Your single source for new lessons on legal technology, e-discovery, and the people innovating behind the scenes.

Baby Steps Toward an American GDPR?

Brendan Ryan

Get your smartphone ready and point it at C-SPAN. If you don’t pay attention next Tuesday, you might miss the US Congress take wobbly little steps toward a comprehensive internet privacy regulation.

On February 26, the Consumer Protection and Commerce Subcommittee of the House Committee on Energy and Commerce will hold its first privacy hearing of this Congress. It will be based on a Government Accountability Office (GAO) report released Feb. 13 recommending that Congress develop said regulation, a report the House Committee’s chairman requested almost two years ago. Among the recommendations for an overarching statute is a call for increased authority for the Federal Trade Commission (FTC) to impose civil penalties for bad actors.

If there is ever to be an American General Data Protection Regulation, we may look back at this moment as a pivotal one in its evolution—perhaps the idea has legs this time. e-Discovery practitioners will want to start watching the story unfold now, as it may one day change the landscape of digital evidence.

Let’s look back for a moment, then cross our fingers as we look ahead toward Tuesday’s proceedings. We’ll share a few thoughts from a Relativity Fest 2018 session moderated by Relativity’s David Horrigan, “From Carpenter to the GDPR: 2018 Data Privacy and Protection Law Update,” as our guide.

Crawling Before We Walk

Though this may be the first time it gets up on its feet, the idea of comprehensive privacy legislation isn’t new—certainly not among legal technologists. Our Relativity Fest panel discussed a few laws and legal developments leading us to where many hope we are headed.

One progenitor: The Stored Communications Act (SCA), older than many readers of this blog (of course, we don’t collect the data to prove that). Part of the Electronic Communications Privacy Act of 1986, the SCA now gets a fair share of eyerolls.

“Section 2703 of the Stored Communications Act rears its aged, decrepit head in many ways. Look at this law and just think about the technology you had in your pocket in 1986 versus what you have today. The law is just antiquated,” said David. “The Stored Communications Act really is at the root of a lot of the problems we’ve had.”

“Any hope for Congress doing some really extensive amendments of this law?” David asked the panel.

“Oh, dear God, I hope so,” replied Debbie Reynolds, data privacy officer and director at EimerStahl Discovery Solutions. “We have this patchwork of states that have passed their own data privacy laws.”

So another progenitor: state laws. The Illinois Biometric Information Privacy Act comes to mind. As does the California Consumer Privacy Act that takes effect next year.

She continued: “Then you have now the Supreme Court pressing down saying digital is different. So I hope that they will update the Stored Communications Act, and I hope that in any federal data privacy laws that they will take into account not just business benefits or governmental benefits but also consumers.”

Digital Is Different

Debbie was referring to the Supreme Court holding in Carpenter v. United States, No. 16-402 (U.S. June 22, 2018). In Carpenter, the Supreme Court reversed a decision of the Sixth Circuit and held that prosecutors’ acquisition of cell site data to put Timothy Carpenter (and his phone) at the scene of crimes was a search triggering the protections of the Fourth Amendment.

Carpenter is one of the latest progenitors putting limits on the so-called “third-party doctrine” for reasonable expectations of privacy, as narrow as those limits are in the decision of the High Court. It’s also, however, one that doesn’t apply much in the world of corporate disputes and discovery.

First, the Fourth Amendment applies to the government and often is not an issue in civil litigation. Second, Americans don’t have a reasonable expectation of privacy on their company phones (though “the BYOD [bring your own device] company phone discussion is one that’s a litigator’s nightmare,” argues fellow panelist John Koss, special counsel at Mintz Levin).

Still, this latest acknowledgement from the courts that “digital is different” resonates beyond criminal proceedings and gets to something the Europeans have a head-start on: With so much data—and data about data—there needs to be much more transparency about who’s collecting what and why. Whether it’s “non-content data” like where our cell phone was five years ago or something else, our consent to collect and use that data is only as legitimate as the policies are clear.

Get the facts, the law, and why Carpenter matters—among other important milestones from the past year—in Relativity’s 2018 Data Discovery Legal Year in Review by David Horrigan.

Copy and Paste GDPR?

The last progenitor we’ll discuss in this post (there are many more) is the EU GDPR itself. Last year, Apple CEO Tim Cook, representing average Americans at the 40th International Conference of Data Protection and Privacy Commissioners in Brussels and not at all motivated by the data collection and processing prowess of his company’s competitors, gushed about the GDPR and called for something similar stateside.

“Fortunately, we have your example before us,” he said. “Thank you for your work. For your commitment to the possibility of human-centered technology. And for your firm belief that our best days are still ahead of us.”

Our Relativity Fest panel was much more measured in their ruminations of whether much of the GDPR could ever make its way into US law. They were unanimous, for instance, on the question of whether something like GDPR Article 45, allowing for situations in which foreign countries can determine an adequate level of data protection, would work in the US. “I don’t think the United States is headed there any time soon,” said John.

Even if it won’t be a copy-and-paste job, whatever is ultimately born from the exploratory discussion Consumer Protection and Commerce Subcommittee Chair Jan Schakowsky (D-IL) and her colleagues will have on Tuesday will be compared with its European predecessor. What will it look like? Will it be an America-First GDPR?

It’s way too soon to tell. “Congress needs to act, and this hearing is an important first step,” the Chair says in a press release. “The American people are counting on us to deliver real results for them, and I will work with my colleagues to get it done.”

It’s worth paying attention, lest we miss the moment when America stands up from its crawl.

Learn about the 2018 Data Discovery Legal Year in Review

Brendan Ryan was Relativity’s senior manager of partner marketing.