Privacy advocates have disliked the third-party doctrine at least from the day in 1976 when the Supreme Court decided U.S. v. Miller. Anyone who remembers the Privacy Protection Study Commission knows that its report was heavily influenced by Miller. My first task in my long stint as a congressional staffer was to organize a hearing to receive the report of the Commission in 1977. In the introduction to the report, the Commission called the date of the decision “a fateful day for personal privacy.”
Last year, privacy advocates cheered when Justice Sonia Sotomayor’s concurrence in U.S. v. Jones asked if it was time to reconsider the third-party doctrine. Yet it is likely that it would take a long time before the Supreme Court revisits and overturns the third-party doctrine, if ever. Sotomayor’s opinion didn’t attract a single other Justice.
Can we draft a statute to overturn the third-party doctrine? That is not an easy task, and it may be an unattainable goal politically. Nevertheless, the discussion has to start somewhere. I acknowledge that not everyone wants to overturn Miller. See Orin Kerr’s The Case For the Third-party Doctrine. I’m certainly not the first person to ask the how-to-do-it question. Dan Solove wrestled with the problem in Digital Dossiers and the Dissipation of Fourth Amendment Privacy.
I’m going at the problem as if I were still a congressional staffer tasked with drafting a bill. I see right away that there is precedent. Somewhat remarkably, Congress partly overturned the Miller decision in 1978 when it enacted The Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq. The RFPA says that if the federal government wants to obtain records of a bank customer, it must notify the customer and allow the customer to challenge the request.
The RFPA is remarkable too for its exemptions and weak standards. The law only applies to the federal government and not to state and local governments. (States may have their own laws applicable to state agencies.) Bank supervisory agencies are largely exempt. The IRS is exempt. Disclosures required by federal law are exempt. Disclosures for government loan programs are exempt. Disclosures for grand jury subpoenas are exempt. That effectively exempts a lot of criminal law enforcement activity. Disclosures to GAO and the CFPB are exempt. Disclosures for investigations of crimes against financial institutions by insiders are exempt. Disclosures to intelligence agencies are exempt. This long – and incomplete – list is the first hint that overturning the third-party doctrine won’t be easy.
We’re not done with the weaknesses in the RFPA. A customer who receives notice of a government request has ten days to challenge the request in federal court. The customer must argue that the records sought are not relevant to the legitimate law enforcement inquiry identified by the government in the notice. The customer loses if there is a demonstrable reason to believe that the law enforcement is legitimate and a reasonable belief that the records sought are relevant to that inquiry. Relevance and legitimacy are weak standards, to say the least. Good luck winning your case.
Who should get the protection of our bill? The RFPA gives rights to “customers” of a financial institution. A customer is an individual or partnership of five or fewer individuals (how would anyone know?). If legal persons also receive protection, a bill might actually attract corporate support, along with major opposition from every regulatory agency in town. It will be hard enough to pass a bill limited to individuals. The great advantage of playing staffer is that you can apply political criteria to solve knotty policy problems. I’d be inclined to stick to individuals.