Privacy Legal Landscape


Privacy Legal Landscape Monday, March 19, 2018

Dear Ithaca Campus Community,

With safety as a priority, Cornell University is making available a free mobile app for faculty, students and staff on the Ithaca campus. RAVE Guardian turns your smartphone into a personal safety device. Check out the FAQs for more information.

By downloading the app on your mobile phone, you can invite friends and family to join your network as your “Guardians.” You can then request one or more of your Guardians to virtually walk with you on or off campus. It’s like having an emergency blue light system and a trusted friend with you at all times.

The app also has a safety feature that directly connects you to campus police (or 9-1-1 if off-campus) in an emergency situation, as well as the ability to submit an anonymous tip to campus police should you see something suspicious.

The Guardian app augments emergency communications and safety. All students, faculty and staff are encouraged to enhance their personal safety and the safety of their friends by downloading the free app at the Apple App Store or the Android app on Google Play.

Sincerely,
Cornell University Police
Cornell Office of Emergency Management
emergency.cornell.edu

Law
Other forms of regulation
• Ethics
• Professional codes
• Technology
Law

Is this legal? in the US

Is this legal?

Arne Svenson, 2013, Julie Saul Gallery

• IRS hands over Donald Trump’s tax returns to Mueller investigation
• US Census provides a full report of short form responses to the public
• Acxiom (a data broker) obtains divorce records from the New York State courthouse
• Dictionary.com shares information about users to advertisers
• Your best friend tells her brother about your financial troubles
• The FBI cites a protester for distributing anonymous fliers
• Cornell sells student’s grade transcripts to headhunting firm
• Coursera sells performance information about you to headhunting firm

Where does law pertaining to PRIVACY come from?
• U.S. Constitution, “Bill of Rights”. E.g. 4th Amendment
• LEGISLATURE: Statutes, Federal and State/Local. E.g. Privacy Act (1974; HIPAA)
• COURTS: Judicial decisions. E.g. United States v. Jones (2013); FB sponsored stories (2013)
• COMMON (CIVIL) LAW: “Torts”. E.g. Hulk Hogan sues Gawker
• GOVERNMENT AGENCIES (FTC, FCC, DHHS, ...): Rules, Legal Actions, Principles. E.g. Privacy policies online

Federal Constitutional Law – Bill of Rights (“privacy penumbra”)
• The First Amendment right to speak anonymously
• The First Amendment freedom of association
• The Third Amendment’s protection of the home from the quartering of troops
• The Fourth Amendment’s protection against unreasonable searches and seizures
• The Fifth Amendment’s privilege against self-incrimination

Ask class about Gawker, to test fact that constitution applies to govt actor only.

1928 Olmstead v. United States (wiretap private phone)
1967 Katz v. United States (bug public payphone)
Justice John Marshall Harlan invents the “reasonable expectation of privacy test,” (1) exhibited subjective expectation; (2) deemed reasonable by society

CODE OF FAIR INFORMATION PRACTICES (for PID information)
US Dept of HEW, 1973 Report on Automated Personal Data Systems
• There must be no personal data record-keeping systems whose very existence is secret.
• There must be a way for an individual to find out what information about him is in a record and how it is used.
• There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.
• There must be a way for an individual to correct or amend a record of identifiable information about him.
• Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.

Federal Statutory Law
• Fair Credit Reporting Act of 1970, 15 U.S.C. §§ 1681 et seq. — provides citizens rights regarding use and disclosure of personal information by consumer reporting agencies.
• Bank Secrecy Act of 1970, Pub. L. No. 91-508 — requires banks to maintain reports of people’s financial transactions to assist in government white-collar investigations.
• Privacy Act of 1974, 5 U.S.C. § 552a — provides individuals with a number of rights concerning their personal information maintained in government record systems, such as the right to see one’s records and to ensure that the information in them is accurate.
• Family Educational Rights and Privacy Act of 1974, 20 U.S.C. §§ 1221 note, 1232g — protects the privacy of school records.
• Foreign Intelligence Surveillance Act of 1978, 15 U.S.C. §§ 1801–1811 — regulates foreign intelligence gathering within the U.S.
• Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510–2522, 2701–2709 — updates federal electronic surveillance law for new developments in technology.
• Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. § 552a — regulates automated investigations conducted by government agencies comparing computer files.
• Video Privacy Protection Act of 1988, 18 U.S.C. §§ 2710–2711 — protects the privacy of videotape rental information.

Federal Statutory Law, continued:
• Driver’s Privacy Protection Act of 1994, 18 U.S.C. §§ 2721–2725 — restricts the states from disclosing or selling personal information in motor vehicle records.
• Health Insurance Portability and Accountability Act (HIPAA) of 1996 — gives the Department of Health and Human Services (HHS) the authority to promulgate regulations governing the privacy of medical records.
• Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501–6506 — restricts the use by Internet websites of information gathered from children under age 13.
• Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §§ 6801–6809 — requires privacy notices and provides opt-out rights when financial institutions seek to disclose personal data to other companies.
• USA-PATRIOT Act of 2001 — amends a number of electronic surveillance statutes and other statutes to facilitate law enforcement investigations and access to information.

The Common Law: Torts (“harms”)
1890 Warren & Brandeis: The Right to Privacy
Declares a NEW common law right to privacy (vs. Libel, Slander, Property Rights)
1960 William Prosser organizes over 300 cases since W&B
• Intrusion upon seclusion (and private affairs)
• Public disclosure of private facts
• False light
• Appropriation of name or likeness
Tests:
• Note: offensive to “a reasonable person”
• Note: not of legitimate concern to the public

Government Agencies
• Federal Trade Commission*
• Department of Health and Human Services
• Federal Communications Commission
• National Security Agency
• Federal Bureau of Investigation
• Central Intelligence Agency

OECD PRIVACY GUIDELINES 1980
(1) collection limitation—data should be collected lawfully with the individual’s consent;
(2) data quality—data should be relevant to a particular purpose and be accurate;
(3) purpose specification—the purpose for data collection should be stated at the time of the data collection and the use of the data should be limited to this purpose;
(4) use limitation—data should not be disclosed for different purposes without the consent of the individual;
(5) security safeguards—data should be protected by reasonable safeguards;
(6) openness principle—individuals should be informed about the practices and policies of those handling their personal information;
(7) individual participation—people should be able to learn about the data that an entity possesses about them and to rectify errors or problems in that data;
(8) accountability—the entities that control personal information should be held accountable for carrying out these principles.