In a new book, Top Secret America, Washington Post reporters Dana Priest and William Arkin tell the story of the rise of the American security state following the terrorist attacks on 9/11. The authors detail the vast security apparatus developed by an alphabet soup of federal agencies. The thesis of the book is twofold. First, the authors explain, with numerous examples, how this security apparatus developed with little if any oversight, coordination or attempt to assess whether the new security state would better protect us from terrorist attacks. A second theme is that much of this security apparatus is being used not to fight terrorism, but to combat ordinary crime. The extremely sophisticated technologies that state and local law enforcement agencies now routinely use, make the thermal imaging device at issue in Kyllo v. United States seem like ancient technology.
In this era of endless budget battles and a competition between the major political parties as to which can show better fiscal restraint and responsibility, it is striking how little either party, particularly in Congress, is willing to question the need for such a vast and expensive security apparatus. The hesitancy of politicians of either stripe to question these programs is obvious: no politician wants to be seen as soft on terror or unwilling to do everything necessary to protect citizens. Hence, there has been virtually no effort in Congress to assert meaningful oversight of these programs, or even to become educated as to what programs actually exist. In one interview, the authors quote a senior Department of Defense official who says that only God knows the extent of the government’s security programs.
While Congress’ unwillingness to provide meaningful oversight is understandable, it is not excusable. There is, in fact, very strong precedent for Congress to perform necessary oversight and question the effectiveness and usefulness of important government programs even in time of war.
At the beginning of World War II Congress created a committee to investigate the nation’s defense program. The committee was headed by then Senator Harry Truman. Over the course of the next several years, Senator Truman’s committee held numerous public hearings, conducted investigations into defense spending programs, and visited countless military bases and factories. The Truman Committee became a powerful watchdog against fraud, waste and abuse. That committee is credited with saving the government billions of dollars, eliminating wasteful programs and saving American lives. All this, while the U.S. was fighting major wars on two fronts on opposite sides of the world. Where is the modern day Truman Commission?
September 23, 2011
September 6, 2011
Privacy Harms Under Massachusetts Law
Last month, the Massachusetts Appeals Court decided Amato v. District Attorney, a case involving privacy and DNA. The plaintiff was one of many men who voluntarily submitted a DNA sample to prosecutors in connection with a murder investigation. Following the completion of that investigation, the indictment and conviction of another individual, and the exhaustion of the appellate process, the plaintiff sought confirmation that, as prosecutors had promised him, his DNA sample had been destroyed. He received no such confirmation; in fact, a representative of the state crime lab stated that the lab continued to hold all the voluntarily-submitted DNA samples associated with that case.
In his class action suit, the plaintiff claimed the defendant had violated two Massachusetts laws, the Fair Information Practices Act (FIPA) and the statutory protection against privacy invasions. In addition, he argued that the defendants had breached a promise made by investigating detectives and the district attorney that his DNA sample would not be retained.
The trial court dismissed the plaintiff’s claims and the Appeals Court reversed. Regarding the scope of FIPA, the court held that, as the statutory text indicates, government agencies may not collect or maintain more personal data than reasonably necessary in connection with their legal functions; an agency that violates this rule may be subject to an action for equitable relief. In this case, the court concluded the plaintiff’s allegations sufficed to show the defendants kept more of his personal data than reasonably necessary—after all, the criminal investigation had ended and the appellate process had run its course.
As for the invasion of privacy claim, the Appeals Court noted that, under the statute, an individual has the right to be free from unreasonable, substantial and serious interference with privacy, and the trial court has the equitable power to enforce this right. The court agreed that the DNA information at issue should be considered highly sensitive, and the allegation that the defendants retained this information without the plaintiff’s consent, and made it available for use in other criminal investigations, sufficed to show the retention was unreasonable.
Finally, the Appeals Court held that the investigating detectives had made an enforceable promise to the plaintiff when they solicited a DNA sample from him, which they broke, thereby creating an actionable claim for breach of contract.
And so the court remanded for further proceedings, and we are left with a decision that stands as a rare vindication of privacy interests. To be sure, victory depended upon the existence of statutory rules governing the collection and maintenance of private information, a statutory protection of privacy interests, and particularly egregious facts. At the same time, the decision gives us some sense of the kind of privacy harm that will be actionable.
The understanding of privacy harm embraced by the Amato court may have some utility for individuals seeking to pursue privacy violations in other contexts. One of the most difficult issues confronting plaintiffs who claim a privacy violation is the way the harm should be characterized. It is not the same as physical harm, which can be quantified and measured. And, under statutes that require a showing of actual harm, it may be difficult to demonstrate that a loss of control over personal information caused an injury.
In contrast, the Amato court’s reasoning indicates that the presence of certain factors will point to the existence of an injury which is subject to remedy. Consider that, while the court recognized data collection and maintenance may be reasonably necessary, such necessity does not extend indefinitely into the future. For example, in the context of a criminal case, when the investigation has ceased, and certainly when a conviction has been upheld, it is no longer necessary to retain information that is not relevant to the case. At the point in time when consensually-submitted personal information ceases to be relevant to a government function, control over that information essentially reverts back to the individual and the continued retention of it amounts to unreasonable interference with privacy—that is, an actionable injury.
This injury existed, moreover, even absent evidence that the privacy violator made use of the personal information at issue. In other words, the Appeals Court in Amato concluded that the merely holding this information without the information-owner’s consent stated a claim for relief.
This kind of analyis suggests that, at least under Massachusetts law, the default position is individual control over personal information, and the loss of that control without appropriate justification must be regarded as a particularized harm, one which the courts have the power to remedy.
Lawrence Friedman
In his class action suit, the plaintiff claimed the defendant had violated two Massachusetts laws, the Fair Information Practices Act (FIPA) and the statutory protection against privacy invasions. In addition, he argued that the defendants had breached a promise made by investigating detectives and the district attorney that his DNA sample would not be retained.
The trial court dismissed the plaintiff’s claims and the Appeals Court reversed. Regarding the scope of FIPA, the court held that, as the statutory text indicates, government agencies may not collect or maintain more personal data than reasonably necessary in connection with their legal functions; an agency that violates this rule may be subject to an action for equitable relief. In this case, the court concluded the plaintiff’s allegations sufficed to show the defendants kept more of his personal data than reasonably necessary—after all, the criminal investigation had ended and the appellate process had run its course.
As for the invasion of privacy claim, the Appeals Court noted that, under the statute, an individual has the right to be free from unreasonable, substantial and serious interference with privacy, and the trial court has the equitable power to enforce this right. The court agreed that the DNA information at issue should be considered highly sensitive, and the allegation that the defendants retained this information without the plaintiff’s consent, and made it available for use in other criminal investigations, sufficed to show the retention was unreasonable.
Finally, the Appeals Court held that the investigating detectives had made an enforceable promise to the plaintiff when they solicited a DNA sample from him, which they broke, thereby creating an actionable claim for breach of contract.
And so the court remanded for further proceedings, and we are left with a decision that stands as a rare vindication of privacy interests. To be sure, victory depended upon the existence of statutory rules governing the collection and maintenance of private information, a statutory protection of privacy interests, and particularly egregious facts. At the same time, the decision gives us some sense of the kind of privacy harm that will be actionable.
The understanding of privacy harm embraced by the Amato court may have some utility for individuals seeking to pursue privacy violations in other contexts. One of the most difficult issues confronting plaintiffs who claim a privacy violation is the way the harm should be characterized. It is not the same as physical harm, which can be quantified and measured. And, under statutes that require a showing of actual harm, it may be difficult to demonstrate that a loss of control over personal information caused an injury.
In contrast, the Amato court’s reasoning indicates that the presence of certain factors will point to the existence of an injury which is subject to remedy. Consider that, while the court recognized data collection and maintenance may be reasonably necessary, such necessity does not extend indefinitely into the future. For example, in the context of a criminal case, when the investigation has ceased, and certainly when a conviction has been upheld, it is no longer necessary to retain information that is not relevant to the case. At the point in time when consensually-submitted personal information ceases to be relevant to a government function, control over that information essentially reverts back to the individual and the continued retention of it amounts to unreasonable interference with privacy—that is, an actionable injury.
This injury existed, moreover, even absent evidence that the privacy violator made use of the personal information at issue. In other words, the Appeals Court in Amato concluded that the merely holding this information without the information-owner’s consent stated a claim for relief.
This kind of analyis suggests that, at least under Massachusetts law, the default position is individual control over personal information, and the loss of that control without appropriate justification must be regarded as a particularized harm, one which the courts have the power to remedy.
Lawrence Friedman
Subscribe to:
Posts (Atom)