Overturning the Third-Party Doctrine by Statute: Hard and Harder

Privacy advocates have disliked the third-party doctrine at least from the day in 1976 when the Supreme Court decided U.S. v. Miller.  Anyone who remembers the Privacy Protection Study Commission knows that its report was heavily influenced by Miller.  My first task in my long stint as a congressional staffer was to organize a hearing to receive the report of the Commission in 1977.  In the introduction to the report, the Commission called the date of the decision “a fateful day for personal privacy.”

Last year, privacy advocates cheered when Justice Sonia Sotomayor’s concurrence in U.S. v. Jones asked if it was time to reconsider the third-party doctrine.  Yet it is likely that it would take a long time before the Supreme Court revisits and overturns the third-party doctrine, if ever.  Sotomayor’s opinion didn’t attract a single other Justice.

Can we draft a statute to overturn the third-party doctrine?  That is not an easy task, and it may be an unattainable goal politically.  Nevertheless, the discussion has to start somewhere.  I acknowledge that not everyone wants to overturn Miller.  See Orin Kerr’s The Case For the Third-party Doctrine.  I’m certainly not the first person to ask the how-to-do-it question.  Dan Solove wrestled with the problem in Digital Dossiers and the Dissipation of Fourth Amendment Privacy.

I’m going at the problem as if I were still a congressional staffer tasked with drafting a bill.  I see right away that there is precedent.  Somewhat remarkably, Congress partly overturned the Miller decision in 1978 when it enacted The Right to Financial Privacy Act, 12 U.S.C. § 3401 et seq.  The RFPA says that if the federal government wants to obtain records of a bank customer, it must notify the customer and allow the customer to challenge the request.

The RFPA is remarkable too for its exemptions and weak standards.  The law only applies to the federal government and not to state and local governments.  (States may have their own laws applicable to state agencies.)  Bank supervisory agencies are largely exempt.  The IRS is exempt.  Disclosures required by federal law are exempt.  Disclosures for government loan programs are exempt.  Disclosures for grand jury subpoenas are exempt.  That effectively exempts a lot of criminal law enforcement activity.  Disclosures to GAO and the CFPB are exempt.  Disclosures for investigations of crimes against financial institutions by insiders are exempt.  Disclosures to intelligence agencies are exempt.  This long – and incomplete – list is the first hint that overturning the third-party doctrine won’t be easy.

We’re not done with the weaknesses in the RFPA.  A customer who receives notice of a government request has ten days to challenge the request in federal court.  The customer must argue that the records sought are not relevant to the legitimate law enforcement inquiry identified by the government in the notice.  The customer loses if there is a demonstrable reason to believe that the law enforcement inquiry is legitimate and a reasonable belief that the records sought are relevant to that inquiry.  Relevance and legitimacy are weak standards, to say the least.  Good luck winning your case.

Who should get the protection of our bill?  The RFPA gives rights to “customers” of a financial institution.  A customer is an individual or partnership of five or fewer individuals (how would anyone know?).  If legal persons also receive protection, a bill might actually attract corporate support, along with major opposition from every regulatory agency in town.  It will be hard enough to pass a bill limited to individuals.  The great advantage of playing staffer is that you can apply political criteria to solve knotty policy problems.  I’d be inclined to stick to individuals.

Should the law apply only to federal government demands for records?  The RFPA does not, but do we want to leave the raging loophole that seemingly allows states to obtain records and give them to the feds?  Yet the political price to be paid if the law extended to all government levels might well be enormous.  I sure wouldn’t want to pick a fight with every local prosecutor and cop in the country.  Still, it might be possible in theory to integrate a new federal third-party doctrine law with existing state laws or to invite the states to join in a new federal scheme.

What about private demands for records?  The HIPAA health privacy rule provides that anyone (including private parties) who uses a court order, subpoena, discovery request, or other lawful process in a judicial or administrative proceeding to obtain an individual’s health record must notify the individual so that the individual has an opportunity to challenge the demand.  Should we extend the same notice and challenge requirement to all legal demands for third party records?  That sounds narrower in some ways, but it would change the way that discovery operates in every court in the nation.

Should we allow notice and challenge when one private party shares my record with another private party?  For example, when a merchant notifies a credit bureau that I didn’t pay a bill.  After all, it may be that private type of data transfer that makes the biggest difference in the lives of most people.  The NYT recently reported on a hitherto unknown database that collected accusations about theft by employees of retailers.  One lawyer called it a secret blacklist.  What could be more damaging to the employment prospects of a worker than having a record in that database?

But we’re now pretty far afield from the Fourth Amendment, so maybe we should just drop this line of inquiry and stick to government demands.

Another issue is defining when data is about me and when it is about someone else, like the merchant who sold me something.  I’d be happy to say that if an agency gets my data without notice to me, it can’t use the data against me.  You won’t sell that idea to a cop who stumbles upon child porn when investigating an ISP.  I don’t see new exclusionary rules as politically forward going.

Given all of these problems, the best hope of success may be with a narrow bill covering some rather than all third-party record keepers and limited to government access.  A narrow bill would also avoid messy issues involving my data held by friends, neighbors, and eyewitnesses.  If we take a narrow approach, where do we start?

Changes to ECPA are brewing, and they would affect the third-party doctrine in some way.  I can’t predict the result, but it’s very likely to be different from what we find in RFPA.  That’s the real problem with the narrow approach.  We may end up with one rule and standard for email and another for location information, dialed telephone numbers, credit cards, employment records, cloud computing, social networks, merchants (online and offline), smart grid records, etc.  In fact, what we might end up with is something that is just as complex and incomprehensible as the standards now in place for electronic surveillance.  Why would anyone want to duplicate that?

Next, consider what standard to apply when an individual challenges a disclosure covered by the bill.  Is the RFPA standard – relevant to a legitimate law enforcement inquiry – good enough?  If you have any chance of overcoming the political opposition to a change in the third-party doctrine, that might be the best you can do, and it’s not much.  If we overturn the third-party doctrine with a standard that gives individuals no real chance of success, what have we accomplished?

What would the average individual do with a notice that allows ten days to find a lawyer and go to court?  Would the bill create a right and a remedy that is meaningless as a practical matter for 99.9% of the population?  Just to make a point, have you received any security breach notices for records about you held by third parties?  Have you reached the stage where you just toss the notices without action?  That seems to be what most people do with them.  Breach notices are much easier to deal with than a notice that says go to court in ten days or lose your rights.  We could make it 30 days, but that won’t do much to simplify the burden or expense.

This is just a slapdash look at a handful of the issues that would need to be addressed in any legislative effort to overturn the third-party doctrine.  I haven’t covered the messy parliamentary choices that affect committee jurisdiction and the prospects for passage.  I’m already overwhelmed by the difficulty of defining goals, the complexity of the choices, the unattractiveness of the remedies, and the political realities that any proposal would face.

As much as I would like to do something to change the third-party doctrine, I can’t admit to much optimism or enthusiasm about the task.  If I were still a congressional staffer, I might prefer an easier task, like reforming the tax code.


Robert Gellman is a privacy consultant and former Chief Counsel to the House Subcommittee on Government Information.  His website is www.bobgellman.com.

3 Responses

  1. PrometheeFeu says:

    How about recognizing the third-party’s privacy policies and practices as creating a reasonable expectation of privacy?

  2. Bob Gellman says:

    That may be fine (up to a point) as between the data controller and the data subject. Although what to do about the ubiquitous “changeable at any time” privacy policy that you find everywhere? What’s a reasonable expectation if the policy can vary at the whim of the data controller?

    I don’t see a third party’s policy as addressing the Fourth Amendment issue. What if the third party’s policy is not reasonable (e.g., we never turn data over to the government)? The government should have some ability to get third party data (e.g., with a warrant) that can’t be changed by a data controller’s policy.

  3. PrometheeFeu says:

    @Bob Gellman

    I agree that the changeable at any time policy is a problem. We could deal with that problem by encouraging companies to give users a meaningful opportunity to delete their data prior to any change in the privacy policy coming into effect.

    Perhaps this encouragement could come in the form of a “magical incantation” that when placed in the privacy policy would confer a reasonable expectation of privacy. If such an “incantation” was reasonably-worded, there would be significant incentives on companies to adopt it. (Privacy policies are often opaque, but it would be easy to determine whether or not a service provider has used the incantation in their terms of service or some similar document)

    “What if the third party’s policy is not reasonable (e.g., we never turn data over to the government)? The government should have some ability to get third party data (e.g., with a warrant) that can’t be changed by a data controller’s policy.”

    I agree. My point was not that the government would be bound to follow that third-party’s privacy policy. My point was that the reasonable expectations test should be involved by the third-party’s policy.

    So let’s say I have an email account with a company and that company’s policy is that none of its employees, contractors, affiliates or whatever can view my email without my explicit consent. (Perhaps obtained over the phone.) This would create a reasonable expectation of privacy which could be defeated in the normal ways: warrant, probable cause, etc…