Category: Privacy (Medical)


Rethinking Free Speech and Civil Liability

I’ve been meaning to announce, but keep forgetting to get around to it, that my article with Neil Richards was recently published — Rethinking Free Speech and Civil Liability, 109 Columbia Law Review 1650 (2009).  Here’s the abstract:

One of the most important and unresolved quandaries of First Amendment jurisprudence involves when civil liability for speech will trigger First Amendment protections. When speech results in civil liability, two starkly opposing rules are potentially applicable. Since New York Times v. Sullivan, the First Amendment requires heightened protection against tort liability for speech, such as defamation and invasion of privacy. But in other contexts involving civil liability for speech, the First Amendment provides virtually no protection. According to Cohen v. Cowles, there is no First Amendment scrutiny for speech restricted by promissory estoppel and contract. The First Amendment rarely requires scrutiny when property rules limit speech.

Both of these rules are widely-accepted. However, there is a major problem – in a large range of situations, the rules collide. Tort, contract, and property law overlap significantly, so formalistic distinctions between areas of law will not adequately resolve when the First Amendment should apply to civil liability. Surprisingly, few scholars and jurists have recognized or grappled with this problem.

The conflict between the two rules is vividly illustrated by the law of confidentiality. People routinely assume express or implied duties not to disclose another’s personal information. Does the First Amendment apply to these duties of confidentiality? Should it? More generally, in cases where speech results in civil liability, which rule should apply, and when? The law currently fails to provide a coherent test and rationale for when the Sullivan or Cohen rule should govern. In this article, Professors Daniel J. Solove and Neil M. Richards contend that the existing doctrine and theories are inadequate to resolve this conflict. They propose a new theory, one that focuses on the nature of the government power involved.

In Columbia Law Review’s Sidebar, Professor Timothy Zick has a very thoughtful response piece entitled “Duty-Defining Power” and the First Amendment’s Civil Domain.


NASA v. Nelson: The Merits of the Case

As I wrote in a previous post, the U.S. Supreme Court granted cert. on NASA v. Nelson, 512 F.3d 1134 (9th Cir. 2008), a case where NASA required employees to answer questions about very private matters.  The U.S. Court of Appeals for the 9th Circuit granted a preliminary injunction because the questions violated the constitutional right to information privacy.

I believe the Supreme Court will reverse.  As I argued in my previous post, I hope it will not reverse based on a conclusion that the constitutional right to information privacy doesn’t exist.  Instead, the 9th Circuit’s opinion expands the constitutional right to information privacy far beyond its current contours.

I. The Constitutional Right to Information Privacy

In Whalen v. Roe, 429 U.S. 589 (1977), the Supreme Court held that the right to privacy protects not only “independence in making certain kinds of important decisions” but also the “individual interest in avoiding disclosure of personal matters.”  This latter interest has become known as the constitutional right to information privacy.

Whalen involved a challenge to a reporting requirement to the government of certain prescription drugs (many of which were considered controlled substances if not properly prescribed).  The Supreme Court concluded that because the records would be kept confidential and highly secure (the storage facility had many security safeguards), the plaintiffs’ rights weren’t violated.

The focus of the constitutional right to information privacy is a duty to avoid disclosure. The right allows disclosure if the government has a compelling interest that outweighs the privacy interest.  So the way courts address the constitutional right to information privacy is to balance the government’s interest in disclosure against the plaintiffs’ interest in privacy.

But NASA v. Nelson didn’t involve disclosure.  It involved collection. The constitutional right to information privacy isn’t focused around questioning people or gathering information — it is about protecting against unwarranted disclosure. The only other case I’m aware of where a court has used the constitutional right to information privacy to bar information gathering is another 9th Circuit case — Norman-Bloodsaw v. Lawrence Berkeley Laboratory, 135 F.3d 1269 (9th Cir. 1998).  There, a government lab tested prospective employees blood and urine for syphilis, sickle cell anemia, and pregnancy without their knowledge and consent.  The 9th Circuit held that the testing violated the constitutional right to information privacy, concluding: “Although cases defining the privacy interest in medical information have typically involved its disclosure to ‘third’ parties, rather than the collection of information by illicit means, it goes without saying that the most basic violation possible involves the performance of unauthorized tests.”

But the 9th Circuit’s expansion of the constitutional right to information privacy, however normatively desirable, is not consistent with the bulk of the caselaw.

The only way I see a potential violation of the constitutional right to information privacy based on the probing questions NASA asked is if the information wasn’t protected with adequate security after being collected or if there was an indication by NASA that it would disclose the information.

The cert. questions, it is explicitly noted that the information is “protected under the Privacy Act, 5 U.S.C. 552a.”

My sense is that if the Supreme Court wants to rule narrowly in this case, it can do so as follows:

1. The constitutional right to information privacy protects against unwarranted disclosure of personal information.  It doesn’t protect against the collection of data.

2. The government is under a legal obligation pursuant to the Privacy Act to avoid disclosing the data.

3. The plaintiffs can prevail only if they show that the government fails to provide adequate security to the information.

II. The First Amendment

There is one potential theory that could protect plaintiffs — the First Amendment.   The Supreme Court’s grant of cert. focuses on the constitutional right to information privacy, so I doubt the Court will reach the First Amendment issues.  But in Shelton v. Tucker, 364 U.S. 479 (1960), the Court held that the First Amendment right to free association was violated by asking overly broad questions for state employment as teachers.

Read More


NASA v. Nelson: Is There a Constitutional Right to Information Privacy?

The U.S. Supreme Court has just granted cert. on NASA v. Nelson, 512 F.3d 1134 (9th Cir. 2008).  In this case, NASA required employees to undergo background checks and answer questions about very private matters,including “any adverse information” about financial integrity, alcohol and drug abuse, and mental and emotional stability.  Plaintiffs, a group of “low risk” contract employees, sought a preliminary injunction that the investigation violated their constitutional rights.  The U.S. Court of Appeals for the 9th Circuit granted the injunction.

There is a lot at stake in this case, for it potentially involves whether or not a constitutional right exists — the little-known constitutional right to information privacy.  Despite its obscurity, this right is recognized by the vast majority of federal circuit courts and there are scores of decisions involving this right.

Here are the issues cert. was granted on:

1. Whether the government violates a federal contract employee’s constitutional right to informational privacy when it asks in the course of a background investigation whether the employee has received counseling or treatment for illegal drug use that has occurred within the past year, and the employee’s response is used only for employment purposes and is protected under the Privacy Act, 5 U.S.C. 552a.

2. Whether the government violates a federal contract employee’s constitutional right to informational privacy when it asks the employee’s designated references for any adverse information that may have a bearing on the employee’s suitability for employment at a federal facility, the reference’s response is used only for employment purposes, and the information obtained is protected under the Privacy Act, 5 U.S.C. 552a.

The cert. questions are narrowly posed, so there’s hope the Supreme Court will not eliminate the right.  But I see it as a possibility.  Ultimately, I believe the following:

1. The constitutional right to information privacy does (and should) exist.

2. The court’s holding in NASA v. Nelson constitutes a big expansion of the constitutional right to information privacy.  It doesn’t follow from most of the cases interpreting that right.

3. There may be a First Amendment argument to support the plaintiffs.

I will address the first contention in this post, and the other two in a subsequent post.

The constitutional right at issue is a little-known spinoff right to the constitutional right to privacy, most famously declared in Griswold v. Connecticut, 381 U.S. 478 (1965) and Roe v. Wade, 410 U.S. 113 (1973).  In these cases, the Supreme Court recognized that the Constitution protects a “right to privacy” grounded in the First, Third, Fourth, Fifth, and Ninth Amendments.  The Supreme Court issued an extensive line of cases involving the constitutional right to privacy, and these cases have generally involved freedom from government interference in making certain kinds of private decisions about one’s health, contraception, child-rearing, and abortion.

The constitutional right to information privacy emerged in a case called Whalen v. Roe, 429 U.S. 589 (1977). The case involved a government record system of people taking prescriptions for certain medications. Although the government promised that the information was confidential and secure, the plaintiffs feared the possibility of the information leaking out.

Read More


Facebook: Taking Out the Free in Free Expression

As so many warn (and warn to no avail), self-expression on social network sites can be costly.  CBC News recently reported that an employer’s insurance company cut a Quebec employee’s long-term sick leave benefits after seeing photographs on the employee’s Facebook page.  The employee had been on leave from her job at IBM for a year and a half after being diag1211887_on_the_beach_2nosed with major depression.  The employee posted pictures of herself having a good time at a bar on her birthday and enjoying the beach while on vacation.  The insurance company investigated the woman’s Facebook page after she told her insurer about her trip.  The employee explained that her doctor advised her to have fun to combat the depression.  But that apparently did little to convince the insurer that the employee still struggled with depression.  This case demonstrates the problem of de-contextualization in our digital lives.  A strong argument exists that the insurer took pictures out of context when terminating the woman’s benefits.  This is just the kind of privacy problem that Dan Solove so astutely tackles in Understanding Privacy and urges a contextual, pragmatic approach to address it.

Not only do insurers (and employers) hold our Facebook musings against us, but government employers can as well.  As Helen Norton‘s superb article Constraining Public Employee Speech: Government’s Control of its Workers’ Speech to Protect its Own Expression (59 Duke L.J. 1 (2009)) explores, government employees can be fired for off-duty online speech on the grounds that the public would associate the employee’s off-duty expression with the government entity that employed him.  For instance, the Ninth Circuit rejected a First Amendment challenge by a police officer who had been fired for maintaining a sexually explicit website featuring his wife even though the website never referred to law enforcement generally or the plaintiff’s employment specifically.  The court explained: “it can be seriously asked whether a police officer can ever disassociate himself from his powerful public position sufficiently to make his speech (and other activities) entirely unrelated to that position in the eyes of the public and his superiors. . .  . the sleazy activities [of plaintiff and his wife] could not help but undermine [the public’s] respect” for the police department.  Given the current state of First Amendment doctrine, it seems possible that government employers could fire employees for participating in Facebook groups with unpopular viewpoints on the grounds that such support would undermines the public’s respect for the particular government employer (the Facebook groups supporting Nazi ideology and Holocaust denial come to mind).  Norton elegantly addresses the value of government speech and that of its employees and, like Solove, prefers a contextual approach that honors First Amendment values and employees’ expressive autonomy.

Hat tip: Raymond Cha


Understanding Privacy in Paperback

Cover 5 medium.jpgI’m pleased to announce that my book, Understanding Privacy, has just come out in paperback from Harvard University Press, with a price that’s much more reasonable and affordable than the hardcover.

Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.


Reservoirs of Patient Data: Next Generation’s Privacy Problem

1076628_mask_from_venicePatients of rare diseases find that drug companies have little interest in devoting limited R&D budgets to diseases of small populations.  As a result, patients have begun to strike out on their own in the search of cures.  As The New York Times explains, patients increasingly share their medical information (including details about their everday experiences living with a disease) online in the hopes that other similarly-situated patients will do the same.  This would permit interested academic researchers to mine the data for observations about their diseases.  Patients see online communities as offering new ways to transform medical research–especially into rare diseases that elude the current model of large-scale studies of widespread conditions.

Some experts are skeptical, asking how these sites will guarantee patient privacy.  One imagines that these sites will respond to privacy concerns by employing anonymization practices.  For instance, sites might delete personal identifiers like names and social security numbers and remove other potential identifiers, such as names of next of kin or student ID numbers.  This ostensibly permits researchers to use the amassed data without concomitant privacy risks.  But, as Paul Ohm’s important and engrossing new paper Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization argues, technology renders this privacy-protection option obsolete.  Computing advances now permit clever adversaries to reidentify or deanonymize the people hidden in anonymized databases.  This means that datasets that were meant to be kept apart are easily rejoined, allowing sensitive secrets to be  revealed.

Patients may of course be willing to take that risk if their particpation in open-source research leads to cures of rare diseases.  Yet patients also jeopardize their offsprings’ privacy: if medical information can be reidentified with ease and linked with other datasets, a patient’s children may get caught up in that web of re-identification.  This may lead to genetic discrimination in the grown-up child’s life.  Grown-up children may be willing to bear that risk–it is, however, worth considering this possibility when assessing privacy concerns related to such open-source research efforts.


Seeing With Your Tongue: No Really

Not much law here, yet. Researchers have taken theoretical work begun decades ago and developed a “brain port,” a device that uses technology to allow people to reorganize how they process sensory data. In the example below, blind people are able to see images. The device takes visual input, processes it, sends impulses to a pad that sits on someone’s tongue, and then the person is able to see some images. It takes quite a bit of training and in some cases folks have been able to use the device such that they actually re-train the brain and can reduce use of the device. Yes in a sense they have “rewired” their brain. This advance is just cool. The video also explains that the advances in this field trace to Professor Paul Bach-y-Rita who apparently had to overcome a fair amount of resistance in his fields of neurobiology and rehabilitation, because he was challenging many accepted beliefs regarding the way the brain works and more (all hail Kuhn). Will the law become involved in this area? It probably already is insofar as patents and copyright are being used to govern the technology. In addition, as I have noted before, the advances in embedded or sensory enhancing devices raise numerous questions regarding privacy, the ownership of data, bioethics, and research ethics. So welcome to the future and take a look at the video. It really is amazing and wonderful that scientists have made these breakthroughs. At the very least, anyone questioning how basic research can lead to unforeseen benefits should pause after seeing this work.


Maps and Legends

Space the final frontier. These are the voyages of … ah, you know the rest. Exploration and the idea of frontiers seem to capture an important part of the human experience. The possibility of finding something new, of entering uncharted territories excites people. And, although one may want to keep the secret of the Northwest Passage or the Straits of Magellan a secret, sooner or later a map is created to increase the amount of benefit that can be extracted from the discovery. Yet with the world seeming to collapse into one connected place, the role of maps has changed. In short, maps are a new frontier for property and privacy.

As Jacqueline Lipton noted Google Maps has enabled the persistence of race discrimination. Google Maps has also spawned some other curious creations and connections. For example, I wrote about the flap over what is a true IMAX screen and that folks put together a map of IMAX screens with information about the screen size. The H1N1 (aka swine) flu epidemic revealed an interesting dual use for maps. One person created a frequently updated map with information about claimed incidents. I was curious about the source and found that one person at, what else, a bitotech company focused on recombination and disease, was behind the map. In addition, a group called Health Map seeks to offers a map that connects “disparate data sources to achieve a unified and comprehensive view of the current global state of infectious diseases and their effect on human and animal health.” On the light side, Total Film has a feature that uses Google Street view to show 25 favorite film locations.

As seems always to be the case, folks will probably soon argue about who owns what. The more interesting point might be the way maps show the malleability of information. In some hands, maps show fun things like where a film was shot. In other hands, maps provide useful epidemiological information. Yet, certain home owners may not be pleased about having tourists show up to gawk at what had been a quiet abode. Cities, counties, and even states may be upset if lay people assume that suspected or even confirmed outbreaks mean they should create a de facto or quasi-quarantine. Last, knowing where specific racial, religious, and other groups are can all too easily lead to mob behaviors.

The information mill churns. We have to sort it out. Old tools have new impacts. Today maps pose challenges. Tomorrow it will be something else. I am never certain that the law is the best way to manage these changes. Nonetheless, we have to consider what they are and how they function in case the law is asked to do so. On that note, please share any other creative and/or challenging uses of maps of which you are aware.

Last here is a little music for the trip:

Maps And Legends – R.E.M.


Health Tech: CNET Shadows The Economist

507px-gersdorff_-_schadelwundeTeaching Information Privacy is simply fantastic. The law and issues force students to consider torts, contracts, criminal procedure, constitutional law, and more. The health and genetic privacy material alone could easily be a course unto itself. Health care has been a major policy matter for more than a decade, and yet, it has not suffered the usual let’s move on to the next hot topic pattern that specific health matters such as HIV/AIDS and more recently H1N1. One area that is coming is so-called e-health. CNET is hosting a three day series on “Your e-health future.” The series looks at digital health records, Microsoft and Google’s forays into the sector, some fundamentals about e-health, stimulus, and so on. I plan on reading the different parts but based on the bits I’ve scanned, it is a little thin. In contrast, The Economist’s special report “Medicine Goes Digital” from April was stimulating and informative. I highly recommend the series of articles. The basic premise, “The convergence of biology and engineering is turning health care into an information industry,” relates to something I have been working on for a while: the way in which the merging of humans and machines (some call this possibility the singularity) poses problems that relate to intellectual property and privacy in much the same way being online did and continues to pose problems. These changes are coming. The question, and my hope, is that for once the law will be ahead of the curve as technology foments a fundamental change in the way we live.

Image: “Fieldbook of medicine (1517). Treatment of a skull injury. Wood cut work attributed to Hans Wechtlin.”
Source: Wikicommons

License: Public Domain


Lessons from the Identity Trail

lessons-from-the-identity-trail.jpgThere’s a terrific new book of essays about privacy out from Oxford University Press — LESSONS FROM THE IDENTITY TRAIL: ANONYMITY, PRIVACY AND IDENTITY IN A NETWORKED SOCIETY (Oxford University Press 2009). It’s edited by Ian Kerr, Valerie Steeves, and Carole Lucock. The essays are fascinating and are written by a number of very prominent privacy scholars. Highly recommended!

The book is available free for download under a Creative Commons license. One third of the essays are now posted online. The rest will become available in two more stages — on April 22th and May 6th. This is the first book to be published by Oxford University Press under a Creative Commons license.

The book is available on or on our special Concurring Opinions Oxford University Press promo page for 20% off.

Here’s the table of contents:

Read More