., Harris v. McRae, 448 U.S. 297, 317-318 (1980) (discussing the Due Process Clause of Fifth Amendment and declining to “translate the limitation on governmental power implicit in the Due Process Clause” into an affirmative obligation on the government).

The sole source plaintiffs identify for the existence of the affirmative duty they would have this Court enforce is a law review article. NTEU’s Opp. at 37, citing A. Michael Froomkin, Government Data Breaches, 24 Berkley Tech. L. J. 1019, 1049 (2009) (“When the State takes a person’s data and holds it in a fashion outside the person’s control, the State has done to that data exactly what Chief Justice Rehnquist said was necessary to trigger Due Process Clause protection: it has `by the affirmative exercise of its power’ taken the data and `so restrain[ed]’ it that the original owner is unable to exert any control whatsoever over how the government stores or secures it. The government’s `affirmative duty to protect’ the data `arises . . . from the limitation which it has imposed on his freedom to act on his own behalf’ to keep the data secure.”). Given the absence of any binding precedent — or even any persuasive writing from other courts — that recognizes a constitutionally based duty to safeguard personal information, and the D.C. Circuit’s expressed skepticism about the existence of a right to informational privacy in the first place, this Court is compelled to hold that plaintiffs have failed to state a constitutional claim.

The thing is, my article anticipates Judge Jackson’s rejoinder:

One might object that the DeShaney holding stands for the proposition that when the government stands by and lets another do harm to a person, that person has no recourse unless the government has taken on an affirmative duty to protect. In this view, exposing private data on the web or losing an unencrypted database is not the harm. Rather, the harm comes from a third party’s use of the data, something for which this reading of DeShany says the government should not be blamed. But this is a misreading of De- Shaney because the analogy is incorrect. In DeShany, the State had no duty because it had never taken Joshua into care. The harms he suffered at his father’s hands were private wrongs, a direct transaction in which the government had no part. […]

Indeed, it was the claim that the government had a duty to intervene which was the heart of the plaintiffs case, and which the majority rejected.

Contrast this to a hypothetical lost database: there is no question that the government had taken full control of the data before it lost them. Once the government takes that control, the subject of the data is completely disempowered with regards to how the data will be protected. Therefore, it is nonsensical to suggest that when the government negligently allows a third party to access the data, that third party is the only relevant actor for Due Process purposes. The government remains the critical intermediary, the one actually responsible for allowing the loss. In the case of information controlled by the government, it is not a bystander, but rather a direct agent. The government’s active role in controlling the data, one that displaces the subject or owner of the data, is what creates the duty of care. Or as the Seventh Circuit stated, “The state must protect those it throws into snake pits, but the state need not guarantee that the volunteer snake charmer will not be bitten.” [Walker v. Rowe, 791 F.2d 507, 511 (7th Cir. 1986).]

In short, Judge Jackson links two issues that I think ought to be seen as separate. One issue is whether the Constitution creates a a generalized right to information privacy. Judge Jackson notes, fairly enough, that currently there is no judicial recognition of such a right. But that’s not the only question at issue here. Even in the absence of a general substantive constitutional duty to protect information privacy, I believe that the rule in Chief Justice Rehnquist’s DeShaney opinion compels the conclusion that when the government demands your data, takes it, and fails to care for it, that creates a valid claim.

Judge Jackson may be right that the D.C. Circuit is not ready to find a general constitutional right to information privacy, a right that likely would extend far beyond data breaches and into, for example, data collection practices. But why, even if we stipulate that Judge Jackson correctly reads the DC Circuit tea leaves on information privacy rights generally, does this tell us anything about the much narrower Due Process claim at issue in the OPM case?

One need not find a generalized right to information privacy to hold, following the logic of DeShaney, that the government has a duty of care when it creates the circumstances which both make the data vulnerable and makes self-help by the data subject impossible. What exactly that duty of care requires could certainly be debated, but whatever the level of care turns out to be, it surely must exceed the gross negligence alleged by the plaintiffs in the OPM case.

I should note that Judge Jackson cites one case in support of her assertion that the Due Process clause cannot create a governmental duty “to protect the information in any particular manner from the criminal acts of third parties. See, e.g., Harris v. McRae, 448 U.S. 297, 317-318 (1980) (discussing the Due Process Clause of Fifth Amendment and declining to “translate the limitation on governmental power implicit in the Due Process Clause” into an affirmative obligation on the government).” I think the citation to Harris is misplaced. Harris is a 1980 case; DeShaney was decided in 1989, and in case of conflict the later case ought to prevail. But in fact there is no conflict: Harris was a challenge to the Hyde Amendment, and in rejecting the challenge the Supreme Court stated that the Due Process Clause could not be invoked to create a requirement that Congress providing funding for something. Given the bedrock principle that “No Money shall be drawn from the Treasury, but in Consequence of Appropriations made by Law,” U.S. Const. Article I, § 9, Cl. 7, the Harris holding on this point seems clearly correct — but also irrelevant to the OPM case which is not about legislation or funding.

I think it’s only a matter of time before US law recognizes a right to have the government apply at least reasonable safeguards to personal information it holds. This case shows why that rule is necessary. I wonder if the plaintiffs will appeal?

Posted in Law: Constitutional Law, Law: Privacy | Leave a comment

Best News Story of the Week?

Parrot mimics owner to make purchases using Amazon Echo

Posted in Sufficiently Advanced Technology | 1 Comment

It’s That Bad

You know things are bad when a foreign head of state, even a former one, is mocking you like this:

Then again, we already knew it was that bad.

Posted in Completely Different, Trump | 1 Comment

I Hate Reruns

I almost never watch a movie twice (except of course Groundhog Day).

I generally hate re-runs.

And so far this Maria show looks like an Irma rerun:

TS Maria

Posted in Weather With a Name | 1 Comment

Coral Gables / FPL Update

It seems FPL cleaned up the downed power lines yesterday, but has revised its estimate to turn on all the power in the area to Tuesday.  We’ll see if Coral Gables goes through with its threat to impose fines.

I was out for a brief drive to the library today (Comcast still hasn’t fixed the internet, and the library has wifi) and saw a lot of electricity trucks working in the area. Hard to know, but maybe that letter from the Commission had an effect; or maybe it’s just our turn.

Posted in Coral Gables, Weather With a Name | 2 Comments

Coral Gables Commission Orders FPL to Restore Power by Sunday 11:45pm Or Else

In this resolution the City of Coral Gables purports to order Florida Power & Light to restore our electricity by Sunday night on pain of … wait for it … $500/day fines if it doesn’t (plus the some dubious threat of additional higher fines under state law).

Does a city have the power to order a state-regulated utility to restore power by a set date after a hurricane? Given the relationship between cities and the State of Florida, I’d be a little surprised if the answer were yes, at least in the absence of clearly dilatory or unreasonable behavior, although I am certainly not an expert in local government law. The resolution cites two authorities: § 2-203 of the Coral Gables code and Florida Statutes § 162.09. The Coral Gables code section is about cease and desist letters:

Sec. 2-203. – Penalty for failure to obey cease and desist letter.

(a) The city attorney is authorized to issue cease and desist letters for violation of the City Code, Zoning Code and any other applicable law where such violation causes harm to the city, its residents or its businesses.

(b) It shall be unlawful for any person or entity to disobey the demand made by the city attorney or his/her designee, on behalf of the City of Coral Gables, in a cease and desist letter.And And

(c) Failure to obey the demand made in a cease and desist letter shall result in the issuance of a code enforcement citation, punishable by a fine of $500.00 per day.

(d) A violator who has been issued a citation for failure to comply with the demand in the cease and desist letter, must elect to either comply with the demand in the letter and pay the fine or request an administrative hearing before a special master, as set forth in chapter 101, article VI, division 3 of the City Code.

(e) As a cumulative remedy, the city attorney is authorized to file a civil action to enforce the cease and desist letter, the city is entitled to an injunction and the violator is responsible for attorney’s fees and costs incurred. Such proceedings shall be expedited by the court.

(f) The city, as well as its elected and appointed officials, employees and agents are immunized from civil or criminal liability for actions taken in accordance with this section.

(g) Subsection (a) of this Code section shall be incorporated into section 2-201 of the City Code as subsection (13).

As for the state statute, I see authority for “$15,000 per violation if the code enforcement board or special magistrate finds the violation to be irreparable or irreversible in nature.” But is failure to repair quickly enough really a zoning violation? Maybe at some point yes, but a week after a hurricane? Surely there is some implicit (and in the case of the state law, fairly explicit) reasonableness limit operative here?

As to the Coral Gables ordinance, I sort of wonder how it applies–does FPL have a legal duty to the city under zoning law that is enforceable in this manner? (I honestly don’t know.) Does it make sense to talk of ‘cease and destining” from failure to deal with a public emergency? (It might.) More to the point, though, even if the legal answer is yes, can you really make FP&L do anything in these post-hurricane conditions? (Not as far as I can see.)

Perhaps prudently, therefore, the Commission’s resolution only demands that the power be back by Sunday at 11:45pm (although it demands downed power lines blocking streets be cleared today). As FP&L has publicly said it will have all the power back on the east coast of Florida by Sunday unless your house is destroyed or it would be dangerous to turn it on, at least as to the power restoration this may be more sound than fury.

Then again, I suppose there could be litigation: this is the same Coral Gables Commission that recently sued Facebook and Instagram to find out the identity of a public (and until the lawsuit, very obscure) critic. The legal theory in that case — trademark and irreparable harm to the city — was maybe tenable enough not to be risible (but I’d say on balance not even that). More to the point the suit looked to me like a SLAPP suit, and seemed very very unwise, in terrible taste, and probably outright unconstitutional.

So who knows, maybe my tax money will be spent on a suit about this too.

Don’t get me wrong, I have no love for FP&L, even if they did get my lights back on a couple of days ago. Having had no power for five weeks after Andrew, and having everything in my fridge just spoil, I understand how awful it can be to be without it — and that it is even worse for people who depend on medical equipment.

I’m all for getting tough with FP&L on solar power, on burying power lines (on which, let the record show, Coral Gables wimped out long ago), and even on harrying them to fix the power. But is this the right way to go about it? I am not convinced. FP&L may not do a great job of pre-hurricane hardening, but large-scale post-hurricane restoration is something they seem fairly good at, if only because they have practice and get massive help from out of state.

I’d much rather see Coral Gables get tough with FP&L about pre-hurricane preparedness, like burying power lines, than this post-hurricane spasm — whether it is sincere or a publicity stunt. (I should emphasize that it could be either for all I know. Normally I would call up and try to interview some Commissioners about this, which I think is the right thing to do when writing about people. But I expect that they have better things to do immediately post-Irma than talk to me and I’m not about to bother them.)

Posted in Coral Gables, Weather With a Name | Leave a comment